statem_srvr.c 135 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_local.h"
  13. #include "statem_local.h"
  14. #include "internal/constant_time.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/dh.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #include <openssl/trace.h>
  26. #include <openssl/core_names.h>
  27. #include <openssl/asn1t.h>
  28. #define TICKET_NONCE_SIZE 8
  29. typedef struct {
  30. ASN1_TYPE *kxBlob;
  31. ASN1_TYPE *opaqueBlob;
  32. } GOST_KX_MESSAGE;
  33. DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  34. ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
  35. ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
  36. ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
  37. } ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
  38. IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  39. static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt);
  40. /*
  41. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  42. * handshake state transitions when a TLSv1.3 server is reading messages from
  43. * the client. The message type that the client has sent is provided in |mt|.
  44. * The current state is in |s->statem.hand_state|.
  45. *
  46. * Return values are 1 for success (transition allowed) and 0 on error
  47. * (transition not allowed)
  48. */
  49. static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt)
  50. {
  51. OSSL_STATEM *st = &s->statem;
  52. /*
  53. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  54. * not negotiated TLSv1.3 yet, so that case is handled by
  55. * ossl_statem_server_read_transition()
  56. */
  57. switch (st->hand_state) {
  58. default:
  59. break;
  60. case TLS_ST_EARLY_DATA:
  61. if (s->hello_retry_request == SSL_HRR_PENDING) {
  62. if (mt == SSL3_MT_CLIENT_HELLO) {
  63. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  64. return 1;
  65. }
  66. break;
  67. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  68. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  69. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  70. return 1;
  71. }
  72. break;
  73. }
  74. /* Fall through */
  75. case TLS_ST_SR_END_OF_EARLY_DATA:
  76. case TLS_ST_SW_FINISHED:
  77. if (s->s3.tmp.cert_request) {
  78. if (mt == SSL3_MT_CERTIFICATE) {
  79. st->hand_state = TLS_ST_SR_CERT;
  80. return 1;
  81. }
  82. } else {
  83. if (mt == SSL3_MT_FINISHED) {
  84. st->hand_state = TLS_ST_SR_FINISHED;
  85. return 1;
  86. }
  87. }
  88. break;
  89. case TLS_ST_SR_CERT:
  90. if (s->session->peer == NULL) {
  91. if (mt == SSL3_MT_FINISHED) {
  92. st->hand_state = TLS_ST_SR_FINISHED;
  93. return 1;
  94. }
  95. } else {
  96. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  97. st->hand_state = TLS_ST_SR_CERT_VRFY;
  98. return 1;
  99. }
  100. }
  101. break;
  102. case TLS_ST_SR_CERT_VRFY:
  103. if (mt == SSL3_MT_FINISHED) {
  104. st->hand_state = TLS_ST_SR_FINISHED;
  105. return 1;
  106. }
  107. break;
  108. case TLS_ST_OK:
  109. /*
  110. * Its never ok to start processing handshake messages in the middle of
  111. * early data (i.e. before we've received the end of early data alert)
  112. */
  113. if (s->early_data_state == SSL_EARLY_DATA_READING)
  114. break;
  115. if (mt == SSL3_MT_CERTIFICATE
  116. && s->post_handshake_auth == SSL_PHA_REQUESTED) {
  117. st->hand_state = TLS_ST_SR_CERT;
  118. return 1;
  119. }
  120. if (mt == SSL3_MT_KEY_UPDATE) {
  121. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  122. return 1;
  123. }
  124. break;
  125. }
  126. /* No valid transition found */
  127. return 0;
  128. }
  129. /*
  130. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  131. * handshake state transitions when the server is reading messages from the
  132. * client. The message type that the client has sent is provided in |mt|. The
  133. * current state is in |s->statem.hand_state|.
  134. *
  135. * Return values are 1 for success (transition allowed) and 0 on error
  136. * (transition not allowed)
  137. */
  138. int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt)
  139. {
  140. OSSL_STATEM *st = &s->statem;
  141. if (SSL_CONNECTION_IS_TLS13(s)) {
  142. if (!ossl_statem_server13_read_transition(s, mt))
  143. goto err;
  144. return 1;
  145. }
  146. switch (st->hand_state) {
  147. default:
  148. break;
  149. case TLS_ST_BEFORE:
  150. case TLS_ST_OK:
  151. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  152. if (mt == SSL3_MT_CLIENT_HELLO) {
  153. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  154. return 1;
  155. }
  156. break;
  157. case TLS_ST_SW_SRVR_DONE:
  158. /*
  159. * If we get a CKE message after a ServerDone then either
  160. * 1) We didn't request a Certificate
  161. * OR
  162. * 2) If we did request one then
  163. * a) We allow no Certificate to be returned
  164. * AND
  165. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  166. * list if we requested a certificate)
  167. */
  168. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  169. if (s->s3.tmp.cert_request) {
  170. if (s->version == SSL3_VERSION) {
  171. if ((s->verify_mode & SSL_VERIFY_PEER)
  172. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  173. /*
  174. * This isn't an unexpected message as such - we're just
  175. * not going to accept it because we require a client
  176. * cert.
  177. */
  178. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  179. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  180. return 0;
  181. }
  182. st->hand_state = TLS_ST_SR_KEY_EXCH;
  183. return 1;
  184. }
  185. } else {
  186. st->hand_state = TLS_ST_SR_KEY_EXCH;
  187. return 1;
  188. }
  189. } else if (s->s3.tmp.cert_request) {
  190. if (mt == SSL3_MT_CERTIFICATE) {
  191. st->hand_state = TLS_ST_SR_CERT;
  192. return 1;
  193. }
  194. }
  195. break;
  196. case TLS_ST_SR_CERT:
  197. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  198. st->hand_state = TLS_ST_SR_KEY_EXCH;
  199. return 1;
  200. }
  201. break;
  202. case TLS_ST_SR_KEY_EXCH:
  203. /*
  204. * We should only process a CertificateVerify message if we have
  205. * received a Certificate from the client. If so then |s->session->peer|
  206. * will be non NULL. In some instances a CertificateVerify message is
  207. * not required even if the peer has sent a Certificate (e.g. such as in
  208. * the case of static DH). In that case |st->no_cert_verify| should be
  209. * set.
  210. */
  211. if (s->session->peer == NULL || st->no_cert_verify) {
  212. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  213. /*
  214. * For the ECDH ciphersuites when the client sends its ECDH
  215. * pub key in a certificate, the CertificateVerify message is
  216. * not sent. Also for GOST ciphersuites when the client uses
  217. * its key from the certificate for key exchange.
  218. */
  219. st->hand_state = TLS_ST_SR_CHANGE;
  220. return 1;
  221. }
  222. } else {
  223. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  224. st->hand_state = TLS_ST_SR_CERT_VRFY;
  225. return 1;
  226. }
  227. }
  228. break;
  229. case TLS_ST_SR_CERT_VRFY:
  230. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  231. st->hand_state = TLS_ST_SR_CHANGE;
  232. return 1;
  233. }
  234. break;
  235. case TLS_ST_SR_CHANGE:
  236. #ifndef OPENSSL_NO_NEXTPROTONEG
  237. if (s->s3.npn_seen) {
  238. if (mt == SSL3_MT_NEXT_PROTO) {
  239. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  240. return 1;
  241. }
  242. } else {
  243. #endif
  244. if (mt == SSL3_MT_FINISHED) {
  245. st->hand_state = TLS_ST_SR_FINISHED;
  246. return 1;
  247. }
  248. #ifndef OPENSSL_NO_NEXTPROTONEG
  249. }
  250. #endif
  251. break;
  252. #ifndef OPENSSL_NO_NEXTPROTONEG
  253. case TLS_ST_SR_NEXT_PROTO:
  254. if (mt == SSL3_MT_FINISHED) {
  255. st->hand_state = TLS_ST_SR_FINISHED;
  256. return 1;
  257. }
  258. break;
  259. #endif
  260. case TLS_ST_SW_FINISHED:
  261. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  262. st->hand_state = TLS_ST_SR_CHANGE;
  263. return 1;
  264. }
  265. break;
  266. }
  267. err:
  268. /* No valid transition found */
  269. if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  270. BIO *rbio;
  271. /*
  272. * CCS messages don't have a message sequence number so this is probably
  273. * because of an out-of-order CCS. We'll just drop it.
  274. */
  275. s->init_num = 0;
  276. s->rwstate = SSL_READING;
  277. rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s));
  278. BIO_clear_retry_flags(rbio);
  279. BIO_set_retry_read(rbio);
  280. return 0;
  281. }
  282. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  283. return 0;
  284. }
  285. /*
  286. * Should we send a ServerKeyExchange message?
  287. *
  288. * Valid return values are:
  289. * 1: Yes
  290. * 0: No
  291. */
  292. static int send_server_key_exchange(SSL_CONNECTION *s)
  293. {
  294. unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  295. /*
  296. * only send a ServerKeyExchange if DH or fortezza but we have a
  297. * sign only certificate PSK: may send PSK identity hints For
  298. * ECC ciphersuites, we send a serverKeyExchange message only if
  299. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  300. * the server certificate contains the server's public key for
  301. * key exchange.
