statem_srvr.c 141 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the OpenSSL license (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_locl.h"
  13. #include "statem_locl.h"
  14. #include "internal/constant_time_locl.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/hmac.h>
  21. #include <openssl/x509.h>
  22. #include <openssl/dh.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #define TICKET_NONCE_SIZE 8
  26. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
  27. /*
  28. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  29. * handshake state transitions when a TLSv1.3 server is reading messages from
  30. * the client. The message type that the client has sent is provided in |mt|.
  31. * The current state is in |s->statem.hand_state|.
  32. *
  33. * Return values are 1 for success (transition allowed) and 0 on error
  34. * (transition not allowed)
  35. */
  36. static int ossl_statem_server13_read_transition(SSL *s, int mt)
  37. {
  38. OSSL_STATEM *st = &s->statem;
  39. /*
  40. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  41. * not negotiated TLSv1.3 yet, so that case is handled by
  42. * ossl_statem_server_read_transition()
  43. */
  44. switch (st->hand_state) {
  45. default:
  46. break;
  47. case TLS_ST_EARLY_DATA:
  48. if (s->hello_retry_request == SSL_HRR_PENDING) {
  49. if (mt == SSL3_MT_CLIENT_HELLO) {
  50. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  51. return 1;
  52. }
  53. break;
  54. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  55. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  56. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  57. return 1;
  58. }
  59. break;
  60. }
  61. /* Fall through */
  62. case TLS_ST_SR_END_OF_EARLY_DATA:
  63. case TLS_ST_SW_FINISHED:
  64. if (s->s3->tmp.cert_request) {
  65. if (mt == SSL3_MT_CERTIFICATE) {
  66. st->hand_state = TLS_ST_SR_CERT;
  67. return 1;
  68. }
  69. } else {
  70. if (mt == SSL3_MT_FINISHED) {
  71. st->hand_state = TLS_ST_SR_FINISHED;
  72. return 1;
  73. }
  74. }
  75. break;
  76. case TLS_ST_SR_CERT:
  77. if (s->session->peer == NULL) {
  78. if (mt == SSL3_MT_FINISHED) {
  79. st->hand_state = TLS_ST_SR_FINISHED;
  80. return 1;
  81. }
  82. } else {
  83. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  84. st->hand_state = TLS_ST_SR_CERT_VRFY;
  85. return 1;
  86. }
  87. }
  88. break;
  89. case TLS_ST_SR_CERT_VRFY:
  90. if (mt == SSL3_MT_FINISHED) {
  91. st->hand_state = TLS_ST_SR_FINISHED;
  92. return 1;
  93. }
  94. break;
  95. case TLS_ST_OK:
  96. /*
  97. * Its never ok to start processing handshake messages in the middle of
  98. * early data (i.e. before we've received the end of early data alert)
  99. */
  100. if (s->early_data_state == SSL_EARLY_DATA_READING)
  101. break;
  102. if (mt == SSL3_MT_CERTIFICATE
  103. && s->post_handshake_auth == SSL_PHA_REQUESTED) {
  104. st->hand_state = TLS_ST_SR_CERT;
  105. return 1;
  106. }
  107. if (mt == SSL3_MT_KEY_UPDATE) {
  108. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  109. return 1;
  110. }
  111. break;
  112. }
  113. /* No valid transition found */
  114. return 0;
  115. }
  116. /*
  117. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  118. * handshake state transitions when the server is reading messages from the
  119. * client. The message type that the client has sent is provided in |mt|. The
  120. * current state is in |s->statem.hand_state|.
  121. *
  122. * Return values are 1 for success (transition allowed) and 0 on error
  123. * (transition not allowed)
  124. */
  125. int ossl_statem_server_read_transition(SSL *s, int mt)
  126. {
  127. OSSL_STATEM *st = &s->statem;
  128. if (SSL_IS_TLS13(s)) {
  129. if (!ossl_statem_server13_read_transition(s, mt))
  130. goto err;
  131. return 1;
  132. }
  133. switch (st->hand_state) {
  134. default:
  135. break;
  136. case TLS_ST_BEFORE:
  137. case TLS_ST_OK:
  138. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  139. if (mt == SSL3_MT_CLIENT_HELLO) {
  140. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  141. return 1;
  142. }
  143. break;
  144. case TLS_ST_SW_SRVR_DONE:
  145. /*
  146. * If we get a CKE message after a ServerDone then either
  147. * 1) We didn't request a Certificate
  148. * OR
  149. * 2) If we did request one then
  150. * a) We allow no Certificate to be returned
  151. * AND
  152. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  153. * list if we requested a certificate)
  154. */
  155. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  156. if (s->s3->tmp.cert_request) {
  157. if (s->version == SSL3_VERSION) {
  158. if ((s->verify_mode & SSL_VERIFY_PEER)
  159. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  160. /*
  161. * This isn't an unexpected message as such - we're just
  162. * not going to accept it because we require a client
  163. * cert.
  164. */
  165. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  166. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  167. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  168. return 0;
  169. }
  170. st->hand_state = TLS_ST_SR_KEY_EXCH;
  171. return 1;
  172. }
  173. } else {
  174. st->hand_state = TLS_ST_SR_KEY_EXCH;
  175. return 1;
  176. }
  177. } else if (s->s3->tmp.cert_request) {
  178. if (mt == SSL3_MT_CERTIFICATE) {
  179. st->hand_state = TLS_ST_SR_CERT;
  180. return 1;
  181. }
  182. }
  183. break;
  184. case TLS_ST_SR_CERT:
  185. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  186. st->hand_state = TLS_ST_SR_KEY_EXCH;
  187. return 1;
  188. }
  189. break;
  190. case TLS_ST_SR_KEY_EXCH:
  191. /*
  192. * We should only process a CertificateVerify message if we have
  193. * received a Certificate from the client. If so then |s->session->peer|
  194. * will be non NULL. In some instances a CertificateVerify message is
  195. * not required even if the peer has sent a Certificate (e.g. such as in
  196. * the case of static DH). In that case |st->no_cert_verify| should be
  197. * set.
  198. */
  199. if (s->session->peer == NULL || st->no_cert_verify) {
  200. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  201. /*
  202. * For the ECDH ciphersuites when the client sends its ECDH
  203. * pub key in a certificate, the CertificateVerify message is
  204. * not sent. Also for GOST ciphersuites when the client uses
  205. * its key from the certificate for key exchange.
  206. */
  207. st->hand_state = TLS_ST_SR_CHANGE;
  208. return 1;
  209. }
  210. } else {
  211. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  212. st->hand_state = TLS_ST_SR_CERT_VRFY;
  213. return 1;
  214. }
  215. }
  216. break;
  217. case TLS_ST_SR_CERT_VRFY:
  218. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  219. st->hand_state = TLS_ST_SR_CHANGE;
  220. return 1;
  221. }
  222. break;
  223. case TLS_ST_SR_CHANGE:
  224. #ifndef OPENSSL_NO_NEXTPROTONEG
  225. if (s->s3->npn_seen) {
  226. if (mt == SSL3_MT_NEXT_PROTO) {
  227. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  228. return 1;
  229. }
  230. } else {
  231. #endif
  232. if (mt == SSL3_MT_FINISHED) {
  233. st->hand_state = TLS_ST_SR_FINISHED;
  234. return 1;
  235. }
  236. #ifndef OPENSSL_NO_NEXTPROTONEG
  237. }
  238. #endif
  239. break;
  240. #ifndef OPENSSL_NO_NEXTPROTONEG
  241. case TLS_ST_SR_NEXT_PROTO:
  242. if (mt == SSL3_MT_FINISHED) {
  243. st->hand_state = TLS_ST_SR_FINISHED;
  244. return 1;
  245. }
  246. break;
  247. #endif
  248. case TLS_ST_SW_FINISHED:
  249. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  250. st->hand_state = TLS_ST_SR_CHANGE;
  251. return 1;
  252. }
  253. break;
  254. }
  255. err:
  256. /* No valid transition found */
  257. if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  258. BIO *rbio;
  259. /*
  260. * CCS messages don't have a message sequence number so this is probably
  261. * because of an out-of-order CCS. We'll just drop it.
  262. */
  263. s->init_num = 0;
  264. s->rwstate = SSL_READING;
  265. rbio = SSL_get_rbio(s);
  266. BIO_clear_retry_flags(rbio);
  267. BIO_set_retry_read(rbio);
  268. return 0;
  269. }
  270. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
  271. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  272. SSL_R_UNEXPECTED_MESSAGE);
  273. return 0;
  274. }
  275. /*
  276. * Should we send a ServerKeyExchange message?
  277. *
  278. * Valid return values are:
  279. * 1: Yes
  280. * 0: No
  281. */
  282. static int send_server_key_exchange(SSL *s)
  283. {
  284. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  285. /*
  286. * only send a ServerKeyExchange if DH or fortezza but we have a
  287. * sign only certificate PSK: may send PSK identity hints For
  288. * ECC ciphersuites, we send a serverKeyExchange message only if
  289. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  290. * the server certificate contains the server's public key for
  291. * key exchange.
  292. */
  293. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  294. /*
  295. * PSK: send ServerKeyExchange if PSK identity hint if
  296. * provided
  297. */
  298. #ifndef OPENSSL_NO_PSK
  299. /* Only send SKE if we have identity hint for plain PSK */
  300. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  301. && s->cert->psk_identity_hint)
  302. /* For other PSK always send SKE */
  303. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  304. #endif
  305. #ifndef OPENSSL_NO_SRP
  306. /* SRP: send ServerKeyExchange */
  307. || (alg_k & SSL_kSRP)
  308. #endif
  309. ) {
  310. return 1;
  311. }
  312. return 0;
  313. }
  314. /*
  315. * Should we send a CertificateRequest message?
  316. *
  317. * Valid return values are:
  318. * 1: Yes
  319. * 0: No
  320. */
  321. int send_certificate_request(SSL *s)
  322. {
  323. if (
  324. /* don't request cert unless asked for it: */
  325. s->verify_mode & SSL_VERIFY_PEER
  326. /*
  327. * don't request if post-handshake-only unless doing
  328. * post-handshake in TLSv1.3:
  329. */
  330. && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  331. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  332. /*
  333. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  334. * a second time:
  335. */
  336. && (s->certreqs_sent < 1 ||
  337. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  338. /*
  339. * never request cert in anonymous ciphersuites (see
  340. * section "Certificate request" in SSL 3 drafts and in
  341. * RFC 2246):
  342. */
  343. && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  344. /*
  345. * ... except when the application insists on
  346. * verification (against the specs, but statem_clnt.c accepts
  347. * this for SSL 3)
  348. */
  349. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  350. /* don't request certificate for SRP auth */
  351. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
  352. /*
  353. * With normal PSK Certificates and Certificate Requests
  354. * are omitted
  355. */
  356. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  357. return 1;
  358. }
  359. return 0;
  360. }
  361. /*
  362. * ossl_statem_server13_write_transition() works out what handshake state to
  363. * move to next when a TLSv1.3 server is writing messages to be sent to the
  364. * client.
  365. */
  366. static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
  367. {
  368. OSSL_STATEM *st = &s->statem;
  369. /*
  370. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  371. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  372. */
  373. switch (st->hand_state) {
  374. default:
  375. /* Shouldn't happen */
  376. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  377. SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
  378. ERR_R_INTERNAL_ERROR);
  379. return WRITE_TRAN_ERROR;
  380. case TLS_ST_OK:
  381. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  382. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  383. return WRITE_TRAN_CONTINUE;
  384. }
  385. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  386. st->hand_state = TLS_ST_SW_CERT_REQ;
  387. return WRITE_TRAN_CONTINUE;
  388. }
  389. /* Try to read from the client instead */
  390. return WRITE_TRAN_FINISHED;
  391. case TLS_ST_SR_CLNT_HELLO:
  392. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  393. return WRITE_TRAN_CONTINUE;
  394. case TLS_ST_SW_SRVR_HELLO:
  395. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  396. && s->hello_retry_request != SSL_HRR_COMPLETE)
  397. st->hand_state = TLS_ST_SW_CHANGE;
  398. else if (s->hello_retry_request == SSL_HRR_PENDING)
  399. st->hand_state = TLS_ST_EARLY_DATA;
  400. else
  401. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  402. return WRITE_TRAN_CONTINUE;
  403. case TLS_ST_SW_CHANGE:
  404. if (s->hello_retry_request == SSL_HRR_PENDING)
  405. st->hand_state = TLS_ST_EARLY_DATA;
  406. else
  407. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  408. return WRITE_TRAN_CONTINUE;
  409. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  410. if (s->hit)
  411. st->hand_state = TLS_ST_SW_FINISHED;
  412. else if (send_certificate_request(s))
  413. st->hand_state = TLS_ST_SW_CERT_REQ;
  414. else
  415. st->hand_state = TLS_ST_SW_CERT;
  416. return WRITE_TRAN_CONTINUE;
  417. case TLS_ST_SW_CERT_REQ:
  418. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  419. s->post_handshake_auth = SSL_PHA_REQUESTED;
  420. st->hand_state = TLS_ST_OK;
  421. } else {
  422. st->hand_state = TLS_ST_SW_CERT;
  423. }
  424. return WRITE_TRAN_CONTINUE;
  425. case TLS_ST_SW_CERT:
  426. st->hand_state = TLS_ST_SW_CERT_VRFY;
  427. return WRITE_TRAN_CONTINUE;
  428. case TLS_ST_SW_CERT_VRFY:
  429. st->hand_state = TLS_ST_SW_FINISHED;
  430. return WRITE_TRAN_CONTINUE;
  431. case TLS_ST_SW_FINISHED:
  432. st->hand_state = TLS_ST_EARLY_DATA;
  433. return WRITE_TRAN_CONTINUE;
  434. case TLS_ST_EARLY_DATA:
  435. return WRITE_TRAN_FINISHED;
  436. case TLS_ST_SR_FINISHED:
  437. /*
  438. * Technically we have finished the handshake at this point, but we're
  439. * going to remain "in_init" for now and write out any session tickets
  440. * immediately.
  441. */
  442. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  443. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  444. } else if (!s->ext.ticket_expected) {
  445. /*
  446. * If we're not going to renew the ticket then we just finish the
  447. * handshake at this point.
  448. */
  449. st->hand_state = TLS_ST_OK;
  450. return WRITE_TRAN_CONTINUE;
  451. }
  452. if (s->num_tickets > s->sent_tickets)
  453. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  454. else
  455. st->hand_state = TLS_ST_OK;
  456. return WRITE_TRAN_CONTINUE;
  457. case TLS_ST_SR_KEY_UPDATE:
  458. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  459. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  460. return WRITE_TRAN_CONTINUE;
  461. }
  462. /* Fall through */
  463. case TLS_ST_SW_KEY_UPDATE:
  464. st->hand_state = TLS_ST_OK;
  465. return WRITE_TRAN_CONTINUE;
  466. case TLS_ST_SW_SESSION_TICKET:
  467. /* In a resumption we only ever send a maximum of one new ticket.
  468. * Following an initial handshake we send the number of tickets we have
  469. * been configured for.
  470. */
  471. if (s->hit || s->num_tickets <= s->sent_tickets) {
  472. /* We've written enough tickets out. */
  473. st->hand_state = TLS_ST_OK;
  474. }
  475. return WRITE_TRAN_CONTINUE;
  476. }
  477. }
  478. /*
  479. * ossl_statem_server_write_transition() works out what handshake state to move
  480. * to next when the server is writing messages to be sent to the client.