  302. */
  303. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  304. /*
  305. * PSK: send ServerKeyExchange if PSK identity hint if
  306. * provided
  307. */
  308. #ifndef OPENSSL_NO_PSK
  309. /* Only send SKE if we have identity hint for plain PSK */
  310. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  311. && s->cert->psk_identity_hint)
  312. /* For other PSK always send SKE */
  313. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  314. #endif
  315. #ifndef OPENSSL_NO_SRP
  316. /* SRP: send ServerKeyExchange */
  317. || (alg_k & SSL_kSRP)
  318. #endif
  319. ) {
  320. return 1;
  321. }
  322. return 0;
  323. }
  324. /*
  325. * Should we send a CertificateRequest message?
  326. *
  327. * Valid return values are:
  328. * 1: Yes
  329. * 0: No
  330. */
  331. int send_certificate_request(SSL_CONNECTION *s)
  332. {
  333. if (
  334. /* don't request cert unless asked for it: */
  335. s->verify_mode & SSL_VERIFY_PEER
  336. /*
  337. * don't request if post-handshake-only unless doing
  338. * post-handshake in TLSv1.3:
  339. */
  340. && (!SSL_CONNECTION_IS_TLS13(s)
  341. || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  342. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  343. /*
  344. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  345. * a second time:
  346. */
  347. && (s->certreqs_sent < 1 ||
  348. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  349. /*
  350. * never request cert in anonymous ciphersuites (see
  351. * section "Certificate request" in SSL 3 drafts and in
  352. * RFC 2246):
  353. */
  354. && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
  355. /*
  356. * ... except when the application insists on
  357. * verification (against the specs, but statem_clnt.c accepts
  358. * this for SSL 3)
  359. */
  360. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  361. /* don't request certificate for SRP auth */
  362. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
  363. /*
  364. * With normal PSK Certificates and Certificate Requests
  365. * are omitted
  366. */
  367. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  368. return 1;
  369. }
  370. return 0;
  371. }
  372. /*
  373. * ossl_statem_server13_write_transition() works out what handshake state to
  374. * move to next when a TLSv1.3 server is writing messages to be sent to the
  375. * client.
  376. */
  377. static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s)
  378. {
  379. OSSL_STATEM *st = &s->statem;
  380. /*
  381. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  382. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  383. */
  384. switch (st->hand_state) {
  385. default:
  386. /* Shouldn't happen */
  387. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  388. return WRITE_TRAN_ERROR;
  389. case TLS_ST_OK:
  390. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  391. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  392. return WRITE_TRAN_CONTINUE;
  393. }
  394. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  395. st->hand_state = TLS_ST_SW_CERT_REQ;
  396. return WRITE_TRAN_CONTINUE;
  397. }
  398. if (s->ext.extra_tickets_expected > 0) {
  399. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  400. return WRITE_TRAN_CONTINUE;
  401. }
  402. /* Try to read from the client instead */
  403. return WRITE_TRAN_FINISHED;
  404. case TLS_ST_SR_CLNT_HELLO:
  405. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  406. return WRITE_TRAN_CONTINUE;
  407. case TLS_ST_SW_SRVR_HELLO:
  408. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  409. && s->hello_retry_request != SSL_HRR_COMPLETE)
  410. st->hand_state = TLS_ST_SW_CHANGE;
  411. else if (s->hello_retry_request == SSL_HRR_PENDING)
  412. st->hand_state = TLS_ST_EARLY_DATA;
  413. else
  414. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  415. return WRITE_TRAN_CONTINUE;
  416. case TLS_ST_SW_CHANGE:
  417. if (s->hello_retry_request == SSL_HRR_PENDING)
  418. st->hand_state = TLS_ST_EARLY_DATA;
  419. else
  420. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  421. return WRITE_TRAN_CONTINUE;
  422. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  423. if (s->hit)
  424. st->hand_state = TLS_ST_SW_FINISHED;
  425. else if (send_certificate_request(s))
  426. st->hand_state = TLS_ST_SW_CERT_REQ;
  427. else
  428. st->hand_state = TLS_ST_SW_CERT;
  429. return WRITE_TRAN_CONTINUE;
  430. case TLS_ST_SW_CERT_REQ:
  431. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  432. s->post_handshake_auth = SSL_PHA_REQUESTED;
  433. st->hand_state = TLS_ST_OK;
  434. } else {
  435. st->hand_state = TLS_ST_SW_CERT;
  436. }
  437. return WRITE_TRAN_CONTINUE;
  438. case TLS_ST_SW_CERT:
  439. st->hand_state = TLS_ST_SW_CERT_VRFY;
  440. return WRITE_TRAN_CONTINUE;
  441. case TLS_ST_SW_CERT_VRFY:
  442. st->hand_state = TLS_ST_SW_FINISHED;
  443. return WRITE_TRAN_CONTINUE;
  444. case TLS_ST_SW_FINISHED:
  445. st->hand_state = TLS_ST_EARLY_DATA;
  446. return WRITE_TRAN_CONTINUE;
  447. case TLS_ST_EARLY_DATA:
  448. return WRITE_TRAN_FINISHED;
  449. case TLS_ST_SR_FINISHED:
  450. /*
  451. * Technically we have finished the handshake at this point, but we're
  452. * going to remain "in_init" for now and write out any session tickets
  453. * immediately.
  454. */
  455. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  456. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  457. } else if (!s->ext.ticket_expected) {
  458. /*
  459. * If we're not going to renew the ticket then we just finish the
  460. * handshake at this point.
  461. */
  462. st->hand_state = TLS_ST_OK;
  463. return WRITE_TRAN_CONTINUE;
  464. }
  465. if (s->num_tickets > s->sent_tickets)
  466. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  467. else
  468. st->hand_state = TLS_ST_OK;
  469. return WRITE_TRAN_CONTINUE;
  470. case TLS_ST_SR_KEY_UPDATE:
  471. case TLS_ST_SW_KEY_UPDATE:
  472. st->hand_state = TLS_ST_OK;
  473. return WRITE_TRAN_CONTINUE;
  474. case TLS_ST_SW_SESSION_TICKET:
  475. /* In a resumption we only ever send a maximum of one new ticket.
  476. * Following an initial handshake we send the number of tickets we have
  477. * been configured for.
  478. */
  479. if (!SSL_IS_FIRST_HANDSHAKE(s) && s->ext.extra_tickets_expected > 0) {
  480. return WRITE_TRAN_CONTINUE;
  481. } else if (s->hit || s->num_tickets <= s->sent_tickets) {
  482. /* We've written enough tickets out. */
  483. st->hand_state = TLS_ST_OK;
  484. }
  485. return WRITE_TRAN_CONTINUE;
  486. }
  487. }
  488. /*
  489. * ossl_statem_server_write_transition() works out what handshake state to move
  490. * to next when the server is writing messages to be sent to the client.
  491. */
  492. WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s)
  493. {
  494. OSSL_STATEM *st = &s->statem;
  495. /*
  496. * Note that before the ClientHello we don't know what version we are going
  497. * to negotiate yet, so we don't take this branch until later
  498. */
  499. if (SSL_CONNECTION_IS_TLS13(s))
  500. return ossl_statem_server13_write_transition(s);
  501. switch (st->hand_state) {
  502. default:
  503. /* Shouldn't happen */
  504. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  505. return WRITE_TRAN_ERROR;
  506. case TLS_ST_OK:
  507. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  508. /* We must be trying to renegotiate */
  509. st->hand_state = TLS_ST_SW_HELLO_REQ;
  510. st->request_state = TLS_ST_BEFORE;
  511. return WRITE_TRAN_CONTINUE;
  512. }
  513. /* Must be an incoming ClientHello */
  514. if (!tls_setup_handshake(s)) {
  515. /* SSLfatal() already called */
  516. return WRITE_TRAN_ERROR;
  517. }
  518. /* Fall through */
  519. case TLS_ST_BEFORE:
  520. /* Just go straight to trying to read from the client */
  521. return WRITE_TRAN_FINISHED;
  522. case TLS_ST_SW_HELLO_REQ:
  523. st->hand_state = TLS_ST_OK;
  524. return WRITE_TRAN_CONTINUE;
  525. case TLS_ST_SR_CLNT_HELLO:
  526. if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified
  527. && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) {
  528. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  529. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  530. /* We must have rejected the renegotiation */
  531. st->hand_state = TLS_ST_OK;
  532. return WRITE_TRAN_CONTINUE;
  533. } else {
  534. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  535. }
  536. return WRITE_TRAN_CONTINUE;
  537. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  538. return WRITE_TRAN_FINISHED;
  539. case TLS_ST_SW_SRVR_HELLO:
  540. if (s->hit) {
  541. if (s->ext.ticket_expected)
  542. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  543. else
  544. st->hand_state = TLS_ST_SW_CHANGE;
  545. } else {
  546. /* Check if it is anon DH or anon ECDH, */
  547. /* normal PSK or SRP */
  548. if (!(s->s3.tmp.new_cipher->algorithm_auth &
  549. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  550. st->hand_state = TLS_ST_SW_CERT;
  551. } else if (send_server_key_exchange(s)) {
  552. st->hand_state = TLS_ST_SW_KEY_EXCH;
  553. } else if (send_certificate_request(s)) {
  554. st->hand_state = TLS_ST_SW_CERT_REQ;
  555. } else {
  556. st->hand_state = TLS_ST_SW_SRVR_DONE;
  557. }
  558. }
  559. return WRITE_TRAN_CONTINUE;
  560. case TLS_ST_SW_CERT:
  561. if (s->ext.status_expected) {
  562. st->hand_state = TLS_ST_SW_CERT_STATUS;
  563. return WRITE_TRAN_CONTINUE;
  564. }
  565. /* Fall through */
  566. case TLS_ST_SW_CERT_STATUS:
  567. if (send_server_key_exchange(s)) {
  568. st->hand_state = TLS_ST_SW_KEY_EXCH;
  569. return WRITE_TRAN_CONTINUE;
  570. }
  571. /* Fall through */
  572. case TLS_ST_SW_KEY_EXCH:
  573. if (send_certificate_request(s)) {
  574. st->hand_state = TLS_ST_SW_CERT_REQ;
  575. return WRITE_TRAN_CONTINUE;
  576. }
  577. /* Fall through */
  578. case TLS_ST_SW_CERT_REQ:
  579. st->hand_state = TLS_ST_SW_SRVR_DONE;
  580. return WRITE_TRAN_CONTINUE;
  581. case TLS_ST_SW_SRVR_DONE:
  582. return WRITE_TRAN_FINISHED;
  583. case TLS_ST_SR_FINISHED:
  584. if (s->hit) {
  585. st->hand_state = TLS_ST_OK;
  586. return WRITE_TRAN_CONTINUE;
  587. } else if (s->ext.ticket_expected) {
  588. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  589. } else {
  590. st->hand_state = TLS_ST_SW_CHANGE;
  591. }
  592. return WRITE_TRAN_CONTINUE;
  593. case TLS_ST_SW_SESSION_TICKET:
  594. st->hand_state = TLS_ST_SW_CHANGE;
  595. return WRITE_TRAN_CONTINUE;
  596. case TLS_ST_SW_CHANGE:
  597. st->hand_state = TLS_ST_SW_FINISHED;
  598. return WRITE_TRAN_CONTINUE;
  599. case TLS_ST_SW_FINISHED:
  600. if (s->hit) {
  601. return WRITE_TRAN_FINISHED;
  602. }
  603. st->hand_state = TLS_ST_OK;
  604. return WRITE_TRAN_CONTINUE;
  605. }
  606. }
  607. /*
  608. * Perform any pre work that needs to be done prior to sending a message from
  609. * the server to the client.