  481. */
  482. WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  483. {
  484. OSSL_STATEM *st = &s->statem;
  485. /*
  486. * Note that before the ClientHello we don't know what version we are going
  487. * to negotiate yet, so we don't take this branch until later
  488. */
  489. if (SSL_IS_TLS13(s))
  490. return ossl_statem_server13_write_transition(s);
  491. switch (st->hand_state) {
  492. default:
  493. /* Shouldn't happen */
  494. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  495. SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
  496. ERR_R_INTERNAL_ERROR);
  497. return WRITE_TRAN_ERROR;
  498. case TLS_ST_OK:
  499. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  500. /* We must be trying to renegotiate */
  501. st->hand_state = TLS_ST_SW_HELLO_REQ;
  502. st->request_state = TLS_ST_BEFORE;
  503. return WRITE_TRAN_CONTINUE;
  504. }
  505. /* Must be an incoming ClientHello */
  506. if (!tls_setup_handshake(s)) {
  507. /* SSLfatal() already called */
  508. return WRITE_TRAN_ERROR;
  509. }
  510. /* Fall through */
  511. case TLS_ST_BEFORE:
  512. /* Just go straight to trying to read from the client */
  513. return WRITE_TRAN_FINISHED;
  514. case TLS_ST_SW_HELLO_REQ:
  515. st->hand_state = TLS_ST_OK;
  516. return WRITE_TRAN_CONTINUE;
  517. case TLS_ST_SR_CLNT_HELLO:
  518. if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
  519. && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
  520. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  521. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  522. /* We must have rejected the renegotiation */
  523. st->hand_state = TLS_ST_OK;
  524. return WRITE_TRAN_CONTINUE;
  525. } else {
  526. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  527. }
  528. return WRITE_TRAN_CONTINUE;
  529. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  530. return WRITE_TRAN_FINISHED;
  531. case TLS_ST_SW_SRVR_HELLO:
  532. if (s->hit) {
  533. if (s->ext.ticket_expected)
  534. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  535. else
  536. st->hand_state = TLS_ST_SW_CHANGE;
  537. } else {
  538. /* Check if it is anon DH or anon ECDH, */
  539. /* normal PSK or SRP */
  540. if (!(s->s3->tmp.new_cipher->algorithm_auth &
  541. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  542. st->hand_state = TLS_ST_SW_CERT;
  543. } else if (send_server_key_exchange(s)) {
  544. st->hand_state = TLS_ST_SW_KEY_EXCH;
  545. } else if (send_certificate_request(s)) {
  546. st->hand_state = TLS_ST_SW_CERT_REQ;
  547. } else {
  548. st->hand_state = TLS_ST_SW_SRVR_DONE;
  549. }
  550. }
  551. return WRITE_TRAN_CONTINUE;
  552. case TLS_ST_SW_CERT:
  553. if (s->ext.status_expected) {
  554. st->hand_state = TLS_ST_SW_CERT_STATUS;
  555. return WRITE_TRAN_CONTINUE;
  556. }
  557. /* Fall through */
  558. case TLS_ST_SW_CERT_STATUS:
  559. if (send_server_key_exchange(s)) {
  560. st->hand_state = TLS_ST_SW_KEY_EXCH;
  561. return WRITE_TRAN_CONTINUE;
  562. }
  563. /* Fall through */
  564. case TLS_ST_SW_KEY_EXCH:
  565. if (send_certificate_request(s)) {
  566. st->hand_state = TLS_ST_SW_CERT_REQ;
  567. return WRITE_TRAN_CONTINUE;
  568. }
  569. /* Fall through */
  570. case TLS_ST_SW_CERT_REQ:
  571. st->hand_state = TLS_ST_SW_SRVR_DONE;
  572. return WRITE_TRAN_CONTINUE;
  573. case TLS_ST_SW_SRVR_DONE:
  574. return WRITE_TRAN_FINISHED;
  575. case TLS_ST_SR_FINISHED:
  576. if (s->hit) {
  577. st->hand_state = TLS_ST_OK;
  578. return WRITE_TRAN_CONTINUE;
  579. } else if (s->ext.ticket_expected) {
  580. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  581. } else {
  582. st->hand_state = TLS_ST_SW_CHANGE;
  583. }
  584. return WRITE_TRAN_CONTINUE;
  585. case TLS_ST_SW_SESSION_TICKET:
  586. st->hand_state = TLS_ST_SW_CHANGE;
  587. return WRITE_TRAN_CONTINUE;
  588. case TLS_ST_SW_CHANGE:
  589. st->hand_state = TLS_ST_SW_FINISHED;
  590. return WRITE_TRAN_CONTINUE;
  591. case TLS_ST_SW_FINISHED:
  592. if (s->hit) {
  593. return WRITE_TRAN_FINISHED;
  594. }
  595. st->hand_state = TLS_ST_OK;
  596. return WRITE_TRAN_CONTINUE;
  597. }
  598. }
  599. /*
  600. * Perform any pre work that needs to be done prior to sending a message from
  601. * the server to the client.
  602. */
  603. WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
  604. {
  605. OSSL_STATEM *st = &s->statem;
  606. switch (st->hand_state) {
  607. default:
  608. /* No pre work to be done */
  609. break;
  610. case TLS_ST_SW_HELLO_REQ:
  611. s->shutdown = 0;
  612. if (SSL_IS_DTLS(s))
  613. dtls1_clear_sent_buffer(s);
  614. break;
  615. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  616. s->shutdown = 0;
  617. if (SSL_IS_DTLS(s)) {
  618. dtls1_clear_sent_buffer(s);
  619. /* We don't buffer this message so don't use the timer */
  620. st->use_timer = 0;
  621. }
  622. break;
  623. case TLS_ST_SW_SRVR_HELLO:
  624. if (SSL_IS_DTLS(s)) {
  625. /*
  626. * Messages we write from now on should be buffered and
  627. * retransmitted if necessary, so we need to use the timer now
  628. */
  629. st->use_timer = 1;
  630. }
  631. break;
  632. case TLS_ST_SW_SRVR_DONE:
  633. #ifndef OPENSSL_NO_SCTP
  634. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  635. /* Calls SSLfatal() as required */
  636. return dtls_wait_for_dry(s);
  637. }
  638. #endif
  639. return WORK_FINISHED_CONTINUE;
  640. case TLS_ST_SW_SESSION_TICKET:
  641. if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
  642. /*
  643. * Actually this is the end of the handshake, but we're going
  644. * straight into writing the session ticket out. So we finish off
  645. * the handshake, but keep the various buffers active.
  646. *
  647. * Calls SSLfatal as required.
  648. */
  649. return tls_finish_handshake(s, wst, 0, 0);
  650. } if (SSL_IS_DTLS(s)) {
  651. /*
  652. * We're into the last flight. We don't retransmit the last flight
  653. * unless we need to, so we don't use the timer
  654. */
  655. st->use_timer = 0;
  656. }
  657. break;
  658. case TLS_ST_SW_CHANGE:
  659. if (SSL_IS_TLS13(s))
  660. break;
  661. s->session->cipher = s->s3->tmp.new_cipher;
  662. if (!s->method->ssl3_enc->setup_key_block(s)) {
  663. /* SSLfatal() already called */
  664. return WORK_ERROR;
  665. }
  666. if (SSL_IS_DTLS(s)) {
  667. /*
  668. * We're into the last flight. We don't retransmit the last flight
  669. * unless we need to, so we don't use the timer. This might have
  670. * already been set to 0 if we sent a NewSessionTicket message,
  671. * but we'll set it again here in case we didn't.
  672. */
  673. st->use_timer = 0;
  674. }
  675. return WORK_FINISHED_CONTINUE;
  676. case TLS_ST_EARLY_DATA:
  677. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  678. && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
  679. return WORK_FINISHED_CONTINUE;
  680. /* Fall through */
  681. case TLS_ST_OK:
  682. /* Calls SSLfatal() as required */
  683. return tls_finish_handshake(s, wst, 1, 1);
  684. }
  685. return WORK_FINISHED_CONTINUE;
  686. }
  687. static ossl_inline int conn_is_closed(void)
  688. {
  689. switch (get_last_sys_error()) {
  690. #if defined(EPIPE)
  691. case EPIPE:
  692. return 1;
  693. #endif
  694. #if defined(ECONNRESET)
  695. case ECONNRESET:
  696. return 1;
  697. #endif
  698. default:
  699. return 0;
  700. }
  701. }
  702. /*
  703. * Perform any work that needs to be done after sending a message from the
  704. * server to the client.
  705. */
  706. WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
  707. {
  708. OSSL_STATEM *st = &s->statem;
  709. s->init_num = 0;
  710. switch (st->hand_state) {
  711. default:
  712. /* No post work to be done */
  713. break;
  714. case TLS_ST_SW_HELLO_REQ:
  715. if (statem_flush(s) != 1)
  716. return WORK_MORE_A;
  717. if (!ssl3_init_finished_mac(s)) {
  718. /* SSLfatal() already called */
  719. return WORK_ERROR;
  720. }
  721. break;
  722. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  723. if (statem_flush(s) != 1)
  724. return WORK_MORE_A;
  725. /* HelloVerifyRequest resets Finished MAC */
  726. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  727. /* SSLfatal() already called */
  728. return WORK_ERROR;
  729. }
  730. /*
  731. * The next message should be another ClientHello which we need to
  732. * treat like it was the first packet
  733. */
  734. s->first_packet = 1;
  735. break;
  736. case TLS_ST_SW_SRVR_HELLO:
  737. if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
  738. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  739. && statem_flush(s) != 1)
  740. return WORK_MORE_A;
  741. break;
  742. }
  743. #ifndef OPENSSL_NO_SCTP
  744. if (SSL_IS_DTLS(s) && s->hit) {
  745. unsigned char sctpauthkey[64];
  746. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  747. /*
  748. * Add new shared key for SCTP-Auth, will be ignored if no
  749. * SCTP used.
  750. */
  751. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  752. sizeof(DTLS1_SCTP_AUTH_LABEL));
  753. if (SSL_export_keying_material(s, sctpauthkey,
  754. sizeof(sctpauthkey), labelbuffer,
  755. sizeof(labelbuffer), NULL, 0,
  756. 0) <= 0) {
  757. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  758. SSL_F_OSSL_STATEM_SERVER_POST_WORK,
  759. ERR_R_INTERNAL_ERROR);
  760. return WORK_ERROR;
  761. }
  762. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  763. sizeof(sctpauthkey), sctpauthkey);
  764. }
  765. #endif
  766. if (!SSL_IS_TLS13(s)
  767. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  768. && s->hello_retry_request != SSL_HRR_COMPLETE))
  769. break;
  770. /* Fall through */
  771. case TLS_ST_SW_CHANGE:
  772. if (s->hello_retry_request == SSL_HRR_PENDING) {
  773. if (!statem_flush(s))
  774. return WORK_MORE_A;
  775. break;
  776. }
  777. if (SSL_IS_TLS13(s)) {
  778. if (!s->method->ssl3_enc->setup_key_block(s)
  779. || !s->method->ssl3_enc->change_cipher_state(s,
  780. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  781. /* SSLfatal() already called */
  782. return WORK_ERROR;
  783. }
  784. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  785. && !s->method->ssl3_enc->change_cipher_state(s,
  786. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  787. /* SSLfatal() already called */
  788. return WORK_ERROR;
  789. }
  790. /*
  791. * We don't yet know whether the next record we are going to receive
  792. * is an unencrypted alert, an encrypted alert, or an encrypted
  793. * handshake message. We temporarily tolerate unencrypted alerts.
  794. */
  795. s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS;
  796. break;
  797. }
  798. #ifndef OPENSSL_NO_SCTP
  799. if (SSL_IS_DTLS(s) && !s->hit) {
  800. /*
  801. * Change to new shared key of SCTP-Auth, will be ignored if
  802. * no SCTP used.
  803. */
  804. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  805. 0, NULL);
  806. }
  807. #endif
  808. if (!s->method->ssl3_enc->change_cipher_state(s,
  809. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  810. {
  811. /* SSLfatal() already called */
  812. return WORK_ERROR;
  813. }
  814. if (SSL_IS_DTLS(s))
  815. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  816. break;
  817. case TLS_ST_SW_SRVR_DONE:
  818. if (statem_flush(s) != 1)
  819. return WORK_MORE_A;
  820. break;
  821. case TLS_ST_SW_FINISHED:
  822. if (statem_flush(s) != 1)
  823. return WORK_MORE_A;
  824. #ifndef OPENSSL_NO_SCTP
  825. if (SSL_IS_DTLS(s) && s->hit) {
  826. /*
  827. * Change to new shared key of SCTP-Auth, will be ignored if
  828. * no SCTP used.
  829. */
  830. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  831. 0, NULL);
  832. }
  833. #endif
  834. if (SSL_IS_TLS13(s)) {
  835. if (!s->method->ssl3_enc->generate_master_secret(s,
  836. s->master_secret, s->handshake_secret, 0,
  837. &s->session->master_key_length)
  838. || !s->method->ssl3_enc->change_cipher_state(s,
  839. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  840. /* SSLfatal() already called */
  841. return WORK_ERROR;
  842. }
  843. break;
  844. case TLS_ST_SW_CERT_REQ:
  845. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  846. if (statem_flush(s) != 1)
  847. return WORK_MORE_A;
  848. }
  849. break;
  850. case TLS_ST_SW_KEY_UPDATE:
  851. if (statem_flush(s) != 1)
  852. return WORK_MORE_A;
  853. if (!tls13_update_key(s, 1)) {
  854. /* SSLfatal() already called */
  855. return WORK_ERROR;
  856. }
  857. break;
  858. case TLS_ST_SW_SESSION_TICKET:
  859. clear_sys_error();
  860. if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
  861. if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
  862. && conn_is_closed()) {
  863. /*
  864. * We ignore connection closed errors in TLSv1.3 when sending a
  865. * NewSessionTicket and behave as if we were successful. This is
  866. * so that we are still able to read data sent to us by a client
  867. * that closes soon after the end of the handshake without
  868. * waiting to read our post-handshake NewSessionTickets.
  869. */
  870. s->rwstate = SSL_NOTHING;
  871. break;
  872. }
  873. return WORK_MORE_A;
  874. }
  875. break;
  876. }
  877. return WORK_FINISHED_CONTINUE;
  878. }
  879. /*
  880. * Get the message construction function and message type for sending from the
  881. * server
  882. *
  883. * Valid return values are:
  884. * 1: Success
  885. * 0: Error
  886. */
  887. int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
  888. confunc_f *confunc, int *mt)
  889. {
  890. OSSL_STATEM *st = &s->statem;
  891. switch (st->hand_state) {
  892. default:
  893. /* Shouldn't happen */
  894. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  895. SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
  896. SSL_R_BAD_HANDSHAKE_STATE);
  897. return 0;
  898. case TLS_ST_SW_CHANGE:
  899. if (SSL_IS_DTLS(s))
  900. *confunc = dtls_construct_change_cipher_spec;
  901. else
  902. *confunc = tls_construct_change_cipher_spec;
  903. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  904. break;
  905. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  906. *confunc = dtls_construct_hello_verify_request;
  907. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  908. break;
  909. case TLS_ST_SW_HELLO_REQ:
  910. /* No construction function needed */
  911. *confunc = NULL;
  912. *mt = SSL3_MT_HELLO_REQUEST;
  913. break;
  914. case TLS_ST_SW_SRVR_HELLO:
  915. *confunc = tls_construct_server_hello;
  916. *mt = SSL3_MT_SERVER_HELLO;
  917. break;
  918. case TLS_ST_SW_CERT:
  919. *confunc = tls_construct_server_certificate;
  920. *mt = SSL3_MT_CERTIFICATE;
  921. break;
  922. case TLS_ST_SW_CERT_VRFY:
  923. *confunc = tls_construct_cert_verify;
  924. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  925. break;
  926. case TLS_ST_SW_KEY_EXCH:
  927. *confunc = tls_construct_server_key_exchange;
  928. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  929. break;
  930. case TLS_ST_SW_CERT_REQ:
  931. *confunc = tls_construct_certificate_request;
  932. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  933. break;
  934. case TLS_ST_SW_SRVR_DONE:
  935. *confunc = tls_construct_server_done;
  936. *mt = SSL3_MT_SERVER_DONE;
  937. break;
  938. case TLS_ST_SW_SESSION_TICKET:
  939. *confunc = tls_construct_new_session_ticket;
  940. *mt = SSL3_MT_NEWSESSION_TICKET;
  941. break;
  942. case TLS_ST_SW_CERT_STATUS:
  943. *confunc = tls_construct_cert_status;
  944. *mt = SSL3_MT_CERTIFICATE_STATUS;
  945. break;
  946. case TLS_ST_SW_FINISHED:
  947. *confunc = tls_construct_finished;
  948. *mt = SSL3_MT_FINISHED;
  949. break;
  950. case TLS_ST_EARLY_DATA:
  951. *confunc = NULL;
  952. *mt = SSL3_MT_DUMMY;
  953. break;
  954. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  955. *confunc = tls_construct_encrypted_extensions;
  956. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  957. break;
  958. case TLS_ST_SW_KEY_UPDATE:
  959. *confunc = tls_construct_key_update;
  960. *mt = SSL3_MT_KEY_UPDATE;
  961. break;
  962. }
  963. return 1;
  964. }
  965. /*
  966. * Maximum size (excluding the Handshake header) of a ClientHello message,
  967. * calculated as follows:
  968. *
  969. * 2 + # client_version
  970. * 32 + # only valid length for random
  971. * 1 + # length of session_id
  972. * 32 + # maximum size for session_id
  973. * 2 + # length of cipher suites
  974. * 2^16-2 + # maximum length of cipher suites array
  975. * 1 + # length of compression_methods
  976. * 2^8-1 + # maximum length of compression methods
  977. * 2 + # length of extensions
  978. * 2^16-1 # maximum length of extensions
  979. */
  980. #define CLIENT_HELLO_MAX_LENGTH 131396
  981. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  982. #define NEXT_PROTO_MAX_LENGTH 514
  983. /*
  984. * Returns the maximum allowed length for the current message that we are
  985. * reading. Excludes the message header.
  986. */
  987. size_t ossl_statem_server_max_message_size(SSL *s)
  988. {
  989. OSSL_STATEM *st = &s->statem;
  990. switch (st->hand_state) {
  991. default:
  992. /* Shouldn't happen */
  993. return 0;
  994. case TLS_ST_SR_CLNT_HELLO:
  995. return CLIENT_HELLO_MAX_LENGTH;
  996. case TLS_ST_SR_END_OF_EARLY_DATA:
  997. return END_OF_EARLY_DATA_MAX_LENGTH;
  998. case TLS_ST_SR_CERT:
  999. return s->max_cert_list;
  1000. case TLS_ST_SR_KEY_EXCH:
  1001. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1002. case TLS_ST_SR_CERT_VRFY:
  1003. return SSL3_RT_MAX_PLAIN_LENGTH;
  1004. #ifndef OPENSSL_NO_NEXTPROTONEG
  1005. case TLS_ST_SR_NEXT_PROTO:
  1006. return NEXT_PROTO_MAX_LENGTH;
  1007. #endif
  1008. case TLS_ST_SR_CHANGE:
  1009. return CCS_MAX_LENGTH;
  1010. case TLS_ST_SR_FINISHED:
  1011. return FINISHED_MAX_LENGTH;
  1012. case TLS_ST_SR_KEY_UPDATE:
  1013. return KEY_UPDATE_MAX_LENGTH;
  1014. }
  1015. }
  1016. /*
  1017. * Process a message that the server has received from the client.
  1018. */
  1019. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
  1020. {
  1021. OSSL_STATEM *st = &s->statem;
  1022. switch (st->hand_state) {
  1023. default:
  1024. /* Shouldn't happen */
  1025. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1026. SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
  1027. ERR_R_INTERNAL_ERROR);
  1028. return MSG_PROCESS_ERROR;
  1029. case TLS_ST_SR_CLNT_HELLO:
  1030. return tls_process_client_hello(s, pkt);
  1031. case TLS_ST_SR_END_OF_EARLY_DATA:
  1032. return tls_process_end_of_early_data(s, pkt);
  1033. case TLS_ST_SR_CERT:
  1034. return tls_process_client_certificate(s, pkt);
  1035. case TLS_ST_SR_KEY_EXCH:
  1036. return tls_process_client_key_exchange(s, pkt);
  1037. case TLS_ST_SR_CERT_VRFY:
  1038. return tls_process_cert_verify(s, pkt);
  1039. #ifndef OPENSSL_NO_NEXTPROTONEG
  1040. case TLS_ST_SR_NEXT_PROTO:
  1041. return tls_process_next_proto(s, pkt);
  1042. #endif
  1043. case TLS_ST_SR_CHANGE:
  1044. return tls_process_change_cipher_spec(s, pkt);
  1045. case TLS_ST_SR_FINISHED:
  1046. return tls_process_finished(s, pkt);
  1047. case TLS_ST_SR_KEY_UPDATE:
  1048. return tls_process_key_update(s, pkt);
  1049. }
  1050. }
  1051. /*
  1052. * Perform any further processing required following the receipt of a message
  1053. * from the client
  1054. */
  1055. WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
  1056. {
  1057. OSSL_STATEM *st = &s->statem;
  1058. switch (st->hand_state) {
  1059. default:
  1060. /* Shouldn't happen */
  1061. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1062. SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
  1063. ERR_R_INTERNAL_ERROR);
  1064. return WORK_ERROR;
  1065. case TLS_ST_SR_CLNT_HELLO:
  1066. return tls_post_process_client_hello(s, wst);
  1067. case TLS_ST_SR_KEY_EXCH:
  1068. return tls_post_process_client_key_exchange(s, wst);
  1069. }
  1070. }
  1071. #ifndef OPENSSL_NO_SRP
  1072. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1073. static int ssl_check_srp_ext_ClientHello(SSL *s)
  1074. {
  1075. int ret;
  1076. int al = SSL_AD_UNRECOGNIZED_NAME;
  1077. if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1078. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1079. if (s->srp_ctx.login == NULL) {
  1080. /*
  1081. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1082. * login name
  1083. */
  1084. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1085. SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1086. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1087. return -1;
  1088. } else {
  1089. ret = SSL_srp_server_param_with_username(s, &al);
  1090. if (ret < 0)
  1091. return 0;
  1092. if (ret == SSL3_AL_FATAL) {
  1093. SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1094. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1095. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1096. : SSL_R_CLIENTHELLO_TLSEXT);
  1097. return -1;
  1098. }
  1099. }
  1100. }
  1101. return 1;
  1102. }
  1103. #endif
  1104. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1105. size_t cookie_len)
  1106. {
  1107. /* Always use DTLS 1.0 version: see RFC 6347 */
  1108. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1109. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1110. return 0;
  1111. return 1;
  1112. }
  1113. int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
  1114. {
  1115. unsigned int cookie_leni;
  1116. if (s->ctx->app_gen_cookie_cb == NULL ||
  1117. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  1118. &cookie_leni) == 0 ||
  1119. cookie_leni > 255) {
  1120. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1121. SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1122. return 0;
  1123. }
  1124. s->d1->cookie_len = cookie_leni;
  1125. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1126. s->d1->cookie_len)) {
  1127. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1128. ERR_R_INTERNAL_ERROR);
  1129. return 0;
  1130. }
  1131. return 1;
  1132. }
  1133. #ifndef OPENSSL_NO_EC
  1134. /*-
  1135. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1136. * SecureTransport using the TLS extension block in |hello|.
  1137. * Safari, since 10.6, sends exactly these extensions, in this order:
  1138. * SNI,
  1139. * elliptic_curves
  1140. * ec_point_formats
  1141. * signature_algorithms (for TLSv1.2 only)
  1142. *
  1143. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1144. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1145. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1146. * 10.8..10.8.3 (which don't work).
  1147. */
  1148. static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
  1149. {
  1150. static const unsigned char kSafariExtensionsBlock[] = {
  1151. 0x00, 0x0a, /* elliptic_curves extension */
  1152. 0x00, 0x08, /* 8 bytes */
  1153. 0x00, 0x06, /* 6 bytes of curve ids */
  1154. 0x00, 0x17, /* P-256 */
  1155. 0x00, 0x18, /* P-384 */
  1156. 0x00, 0x19, /* P-521 */
  1157. 0x00, 0x0b, /* ec_point_formats */
  1158. 0x00, 0x02, /* 2 bytes */
  1159. 0x01, /* 1 point format */
  1160. 0x00, /* uncompressed */
  1161. /* The following is only present in TLS 1.2 */
  1162. 0x00, 0x0d, /* signature_algorithms */
  1163. 0x00, 0x0c, /* 12 bytes */
  1164. 0x00, 0x0a, /* 10 bytes */
  1165. 0x05, 0x01, /* SHA-384/RSA */
  1166. 0x04, 0x01, /* SHA-256/RSA */
  1167. 0x02, 0x01, /* SHA-1/RSA */
  1168. 0x04, 0x03, /* SHA-256/ECDSA */
  1169. 0x02, 0x03, /* SHA-1/ECDSA */
  1170. };
  1171. /* Length of the common prefix (first two extensions). */
  1172. static const size_t kSafariCommonExtensionsLength = 18;
  1173. unsigned int type;
  1174. PACKET sni, tmppkt;
  1175. size_t ext_len;
  1176. tmppkt = hello->extensions;
  1177. if (!PACKET_forward(&tmppkt, 2)
  1178. || !PACKET_get_net_2(&tmppkt, &type)
  1179. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1180. return;
  1181. }
  1182. if (type != TLSEXT_TYPE_server_name)
  1183. return;
  1184. ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
  1185. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1186. s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1187. ext_len);
  1188. }
  1189. #endif /* !OPENSSL_NO_EC */
  1190. MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  1191. {
  1192. /* |cookie| will only be initialized for DTLS. */
  1193. PACKET session_id, compression, extensions, cookie;
  1194. static const unsigned char null_compression = 0;
  1195. CLIENTHELLO_MSG *clienthello = NULL;
  1196. /* Check if this is actually an unexpected renegotiation ClientHello */
  1197. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1198. if (!ossl_assert(!SSL_IS_TLS13(s))) {
  1199. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1200. ERR_R_INTERNAL_ERROR);
  1201. goto err;
  1202. }
  1203. if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
  1204. || (!s->s3->send_connection_binding
  1205. && (s->options
  1206. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1207. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1208. return MSG_PROCESS_FINISHED_READING;
  1209. }
  1210. s->renegotiate = 1;
  1211. s->new_session = 1;
  1212. }
  1213. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1214. if (clienthello == NULL) {
  1215. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1216. ERR_R_INTERNAL_ERROR);
  1217. goto err;
  1218. }
  1219. /*
  1220. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1221. */
  1222. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1223. PACKET_null_init(&cookie);
  1224. if (clienthello->isv2) {
  1225. unsigned int mt;
  1226. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1227. || s->hello_retry_request != SSL_HRR_NONE) {
  1228. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1229. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
  1230. goto err;
  1231. }
  1232. /*-
  1233. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1234. * header is sent directly on the wire, not wrapped as a TLS
  1235. * record. Our record layer just processes the message length and passes
  1236. * the rest right through. Its format is:
  1237. * Byte Content
  1238. * 0-1 msg_length - decoded by the record layer
  1239. * 2 msg_type - s->init_msg points here
  1240. * 3-4 version
  1241. * 5-6 cipher_spec_length
  1242. * 7-8 session_id_length
  1243. * 9-10 challenge_length
  1244. * ... ...
  1245. */
  1246. if (!PACKET_get_1(pkt, &mt)
  1247. || mt != SSL2_MT_CLIENT_HELLO) {
  1248. /*
  1249. * Should never happen. We should have tested this in the record
  1250. * layer in order to have determined that this is a SSLv2 record
  1251. * in the first place
  1252. */
  1253. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1254. ERR_R_INTERNAL_ERROR);
  1255. goto err;
  1256. }
  1257. }
  1258. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1259. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1260. SSL_R_LENGTH_TOO_SHORT);
  1261. goto err;
  1262. }
  1263. /* Parse the message and load client random. */
  1264. if (clienthello->isv2) {
  1265. /*
  1266. * Handle an SSLv2 backwards compatible ClientHello
  1267. * Note, this is only for SSLv3+ using the backward compatible format.
  1268. * Real SSLv2 is not supported, and is rejected below.
  1269. */
  1270. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1271. PACKET challenge;
  1272. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1273. || !PACKET_get_net_2(pkt, &session_id_len)
  1274. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1275. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1276. SSL_R_RECORD_LENGTH_MISMATCH);
  1277. goto err;
  1278. }
  1279. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1280. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1281. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1282. goto err;
  1283. }
  1284. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1285. ciphersuite_len)
  1286. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1287. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1288. /* No extensions. */
  1289. || PACKET_remaining(pkt) != 0) {
  1290. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1291. SSL_R_RECORD_LENGTH_MISMATCH);
  1292. goto err;
  1293. }
  1294. clienthello->session_id_len = session_id_len;
  1295. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1296. * here rather than sizeof(clienthello->random) because that is the limit
  1297. * for SSLv3 and it is fixed. It won't change even if
  1298. * sizeof(clienthello->random) does.
  1299. */
  1300. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1301. ? SSL3_RANDOM_SIZE : challenge_len;
  1302. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1303. if (!PACKET_copy_bytes(&challenge,
  1304. clienthello->random + SSL3_RANDOM_SIZE -
  1305. challenge_len, challenge_len)
  1306. /* Advertise only null compression. */
  1307. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1308. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1309. ERR_R_INTERNAL_ERROR);
  1310. goto err;
  1311. }
  1312. PACKET_null_init(&clienthello->extensions);
  1313. } else {
  1314. /* Regular ClientHello. */
  1315. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1316. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1317. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1318. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1319. &clienthello->session_id_len)) {
  1320. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1321. SSL_R_LENGTH_MISMATCH);
  1322. goto err;
  1323. }
  1324. if (SSL_IS_DTLS(s)) {
  1325. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1326. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1327. SSL_R_LENGTH_MISMATCH);
  1328. goto err;
  1329. }
  1330. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1331. DTLS1_COOKIE_LENGTH,
  1332. &clienthello->dtls_cookie_len)) {
  1333. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1334. SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  1335. goto err;
  1336. }
  1337. /*
  1338. * If we require cookies and this ClientHello doesn't contain one,
  1339. * just return since we do not want to allocate any memory yet.
  1340. * So check cookie length...