  610. */
  611. WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
  612. {
  613. OSSL_STATEM *st = &s->statem;
  614. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  615. switch (st->hand_state) {
  616. default:
  617. /* No pre work to be done */
  618. break;
  619. case TLS_ST_SW_HELLO_REQ:
  620. s->shutdown = 0;
  621. if (SSL_CONNECTION_IS_DTLS(s))
  622. dtls1_clear_sent_buffer(s);
  623. break;
  624. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  625. s->shutdown = 0;
  626. if (SSL_CONNECTION_IS_DTLS(s)) {
  627. dtls1_clear_sent_buffer(s);
  628. /* We don't buffer this message so don't use the timer */
  629. st->use_timer = 0;
  630. }
  631. break;
  632. case TLS_ST_SW_SRVR_HELLO:
  633. if (SSL_CONNECTION_IS_DTLS(s)) {
  634. /*
  635. * Messages we write from now on should be buffered and
  636. * retransmitted if necessary, so we need to use the timer now
  637. */
  638. st->use_timer = 1;
  639. }
  640. break;
  641. case TLS_ST_SW_SRVR_DONE:
  642. #ifndef OPENSSL_NO_SCTP
  643. if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {
  644. /* Calls SSLfatal() as required */
  645. return dtls_wait_for_dry(s);
  646. }
  647. #endif
  648. return WORK_FINISHED_CONTINUE;
  649. case TLS_ST_SW_SESSION_TICKET:
  650. if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0
  651. && s->ext.extra_tickets_expected == 0) {
  652. /*
  653. * Actually this is the end of the handshake, but we're going
  654. * straight into writing the session ticket out. So we finish off
  655. * the handshake, but keep the various buffers active.
  656. *
  657. * Calls SSLfatal as required.
  658. */
  659. return tls_finish_handshake(s, wst, 0, 0);
  660. }
  661. if (SSL_CONNECTION_IS_DTLS(s)) {
  662. /*
  663. * We're into the last flight. We don't retransmit the last flight
  664. * unless we need to, so we don't use the timer
  665. */
  666. st->use_timer = 0;
  667. }
  668. break;
  669. case TLS_ST_SW_CHANGE:
  670. if (SSL_CONNECTION_IS_TLS13(s))
  671. break;
  672. /* Writes to s->session are only safe for initial handshakes */
  673. if (s->session->cipher == NULL) {
  674. s->session->cipher = s->s3.tmp.new_cipher;
  675. } else if (s->session->cipher != s->s3.tmp.new_cipher) {
  676. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  677. return WORK_ERROR;
  678. }
  679. if (!ssl->method->ssl3_enc->setup_key_block(s)) {
  680. /* SSLfatal() already called */
  681. return WORK_ERROR;
  682. }
  683. if (SSL_CONNECTION_IS_DTLS(s)) {
  684. /*
  685. * We're into the last flight. We don't retransmit the last flight
  686. * unless we need to, so we don't use the timer. This might have
  687. * already been set to 0 if we sent a NewSessionTicket message,
  688. * but we'll set it again here in case we didn't.
  689. */
  690. st->use_timer = 0;
  691. }
  692. return WORK_FINISHED_CONTINUE;
  693. case TLS_ST_EARLY_DATA:
  694. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  695. && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  696. return WORK_FINISHED_CONTINUE;
  697. /* Fall through */
  698. case TLS_ST_OK:
  699. /* Calls SSLfatal() as required */
  700. return tls_finish_handshake(s, wst, 1, 1);
  701. }
  702. return WORK_FINISHED_CONTINUE;
  703. }
  704. static ossl_inline int conn_is_closed(void)
  705. {
  706. switch (get_last_sys_error()) {
  707. #if defined(EPIPE)
  708. case EPIPE:
  709. return 1;
  710. #endif
  711. #if defined(ECONNRESET)
  712. case ECONNRESET:
  713. return 1;
  714. #endif
  715. #if defined(WSAECONNRESET)
  716. case WSAECONNRESET:
  717. return 1;
  718. #endif
  719. default:
  720. return 0;
  721. }
  722. }
  723. /*
  724. * Perform any work that needs to be done after sending a message from the
  725. * server to the client.
  726. */
  727. WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
  728. {
  729. OSSL_STATEM *st = &s->statem;
  730. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  731. s->init_num = 0;
  732. switch (st->hand_state) {
  733. default:
  734. /* No post work to be done */
  735. break;
  736. case TLS_ST_SW_HELLO_REQ:
  737. if (statem_flush(s) != 1)
  738. return WORK_MORE_A;
  739. if (!ssl3_init_finished_mac(s)) {
  740. /* SSLfatal() already called */
  741. return WORK_ERROR;
  742. }
  743. break;
  744. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  745. if (statem_flush(s) != 1)
  746. return WORK_MORE_A;
  747. /* HelloVerifyRequest resets Finished MAC */
  748. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  749. /* SSLfatal() already called */
  750. return WORK_ERROR;
  751. }
  752. /*
  753. * The next message should be another ClientHello which we need to
  754. * treat like it was the first packet
  755. */
  756. s->first_packet = 1;
  757. break;
  758. case TLS_ST_SW_SRVR_HELLO:
  759. if (SSL_CONNECTION_IS_TLS13(s)
  760. && s->hello_retry_request == SSL_HRR_PENDING) {
  761. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  762. && statem_flush(s) != 1)
  763. return WORK_MORE_A;
  764. break;
  765. }
  766. #ifndef OPENSSL_NO_SCTP
  767. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  768. unsigned char sctpauthkey[64];
  769. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  770. size_t labellen;
  771. /*
  772. * Add new shared key for SCTP-Auth, will be ignored if no
  773. * SCTP used.
  774. */
  775. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  776. sizeof(DTLS1_SCTP_AUTH_LABEL));
  777. /* Don't include the terminating zero. */
  778. labellen = sizeof(labelbuffer) - 1;
  779. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  780. labellen += 1;
  781. if (SSL_export_keying_material(ssl, sctpauthkey,
  782. sizeof(sctpauthkey), labelbuffer,
  783. labellen, NULL, 0,
  784. 0) <= 0) {
  785. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  786. return WORK_ERROR;
  787. }
  788. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  789. sizeof(sctpauthkey), sctpauthkey);
  790. }
  791. #endif
  792. if (!SSL_CONNECTION_IS_TLS13(s)
  793. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  794. && s->hello_retry_request != SSL_HRR_COMPLETE))
  795. break;
  796. /* Fall through */
  797. case TLS_ST_SW_CHANGE:
  798. if (s->hello_retry_request == SSL_HRR_PENDING) {
  799. if (!statem_flush(s))
  800. return WORK_MORE_A;
  801. break;
  802. }
  803. if (SSL_CONNECTION_IS_TLS13(s)) {
  804. if (!ssl->method->ssl3_enc->setup_key_block(s)
  805. || !ssl->method->ssl3_enc->change_cipher_state(s,
  806. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  807. /* SSLfatal() already called */
  808. return WORK_ERROR;
  809. }
  810. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  811. && !ssl->method->ssl3_enc->change_cipher_state(s,
  812. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  813. /* SSLfatal() already called */
  814. return WORK_ERROR;
  815. }
  816. /*
  817. * We don't yet know whether the next record we are going to receive
  818. * is an unencrypted alert, an encrypted alert, or an encrypted
  819. * handshake message. We temporarily tolerate unencrypted alerts.