  1341. */
  1342. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1343. if (clienthello->dtls_cookie_len == 0) {
  1344. OPENSSL_free(clienthello);
  1345. return MSG_PROCESS_FINISHED_READING;
  1346. }
  1347. }
  1348. }
  1349. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1350. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1351. SSL_R_LENGTH_MISMATCH);
  1352. goto err;
  1353. }
  1354. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1355. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1356. SSL_R_LENGTH_MISMATCH);
  1357. goto err;
  1358. }
  1359. /* Could be empty. */
  1360. if (PACKET_remaining(pkt) == 0) {
  1361. PACKET_null_init(&clienthello->extensions);
  1362. } else {
  1363. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1364. || PACKET_remaining(pkt) != 0) {
  1365. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1366. SSL_R_LENGTH_MISMATCH);
  1367. goto err;
  1368. }
  1369. }
  1370. }
  1371. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1372. MAX_COMPRESSIONS_SIZE,
  1373. &clienthello->compressions_len)) {
  1374. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1375. ERR_R_INTERNAL_ERROR);
  1376. goto err;
  1377. }
  1378. /* Preserve the raw extensions PACKET for later use */
  1379. extensions = clienthello->extensions;
  1380. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1381. &clienthello->pre_proc_exts,
  1382. &clienthello->pre_proc_exts_len, 1)) {
  1383. /* SSLfatal already been called */
  1384. goto err;
  1385. }
  1386. s->clienthello = clienthello;
  1387. return MSG_PROCESS_CONTINUE_PROCESSING;
  1388. err:
  1389. if (clienthello != NULL)
  1390. OPENSSL_free(clienthello->pre_proc_exts);
  1391. OPENSSL_free(clienthello);
  1392. return MSG_PROCESS_ERROR;
  1393. }
  1394. static int tls_early_post_process_client_hello(SSL *s)
  1395. {
  1396. unsigned int j;
  1397. int i, al = SSL_AD_INTERNAL_ERROR;
  1398. int protverr;
  1399. size_t loop;
  1400. unsigned long id;
  1401. #ifndef OPENSSL_NO_COMP
  1402. SSL_COMP *comp = NULL;
  1403. #endif
  1404. const SSL_CIPHER *c;
  1405. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1406. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1407. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1408. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1409. /* Finished parsing the ClientHello, now we can start processing it */
  1410. /* Give the ClientHello callback a crack at things */
  1411. if (s->ctx->client_hello_cb != NULL) {
  1412. /* A failure in the ClientHello callback terminates the connection. */
  1413. switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
  1414. case SSL_CLIENT_HELLO_SUCCESS:
  1415. break;
  1416. case SSL_CLIENT_HELLO_RETRY:
  1417. s->rwstate = SSL_CLIENT_HELLO_CB;
  1418. return -1;
  1419. case SSL_CLIENT_HELLO_ERROR:
  1420. default:
  1421. SSLfatal(s, al,
  1422. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1423. SSL_R_CALLBACK_FAILED);
  1424. goto err;
  1425. }
  1426. }
  1427. /* Set up the client_random */
  1428. memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1429. /* Choose the version */
  1430. if (clienthello->isv2) {
  1431. if (clienthello->legacy_version == SSL2_VERSION
  1432. || (clienthello->legacy_version & 0xff00)
  1433. != (SSL3_VERSION_MAJOR << 8)) {
  1434. /*
  1435. * This is real SSLv2 or something completely unknown. We don't
  1436. * support it.
  1437. */
  1438. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1439. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1440. SSL_R_UNKNOWN_PROTOCOL);
  1441. goto err;
  1442. }
  1443. /* SSLv3/TLS */
  1444. s->client_version = clienthello->legacy_version;
  1445. }
  1446. /*
  1447. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1448. * versions are potentially compatible. Version negotiation comes later.
  1449. */
  1450. if (!SSL_IS_DTLS(s)) {
  1451. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1452. } else if (s->method->version != DTLS_ANY_VERSION &&
  1453. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1454. protverr = SSL_R_VERSION_TOO_LOW;
  1455. } else {
  1456. protverr = 0;
  1457. }
  1458. if (protverr) {
  1459. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1460. /* like ssl3_get_record, send alert using remote version number */
  1461. s->version = s->client_version = clienthello->legacy_version;
  1462. }
  1463. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1464. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1465. goto err;
  1466. }
  1467. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1468. if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1469. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1470. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1471. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1472. goto err;
  1473. }
  1474. if (SSL_IS_DTLS(s)) {
  1475. /* Empty cookie was already handled above by returning early. */
  1476. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1477. if (s->ctx->app_verify_cookie_cb != NULL) {
  1478. if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
  1479. clienthello->dtls_cookie_len) == 0) {
  1480. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1481. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1482. SSL_R_COOKIE_MISMATCH);
  1483. goto err;
  1484. /* else cookie verification succeeded */
  1485. }
  1486. /* default verification */
  1487. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1488. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1489. s->d1->cookie_len) != 0) {
  1490. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1491. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1492. SSL_R_COOKIE_MISMATCH);
  1493. goto err;
  1494. }
  1495. s->d1->cookie_verified = 1;
  1496. }
  1497. if (s->method->version == DTLS_ANY_VERSION) {
  1498. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1499. if (protverr != 0) {
  1500. s->version = s->client_version;
  1501. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1502. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1503. goto err;
  1504. }
  1505. }
  1506. }
  1507. s->hit = 0;
  1508. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1509. clienthello->isv2) ||
  1510. !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
  1511. clienthello->isv2, 1)) {
  1512. /* SSLfatal() already called */
  1513. goto err;
  1514. }
  1515. s->s3->send_connection_binding = 0;
  1516. /* Check what signalling cipher-suite values were received. */
  1517. if (scsvs != NULL) {
  1518. for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1519. c = sk_SSL_CIPHER_value(scsvs, i);
  1520. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1521. if (s->renegotiate) {
  1522. /* SCSV is fatal if renegotiating */
  1523. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1524. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1525. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1526. goto err;
  1527. }
  1528. s->s3->send_connection_binding = 1;
  1529. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1530. !ssl_check_version_downgrade(s)) {
  1531. /*
  1532. * This SCSV indicates that the client previously tried
  1533. * a higher version. We should fail if the current version
  1534. * is an unexpected downgrade, as that indicates that the first
  1535. * connection may have been tampered with in order to trigger
  1536. * an insecure downgrade.
  1537. */
  1538. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1539. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1540. SSL_R_INAPPROPRIATE_FALLBACK);
  1541. goto err;
  1542. }
  1543. }
  1544. }
  1545. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1546. if (SSL_IS_TLS13(s)) {
  1547. const SSL_CIPHER *cipher =
  1548. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1549. if (cipher == NULL) {
  1550. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1551. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1552. SSL_R_NO_SHARED_CIPHER);
  1553. goto err;
  1554. }
  1555. if (s->hello_retry_request == SSL_HRR_PENDING
  1556. && (s->s3->tmp.new_cipher == NULL
  1557. || s->s3->tmp.new_cipher->id != cipher->id)) {
  1558. /*
  1559. * A previous HRR picked a different ciphersuite to the one we
  1560. * just selected. Something must have changed.
  1561. */
  1562. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1563. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1564. SSL_R_BAD_CIPHER);
  1565. goto err;
  1566. }
  1567. s->s3->tmp.new_cipher = cipher;
  1568. }
  1569. /* We need to do this before getting the session */
  1570. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1571. SSL_EXT_CLIENT_HELLO,
  1572. clienthello->pre_proc_exts, NULL, 0)) {
  1573. /* SSLfatal() already called */
  1574. goto err;
  1575. }
  1576. /*
  1577. * We don't allow resumption in a backwards compatible ClientHello.
  1578. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
  1579. *
  1580. * Versions before 0.9.7 always allow clients to resume sessions in
  1581. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1582. * ignore resumption requests with flag
  1583. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1584. * than a change to default behavior so that applications relying on
  1585. * this for security won't even compile against older library versions).
  1586. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1587. * request renegotiation but not a new session (s->new_session remains
  1588. * unset): for servers, this essentially just means that the
  1589. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1590. * ignored.
  1591. */
  1592. if (clienthello->isv2 ||
  1593. (s->new_session &&
  1594. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1595. if (!ssl_get_new_session(s, 1)) {
  1596. /* SSLfatal() already called */
  1597. goto err;
  1598. }
  1599. } else {
  1600. i = ssl_get_prev_session(s, clienthello);
  1601. if (i == 1) {
  1602. /* previous session */
  1603. s->hit = 1;
  1604. } else if (i == -1) {
  1605. /* SSLfatal() already called */
  1606. goto err;
  1607. } else {
  1608. /* i == 0 */
  1609. if (!ssl_get_new_session(s, 1)) {
  1610. /* SSLfatal() already called */
  1611. goto err;
  1612. }
  1613. }
  1614. }
  1615. if (SSL_IS_TLS13(s)) {
  1616. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1617. s->clienthello->session_id_len);
  1618. s->tmp_session_id_len = s->clienthello->session_id_len;
  1619. }
  1620. /*
  1621. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1622. * ciphersuite compatibility with the session as part of resumption.
  1623. */
  1624. if (!SSL_IS_TLS13(s) && s->hit) {
  1625. j = 0;
  1626. id = s->session->cipher->id;
  1627. #ifdef CIPHER_DEBUG
  1628. fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
  1629. #endif
  1630. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1631. c = sk_SSL_CIPHER_value(ciphers, i);
  1632. #ifdef CIPHER_DEBUG
  1633. fprintf(stderr, "client [%2d of %2d]:%s\n",
  1634. i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1635. #endif
  1636. if (c->id == id) {
  1637. j = 1;
  1638. break;
  1639. }
  1640. }
  1641. if (j == 0) {
  1642. /*
  1643. * we need to have the cipher in the cipher list if we are asked
  1644. * to reuse it
  1645. */
  1646. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1647. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1648. SSL_R_REQUIRED_CIPHER_MISSING);
  1649. goto err;
  1650. }
  1651. }
  1652. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1653. if (clienthello->compressions[loop] == 0)
  1654. break;
  1655. }
  1656. if (loop >= clienthello->compressions_len) {
  1657. /* no compress */
  1658. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1659. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1660. SSL_R_NO_COMPRESSION_SPECIFIED);
  1661. goto err;
  1662. }
  1663. #ifndef OPENSSL_NO_EC
  1664. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1665. ssl_check_for_safari(s, clienthello);
  1666. #endif /* !OPENSSL_NO_EC */
  1667. /* TLS extensions */
  1668. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1669. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1670. /* SSLfatal() already called */
  1671. goto err;
  1672. }
  1673. /*
  1674. * Check if we want to use external pre-shared secret for this handshake
  1675. * for not reused session only. We need to generate server_random before
  1676. * calling tls_session_secret_cb in order to allow SessionTicket
  1677. * processing to use it in key derivation.
  1678. */
  1679. {
  1680. unsigned char *pos;
  1681. pos = s->s3->server_random;
  1682. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1683. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1684. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1685. ERR_R_INTERNAL_ERROR);
  1686. goto err;
  1687. }
  1688. }
  1689. if (!s->hit
  1690. && s->version >= TLS1_VERSION
  1691. && !SSL_IS_TLS13(s)
  1692. && !SSL_IS_DTLS(s)
  1693. && s->ext.session_secret_cb) {
  1694. const SSL_CIPHER *pref_cipher = NULL;
  1695. /*
  1696. * s->session->master_key_length is a size_t, but this is an int for
  1697. * backwards compat reasons
  1698. */
  1699. int master_key_length;
  1700. master_key_length = sizeof(s->session->master_key);
  1701. if (s->ext.session_secret_cb(s, s->session->master_key,
  1702. &master_key_length, ciphers,
  1703. &pref_cipher,
  1704. s->ext.session_secret_cb_arg)
  1705. && master_key_length > 0) {
  1706. s->session->master_key_length = master_key_length;
  1707. s->hit = 1;
  1708. s->session->ciphers = ciphers;
  1709. s->session->verify_result = X509_V_OK;
  1710. ciphers = NULL;
  1711. /* check if some cipher was preferred by call back */
  1712. if (pref_cipher == NULL)
  1713. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  1714. SSL_get_ciphers(s));
  1715. if (pref_cipher == NULL) {
  1716. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1717. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1718. SSL_R_NO_SHARED_CIPHER);
  1719. goto err;
  1720. }
  1721. s->session->cipher = pref_cipher;
  1722. sk_SSL_CIPHER_free(s->cipher_list);
  1723. s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1724. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1725. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1726. }
  1727. }
  1728. /*
  1729. * Worst case, we will use the NULL compression, but if we have other
  1730. * options, we will now look for them. We have complen-1 compression
  1731. * algorithms from the client, starting at q.
  1732. */
  1733. s->s3->tmp.new_compression = NULL;
  1734. if (SSL_IS_TLS13(s)) {
  1735. /*
  1736. * We already checked above that the NULL compression method appears in
  1737. * the list. Now we check there aren't any others (which is illegal in
  1738. * a TLSv1.3 ClientHello.
  1739. */
  1740. if (clienthello->compressions_len != 1) {
  1741. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1742. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1743. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1744. goto err;
  1745. }
  1746. }
  1747. #ifndef OPENSSL_NO_COMP
  1748. /* This only happens if we have a cache hit */
  1749. else if (s->session->compress_meth != 0) {
  1750. int m, comp_id = s->session->compress_meth;
  1751. unsigned int k;
  1752. /* Perform sanity checks on resumed compression algorithm */
  1753. /* Can't disable compression */
  1754. if (!ssl_allow_compression(s)) {
  1755. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1756. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1757. SSL_R_INCONSISTENT_COMPRESSION);
  1758. goto err;
  1759. }
  1760. /* Look for resumed compression method */
  1761. for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
  1762. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1763. if (comp_id == comp->id) {
  1764. s->s3->tmp.new_compression = comp;
  1765. break;
  1766. }
  1767. }
  1768. if (s->s3->tmp.new_compression == NULL) {
  1769. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1770. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1771. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1772. goto err;
  1773. }
  1774. /* Look for resumed method in compression list */
  1775. for (k = 0; k < clienthello->compressions_len; k++) {
  1776. if (clienthello->compressions[k] == comp_id)
  1777. break;
  1778. }
  1779. if (k >= clienthello->compressions_len) {
  1780. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1781. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1782. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1783. goto err;
  1784. }
  1785. } else if (s->hit) {
  1786. comp = NULL;
  1787. } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
  1788. /* See if we have a match */
  1789. int m, nn, v, done = 0;
  1790. unsigned int o;
  1791. nn = sk_SSL_COMP_num(s->ctx->comp_methods);
  1792. for (m = 0; m < nn; m++) {
  1793. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1794. v = comp->id;
  1795. for (o = 0; o < clienthello->compressions_len; o++) {
  1796. if (v == clienthello->compressions[o]) {
  1797. done = 1;
  1798. break;
  1799. }
  1800. }
  1801. if (done)
  1802. break;
  1803. }
  1804. if (done)
  1805. s->s3->tmp.new_compression = comp;
  1806. else
  1807. comp = NULL;
  1808. }
  1809. #else
  1810. /*
  1811. * If compression is disabled we'd better not try to resume a session
  1812. * using compression.
  1813. */
  1814. if (s->session->compress_meth != 0) {
  1815. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1816. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1817. SSL_R_INCONSISTENT_COMPRESSION);
  1818. goto err;
  1819. }
  1820. #endif
  1821. /*
  1822. * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
  1823. */
  1824. if (!s->hit || SSL_IS_TLS13(s)) {
  1825. sk_SSL_CIPHER_free(s->session->ciphers);
  1826. s->session->ciphers = ciphers;
  1827. if (ciphers == NULL) {
  1828. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1829. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1830. ERR_R_INTERNAL_ERROR);
  1831. goto err;
  1832. }
  1833. ciphers = NULL;
  1834. }
  1835. if (!s->hit) {
  1836. #ifdef OPENSSL_NO_COMP
  1837. s->session->compress_meth = 0;
  1838. #else
  1839. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1840. #endif
  1841. }
  1842. sk_SSL_CIPHER_free(ciphers);
  1843. sk_SSL_CIPHER_free(scsvs);
  1844. OPENSSL_free(clienthello->pre_proc_exts);
  1845. OPENSSL_free(s->clienthello);
  1846. s->clienthello = NULL;
  1847. return 1;
  1848. err:
  1849. sk_SSL_CIPHER_free(ciphers);
  1850. sk_SSL_CIPHER_free(scsvs);
  1851. OPENSSL_free(clienthello->pre_proc_exts);
  1852. OPENSSL_free(s->clienthello);
  1853. s->clienthello = NULL;
  1854. return 0;
  1855. }
  1856. /*
  1857. * Call the status request callback if needed. Upon success, returns 1.
  1858. * Upon failure, returns 0.
  1859. */
  1860. static int tls_handle_status_request(SSL *s)
  1861. {
  1862. s->ext.status_expected = 0;
  1863. /*
  1864. * If status request then ask callback what to do. Note: this must be
  1865. * called after servername callbacks in case the certificate has changed,
  1866. * and must be called after the cipher has been chosen because this may
  1867. * influence which certificate is sent
  1868. */
  1869. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
  1870. && s->ctx->ext.status_cb != NULL) {
  1871. int ret;
  1872. /* If no certificate can't return certificate status */
  1873. if (s->s3->tmp.cert != NULL) {
  1874. /*
  1875. * Set current certificate to one we will use so SSL_get_certificate
  1876. * et al can pick it up.