  820. */
  821. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  822. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 1);
  823. break;
  824. }
  825. #ifndef OPENSSL_NO_SCTP
  826. if (SSL_CONNECTION_IS_DTLS(s) && !s->hit) {
  827. /*
  828. * Change to new shared key of SCTP-Auth, will be ignored if
  829. * no SCTP used.
  830. */
  831. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  832. 0, NULL);
  833. }
  834. #endif
  835. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  836. SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  837. /* SSLfatal() already called */
  838. return WORK_ERROR;
  839. }
  840. if (SSL_CONNECTION_IS_DTLS(s))
  841. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  842. break;
  843. case TLS_ST_SW_SRVR_DONE:
  844. if (statem_flush(s) != 1)
  845. return WORK_MORE_A;
  846. break;
  847. case TLS_ST_SW_FINISHED:
  848. if (statem_flush(s) != 1)
  849. return WORK_MORE_A;
  850. #ifndef OPENSSL_NO_SCTP
  851. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  852. /*
  853. * Change to new shared key of SCTP-Auth, will be ignored if
  854. * no SCTP used.
  855. */
  856. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  857. 0, NULL);
  858. }
  859. #endif
  860. if (SSL_CONNECTION_IS_TLS13(s)) {
  861. /* TLS 1.3 gets the secret size from the handshake md */
  862. size_t dummy;
  863. if (!ssl->method->ssl3_enc->generate_master_secret(s,
  864. s->master_secret, s->handshake_secret, 0,
  865. &dummy)
  866. || !ssl->method->ssl3_enc->change_cipher_state(s,
  867. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  868. /* SSLfatal() already called */
  869. return WORK_ERROR;
  870. }
  871. break;
  872. case TLS_ST_SW_CERT_REQ:
  873. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  874. if (statem_flush(s) != 1)
  875. return WORK_MORE_A;
  876. }
  877. break;
  878. case TLS_ST_SW_KEY_UPDATE:
  879. if (statem_flush(s) != 1)
  880. return WORK_MORE_A;
  881. if (!tls13_update_key(s, 1)) {
  882. /* SSLfatal() already called */
  883. return WORK_ERROR;
  884. }
  885. break;
  886. case TLS_ST_SW_SESSION_TICKET:
  887. clear_sys_error();
  888. if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) {
  889. if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL
  890. && conn_is_closed()) {
  891. /*
  892. * We ignore connection closed errors in TLSv1.3 when sending a
  893. * NewSessionTicket and behave as if we were successful. This is
  894. * so that we are still able to read data sent to us by a client
  895. * that closes soon after the end of the handshake without
  896. * waiting to read our post-handshake NewSessionTickets.
  897. */
  898. s->rwstate = SSL_NOTHING;
  899. break;
  900. }
  901. return WORK_MORE_A;
  902. }
  903. break;
  904. }
  905. return WORK_FINISHED_CONTINUE;
  906. }
  907. /*
  908. * Get the message construction function and message type for sending from the
  909. * server
  910. *
  911. * Valid return values are:
  912. * 1: Success
  913. * 0: Error
  914. */
  915. int ossl_statem_server_construct_message(SSL_CONNECTION *s,
  916. confunc_f *confunc, int *mt)
  917. {
  918. OSSL_STATEM *st = &s->statem;
  919. switch (st->hand_state) {
  920. default:
  921. /* Shouldn't happen */
  922. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  923. return 0;
  924. case TLS_ST_SW_CHANGE:
  925. if (SSL_CONNECTION_IS_DTLS(s))
  926. *confunc = dtls_construct_change_cipher_spec;
  927. else
  928. *confunc = tls_construct_change_cipher_spec;
  929. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  930. break;
  931. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  932. *confunc = dtls_construct_hello_verify_request;
  933. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  934. break;
  935. case TLS_ST_SW_HELLO_REQ:
  936. /* No construction function needed */
  937. *confunc = NULL;
  938. *mt = SSL3_MT_HELLO_REQUEST;
  939. break;
  940. case TLS_ST_SW_SRVR_HELLO:
  941. *confunc = tls_construct_server_hello;
  942. *mt = SSL3_MT_SERVER_HELLO;
  943. break;
  944. case TLS_ST_SW_CERT:
  945. *confunc = tls_construct_server_certificate;
  946. *mt = SSL3_MT_CERTIFICATE;
  947. break;
  948. case TLS_ST_SW_CERT_VRFY:
  949. *confunc = tls_construct_cert_verify;
  950. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  951. break;
  952. case TLS_ST_SW_KEY_EXCH:
  953. *confunc = tls_construct_server_key_exchange;
  954. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  955. break;
  956. case TLS_ST_SW_CERT_REQ:
  957. *confunc = tls_construct_certificate_request;
  958. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  959. break;
  960. case TLS_ST_SW_SRVR_DONE:
  961. *confunc = tls_construct_server_done;
  962. *mt = SSL3_MT_SERVER_DONE;
  963. break;
  964. case TLS_ST_SW_SESSION_TICKET:
  965. *confunc = tls_construct_new_session_ticket;
  966. *mt = SSL3_MT_NEWSESSION_TICKET;
  967. break;
  968. case TLS_ST_SW_CERT_STATUS:
  969. *confunc = tls_construct_cert_status;
  970. *mt = SSL3_MT_CERTIFICATE_STATUS;
  971. break;
  972. case TLS_ST_SW_FINISHED:
  973. *confunc = tls_construct_finished;
  974. *mt = SSL3_MT_FINISHED;
  975. break;
  976. case TLS_ST_EARLY_DATA:
  977. *confunc = NULL;
  978. *mt = SSL3_MT_DUMMY;
  979. break;
  980. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  981. *confunc = tls_construct_encrypted_extensions;
  982. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  983. break;
  984. case TLS_ST_SW_KEY_UPDATE:
  985. *confunc = tls_construct_key_update;
  986. *mt = SSL3_MT_KEY_UPDATE;
  987. break;
  988. }
  989. return 1;
  990. }
  991. /*
  992. * Maximum size (excluding the Handshake header) of a ClientHello message,
  993. * calculated as follows:
  994. *
  995. * 2 + # client_version
  996. * 32 + # only valid length for random
  997. * 1 + # length of session_id
  998. * 32 + # maximum size for session_id
  999. * 2 + # length of cipher suites
  1000. * 2^16-2 + # maximum length of cipher suites array
  1001. * 1 + # length of compression_methods
  1002. * 2^8-1 + # maximum length of compression methods
  1003. * 2 + # length of extensions
  1004. * 2^16-1 # maximum length of extensions
  1005. */
  1006. #define CLIENT_HELLO_MAX_LENGTH 131396
  1007. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  1008. #define NEXT_PROTO_MAX_LENGTH 514
  1009. /*
  1010. * Returns the maximum allowed length for the current message that we are
  1011. * reading. Excludes the message header.
  1012. */
  1013. size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s)
  1014. {
  1015. OSSL_STATEM *st = &s->statem;
  1016. switch (st->hand_state) {
  1017. default:
  1018. /* Shouldn't happen */
  1019. return 0;
  1020. case TLS_ST_SR_CLNT_HELLO:
  1021. return CLIENT_HELLO_MAX_LENGTH;
  1022. case TLS_ST_SR_END_OF_EARLY_DATA:
  1023. return END_OF_EARLY_DATA_MAX_LENGTH;
  1024. case TLS_ST_SR_CERT:
  1025. return s->max_cert_list;
  1026. case TLS_ST_SR_KEY_EXCH:
  1027. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1028. case TLS_ST_SR_CERT_VRFY:
  1029. return SSL3_RT_MAX_PLAIN_LENGTH;
  1030. #ifndef OPENSSL_NO_NEXTPROTONEG
  1031. case TLS_ST_SR_NEXT_PROTO:
  1032. return NEXT_PROTO_MAX_LENGTH;
  1033. #endif
  1034. case TLS_ST_SR_CHANGE:
  1035. return CCS_MAX_LENGTH;
  1036. case TLS_ST_SR_FINISHED:
  1037. return FINISHED_MAX_LENGTH;
  1038. case TLS_ST_SR_KEY_UPDATE:
  1039. return KEY_UPDATE_MAX_LENGTH;
  1040. }
  1041. }
  1042. /*
  1043. * Process a message that the server has received from the client.
  1044. */
  1045. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s,
  1046. PACKET *pkt)
  1047. {
  1048. OSSL_STATEM *st = &s->statem;
  1049. switch (st->hand_state) {
  1050. default:
  1051. /* Shouldn't happen */
  1052. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1053. return MSG_PROCESS_ERROR;
  1054. case TLS_ST_SR_CLNT_HELLO:
  1055. return tls_process_client_hello(s, pkt);
  1056. case TLS_ST_SR_END_OF_EARLY_DATA:
  1057. return tls_process_end_of_early_data(s, pkt);
  1058. case TLS_ST_SR_CERT:
  1059. return tls_process_client_certificate(s, pkt);
  1060. case TLS_ST_SR_KEY_EXCH:
  1061. return tls_process_client_key_exchange(s, pkt);
  1062. case TLS_ST_SR_CERT_VRFY:
  1063. return tls_process_cert_verify(s, pkt);
  1064. #ifndef OPENSSL_NO_NEXTPROTONEG
  1065. case TLS_ST_SR_NEXT_PROTO:
  1066. return tls_process_next_proto(s, pkt);
  1067. #endif
  1068. case TLS_ST_SR_CHANGE:
  1069. return tls_process_change_cipher_spec(s, pkt);
  1070. case TLS_ST_SR_FINISHED:
  1071. return tls_process_finished(s, pkt);
  1072. case TLS_ST_SR_KEY_UPDATE:
  1073. return tls_process_key_update(s, pkt);
  1074. }
  1075. }
  1076. /*
  1077. * Perform any further processing required following the receipt of a message
  1078. * from the client
  1079. */
  1080. WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s,
  1081. WORK_STATE wst)
  1082. {
  1083. OSSL_STATEM *st = &s->statem;
  1084. switch (st->hand_state) {
  1085. default:
  1086. /* Shouldn't happen */
  1087. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1088. return WORK_ERROR;
  1089. case TLS_ST_SR_CLNT_HELLO:
  1090. return tls_post_process_client_hello(s, wst);
  1091. case TLS_ST_SR_KEY_EXCH:
  1092. return tls_post_process_client_key_exchange(s, wst);
  1093. }
  1094. }
  1095. #ifndef OPENSSL_NO_SRP
  1096. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1097. static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s)
  1098. {
  1099. int ret;
  1100. int al = SSL_AD_UNRECOGNIZED_NAME;
  1101. if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1102. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1103. if (s->srp_ctx.login == NULL) {
  1104. /*
  1105. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1106. * login name
  1107. */
  1108. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1109. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1110. return -1;
  1111. } else {
  1112. ret = ssl_srp_server_param_with_username_intern(s, &al);
  1113. if (ret < 0)
  1114. return 0;
  1115. if (ret == SSL3_AL_FATAL) {
  1116. SSLfatal(s, al,
  1117. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1118. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1119. : SSL_R_CLIENTHELLO_TLSEXT);
  1120. return -1;
  1121. }
  1122. }
  1123. }
  1124. return 1;
  1125. }
  1126. #endif
  1127. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1128. size_t cookie_len)
  1129. {
  1130. /* Always use DTLS 1.0 version: see RFC 6347 */
  1131. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1132. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1133. return 0;
  1134. return 1;
  1135. }
  1136. int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt)
  1137. {
  1138. unsigned int cookie_leni;
  1139. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1140. if (sctx->app_gen_cookie_cb == NULL
  1141. || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie,
  1142. &cookie_leni) == 0
  1143. || cookie_leni > DTLS1_COOKIE_LENGTH) {
  1144. SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1145. return 0;
  1146. }
  1147. s->d1->cookie_len = cookie_leni;
  1148. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1149. s->d1->cookie_len)) {
  1150. SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);
  1151. return 0;
  1152. }
  1153. return 1;
  1154. }
  1155. /*-
  1156. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1157. * SecureTransport using the TLS extension block in |hello|.
  1158. * Safari, since 10.6, sends exactly these extensions, in this order:
  1159. * SNI,
  1160. * elliptic_curves
  1161. * ec_point_formats
  1162. * signature_algorithms (for TLSv1.2 only)
  1163. *
  1164. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1165. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1166. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1167. * 10.8..10.8.3 (which don't work).
  1168. */
  1169. static void ssl_check_for_safari(SSL_CONNECTION *s,
  1170. const CLIENTHELLO_MSG *hello)
  1171. {
  1172. static const unsigned char kSafariExtensionsBlock[] = {
  1173. 0x00, 0x0a, /* elliptic_curves extension */
  1174. 0x00, 0x08, /* 8 bytes */
  1175. 0x00, 0x06, /* 6 bytes of curve ids */
  1176. 0x00, 0x17, /* P-256 */
  1177. 0x00, 0x18, /* P-384 */
  1178. 0x00, 0x19, /* P-521 */
  1179. 0x00, 0x0b, /* ec_point_formats */
  1180. 0x00, 0x02, /* 2 bytes */
  1181. 0x01, /* 1 point format */
  1182. 0x00, /* uncompressed */
  1183. /* The following is only present in TLS 1.2 */
  1184. 0x00, 0x0d, /* signature_algorithms */
  1185. 0x00, 0x0c, /* 12 bytes */
  1186. 0x00, 0x0a, /* 10 bytes */
  1187. 0x05, 0x01, /* SHA-384/RSA */
  1188. 0x04, 0x01, /* SHA-256/RSA */
  1189. 0x02, 0x01, /* SHA-1/RSA */
  1190. 0x04, 0x03, /* SHA-256/ECDSA */
  1191. 0x02, 0x03, /* SHA-1/ECDSA */
  1192. };
  1193. /* Length of the common prefix (first two extensions). */
  1194. static const size_t kSafariCommonExtensionsLength = 18;
  1195. unsigned int type;
  1196. PACKET sni, tmppkt;
  1197. size_t ext_len;
  1198. tmppkt = hello->extensions;
  1199. if (!PACKET_forward(&tmppkt, 2)
  1200. || !PACKET_get_net_2(&tmppkt, &type)
  1201. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1202. return;
  1203. }
  1204. if (type != TLSEXT_TYPE_server_name)
  1205. return;
  1206. ext_len = TLS1_get_client_version(
  1207. SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ?
  1208. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1209. s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1210. ext_len);
  1211. }
  1212. #define RENEG_OPTIONS_OK(options) \
  1213. ((options & SSL_OP_NO_RENEGOTIATION) == 0 \
  1214. && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0)
  1215. MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
  1216. {
  1217. /* |cookie| will only be initialized for DTLS. */
  1218. PACKET session_id, compression, extensions, cookie;
  1219. static const unsigned char null_compression = 0;
  1220. CLIENTHELLO_MSG *clienthello = NULL;
  1221. /* Check if this is actually an unexpected renegotiation ClientHello */
  1222. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1223. if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) {
  1224. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1225. goto err;
  1226. }
  1227. if (!RENEG_OPTIONS_OK(s->options)
  1228. || (!s->s3.send_connection_binding
  1229. && (s->options
  1230. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1231. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1232. return MSG_PROCESS_FINISHED_READING;
  1233. }
  1234. s->renegotiate = 1;
  1235. s->new_session = 1;
  1236. }
  1237. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1238. if (clienthello == NULL) {
  1239. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1240. goto err;
  1241. }
  1242. /*
  1243. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1244. */
  1245. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1246. PACKET_null_init(&cookie);
  1247. if (clienthello->isv2) {
  1248. unsigned int mt;
  1249. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1250. || s->hello_retry_request != SSL_HRR_NONE) {
  1251. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1252. goto err;
  1253. }
  1254. /*-
  1255. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1256. * header is sent directly on the wire, not wrapped as a TLS
  1257. * record. Our record layer just processes the message length and passes
  1258. * the rest right through. Its format is:
  1259. * Byte Content
  1260. * 0-1 msg_length - decoded by the record layer
  1261. * 2 msg_type - s->init_msg points here
  1262. * 3-4 version
  1263. * 5-6 cipher_spec_length
  1264. * 7-8 session_id_length
  1265. * 9-10 challenge_length
  1266. * ... ...
  1267. */
  1268. if (!PACKET_get_1(pkt, &mt)
  1269. || mt != SSL2_MT_CLIENT_HELLO) {
  1270. /*
  1271. * Should never happen. We should have tested this in the record
  1272. * layer in order to have determined that this is a SSLv2 record
  1273. * in the first place
  1274. */
  1275. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1276. goto err;
  1277. }
  1278. }
  1279. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1280. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1281. goto err;
  1282. }
  1283. /* Parse the message and load client random. */
  1284. if (clienthello->isv2) {
  1285. /*
  1286. * Handle an SSLv2 backwards compatible ClientHello
  1287. * Note, this is only for SSLv3+ using the backward compatible format.
  1288. * Real SSLv2 is not supported, and is rejected below.
  1289. */
  1290. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1291. PACKET challenge;
  1292. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1293. || !PACKET_get_net_2(pkt, &session_id_len)
  1294. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1295. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1296. goto err;
  1297. }
  1298. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1299. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH);
  1300. goto err;
  1301. }
  1302. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1303. ciphersuite_len)
  1304. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1305. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1306. /* No extensions. */
  1307. || PACKET_remaining(pkt) != 0) {
  1308. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1309. goto err;
  1310. }
  1311. clienthello->session_id_len = session_id_len;
  1312. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1313. * here rather than sizeof(clienthello->random) because that is the limit
  1314. * for SSLv3 and it is fixed. It won't change even if
  1315. * sizeof(clienthello->random) does.
  1316. */
  1317. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1318. ? SSL3_RANDOM_SIZE : challenge_len;
  1319. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1320. if (!PACKET_copy_bytes(&challenge,
  1321. clienthello->random + SSL3_RANDOM_SIZE -
  1322. challenge_len, challenge_len)
  1323. /* Advertise only null compression. */
  1324. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1325. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1326. goto err;
  1327. }
  1328. PACKET_null_init(&clienthello->extensions);
  1329. } else {
  1330. /* Regular ClientHello. */
  1331. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1332. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1333. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1334. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1335. &clienthello->session_id_len)) {
  1336. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1337. goto err;
  1338. }
  1339. if (SSL_CONNECTION_IS_DTLS(s)) {
  1340. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1341. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1342. goto err;
  1343. }
  1344. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1345. DTLS1_COOKIE_LENGTH,
  1346. &clienthello->dtls_cookie_len)) {
  1347. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1348. goto err;
  1349. }
  1350. /*
  1351. * If we require cookies and this ClientHello doesn't contain one,
  1352. * just return since we do not want to allocate any memory yet.