  1877. */
  1878. s->cert->key = s->s3->tmp.cert;
  1879. ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
  1880. switch (ret) {
  1881. /* We don't want to send a status request response */
  1882. case SSL_TLSEXT_ERR_NOACK:
  1883. s->ext.status_expected = 0;
  1884. break;
  1885. /* status request response should be sent */
  1886. case SSL_TLSEXT_ERR_OK:
  1887. if (s->ext.ocsp.resp)
  1888. s->ext.status_expected = 1;
  1889. break;
  1890. /* something bad happened */
  1891. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1892. default:
  1893. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1894. SSL_F_TLS_HANDLE_STATUS_REQUEST,
  1895. SSL_R_CLIENTHELLO_TLSEXT);
  1896. return 0;
  1897. }
  1898. }
  1899. }
  1900. return 1;
  1901. }
  1902. /*
  1903. * Call the alpn_select callback if needed. Upon success, returns 1.
  1904. * Upon failure, returns 0.
  1905. */
  1906. int tls_handle_alpn(SSL *s)
  1907. {
  1908. const unsigned char *selected = NULL;
  1909. unsigned char selected_len = 0;
  1910. if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
  1911. int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
  1912. s->s3->alpn_proposed,
  1913. (unsigned int)s->s3->alpn_proposed_len,
  1914. s->ctx->ext.alpn_select_cb_arg);
  1915. if (r == SSL_TLSEXT_ERR_OK) {
  1916. OPENSSL_free(s->s3->alpn_selected);
  1917. s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
  1918. if (s->s3->alpn_selected == NULL) {
  1919. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
  1920. ERR_R_INTERNAL_ERROR);
  1921. return 0;
  1922. }
  1923. s->s3->alpn_selected_len = selected_len;
  1924. #ifndef OPENSSL_NO_NEXTPROTONEG
  1925. /* ALPN takes precedence over NPN. */
  1926. s->s3->npn_seen = 0;
  1927. #endif
  1928. /* Check ALPN is consistent with session */
  1929. if (s->session->ext.alpn_selected == NULL
  1930. || selected_len != s->session->ext.alpn_selected_len
  1931. || memcmp(selected, s->session->ext.alpn_selected,
  1932. selected_len) != 0) {
  1933. /* Not consistent so can't be used for early_data */
  1934. s->ext.early_data_ok = 0;
  1935. if (!s->hit) {
  1936. /*
  1937. * This is a new session and so alpn_selected should have
  1938. * been initialised to NULL. We should update it with the
  1939. * selected ALPN.
  1940. */
  1941. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1942. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1943. SSL_F_TLS_HANDLE_ALPN,
  1944. ERR_R_INTERNAL_ERROR);
  1945. return 0;
  1946. }
  1947. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1948. selected_len);
  1949. if (s->session->ext.alpn_selected == NULL) {
  1950. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1951. SSL_F_TLS_HANDLE_ALPN,
  1952. ERR_R_INTERNAL_ERROR);
  1953. return 0;
  1954. }
  1955. s->session->ext.alpn_selected_len = selected_len;
  1956. }
  1957. }
  1958. return 1;
  1959. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  1960. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
  1961. SSL_R_NO_APPLICATION_PROTOCOL);
  1962. return 0;
  1963. }
  1964. /*
  1965. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  1966. * present.
  1967. */
  1968. }
  1969. /* Check ALPN is consistent with session */
  1970. if (s->session->ext.alpn_selected != NULL) {
  1971. /* Not consistent so can't be used for early_data */
  1972. s->ext.early_data_ok = 0;
  1973. }
  1974. return 1;
  1975. }
  1976. WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1977. {
  1978. const SSL_CIPHER *cipher;
  1979. if (wst == WORK_MORE_A) {
  1980. int rv = tls_early_post_process_client_hello(s);
  1981. if (rv == 0) {
  1982. /* SSLfatal() was already called */
  1983. goto err;
  1984. }
  1985. if (rv < 0)
  1986. return WORK_MORE_A;
  1987. wst = WORK_MORE_B;
  1988. }
  1989. if (wst == WORK_MORE_B) {
  1990. if (!s->hit || SSL_IS_TLS13(s)) {
  1991. /* Let cert callback update server certificates if required */
  1992. if (!s->hit) {
  1993. if (s->cert->cert_cb != NULL) {
  1994. int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  1995. if (rv == 0) {
  1996. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1997. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  1998. SSL_R_CERT_CB_ERROR);
  1999. goto err;
  2000. }
  2001. if (rv < 0) {
  2002. s->rwstate = SSL_X509_LOOKUP;
  2003. return WORK_MORE_B;
  2004. }
  2005. s->rwstate = SSL_NOTHING;
  2006. }
  2007. if (!tls1_set_server_sigalgs(s)) {
  2008. /* SSLfatal already called */
  2009. goto err;
  2010. }
  2011. }
  2012. /* In TLSv1.3 we selected the ciphersuite before resumption */
  2013. if (!SSL_IS_TLS13(s)) {
  2014. cipher =
  2015. ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  2016. if (cipher == NULL) {
  2017. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2018. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  2019. SSL_R_NO_SHARED_CIPHER);
  2020. goto err;
  2021. }
  2022. s->s3->tmp.new_cipher = cipher;
  2023. }
  2024. if (!s->hit) {
  2025. if (!tls_choose_sigalg(s, 1)) {
  2026. /* SSLfatal already called */
  2027. goto err;
  2028. }
  2029. /* check whether we should disable session resumption */
  2030. if (s->not_resumable_session_cb != NULL)
  2031. s->session->not_resumable =
  2032. s->not_resumable_session_cb(s,
  2033. ((s->s3->tmp.new_cipher->algorithm_mkey
  2034. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2035. if (s->session->not_resumable)
  2036. /* do not send a session ticket */
  2037. s->ext.ticket_expected = 0;
  2038. }
  2039. } else {
  2040. /* Session-id reuse */
  2041. s->s3->tmp.new_cipher = s->session->cipher;
  2042. }
  2043. /*-
  2044. * we now have the following setup.
  2045. * client_random
  2046. * cipher_list - our preferred list of ciphers
  2047. * ciphers - the clients preferred list of ciphers
  2048. * compression - basically ignored right now
  2049. * ssl version is set - sslv3
  2050. * s->session - The ssl session has been setup.
  2051. * s->hit - session reuse flag
  2052. * s->s3->tmp.new_cipher- the new cipher to use.
  2053. */
  2054. /*
  2055. * Call status_request callback if needed. Has to be done after the
  2056. * certificate callbacks etc above.
  2057. */
  2058. if (!tls_handle_status_request(s)) {
  2059. /* SSLfatal() already called */
  2060. goto err;
  2061. }
  2062. /*
  2063. * Call alpn_select callback if needed. Has to be done after SNI and
  2064. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2065. * we already did this because cipher negotiation happens earlier, and
  2066. * we must handle ALPN before we decide whether to accept early_data.
  2067. */
  2068. if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2069. /* SSLfatal() already called */
  2070. goto err;
  2071. }
  2072. wst = WORK_MORE_C;
  2073. }
  2074. #ifndef OPENSSL_NO_SRP
  2075. if (wst == WORK_MORE_C) {
  2076. int ret;
  2077. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2078. /*
  2079. * callback indicates further work to be done
  2080. */
  2081. s->rwstate = SSL_X509_LOOKUP;
  2082. return WORK_MORE_C;
  2083. }
  2084. if (ret < 0) {
  2085. /* SSLfatal() already called */
  2086. goto err;
  2087. }
  2088. }
  2089. #endif
  2090. return WORK_FINISHED_STOP;
  2091. err:
  2092. return WORK_ERROR;
  2093. }
  2094. int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  2095. {
  2096. int compm;
  2097. size_t sl, len;
  2098. int version;
  2099. unsigned char *session_id;
  2100. int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
  2101. version = usetls13 ? TLS1_2_VERSION : s->version;
  2102. if (!WPACKET_put_bytes_u16(pkt, version)
  2103. /*
  2104. * Random stuff. Filling of the server_random takes place in
  2105. * tls_process_client_hello()
  2106. */
  2107. || !WPACKET_memcpy(pkt,
  2108. s->hello_retry_request == SSL_HRR_PENDING
  2109. ? hrrrandom : s->s3->server_random,
  2110. SSL3_RANDOM_SIZE)) {
  2111. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2112. ERR_R_INTERNAL_ERROR);
  2113. return 0;
  2114. }
  2115. /*-
  2116. * There are several cases for the session ID to send
  2117. * back in the server hello:
  2118. * - For session reuse from the session cache,
  2119. * we send back the old session ID.
  2120. * - If stateless session reuse (using a session ticket)
  2121. * is successful, we send back the client's "session ID"
  2122. * (which doesn't actually identify the session).
  2123. * - If it is a new session, we send back the new
  2124. * session ID.
  2125. * - However, if we want the new session to be single-use,
  2126. * we send back a 0-length session ID.
  2127. * - In TLSv1.3 we echo back the session id sent to us by the client
  2128. * regardless
  2129. * s->hit is non-zero in either case of session reuse,
  2130. * so the following won't overwrite an ID that we're supposed
  2131. * to send back.
  2132. */
  2133. if (s->session->not_resumable ||
  2134. (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2135. && !s->hit))
  2136. s->session->session_id_length = 0;
  2137. if (usetls13) {
  2138. sl = s->tmp_session_id_len;
  2139. session_id = s->tmp_session_id;
  2140. } else {
  2141. sl = s->session->session_id_length;
  2142. session_id = s->session->session_id;
  2143. }
  2144. if (sl > sizeof(s->session->session_id)) {
  2145. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2146. ERR_R_INTERNAL_ERROR);
  2147. return 0;
  2148. }
  2149. /* set up the compression method */
  2150. #ifdef OPENSSL_NO_COMP
  2151. compm = 0;
  2152. #else
  2153. if (usetls13 || s->s3->tmp.new_compression == NULL)
  2154. compm = 0;
  2155. else
  2156. compm = s->s3->tmp.new_compression->id;
  2157. #endif
  2158. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2159. || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
  2160. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2161. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2162. ERR_R_INTERNAL_ERROR);
  2163. return 0;
  2164. }
  2165. if (!tls_construct_extensions(s, pkt,
  2166. s->hello_retry_request == SSL_HRR_PENDING
  2167. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2168. : (SSL_IS_TLS13(s)
  2169. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2170. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2171. NULL, 0)) {
  2172. /* SSLfatal() already called */
  2173. return 0;
  2174. }
  2175. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2176. /* Ditch the session. We'll create a new one next time around */
  2177. SSL_SESSION_free(s->session);
  2178. s->session = NULL;
  2179. s->hit = 0;
  2180. /*
  2181. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2182. * a synthetic message_hash in place of ClientHello1.
  2183. */
  2184. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2185. /* SSLfatal() already called */
  2186. return 0;
  2187. }
  2188. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2189. && !ssl3_digest_cached_records(s, 0)) {
  2190. /* SSLfatal() already called */;
  2191. return 0;
  2192. }
  2193. return 1;
  2194. }
  2195. int tls_construct_server_done(SSL *s, WPACKET *pkt)
  2196. {
  2197. if (!s->s3->tmp.cert_request) {
  2198. if (!ssl3_digest_cached_records(s, 0)) {
  2199. /* SSLfatal() already called */
  2200. return 0;
  2201. }
  2202. }
  2203. return 1;
  2204. }
  2205. int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
  2206. {
  2207. #ifndef OPENSSL_NO_DH
  2208. EVP_PKEY *pkdh = NULL;
  2209. #endif
  2210. #ifndef OPENSSL_NO_EC
  2211. unsigned char *encodedPoint = NULL;
  2212. size_t encodedlen = 0;
  2213. int curve_id = 0;
  2214. #endif
  2215. const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
  2216. int i;
  2217. unsigned long type;
  2218. const BIGNUM *r[4];
  2219. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2220. EVP_PKEY_CTX *pctx = NULL;
  2221. size_t paramlen, paramoffset;
  2222. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2223. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2224. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2225. goto err;
  2226. }
  2227. if (md_ctx == NULL) {
  2228. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2229. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2230. goto err;
  2231. }
  2232. type = s->s3->tmp.new_cipher->algorithm_mkey;
  2233. r[0] = r[1] = r[2] = r[3] = NULL;
  2234. #ifndef OPENSSL_NO_PSK
  2235. /* Plain PSK or RSAPSK nothing to do */
  2236. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2237. } else
  2238. #endif /* !OPENSSL_NO_PSK */
  2239. #ifndef OPENSSL_NO_DH
  2240. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2241. CERT *cert = s->cert;
  2242. EVP_PKEY *pkdhp = NULL;
  2243. DH *dh;
  2244. if (s->cert->dh_tmp_auto) {
  2245. DH *dhp = ssl_get_auto_dh(s);
  2246. pkdh = EVP_PKEY_new();
  2247. if (pkdh == NULL || dhp == NULL) {
  2248. DH_free(dhp);
  2249. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2250. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2251. ERR_R_INTERNAL_ERROR);
  2252. goto err;
  2253. }
  2254. EVP_PKEY_assign_DH(pkdh, dhp);
  2255. pkdhp = pkdh;
  2256. } else {
  2257. pkdhp = cert->dh_tmp;
  2258. }
  2259. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2260. DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
  2261. pkdh = ssl_dh_to_pkey(dhp);
  2262. if (pkdh == NULL) {
  2263. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2264. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2265. ERR_R_INTERNAL_ERROR);
  2266. goto err;
  2267. }
  2268. pkdhp = pkdh;
  2269. }
  2270. if (pkdhp == NULL) {
  2271. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2272. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2273. SSL_R_MISSING_TMP_DH_KEY);
  2274. goto err;
  2275. }
  2276. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2277. EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
  2278. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2279. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2280. SSL_R_DH_KEY_TOO_SMALL);
  2281. goto err;
  2282. }
  2283. if (s->s3->tmp.pkey != NULL) {
  2284. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2285. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2286. ERR_R_INTERNAL_ERROR);
  2287. goto err;
  2288. }
  2289. s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
  2290. if (s->s3->tmp.pkey == NULL) {
  2291. /* SSLfatal() already called */
  2292. goto err;
  2293. }
  2294. dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
  2295. if (dh == NULL) {
  2296. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2297. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2298. ERR_R_INTERNAL_ERROR);
  2299. goto err;
  2300. }
  2301. EVP_PKEY_free(pkdh);
  2302. pkdh = NULL;
  2303. DH_get0_pqg(dh, &r[0], NULL, &r[1]);
  2304. DH_get0_key(dh, &r[2], NULL);
  2305. } else
  2306. #endif
  2307. #ifndef OPENSSL_NO_EC
  2308. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2309. if (s->s3->tmp.pkey != NULL) {
  2310. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2311. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2312. ERR_R_INTERNAL_ERROR);
  2313. goto err;
  2314. }
  2315. /* Get NID of appropriate shared curve */
  2316. curve_id = tls1_shared_group(s, -2);
  2317. if (curve_id == 0) {
  2318. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2319. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2320. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2321. goto err;
  2322. }
  2323. s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2324. /* Generate a new key for this curve */
  2325. if (s->s3->tmp.pkey == NULL) {
  2326. /* SSLfatal() already called */
  2327. goto err;
  2328. }
  2329. /* Encode the public key. */
  2330. encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
  2331. &encodedPoint);
  2332. if (encodedlen == 0) {
  2333. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2334. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
  2335. goto err;
  2336. }
  2337. /*
  2338. * We'll generate the serverKeyExchange message explicitly so we
  2339. * can set these to NULLs
  2340. */
  2341. r[0] = NULL;
  2342. r[1] = NULL;
  2343. r[2] = NULL;
  2344. r[3] = NULL;
  2345. } else
  2346. #endif /* !OPENSSL_NO_EC */
  2347. #ifndef OPENSSL_NO_SRP
  2348. if (type & SSL_kSRP) {
  2349. if ((s->srp_ctx.N == NULL) ||
  2350. (s->srp_ctx.g == NULL) ||
  2351. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2352. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2353. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2354. SSL_R_MISSING_SRP_PARAM);
  2355. goto err;
  2356. }
  2357. r[0] = s->srp_ctx.N;
  2358. r[1] = s->srp_ctx.g;
  2359. r[2] = s->srp_ctx.s;
  2360. r[3] = s->srp_ctx.B;
  2361. } else
  2362. #endif
  2363. {
  2364. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2365. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2366. SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2367. goto err;
  2368. }
  2369. if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2370. || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2371. lu = NULL;
  2372. } else if (lu == NULL) {
  2373. SSLfatal(s, SSL_AD_DECODE_ERROR,
  2374. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2375. goto err;
  2376. }
  2377. #ifndef OPENSSL_NO_PSK
  2378. if (type & SSL_PSK) {
  2379. size_t len = (s->cert->psk_identity_hint == NULL)
  2380. ? 0 : strlen(s->cert->psk_identity_hint);
  2381. /*
  2382. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2383. * checked this when we set the identity hint - but just in case
  2384. */
  2385. if (len > PSK_MAX_IDENTITY_LEN
  2386. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2387. len)) {
  2388. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2389. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2390. ERR_R_INTERNAL_ERROR);
  2391. goto err;
  2392. }
  2393. }
  2394. #endif
  2395. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2396. unsigned char *binval;
  2397. int res;
  2398. #ifndef OPENSSL_NO_SRP
  2399. if ((i == 2) && (type & SSL_kSRP)) {
  2400. res = WPACKET_start_sub_packet_u8(pkt);
  2401. } else
  2402. #endif
  2403. res = WPACKET_start_sub_packet_u16(pkt);
  2404. if (!res) {
  2405. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2406. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2407. ERR_R_INTERNAL_ERROR);
  2408. goto err;
  2409. }
  2410. #ifndef OPENSSL_NO_DH
  2411. /*-
  2412. * for interoperability with some versions of the Microsoft TLS
  2413. * stack, we need to zero pad the DHE pub key to the same length
  2414. * as the prime
  2415. */
  2416. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2417. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2418. if (len > 0) {
  2419. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2420. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2421. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2422. ERR_R_INTERNAL_ERROR);
  2423. goto err;
  2424. }
  2425. memset(binval, 0, len);
  2426. }
  2427. }
  2428. #endif
  2429. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2430. || !WPACKET_close(pkt)) {
  2431. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2432. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2433. ERR_R_INTERNAL_ERROR);
  2434. goto err;
  2435. }
  2436. BN_bn2bin(r[i], binval);
  2437. }
  2438. #ifndef OPENSSL_NO_EC
  2439. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2440. /*
  2441. * We only support named (not generic) curves. In this situation, the
  2442. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2443. * [1 byte length of encoded point], followed by the actual encoded
  2444. * point itself
  2445. */
  2446. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2447. || !WPACKET_put_bytes_u8(pkt, 0)
  2448. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2449. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2450. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2451. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2452. ERR_R_INTERNAL_ERROR);
  2453. goto err;
  2454. }
  2455. OPENSSL_free(encodedPoint);
  2456. encodedPoint = NULL;
  2457. }
  2458. #endif
  2459. /* not anonymous */
  2460. if (lu != NULL) {
  2461. EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
  2462. const EVP_MD *md;
  2463. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2464. size_t siglen, tbslen;
  2465. int rv;
  2466. if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
  2467. /* Should never happen */
  2468. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2469. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2470. ERR_R_INTERNAL_ERROR);
  2471. goto err;
  2472. }
  2473. /* Get length of the parameters we have written above */
  2474. if (!WPACKET_get_length(pkt, &paramlen)) {
  2475. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2476. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2477. ERR_R_INTERNAL_ERROR);
  2478. goto err;
  2479. }
  2480. /* send signature algorithm */
  2481. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2482. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2483. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2484. ERR_R_INTERNAL_ERROR);
  2485. goto err;
  2486. }
  2487. /*
  2488. * Create the signature. We don't know the actual length of the sig
  2489. * until after we've created it, so we reserve enough bytes for it
  2490. * up front, and then properly allocate them in the WPACKET
  2491. * afterwards.