  1353. * So check cookie length...
  1354. */
  1355. if (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE) {
  1356. if (clienthello->dtls_cookie_len == 0) {
  1357. OPENSSL_free(clienthello);
  1358. return MSG_PROCESS_FINISHED_READING;
  1359. }
  1360. }
  1361. }
  1362. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1363. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1364. goto err;
  1365. }
  1366. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1367. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1368. goto err;
  1369. }
  1370. /* Could be empty. */
  1371. if (PACKET_remaining(pkt) == 0) {
  1372. PACKET_null_init(&clienthello->extensions);
  1373. } else {
  1374. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1375. || PACKET_remaining(pkt) != 0) {
  1376. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1377. goto err;
  1378. }
  1379. }
  1380. }
  1381. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1382. MAX_COMPRESSIONS_SIZE,
  1383. &clienthello->compressions_len)) {
  1384. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1385. goto err;
  1386. }
  1387. /* Preserve the raw extensions PACKET for later use */
  1388. extensions = clienthello->extensions;
  1389. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1390. &clienthello->pre_proc_exts,
  1391. &clienthello->pre_proc_exts_len, 1)) {
  1392. /* SSLfatal already been called */
  1393. goto err;
  1394. }
  1395. s->clienthello = clienthello;
  1396. return MSG_PROCESS_CONTINUE_PROCESSING;
  1397. err:
  1398. if (clienthello != NULL)
  1399. OPENSSL_free(clienthello->pre_proc_exts);
  1400. OPENSSL_free(clienthello);
  1401. return MSG_PROCESS_ERROR;
  1402. }
  1403. static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
  1404. {
  1405. unsigned int j;
  1406. int i, al = SSL_AD_INTERNAL_ERROR;
  1407. int protverr;
  1408. size_t loop;
  1409. unsigned long id;
  1410. #ifndef OPENSSL_NO_COMP
  1411. SSL_COMP *comp = NULL;
  1412. #endif
  1413. const SSL_CIPHER *c;
  1414. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1415. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1416. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1417. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1418. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1419. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1420. /* Finished parsing the ClientHello, now we can start processing it */
  1421. /* Give the ClientHello callback a crack at things */
  1422. if (sctx->client_hello_cb != NULL) {
  1423. /* A failure in the ClientHello callback terminates the connection. */
  1424. switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) {
  1425. case SSL_CLIENT_HELLO_SUCCESS:
  1426. break;
  1427. case SSL_CLIENT_HELLO_RETRY:
  1428. s->rwstate = SSL_CLIENT_HELLO_CB;
  1429. return -1;
  1430. case SSL_CLIENT_HELLO_ERROR:
  1431. default:
  1432. SSLfatal(s, al, SSL_R_CALLBACK_FAILED);
  1433. goto err;
  1434. }
  1435. }
  1436. /* Set up the client_random */
  1437. memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1438. /* Choose the version */
  1439. if (clienthello->isv2) {
  1440. if (clienthello->legacy_version == SSL2_VERSION
  1441. || (clienthello->legacy_version & 0xff00)
  1442. != (SSL3_VERSION_MAJOR << 8)) {
  1443. /*
  1444. * This is real SSLv2 or something completely unknown. We don't
  1445. * support it.
  1446. */
  1447. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL);
  1448. goto err;
  1449. }
  1450. /* SSLv3/TLS */
  1451. s->client_version = clienthello->legacy_version;
  1452. }
  1453. /*
  1454. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1455. * versions are potentially compatible. Version negotiation comes later.
  1456. */
  1457. if (!SSL_CONNECTION_IS_DTLS(s)) {
  1458. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1459. } else if (ssl->method->version != DTLS_ANY_VERSION &&
  1460. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1461. protverr = SSL_R_VERSION_TOO_LOW;
  1462. } else {
  1463. protverr = 0;
  1464. }
  1465. if (protverr) {
  1466. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1467. /* like ssl3_get_record, send alert using remote version number */
  1468. s->version = s->client_version = clienthello->legacy_version;
  1469. }
  1470. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
  1471. goto err;
  1472. }
  1473. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1474. if (SSL_CONNECTION_IS_TLS13(s)
  1475. && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1476. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  1477. goto err;
  1478. }
  1479. if (SSL_CONNECTION_IS_DTLS(s)) {
  1480. /* Empty cookie was already handled above by returning early. */
  1481. if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) {
  1482. if (sctx->app_verify_cookie_cb != NULL) {
  1483. if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie,
  1484. clienthello->dtls_cookie_len) == 0) {
  1485. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1486. SSL_R_COOKIE_MISMATCH);
  1487. goto err;
  1488. /* else cookie verification succeeded */
  1489. }
  1490. /* default verification */
  1491. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1492. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1493. s->d1->cookie_len) != 0) {
  1494. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH);
  1495. goto err;
  1496. }
  1497. s->d1->cookie_verified = 1;
  1498. }
  1499. if (ssl->method->version == DTLS_ANY_VERSION) {
  1500. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1501. if (protverr != 0) {
  1502. s->version = s->client_version;
  1503. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
  1504. goto err;
  1505. }
  1506. }
  1507. }
  1508. s->hit = 0;
  1509. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1510. clienthello->isv2) ||
  1511. !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers,
  1512. &scsvs, clienthello->isv2, 1)) {
  1513. /* SSLfatal() already called */
  1514. goto err;
  1515. }
  1516. s->s3.send_connection_binding = 0;
  1517. /* Check what signalling cipher-suite values were received. */
  1518. if (scsvs != NULL) {
  1519. for (i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1520. c = sk_SSL_CIPHER_value(scsvs, i);
  1521. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1522. if (s->renegotiate) {
  1523. /* SCSV is fatal if renegotiating */
  1524. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1525. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1526. goto err;
  1527. }
  1528. s->s3.send_connection_binding = 1;
  1529. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1530. !ssl_check_version_downgrade(s)) {
  1531. /*
  1532. * This SCSV indicates that the client previously tried
  1533. * a higher version. We should fail if the current version
  1534. * is an unexpected downgrade, as that indicates that the first
  1535. * connection may have been tampered with in order to trigger
  1536. * an insecure downgrade.
  1537. */
  1538. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1539. SSL_R_INAPPROPRIATE_FALLBACK);
  1540. goto err;
  1541. }
  1542. }
  1543. }
  1544. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1545. if (SSL_CONNECTION_IS_TLS13(s)) {
  1546. const SSL_CIPHER *cipher =
  1547. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl));
  1548. if (cipher == NULL) {
  1549. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1550. goto err;
  1551. }
  1552. if (s->hello_retry_request == SSL_HRR_PENDING
  1553. && (s->s3.tmp.new_cipher == NULL
  1554. || s->s3.tmp.new_cipher->id != cipher->id)) {
  1555. /*
  1556. * A previous HRR picked a different ciphersuite to the one we
  1557. * just selected. Something must have changed.
  1558. */
  1559. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
  1560. goto err;
  1561. }
  1562. s->s3.tmp.new_cipher = cipher;
  1563. }
  1564. /* We need to do this before getting the session */
  1565. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1566. SSL_EXT_CLIENT_HELLO,
  1567. clienthello->pre_proc_exts, NULL, 0)) {
  1568. /* SSLfatal() already called */
  1569. goto err;
  1570. }
  1571. /*
  1572. * We don't allow resumption in a backwards compatible ClientHello.
  1573. * In TLS1.1+, session_id MUST be empty.
  1574. *
  1575. * Versions before 0.9.7 always allow clients to resume sessions in
  1576. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1577. * ignore resumption requests with flag
  1578. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1579. * than a change to default behavior so that applications relying on
  1580. * this for security won't even compile against older library versions).
  1581. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1582. * request renegotiation but not a new session (s->new_session remains
  1583. * unset): for servers, this essentially just means that the
  1584. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1585. * ignored.
  1586. */
  1587. if (clienthello->isv2 ||
  1588. (s->new_session &&
  1589. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1590. if (!ssl_get_new_session(s, 1)) {
  1591. /* SSLfatal() already called */
  1592. goto err;
  1593. }
  1594. } else {
  1595. i = ssl_get_prev_session(s, clienthello);
  1596. if (i == 1) {
  1597. /* previous session */
  1598. s->hit = 1;
  1599. } else if (i == -1) {
  1600. /* SSLfatal() already called */
  1601. goto err;
  1602. } else {
  1603. /* i == 0 */
  1604. if (!ssl_get_new_session(s, 1)) {
  1605. /* SSLfatal() already called */
  1606. goto err;
  1607. }
  1608. }
  1609. }
  1610. if (SSL_CONNECTION_IS_TLS13(s)) {
  1611. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1612. s->clienthello->session_id_len);
  1613. s->tmp_session_id_len = s->clienthello->session_id_len;
  1614. }
  1615. /*
  1616. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1617. * ciphersuite compatibility with the session as part of resumption.
  1618. */
  1619. if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) {
  1620. j = 0;
  1621. id = s->session->cipher->id;
  1622. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  1623. BIO_printf(trc_out, "client sent %d ciphers\n",
  1624. sk_SSL_CIPHER_num(ciphers));
  1625. }
  1626. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1627. c = sk_SSL_CIPHER_value(ciphers, i);
  1628. if (trc_out != NULL)
  1629. BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
  1630. sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1631. if (c->id == id) {
  1632. j = 1;
  1633. break;
  1634. }
  1635. }
  1636. if (j == 0) {
  1637. /*
  1638. * we need to have the cipher in the cipher list if we are asked
  1639. * to reuse it
  1640. */
  1641. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1642. SSL_R_REQUIRED_CIPHER_MISSING);
  1643. OSSL_TRACE_CANCEL(TLS_CIPHER);
  1644. goto err;
  1645. }
  1646. OSSL_TRACE_END(TLS_CIPHER);
  1647. }
  1648. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1649. if (clienthello->compressions[loop] == 0)
  1650. break;
  1651. }
  1652. if (loop >= clienthello->compressions_len) {
  1653. /* no compress */
  1654. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED);
  1655. goto err;
  1656. }
  1657. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1658. ssl_check_for_safari(s, clienthello);
  1659. /* TLS extensions */
  1660. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1661. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1662. /* SSLfatal() already called */
  1663. goto err;
  1664. }
  1665. /*
  1666. * Check if we want to use external pre-shared secret for this handshake
  1667. * for not reused session only. We need to generate server_random before
  1668. * calling tls_session_secret_cb in order to allow SessionTicket
  1669. * processing to use it in key derivation.
  1670. */
  1671. {
  1672. unsigned char *pos;
  1673. pos = s->s3.server_random;
  1674. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1675. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1676. goto err;
  1677. }
  1678. }
  1679. if (!s->hit
  1680. && s->version >= TLS1_VERSION
  1681. && !SSL_CONNECTION_IS_TLS13(s)
  1682. && !SSL_CONNECTION_IS_DTLS(s)
  1683. && s->ext.session_secret_cb != NULL) {
  1684. const SSL_CIPHER *pref_cipher = NULL;
  1685. /*
  1686. * s->session->master_key_length is a size_t, but this is an int for
  1687. * backwards compat reasons
  1688. */
  1689. int master_key_length;
  1690. master_key_length = sizeof(s->session->master_key);
  1691. if (s->ext.session_secret_cb(ssl, s->session->master_key,
  1692. &master_key_length, ciphers,
  1693. &pref_cipher,
  1694. s->ext.session_secret_cb_arg)
  1695. && master_key_length > 0) {
  1696. s->session->master_key_length = master_key_length;
  1697. s->hit = 1;
  1698. s->peer_ciphers = ciphers;
  1699. s->session->verify_result = X509_V_OK;
  1700. ciphers = NULL;
  1701. /* check if some cipher was preferred by call back */
  1702. if (pref_cipher == NULL)
  1703. pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
  1704. SSL_get_ciphers(ssl));
  1705. if (pref_cipher == NULL) {
  1706. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1707. goto err;
  1708. }
  1709. s->session->cipher = pref_cipher;
  1710. sk_SSL_CIPHER_free(s->cipher_list);
  1711. s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1712. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1713. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1714. }
  1715. }
  1716. /*
  1717. * Worst case, we will use the NULL compression, but if we have other
  1718. * options, we will now look for them. We have complen-1 compression
  1719. * algorithms from the client, starting at q.
  1720. */
  1721. s->s3.tmp.new_compression = NULL;
  1722. if (SSL_CONNECTION_IS_TLS13(s)) {
  1723. /*
  1724. * We already checked above that the NULL compression method appears in
  1725. * the list. Now we check there aren't any others (which is illegal in
  1726. * a TLSv1.3 ClientHello.
  1727. */
  1728. if (clienthello->compressions_len != 1) {
  1729. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1730. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1731. goto err;
  1732. }
  1733. }
  1734. #ifndef OPENSSL_NO_COMP
  1735. /* This only happens if we have a cache hit */
  1736. else if (s->session->compress_meth != 0) {
  1737. int m, comp_id = s->session->compress_meth;
  1738. unsigned int k;
  1739. /* Perform sanity checks on resumed compression algorithm */
  1740. /* Can't disable compression */
  1741. if (!ssl_allow_compression(s)) {
  1742. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1743. SSL_R_INCONSISTENT_COMPRESSION);
  1744. goto err;
  1745. }
  1746. /* Look for resumed compression method */
  1747. for (m = 0; m < sk_SSL_COMP_num(sctx->comp_methods); m++) {
  1748. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1749. if (comp_id == comp->id) {
  1750. s->s3.tmp.new_compression = comp;
  1751. break;
  1752. }
  1753. }
  1754. if (s->s3.tmp.new_compression == NULL) {
  1755. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1756. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1757. goto err;
  1758. }
  1759. /* Look for resumed method in compression list */
  1760. for (k = 0; k < clienthello->compressions_len; k++) {
  1761. if (clienthello->compressions[k] == comp_id)
  1762. break;
  1763. }
  1764. if (k >= clienthello->compressions_len) {
  1765. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1766. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1767. goto err;
  1768. }
  1769. } else if (s->hit) {
  1770. comp = NULL;
  1771. } else if (ssl_allow_compression(s) && sctx->comp_methods) {
  1772. /* See if we have a match */
  1773. int m, nn, v, done = 0;
  1774. unsigned int o;
  1775. nn = sk_SSL_COMP_num(sctx->comp_methods);
  1776. for (m = 0; m < nn; m++) {
  1777. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1778. v = comp->id;
  1779. for (o = 0; o < clienthello->compressions_len; o++) {
  1780. if (v == clienthello->compressions[o]) {
  1781. done = 1;
  1782. break;
  1783. }
  1784. }
  1785. if (done)
  1786. break;
  1787. }
  1788. if (done)
  1789. s->s3.tmp.new_compression = comp;
  1790. else
  1791. comp = NULL;
  1792. }
  1793. #else
  1794. /*
  1795. * If compression is disabled we'd better not try to resume a session
  1796. * using compression.
  1797. */
  1798. if (s->session->compress_meth != 0) {
  1799. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
  1800. goto err;
  1801. }
  1802. #endif
  1803. /*
  1804. * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
  1805. */
  1806. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  1807. sk_SSL_CIPHER_free(s->peer_ciphers);
  1808. s->peer_ciphers = ciphers;
  1809. if (ciphers == NULL) {
  1810. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1811. goto err;
  1812. }
  1813. ciphers = NULL;
  1814. }
  1815. if (!s->hit) {
  1816. #ifdef OPENSSL_NO_COMP
  1817. s->session->compress_meth = 0;
  1818. #else
  1819. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1820. #endif
  1821. if (!tls1_set_server_sigalgs(s)) {
  1822. /* SSLfatal() already called */
  1823. goto err;
  1824. }
  1825. }
  1826. sk_SSL_CIPHER_free(ciphers);
  1827. sk_SSL_CIPHER_free(scsvs);
  1828. OPENSSL_free(clienthello->pre_proc_exts);
  1829. OPENSSL_free(s->clienthello);
  1830. s->clienthello = NULL;
  1831. return 1;
  1832. err:
  1833. sk_SSL_CIPHER_free(ciphers);
  1834. sk_SSL_CIPHER_free(scsvs);
  1835. OPENSSL_free(clienthello->pre_proc_exts);
  1836. OPENSSL_free(s->clienthello);
  1837. s->clienthello = NULL;
  1838. return 0;
  1839. }
  1840. /*
  1841. * Call the status request callback if needed. Upon success, returns 1.
  1842. * Upon failure, returns 0.
  1843. */
  1844. static int tls_handle_status_request(SSL_CONNECTION *s)
  1845. {
  1846. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1847. s->ext.status_expected = 0;
  1848. /*
  1849. * If status request then ask callback what to do. Note: this must be
  1850. * called after servername callbacks in case the certificate has changed,
  1851. * and must be called after the cipher has been chosen because this may
  1852. * influence which certificate is sent
  1853. */
  1854. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL
  1855. && sctx->ext.status_cb != NULL) {
  1856. int ret;
  1857. /* If no certificate can't return certificate status */
  1858. if (s->s3.tmp.cert != NULL) {
  1859. /*
  1860. * Set current certificate to one we will use so SSL_get_certificate
  1861. * et al can pick it up.
  1862. */
  1863. s->cert->key = s->s3.tmp.cert;
  1864. ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
  1865. sctx->ext.status_arg);
  1866. switch (ret) {
  1867. /* We don't want to send a status request response */
  1868. case SSL_TLSEXT_ERR_NOACK:
  1869. s->ext.status_expected = 0;
  1870. break;
  1871. /* status request response should be sent */
  1872. case SSL_TLSEXT_ERR_OK:
  1873. if (s->ext.ocsp.resp)
  1874. s->ext.status_expected = 1;
  1875. break;
  1876. /* something bad happened */
  1877. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1878. default:
  1879. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT);
  1880. return 0;
  1881. }
  1882. }
  1883. }
  1884. return 1;
  1885. }
  1886. /*
  1887. * Call the alpn_select callback if needed. Upon success, returns 1.
  1888. * Upon failure, returns 0.