  2492. */
  2493. siglen = EVP_PKEY_size(pkey);
  2494. if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2495. || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
  2496. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2497. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2498. ERR_R_INTERNAL_ERROR);
  2499. goto err;
  2500. }
  2501. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2502. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2503. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2504. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2505. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2506. ERR_R_EVP_LIB);
  2507. goto err;
  2508. }
  2509. }
  2510. tbslen = construct_key_exchange_tbs(s, &tbs,
  2511. s->init_buf->data + paramoffset,
  2512. paramlen);
  2513. if (tbslen == 0) {
  2514. /* SSLfatal() already called */
  2515. goto err;
  2516. }
  2517. rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
  2518. OPENSSL_free(tbs);
  2519. if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2520. || sigbytes1 != sigbytes2) {
  2521. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2522. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2523. ERR_R_INTERNAL_ERROR);
  2524. goto err;
  2525. }
  2526. }
  2527. EVP_MD_CTX_free(md_ctx);
  2528. return 1;
  2529. err:
  2530. #ifndef OPENSSL_NO_DH
  2531. EVP_PKEY_free(pkdh);
  2532. #endif
  2533. #ifndef OPENSSL_NO_EC
  2534. OPENSSL_free(encodedPoint);
  2535. #endif
  2536. EVP_MD_CTX_free(md_ctx);
  2537. return 0;
  2538. }
  2539. int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
  2540. {
  2541. if (SSL_IS_TLS13(s)) {
  2542. /* Send random context when doing post-handshake auth */
  2543. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2544. OPENSSL_free(s->pha_context);
  2545. s->pha_context_len = 32;
  2546. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
  2547. || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
  2548. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
  2549. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2550. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2551. ERR_R_INTERNAL_ERROR);
  2552. return 0;
  2553. }
  2554. /* reset the handshake hash back to just after the ClientFinished */
  2555. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2556. /* SSLfatal() already called */
  2557. return 0;
  2558. }
  2559. } else {
  2560. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2561. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2562. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2563. ERR_R_INTERNAL_ERROR);
  2564. return 0;
  2565. }
  2566. }
  2567. if (!tls_construct_extensions(s, pkt,
  2568. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2569. 0)) {
  2570. /* SSLfatal() already called */
  2571. return 0;
  2572. }
  2573. goto done;
  2574. }
  2575. /* get the list of acceptable cert types */
  2576. if (!WPACKET_start_sub_packet_u8(pkt)
  2577. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2578. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2579. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
  2580. return 0;
  2581. }
  2582. if (SSL_USE_SIGALGS(s)) {
  2583. const uint16_t *psigs;
  2584. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2585. if (!WPACKET_start_sub_packet_u16(pkt)
  2586. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2587. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2588. || !WPACKET_close(pkt)) {
  2589. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2590. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2591. ERR_R_INTERNAL_ERROR);
  2592. return 0;
  2593. }
  2594. }
  2595. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2596. /* SSLfatal() already called */
  2597. return 0;
  2598. }
  2599. done:
  2600. s->certreqs_sent++;
  2601. s->s3->tmp.cert_request = 1;
  2602. return 1;
  2603. }
  2604. static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
  2605. {
  2606. #ifndef OPENSSL_NO_PSK
  2607. unsigned char psk[PSK_MAX_PSK_LEN];
  2608. size_t psklen;
  2609. PACKET psk_identity;
  2610. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2611. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2612. SSL_R_LENGTH_MISMATCH);
  2613. return 0;
  2614. }
  2615. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2616. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2617. SSL_R_DATA_LENGTH_TOO_LONG);
  2618. return 0;
  2619. }
  2620. if (s->psk_server_callback == NULL) {
  2621. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2622. SSL_R_PSK_NO_SERVER_CB);
  2623. return 0;
  2624. }
  2625. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2626. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2627. ERR_R_INTERNAL_ERROR);
  2628. return 0;
  2629. }
  2630. psklen = s->psk_server_callback(s, s->session->psk_identity,
  2631. psk, sizeof(psk));
  2632. if (psklen > PSK_MAX_PSK_LEN) {
  2633. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2634. ERR_R_INTERNAL_ERROR);
  2635. return 0;
  2636. } else if (psklen == 0) {
  2637. /*
  2638. * PSK related to the given identity not found
  2639. */
  2640. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  2641. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2642. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2643. return 0;
  2644. }
  2645. OPENSSL_free(s->s3->tmp.psk);
  2646. s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
  2647. OPENSSL_cleanse(psk, psklen);
  2648. if (s->s3->tmp.psk == NULL) {
  2649. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2650. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
  2651. return 0;
  2652. }
  2653. s->s3->tmp.psklen = psklen;
  2654. return 1;
  2655. #else
  2656. /* Should never happen */
  2657. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2658. ERR_R_INTERNAL_ERROR);
  2659. return 0;
  2660. #endif
  2661. }
  2662. static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
  2663. {
  2664. #ifndef OPENSSL_NO_RSA
  2665. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  2666. int decrypt_len;
  2667. unsigned char decrypt_good, version_good;
  2668. size_t j, padding_len;
  2669. PACKET enc_premaster;
  2670. RSA *rsa = NULL;
  2671. unsigned char *rsa_decrypt = NULL;
  2672. int ret = 0;
  2673. rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
  2674. if (rsa == NULL) {
  2675. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2676. SSL_R_MISSING_RSA_CERTIFICATE);
  2677. return 0;
  2678. }
  2679. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2680. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2681. enc_premaster = *pkt;
  2682. } else {
  2683. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2684. || PACKET_remaining(pkt) != 0) {
  2685. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2686. SSL_R_LENGTH_MISMATCH);
  2687. return 0;
  2688. }
  2689. }
  2690. /*
  2691. * We want to be sure that the plaintext buffer size makes it safe to
  2692. * iterate over the entire size of a premaster secret
  2693. * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
  2694. * their ciphertext cannot accommodate a premaster secret anyway.
  2695. */
  2696. if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
  2697. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2698. RSA_R_KEY_SIZE_TOO_SMALL);
  2699. return 0;
  2700. }
  2701. rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
  2702. if (rsa_decrypt == NULL) {
  2703. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2704. ERR_R_MALLOC_FAILURE);
  2705. return 0;
  2706. }
  2707. /*
  2708. * We must not leak whether a decryption failure occurs because of
  2709. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2710. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  2711. * generates a random premaster secret for the case that the decrypt
  2712. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2713. */
  2714. if (RAND_priv_bytes(rand_premaster_secret,
  2715. sizeof(rand_premaster_secret)) <= 0) {
  2716. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2717. ERR_R_INTERNAL_ERROR);
  2718. goto err;
  2719. }
  2720. /*
  2721. * Decrypt with no padding. PKCS#1 padding will be removed as part of
  2722. * the timing-sensitive code below.
  2723. */
  2724. /* TODO(size_t): Convert this function */
  2725. decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
  2726. PACKET_data(&enc_premaster),
  2727. rsa_decrypt, rsa, RSA_NO_PADDING);
  2728. if (decrypt_len < 0) {
  2729. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2730. ERR_R_INTERNAL_ERROR);
  2731. goto err;
  2732. }
  2733. /* Check the padding. See RFC 3447, section 7.2.2. */
  2734. /*
  2735. * The smallest padded premaster is 11 bytes of overhead. Small keys
  2736. * are publicly invalid, so this may return immediately. This ensures
  2737. * PS is at least 8 bytes.
  2738. */
  2739. if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
  2740. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2741. SSL_R_DECRYPTION_FAILED);
  2742. goto err;
  2743. }
  2744. padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
  2745. decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
  2746. constant_time_eq_int_8(rsa_decrypt[1], 2);
  2747. for (j = 2; j < padding_len - 1; j++) {
  2748. decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
  2749. }
  2750. decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
  2751. /*
  2752. * If the version in the decrypted pre-master secret is correct then
  2753. * version_good will be 0xff, otherwise it'll be zero. The
  2754. * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  2755. * (http://eprint.iacr.org/2003/052/) exploits the version number
  2756. * check as a "bad version oracle". Thus version checks are done in
  2757. * constant time and are treated like any other decryption error.
  2758. */
  2759. version_good =
  2760. constant_time_eq_8(rsa_decrypt[padding_len],
  2761. (unsigned)(s->client_version >> 8));
  2762. version_good &=
  2763. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2764. (unsigned)(s->client_version & 0xff));
  2765. /*
  2766. * The premaster secret must contain the same version number as the
  2767. * ClientHello to detect version rollback attacks (strangely, the
  2768. * protocol does not offer such protection for DH ciphersuites).
  2769. * However, buggy clients exist that send the negotiated protocol
  2770. * version instead if the server does not support the requested
  2771. * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
  2772. * clients.
  2773. */
  2774. if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
  2775. unsigned char workaround_good;
  2776. workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
  2777. (unsigned)(s->version >> 8));
  2778. workaround_good &=
  2779. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2780. (unsigned)(s->version & 0xff));
  2781. version_good |= workaround_good;
  2782. }
  2783. /*
  2784. * Both decryption and version must be good for decrypt_good to
  2785. * remain non-zero (0xff).
  2786. */
  2787. decrypt_good &= version_good;
  2788. /*
  2789. * Now copy rand_premaster_secret over from p using
  2790. * decrypt_good_mask. If decryption failed, then p does not
  2791. * contain valid plaintext, however, a check above guarantees
  2792. * it is still sufficiently large to read from.
  2793. */
  2794. for (j = 0; j < sizeof(rand_premaster_secret); j++) {
  2795. rsa_decrypt[padding_len + j] =
  2796. constant_time_select_8(decrypt_good,
  2797. rsa_decrypt[padding_len + j],
  2798. rand_premaster_secret[j]);
  2799. }
  2800. if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
  2801. sizeof(rand_premaster_secret), 0)) {
  2802. /* SSLfatal() already called */
  2803. goto err;
  2804. }
  2805. ret = 1;
  2806. err:
  2807. OPENSSL_free(rsa_decrypt);
  2808. return ret;
  2809. #else
  2810. /* Should never happen */
  2811. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2812. ERR_R_INTERNAL_ERROR);
  2813. return 0;
  2814. #endif
  2815. }
  2816. static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
  2817. {
  2818. #ifndef OPENSSL_NO_DH
  2819. EVP_PKEY *skey = NULL;
  2820. DH *cdh;
  2821. unsigned int i;
  2822. BIGNUM *pub_key;
  2823. const unsigned char *data;
  2824. EVP_PKEY *ckey = NULL;
  2825. int ret = 0;
  2826. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2827. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2828. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2829. goto err;
  2830. }
  2831. skey = s->s3->tmp.pkey;
  2832. if (skey == NULL) {
  2833. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2834. SSL_R_MISSING_TMP_DH_KEY);
  2835. goto err;
  2836. }
  2837. if (PACKET_remaining(pkt) == 0L) {
  2838. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2839. SSL_R_MISSING_TMP_DH_KEY);
  2840. goto err;
  2841. }
  2842. if (!PACKET_get_bytes(pkt, &data, i)) {
  2843. /* We already checked we have enough data */
  2844. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2845. ERR_R_INTERNAL_ERROR);
  2846. goto err;
  2847. }
  2848. ckey = EVP_PKEY_new();
  2849. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2850. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2851. SSL_R_BN_LIB);
  2852. goto err;
  2853. }
  2854. cdh = EVP_PKEY_get0_DH(ckey);
  2855. pub_key = BN_bin2bn(data, i, NULL);
  2856. if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
  2857. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2858. ERR_R_INTERNAL_ERROR);
  2859. BN_free(pub_key);
  2860. goto err;
  2861. }
  2862. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2863. /* SSLfatal() already called */
  2864. goto err;
  2865. }
  2866. ret = 1;
  2867. EVP_PKEY_free(s->s3->tmp.pkey);
  2868. s->s3->tmp.pkey = NULL;
  2869. err:
  2870. EVP_PKEY_free(ckey);
  2871. return ret;
  2872. #else
  2873. /* Should never happen */
  2874. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2875. ERR_R_INTERNAL_ERROR);
  2876. return 0;
  2877. #endif
  2878. }
  2879. static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
  2880. {
  2881. #ifndef OPENSSL_NO_EC
  2882. EVP_PKEY *skey = s->s3->tmp.pkey;
  2883. EVP_PKEY *ckey = NULL;
  2884. int ret = 0;
  2885. if (PACKET_remaining(pkt) == 0L) {
  2886. /* We don't support ECDH client auth */
  2887. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2888. SSL_R_MISSING_TMP_ECDH_KEY);
  2889. goto err;
  2890. } else {
  2891. unsigned int i;
  2892. const unsigned char *data;
  2893. /*
  2894. * Get client's public key from encoded point in the
  2895. * ClientKeyExchange message.
  2896. */
  2897. /* Get encoded point length */
  2898. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2899. || PACKET_remaining(pkt) != 0) {
  2900. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2901. SSL_R_LENGTH_MISMATCH);
  2902. goto err;
  2903. }
  2904. if (skey == NULL) {
  2905. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2906. SSL_R_MISSING_TMP_ECDH_KEY);
  2907. goto err;
  2908. }
  2909. ckey = EVP_PKEY_new();
  2910. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2911. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2912. ERR_R_EVP_LIB);
  2913. goto err;
  2914. }
  2915. if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
  2916. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2917. ERR_R_EC_LIB);
  2918. goto err;
  2919. }
  2920. }
  2921. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2922. /* SSLfatal() already called */
  2923. goto err;
  2924. }
  2925. ret = 1;
  2926. EVP_PKEY_free(s->s3->tmp.pkey);
  2927. s->s3->tmp.pkey = NULL;
  2928. err:
  2929. EVP_PKEY_free(ckey);
  2930. return ret;
  2931. #else
  2932. /* Should never happen */
  2933. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2934. ERR_R_INTERNAL_ERROR);
  2935. return 0;
  2936. #endif
  2937. }
  2938. static int tls_process_cke_srp(SSL *s, PACKET *pkt)
  2939. {
  2940. #ifndef OPENSSL_NO_SRP
  2941. unsigned int i;
  2942. const unsigned char *data;
  2943. if (!PACKET_get_net_2(pkt, &i)
  2944. || !PACKET_get_bytes(pkt, &data, i)) {
  2945. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2946. SSL_R_BAD_SRP_A_LENGTH);
  2947. return 0;
  2948. }
  2949. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2950. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2951. ERR_R_BN_LIB);
  2952. return 0;
  2953. }
  2954. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2955. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
  2956. SSL_R_BAD_SRP_PARAMETERS);
  2957. return 0;
  2958. }
  2959. OPENSSL_free(s->session->srp_username);
  2960. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2961. if (s->session->srp_username == NULL) {
  2962. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2963. ERR_R_MALLOC_FAILURE);
  2964. return 0;
  2965. }
  2966. if (!srp_generate_server_master_secret(s)) {
  2967. /* SSLfatal() already called */
  2968. return 0;
  2969. }
  2970. return 1;
  2971. #else
  2972. /* Should never happen */
  2973. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2974. ERR_R_INTERNAL_ERROR);
  2975. return 0;
  2976. #endif
  2977. }
  2978. static int tls_process_cke_gost(SSL *s, PACKET *pkt)
  2979. {
  2980. #ifndef OPENSSL_NO_GOST
  2981. EVP_PKEY_CTX *pkey_ctx;
  2982. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2983. unsigned char premaster_secret[32];
  2984. const unsigned char *start;
  2985. size_t outlen = 32, inlen;
  2986. unsigned long alg_a;
  2987. unsigned int asn1id, asn1len;
  2988. int ret = 0;
  2989. PACKET encdata;
  2990. /* Get our certificate private key */
  2991. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  2992. if (alg_a & SSL_aGOST12) {
  2993. /*
  2994. * New GOST ciphersuites have SSL_aGOST01 bit too
  2995. */
  2996. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  2997. if (pk == NULL) {
  2998. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2999. }
  3000. if (pk == NULL) {
  3001. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3002. }
  3003. } else if (alg_a & SSL_aGOST01) {
  3004. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3005. }
  3006. pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
  3007. if (pkey_ctx == NULL) {
  3008. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3009. ERR_R_MALLOC_FAILURE);
  3010. return 0;
  3011. }
  3012. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  3013. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3014. ERR_R_INTERNAL_ERROR);
  3015. return 0;
  3016. }
  3017. /*
  3018. * If client certificate is present and is of the same type, maybe
  3019. * use it for key exchange. Don't mind errors from
  3020. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  3021. * client certificate for authorization only.
  3022. */
  3023. client_pub_pkey = X509_get0_pubkey(s->session->peer);
  3024. if (client_pub_pkey) {
  3025. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  3026. ERR_clear_error();
  3027. }
  3028. /* Decrypt session key */
  3029. if (!PACKET_get_1(pkt, &asn1id)
  3030. || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
  3031. || !PACKET_peek_1(pkt, &asn1len)) {
  3032. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3033. SSL_R_DECRYPTION_FAILED);
  3034. goto err;
  3035. }
  3036. if (asn1len == 0x81) {
  3037. /*
  3038. * Long form length. Should only be one byte of length. Anything else
  3039. * isn't supported.
  3040. * We did a successful peek before so this shouldn't fail
  3041. */
  3042. if (!PACKET_forward(pkt, 1)) {
  3043. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3044. SSL_R_DECRYPTION_FAILED);
  3045. goto err;
  3046. }
  3047. } else if (asn1len >= 0x80) {
  3048. /*
  3049. * Indefinite length, or more than one long form length bytes. We don't
  3050. * support it
  3051. */
  3052. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3053. SSL_R_DECRYPTION_FAILED);
  3054. goto err;
  3055. } /* else short form length */
  3056. if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
  3057. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3058. SSL_R_DECRYPTION_FAILED);
  3059. goto err;
  3060. }
  3061. inlen = PACKET_remaining(&encdata);
  3062. start = PACKET_data(&encdata);
  3063. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  3064. inlen) <= 0) {
  3065. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3066. SSL_R_DECRYPTION_FAILED);
  3067. goto err;
  3068. }
  3069. /* Generate master secret */
  3070. if (!ssl_generate_master_secret(s, premaster_secret,
  3071. sizeof(premaster_secret), 0)) {
  3072. /* SSLfatal() already called */
  3073. goto err;
  3074. }
  3075. /* Check if pubkey from client certificate was used */
  3076. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  3077. NULL) > 0)
  3078. s->statem.no_cert_verify = 1;
  3079. ret = 1;
  3080. err:
  3081. EVP_PKEY_CTX_free(pkey_ctx);
  3082. return ret;
  3083. #else
  3084. /* Should never happen */
  3085. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3086. ERR_R_INTERNAL_ERROR);
  3087. return 0;
  3088. #endif
  3089. }
  3090. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
  3091. {
  3092. unsigned long alg_k;
  3093. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  3094. /* For PSK parse and retrieve identity, obtain PSK key */
  3095. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3096. /* SSLfatal() already called */
  3097. goto err;
  3098. }
  3099. if (alg_k & SSL_kPSK) {
  3100. /* Identity extracted earlier: should be nothing left */
  3101. if (PACKET_remaining(pkt) != 0) {
  3102. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3103. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3104. SSL_R_LENGTH_MISMATCH);
  3105. goto err;
  3106. }
  3107. /* PSK handled by ssl_generate_master_secret */
  3108. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3109. /* SSLfatal() already called */
  3110. goto err;
  3111. }
  3112. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3113. if (!tls_process_cke_rsa(s, pkt)) {
  3114. /* SSLfatal() already called */
  3115. goto err;
  3116. }
  3117. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3118. if (!tls_process_cke_dhe(s, pkt)) {
  3119. /* SSLfatal() already called */
  3120. goto err;
  3121. }
  3122. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3123. if (!tls_process_cke_ecdhe(s, pkt)) {
  3124. /* SSLfatal() already called */
  3125. goto err;
  3126. }
  3127. } else if (alg_k & SSL_kSRP) {
  3128. if (!tls_process_cke_srp(s, pkt)) {
  3129. /* SSLfatal() already called */
  3130. goto err;
  3131. }
  3132. } else if (alg_k & SSL_kGOST) {
  3133. if (!tls_process_cke_gost(s, pkt)) {
  3134. /* SSLfatal() already called */
  3135. goto err;
  3136. }
  3137. } else {
  3138. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3139. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3140. SSL_R_UNKNOWN_CIPHER_TYPE);
  3141. goto err;
  3142. }
  3143. return MSG_PROCESS_CONTINUE_PROCESSING;
  3144. err:
  3145. #ifndef OPENSSL_NO_PSK
  3146. OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
  3147. s->s3->tmp.psk = NULL;
  3148. #endif
  3149. return MSG_PROCESS_ERROR;
  3150. }
  3151. WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
  3152. {
  3153. #ifndef OPENSSL_NO_SCTP
  3154. if (wst == WORK_MORE_A) {
  3155. if (SSL_IS_DTLS(s)) {
  3156. unsigned char sctpauthkey[64];
  3157. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3158. /*
  3159. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3160. * used.
  3161. */
  3162. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3163. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3164. if (SSL_export_keying_material(s, sctpauthkey,
  3165. sizeof(sctpauthkey), labelbuffer,
  3166. sizeof(labelbuffer), NULL, 0,
  3167. 0) <= 0) {
  3168. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3169. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3170. ERR_R_INTERNAL_ERROR);
  3171. return WORK_ERROR;
  3172. }
  3173. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3174. sizeof(sctpauthkey), sctpauthkey);
  3175. }
  3176. }
  3177. #endif
  3178. if (s->statem.no_cert_verify || !s->session->peer) {
  3179. /*
  3180. * No certificate verify or no peer certificate so we no longer need
  3181. * the handshake_buffer
  3182. */
  3183. if (!ssl3_digest_cached_records(s, 0)) {
  3184. /* SSLfatal() already called */
  3185. return WORK_ERROR;
  3186. }
  3187. return WORK_FINISHED_CONTINUE;
  3188. } else {
  3189. if (!s->s3->handshake_buffer) {
  3190. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3191. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3192. ERR_R_INTERNAL_ERROR);
  3193. return WORK_ERROR;
  3194. }
  3195. /*
  3196. * For sigalgs freeze the handshake buffer. If we support
  3197. * extms we've done this already so this is a no-op
  3198. */
  3199. if (!ssl3_digest_cached_records(s, 1)) {
  3200. /* SSLfatal() already called */
  3201. return WORK_ERROR;
  3202. }
  3203. }
  3204. return WORK_FINISHED_CONTINUE;
  3205. }
  3206. MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
  3207. {
  3208. int i;
  3209. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3210. X509 *x = NULL;
  3211. unsigned long l;
  3212. const unsigned char *certstart, *certbytes;
  3213. STACK_OF(X509) *sk = NULL;
  3214. PACKET spkt, context;
  3215. size_t chainidx;
  3216. SSL_SESSION *new_sess = NULL;
  3217. /*
  3218. * To get this far we must have read encrypted data from the client. We no
  3219. * longer tolerate unencrypted alerts. This value is ignored if less than
  3220. * TLSv1.3
  3221. */
  3222. s->statem.enc_read_state = ENC_READ_STATE_VALID;
  3223. if ((sk = sk_X509_new_null()) == NULL) {
  3224. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3225. ERR_R_MALLOC_FAILURE);
  3226. goto err;
  3227. }
  3228. if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
  3229. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3230. || (s->pha_context != NULL &&
  3231. !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
  3232. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3233. SSL_R_INVALID_CONTEXT);
  3234. goto err;
  3235. }
  3236. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3237. || PACKET_remaining(pkt) != 0) {
  3238. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3239. SSL_R_LENGTH_MISMATCH);
  3240. goto err;
  3241. }
  3242. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3243. if (!PACKET_get_net_3(&spkt, &l)
  3244. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3245. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3246. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3247. SSL_R_CERT_LENGTH_MISMATCH);
  3248. goto err;
  3249. }
  3250. certstart = certbytes;
  3251. x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
  3252. if (x == NULL) {
  3253. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3254. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
  3255. goto err;
  3256. }
  3257. if (certbytes != (certstart + l)) {
  3258. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3259. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3260. SSL_R_CERT_LENGTH_MISMATCH);
  3261. goto err;
  3262. }
  3263. if (SSL_IS_TLS13(s)) {
  3264. RAW_EXTENSION *rawexts = NULL;
  3265. PACKET extensions;
  3266. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3267. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3268. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3269. SSL_R_BAD_LENGTH);
  3270. goto err;
  3271. }
  3272. if (!tls_collect_extensions(s, &extensions,
  3273. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3274. NULL, chainidx == 0)
  3275. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3276. rawexts, x, chainidx,
  3277. PACKET_remaining(&spkt) == 0)) {
  3278. OPENSSL_free(rawexts);
  3279. goto err;
  3280. }
  3281. OPENSSL_free(rawexts);
  3282. }
  3283. if (!sk_X509_push(sk, x)) {
  3284. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3285. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3286. ERR_R_MALLOC_FAILURE);
  3287. goto err;
  3288. }
  3289. x = NULL;
  3290. }
  3291. if (sk_X509_num(sk) <= 0) {
  3292. /* TLS does not mind 0 certs returned */
  3293. if (s->version == SSL3_VERSION) {
  3294. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3295. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3296. SSL_R_NO_CERTIFICATES_RETURNED);
  3297. goto err;
  3298. }
  3299. /* Fail for TLS only if we required a certificate */
  3300. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3301. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3302. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3303. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3304. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3305. goto err;
  3306. }
  3307. /* No client certificate so digest cached records */
  3308. if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3309. /* SSLfatal() already called */
  3310. goto err;
  3311. }
  3312. } else {
  3313. EVP_PKEY *pkey;
  3314. i = ssl_verify_cert_chain(s, sk);
  3315. if (i <= 0) {
  3316. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3317. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3318. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3319. goto err;
  3320. }
  3321. if (i > 1) {
  3322. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3323. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
  3324. goto err;
  3325. }
  3326. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3327. if (pkey == NULL) {
  3328. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3329. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3330. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3331. goto err;
  3332. }
  3333. }
  3334. /*
  3335. * Sessions must be immutable once they go into the session cache. Otherwise
  3336. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3337. * we replace them with a duplicate. Here, we need to do this every time
  3338. * a new certificate is received via post-handshake authentication, as the
  3339. * session may have already gone into the session cache.
  3340. */
  3341. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3342. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3343. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3344. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3345. ERR_R_MALLOC_FAILURE);
  3346. goto err;
  3347. }
  3348. SSL_SESSION_free(s->session);
  3349. s->session = new_sess;
  3350. }
  3351. X509_free(s->session->peer);
  3352. s->session->peer = sk_X509_shift(sk);
  3353. s->session->verify_result = s->verify_result;
  3354. sk_X509_pop_free(s->session->peer_chain, X509_free);
  3355. s->session->peer_chain = sk;
  3356. /*
  3357. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3358. * message
  3359. */
  3360. if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3361. /* SSLfatal() already called */
  3362. goto err;
  3363. }
  3364. /*
  3365. * Inconsistency alert: cert_chain does *not* include the peer's own
  3366. * certificate, while we do include it in statem_clnt.c
  3367. */
  3368. sk = NULL;
  3369. /* Save the current hash state for when we receive the CertificateVerify */
  3370. if (SSL_IS_TLS13(s)) {
  3371. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3372. sizeof(s->cert_verify_hash),
  3373. &s->cert_verify_hash_len)) {
  3374. /* SSLfatal() already called */
  3375. goto err;
  3376. }
  3377. /* Resend session tickets */
  3378. s->sent_tickets = 0;
  3379. }
  3380. ret = MSG_PROCESS_CONTINUE_READING;
  3381. err:
  3382. X509_free(x);
  3383. sk_X509_pop_free(sk, X509_free);
  3384. return ret;
  3385. }
  3386. int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
  3387. {
  3388. CERT_PKEY *cpk = s->s3->tmp.cert;
  3389. if (cpk == NULL) {
  3390. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3391. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3392. return 0;
  3393. }
  3394. /*
  3395. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3396. * for the server Certificate message
  3397. */
  3398. if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3399. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3400. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3401. return 0;
  3402. }
  3403. if (!ssl3_output_cert_chain(s, pkt, cpk)) {
  3404. /* SSLfatal() already called */
  3405. return 0;
  3406. }
  3407. return 1;
  3408. }
  3409. static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
  3410. unsigned char *tick_nonce)
  3411. {
  3412. /*
  3413. * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
  3414. * unspecified for resumed session (for simplicity).
  3415. * In TLSv1.3 we reset the "time" field above, and always specify the
  3416. * timeout.
  3417. */
  3418. if (!WPACKET_put_bytes_u32(pkt,
  3419. (s->hit && !SSL_IS_TLS13(s))
  3420. ? 0 : s->session->timeout)) {
  3421. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3422. ERR_R_INTERNAL_ERROR);
  3423. return 0;
  3424. }
  3425. if (SSL_IS_TLS13(s)) {
  3426. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3427. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3428. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3429. ERR_R_INTERNAL_ERROR);
  3430. return 0;
  3431. }
  3432. }
  3433. /* Start the sub-packet for the actual ticket data */
  3434. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3435. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3436. ERR_R_INTERNAL_ERROR);
  3437. return 0;
  3438. }
  3439. return 1;
  3440. }
  3441. static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3442. unsigned char *tick_nonce)
  3443. {
  3444. unsigned char *senc = NULL;
  3445. EVP_CIPHER_CTX *ctx = NULL;
  3446. HMAC_CTX *hctx = NULL;
  3447. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3448. const unsigned char *const_p;
  3449. int len, slen_full, slen, lenfinal;
  3450. SSL_SESSION *sess;
  3451. unsigned int hlen;
  3452. SSL_CTX *tctx = s->session_ctx;
  3453. unsigned char iv[EVP_MAX_IV_LENGTH];
  3454. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3455. int iv_len, ok = 0;
  3456. size_t macoffset, macendoffset;
  3457. /* get session encoding length */
  3458. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3459. /*
  3460. * Some length values are 16 bits, so forget it if session is too
  3461. * long
  3462. */
  3463. if (slen_full == 0 || slen_full > 0xFF00) {
  3464. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3465. ERR_R_INTERNAL_ERROR);
  3466. goto err;
  3467. }
  3468. senc = OPENSSL_malloc(slen_full);
  3469. if (senc == NULL) {
  3470. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3471. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE);
  3472. goto err;
  3473. }
  3474. ctx = EVP_CIPHER_CTX_new();
  3475. hctx = HMAC_CTX_new();
  3476. if (ctx == NULL || hctx == NULL) {
  3477. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3478. ERR_R_MALLOC_FAILURE);
  3479. goto err;
  3480. }
  3481. p = senc;
  3482. if (!i2d_SSL_SESSION(s->session, &p)) {
  3483. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3484. ERR_R_INTERNAL_ERROR);
  3485. goto err;
  3486. }
  3487. /*
  3488. * create a fresh copy (not shared with other threads) to clean up
  3489. */
  3490. const_p = senc;
  3491. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3492. if (sess == NULL) {
  3493. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3494. ERR_R_INTERNAL_ERROR);
  3495. goto err;
  3496. }
  3497. slen = i2d_SSL_SESSION(sess, NULL);
  3498. if (slen == 0 || slen > slen_full) {
  3499. /* shouldn't ever happen */
  3500. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3501. ERR_R_INTERNAL_ERROR);
  3502. SSL_SESSION_free(sess);
  3503. goto err;
  3504. }
  3505. p = senc;
  3506. if (!i2d_SSL_SESSION(sess, &p)) {
  3507. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3508. ERR_R_INTERNAL_ERROR);
  3509. SSL_SESSION_free(sess);
  3510. goto err;
  3511. }
  3512. SSL_SESSION_free(sess);
  3513. /*
  3514. * Initialize HMAC and cipher contexts. If callback present it does
  3515. * all the work otherwise use generated values from parent ctx.
  3516. */
  3517. if (tctx->ext.ticket_key_cb) {
  3518. /* if 0 is returned, write an empty ticket */
  3519. int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
  3520. hctx, 1);
  3521. if (ret == 0) {
  3522. /* Put timeout and length */
  3523. if (!WPACKET_put_bytes_u32(pkt, 0)
  3524. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3525. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3526. SSL_F_CONSTRUCT_STATELESS_TICKET,
  3527. ERR_R_INTERNAL_ERROR);
  3528. goto err;
  3529. }
  3530. OPENSSL_free(senc);
  3531. EVP_CIPHER_CTX_free(ctx);
  3532. HMAC_CTX_free(hctx);
  3533. return 1;
  3534. }
  3535. if (ret < 0) {
  3536. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3537. SSL_R_CALLBACK_FAILED);
  3538. goto err;
  3539. }
  3540. iv_len = EVP_CIPHER_CTX_iv_length(ctx);
  3541. } else {
  3542. const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  3543. iv_len = EVP_CIPHER_iv_length(cipher);
  3544. if (RAND_bytes(iv, iv_len) <= 0
  3545. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3546. tctx->ext.secure->tick_aes_key, iv)
  3547. || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  3548. sizeof(tctx->ext.secure->tick_hmac_key),
  3549. EVP_sha256(), NULL)) {
  3550. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3551. ERR_R_INTERNAL_ERROR);
  3552. goto err;
  3553. }
  3554. memcpy(key_name, tctx->ext.tick_key_name,
  3555. sizeof(tctx->ext.tick_key_name));
  3556. }
  3557. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3558. /* SSLfatal() already called */
  3559. goto err;
  3560. }
  3561. if (!WPACKET_get_total_written(pkt, &macoffset)
  3562. /* Output key name */
  3563. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3564. /* output IV */
  3565. || !WPACKET_memcpy(pkt, iv, iv_len)
  3566. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3567. &encdata1)
  3568. /* Encrypt session data */
  3569. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3570. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3571. || encdata1 != encdata2
  3572. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3573. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3574. || encdata1 + len != encdata2
  3575. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3576. || !WPACKET_get_total_written(pkt, &macendoffset)
  3577. || !HMAC_Update(hctx,
  3578. (unsigned char *)s->init_buf->data + macoffset,
  3579. macendoffset - macoffset)
  3580. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3581. || !HMAC_Final(hctx, macdata1, &hlen)
  3582. || hlen > EVP_MAX_MD_SIZE
  3583. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3584. || macdata1 != macdata2) {
  3585. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3586. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR);
  3587. goto err;
  3588. }
  3589. /* Close the sub-packet created by create_ticket_prequel() */
  3590. if (!WPACKET_close(pkt)) {
  3591. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3592. ERR_R_INTERNAL_ERROR);
  3593. goto err;
  3594. }
  3595. ok = 1;
  3596. err:
  3597. OPENSSL_free(senc);
  3598. EVP_CIPHER_CTX_free(ctx);
  3599. HMAC_CTX_free(hctx);
  3600. return ok;
  3601. }
  3602. static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3603. unsigned char *tick_nonce)
  3604. {
  3605. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3606. /* SSLfatal() already called */
  3607. return 0;
  3608. }
  3609. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3610. s->session->session_id_length)
  3611. || !WPACKET_close(pkt)) {
  3612. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET,
  3613. ERR_R_INTERNAL_ERROR);
  3614. return 0;
  3615. }
  3616. return 1;
  3617. }
  3618. int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
  3619. {
  3620. SSL_CTX *tctx = s->session_ctx;
  3621. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3622. union {
  3623. unsigned char age_add_c[sizeof(uint32_t)];
  3624. uint32_t age_add;
  3625. } age_add_u;
  3626. age_add_u.age_add = 0;
  3627. if (SSL_IS_TLS13(s)) {
  3628. size_t i, hashlen;
  3629. uint64_t nonce;
  3630. static const unsigned char nonce_label[] = "resumption";
  3631. const EVP_MD *md = ssl_handshake_md(s);
  3632. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  3633. int hashleni = EVP_MD_size(md);
  3634. /* Ensure cast to size_t is safe */
  3635. if (!ossl_assert(hashleni >= 0)) {
  3636. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3637. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3638. ERR_R_INTERNAL_ERROR);
  3639. goto err;
  3640. }
  3641. hashlen = (size_t)hashleni;
  3642. if (s->info_callback != NULL)
  3643. cb = s->info_callback;
  3644. else if (s->ctx->info_callback != NULL)
  3645. cb = s->ctx->info_callback;
  3646. if (cb != NULL) {
  3647. /*
  3648. * We don't start and stop the handshake in between each ticket when
  3649. * sending more than one - but it should appear that way to the info
  3650. * callback.
  3651. */
  3652. if (s->sent_tickets != 0) {
  3653. ossl_statem_set_in_init(s, 0);
  3654. cb(s, SSL_CB_HANDSHAKE_DONE, 1);
  3655. ossl_statem_set_in_init(s, 1);
  3656. }
  3657. cb(s, SSL_CB_HANDSHAKE_START, 1);
  3658. }
  3659. /*
  3660. * If we already sent one NewSessionTicket, or we resumed then
  3661. * s->session may already be in a cache and so we must not modify it.
  3662. * Instead we need to take a copy of it and modify that.
  3663. */
  3664. if (s->sent_tickets != 0 || s->hit) {
  3665. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3666. if (new_sess == NULL) {
  3667. /* SSLfatal already called */
  3668. goto err;
  3669. }
  3670. SSL_SESSION_free(s->session);
  3671. s->session = new_sess;
  3672. }
  3673. if (!ssl_generate_session_id(s, s->session)) {
  3674. /* SSLfatal() already called */
  3675. goto err;
  3676. }
  3677. if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
  3678. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3679. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3680. ERR_R_INTERNAL_ERROR);
  3681. goto err;
  3682. }
  3683. s->session->ext.tick_age_add = age_add_u.age_add;
  3684. nonce = s->next_ticket_nonce;
  3685. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3686. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3687. nonce >>= 8;
  3688. }
  3689. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3690. nonce_label,
  3691. sizeof(nonce_label) - 1,
  3692. tick_nonce,
  3693. TICKET_NONCE_SIZE,
  3694. s->session->master_key,
  3695. hashlen)) {
  3696. /* SSLfatal() already called */
  3697. goto err;
  3698. }
  3699. s->session->master_key_length = hashlen;
  3700. s->session->time = (long)time(NULL);
  3701. if (s->s3->alpn_selected != NULL) {
  3702. OPENSSL_free(s->session->ext.alpn_selected);
  3703. s->session->ext.alpn_selected =
  3704. OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
  3705. if (s->session->ext.alpn_selected == NULL) {
  3706. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3707. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3708. ERR_R_MALLOC_FAILURE);
  3709. goto err;
  3710. }
  3711. s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
  3712. }
  3713. s->session->ext.max_early_data = s->max_early_data;
  3714. }
  3715. if (tctx->generate_ticket_cb != NULL &&
  3716. tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
  3717. goto err;
  3718. /*
  3719. * If we are using anti-replay protection then we behave as if
  3720. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3721. * is no point in using full stateless tickets.
  3722. */
  3723. if (SSL_IS_TLS13(s)
  3724. && ((s->options & SSL_OP_NO_TICKET) != 0
  3725. || (s->max_early_data > 0
  3726. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3727. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3728. /* SSLfatal() already called */
  3729. goto err;
  3730. }
  3731. } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3732. tick_nonce)) {
  3733. /* SSLfatal() already called */
  3734. goto err;
  3735. }
  3736. if (SSL_IS_TLS13(s)) {
  3737. if (!tls_construct_extensions(s, pkt,
  3738. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3739. NULL, 0)) {
  3740. /* SSLfatal() already called */
  3741. goto err;
  3742. }
  3743. /*
  3744. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3745. * gets reset to 0 if we send more tickets following a post-handshake
  3746. * auth, but |next_ticket_nonce| does not.
  3747. */
  3748. s->sent_tickets++;
  3749. s->next_ticket_nonce++;
  3750. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3751. }
  3752. return 1;
  3753. err:
  3754. return 0;
  3755. }
  3756. /*
  3757. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3758. * create a separate message. Returns 1 on success or 0 on failure.
  3759. */
  3760. int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
  3761. {
  3762. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3763. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3764. s->ext.ocsp.resp_len)) {
  3765. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
  3766. ERR_R_INTERNAL_ERROR);
  3767. return 0;
  3768. }
  3769. return 1;
  3770. }
  3771. int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  3772. {
  3773. if (!tls_construct_cert_status_body(s, pkt)) {
  3774. /* SSLfatal() already called */
  3775. return 0;
  3776. }
  3777. return 1;
  3778. }
  3779. #ifndef OPENSSL_NO_NEXTPROTONEG
  3780. /*
  3781. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3782. * It sets the next_proto member in s if found
  3783. */
  3784. MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
  3785. {
  3786. PACKET next_proto, padding;
  3787. size_t next_proto_len;
  3788. /*-
  3789. * The payload looks like:
  3790. * uint8 proto_len;
  3791. * uint8 proto[proto_len];
  3792. * uint8 padding_len;
  3793. * uint8 padding[padding_len];
  3794. */
  3795. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3796. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3797. || PACKET_remaining(pkt) > 0) {
  3798. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3799. SSL_R_LENGTH_MISMATCH);
  3800. return MSG_PROCESS_ERROR;
  3801. }
  3802. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3803. s->ext.npn_len = 0;
  3804. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3805. ERR_R_INTERNAL_ERROR);
  3806. return MSG_PROCESS_ERROR;
  3807. }
  3808. s->ext.npn_len = (unsigned char)next_proto_len;
  3809. return MSG_PROCESS_CONTINUE_READING;
  3810. }
  3811. #endif
  3812. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
  3813. {
  3814. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3815. NULL, 0)) {
  3816. /* SSLfatal() already called */
  3817. return 0;
  3818. }
  3819. return 1;
  3820. }
  3821. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
  3822. {
  3823. if (PACKET_remaining(pkt) != 0) {
  3824. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3825. SSL_R_LENGTH_MISMATCH);
  3826. return MSG_PROCESS_ERROR;
  3827. }
  3828. if (s->early_data_state != SSL_EARLY_DATA_READING
  3829. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3830. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3831. ERR_R_INTERNAL_ERROR);
  3832. return MSG_PROCESS_ERROR;
  3833. }
  3834. /*
  3835. * EndOfEarlyData signals a key change so the end of the message must be on
  3836. * a record boundary.
  3837. */
  3838. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3839. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  3840. SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3841. SSL_R_NOT_ON_RECORD_BOUNDARY);
  3842. return MSG_PROCESS_ERROR;
  3843. }
  3844. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3845. if (!s->method->ssl3_enc->change_cipher_state(s,
  3846. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3847. /* SSLfatal() already called */
  3848. return MSG_PROCESS_ERROR;
  3849. }
  3850. return MSG_PROCESS_CONTINUE_READING;
  3851. }