  1889. */
  1890. int tls_handle_alpn(SSL_CONNECTION *s)
  1891. {
  1892. const unsigned char *selected = NULL;
  1893. unsigned char selected_len = 0;
  1894. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1895. if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
  1896. int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s),
  1897. &selected, &selected_len,
  1898. s->s3.alpn_proposed,
  1899. (unsigned int)s->s3.alpn_proposed_len,
  1900. sctx->ext.alpn_select_cb_arg);
  1901. if (r == SSL_TLSEXT_ERR_OK) {
  1902. OPENSSL_free(s->s3.alpn_selected);
  1903. s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
  1904. if (s->s3.alpn_selected == NULL) {
  1905. s->s3.alpn_selected_len = 0;
  1906. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1907. return 0;
  1908. }
  1909. s->s3.alpn_selected_len = selected_len;
  1910. #ifndef OPENSSL_NO_NEXTPROTONEG
  1911. /* ALPN takes precedence over NPN. */
  1912. s->s3.npn_seen = 0;
  1913. #endif
  1914. /* Check ALPN is consistent with session */
  1915. if (s->session->ext.alpn_selected == NULL
  1916. || selected_len != s->session->ext.alpn_selected_len
  1917. || memcmp(selected, s->session->ext.alpn_selected,
  1918. selected_len) != 0) {
  1919. /* Not consistent so can't be used for early_data */
  1920. s->ext.early_data_ok = 0;
  1921. if (!s->hit) {
  1922. /*
  1923. * This is a new session and so alpn_selected should have
  1924. * been initialised to NULL. We should update it with the
  1925. * selected ALPN.
  1926. */
  1927. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1928. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1929. ERR_R_INTERNAL_ERROR);
  1930. return 0;
  1931. }
  1932. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1933. selected_len);
  1934. if (s->session->ext.alpn_selected == NULL) {
  1935. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1936. ERR_R_INTERNAL_ERROR);
  1937. return 0;
  1938. }
  1939. s->session->ext.alpn_selected_len = selected_len;
  1940. }
  1941. }
  1942. return 1;
  1943. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  1944. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL,
  1945. SSL_R_NO_APPLICATION_PROTOCOL);
  1946. return 0;
  1947. }
  1948. /*
  1949. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  1950. * present.
  1951. */
  1952. }
  1953. /* Check ALPN is consistent with session */
  1954. if (s->session->ext.alpn_selected != NULL) {
  1955. /* Not consistent so can't be used for early_data */
  1956. s->ext.early_data_ok = 0;
  1957. }
  1958. return 1;
  1959. }
  1960. WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
  1961. {
  1962. const SSL_CIPHER *cipher;
  1963. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1964. if (wst == WORK_MORE_A) {
  1965. int rv = tls_early_post_process_client_hello(s);
  1966. if (rv == 0) {
  1967. /* SSLfatal() was already called */
  1968. goto err;
  1969. }
  1970. if (rv < 0)
  1971. return WORK_MORE_A;
  1972. wst = WORK_MORE_B;
  1973. }
  1974. if (wst == WORK_MORE_B) {
  1975. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  1976. /* Let cert callback update server certificates if required */
  1977. if (!s->hit && s->cert->cert_cb != NULL) {
  1978. int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
  1979. if (rv == 0) {
  1980. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR);
  1981. goto err;
  1982. }
  1983. if (rv < 0) {
  1984. s->rwstate = SSL_X509_LOOKUP;
  1985. return WORK_MORE_B;
  1986. }
  1987. s->rwstate = SSL_NOTHING;
  1988. }
  1989. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1990. if (!SSL_CONNECTION_IS_TLS13(s)) {
  1991. cipher =
  1992. ssl3_choose_cipher(s, s->peer_ciphers,
  1993. SSL_get_ciphers(ssl));
  1994. if (cipher == NULL) {
  1995. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1996. SSL_R_NO_SHARED_CIPHER);
  1997. goto err;
  1998. }
  1999. s->s3.tmp.new_cipher = cipher;
  2000. }
  2001. if (!s->hit) {
  2002. if (!tls_choose_sigalg(s, 1)) {
  2003. /* SSLfatal already called */
  2004. goto err;
  2005. }
  2006. /* check whether we should disable session resumption */
  2007. if (s->not_resumable_session_cb != NULL)
  2008. s->session->not_resumable =
  2009. s->not_resumable_session_cb(ssl,
  2010. ((s->s3.tmp.new_cipher->algorithm_mkey
  2011. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2012. if (s->session->not_resumable)
  2013. /* do not send a session ticket */
  2014. s->ext.ticket_expected = 0;
  2015. }
  2016. } else {
  2017. /* Session-id reuse */
  2018. s->s3.tmp.new_cipher = s->session->cipher;
  2019. }
  2020. /*-
  2021. * we now have the following setup.
  2022. * client_random
  2023. * cipher_list - our preferred list of ciphers
  2024. * ciphers - the clients preferred list of ciphers
  2025. * compression - basically ignored right now
  2026. * ssl version is set - sslv3
  2027. * s->session - The ssl session has been setup.
  2028. * s->hit - session reuse flag
  2029. * s->s3.tmp.new_cipher - the new cipher to use.
  2030. */
  2031. /*
  2032. * Call status_request callback if needed. Has to be done after the
  2033. * certificate callbacks etc above.
  2034. */
  2035. if (!tls_handle_status_request(s)) {
  2036. /* SSLfatal() already called */
  2037. goto err;
  2038. }
  2039. /*
  2040. * Call alpn_select callback if needed. Has to be done after SNI and
  2041. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2042. * we already did this because cipher negotiation happens earlier, and
  2043. * we must handle ALPN before we decide whether to accept early_data.
  2044. */
  2045. if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2046. /* SSLfatal() already called */
  2047. goto err;
  2048. }
  2049. wst = WORK_MORE_C;
  2050. }
  2051. #ifndef OPENSSL_NO_SRP
  2052. if (wst == WORK_MORE_C) {
  2053. int ret;
  2054. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2055. /*
  2056. * callback indicates further work to be done
  2057. */
  2058. s->rwstate = SSL_X509_LOOKUP;
  2059. return WORK_MORE_C;
  2060. }
  2061. if (ret < 0) {
  2062. /* SSLfatal() already called */
  2063. goto err;
  2064. }
  2065. }
  2066. #endif
  2067. return WORK_FINISHED_STOP;
  2068. err:
  2069. return WORK_ERROR;
  2070. }
  2071. int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
  2072. {
  2073. int compm;
  2074. size_t sl, len;
  2075. int version;
  2076. unsigned char *session_id;
  2077. int usetls13 = SSL_CONNECTION_IS_TLS13(s)
  2078. || s->hello_retry_request == SSL_HRR_PENDING;
  2079. version = usetls13 ? TLS1_2_VERSION : s->version;
  2080. if (!WPACKET_put_bytes_u16(pkt, version)
  2081. /*
  2082. * Random stuff. Filling of the server_random takes place in
  2083. * tls_process_client_hello()
  2084. */
  2085. || !WPACKET_memcpy(pkt,
  2086. s->hello_retry_request == SSL_HRR_PENDING
  2087. ? hrrrandom : s->s3.server_random,
  2088. SSL3_RANDOM_SIZE)) {
  2089. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2090. return 0;
  2091. }
  2092. /*-
  2093. * There are several cases for the session ID to send
  2094. * back in the server hello:
  2095. * - For session reuse from the session cache,
  2096. * we send back the old session ID.
  2097. * - If stateless session reuse (using a session ticket)
  2098. * is successful, we send back the client's "session ID"
  2099. * (which doesn't actually identify the session).
  2100. * - If it is a new session, we send back the new
  2101. * session ID.
  2102. * - However, if we want the new session to be single-use,
  2103. * we send back a 0-length session ID.
  2104. * - In TLSv1.3 we echo back the session id sent to us by the client
  2105. * regardless
  2106. * s->hit is non-zero in either case of session reuse,
  2107. * so the following won't overwrite an ID that we're supposed
  2108. * to send back.
  2109. */
  2110. if (s->session->not_resumable ||
  2111. (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2112. && !s->hit))
  2113. s->session->session_id_length = 0;
  2114. if (usetls13) {
  2115. sl = s->tmp_session_id_len;
  2116. session_id = s->tmp_session_id;
  2117. } else {
  2118. sl = s->session->session_id_length;
  2119. session_id = s->session->session_id;
  2120. }
  2121. if (sl > sizeof(s->session->session_id)) {
  2122. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2123. return 0;
  2124. }
  2125. /* set up the compression method */
  2126. #ifdef OPENSSL_NO_COMP
  2127. compm = 0;
  2128. #else
  2129. if (usetls13 || s->s3.tmp.new_compression == NULL)
  2130. compm = 0;
  2131. else
  2132. compm = s->s3.tmp.new_compression->id;
  2133. #endif
  2134. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2135. || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher,
  2136. pkt, &len)
  2137. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2138. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2139. return 0;
  2140. }
  2141. if (!tls_construct_extensions(s, pkt,
  2142. s->hello_retry_request == SSL_HRR_PENDING
  2143. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2144. : (SSL_CONNECTION_IS_TLS13(s)
  2145. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2146. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2147. NULL, 0)) {
  2148. /* SSLfatal() already called */
  2149. return 0;
  2150. }
  2151. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2152. /* Ditch the session. We'll create a new one next time around */
  2153. SSL_SESSION_free(s->session);
  2154. s->session = NULL;
  2155. s->hit = 0;
  2156. /*
  2157. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2158. * a synthetic message_hash in place of ClientHello1.
  2159. */
  2160. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2161. /* SSLfatal() already called */
  2162. return 0;
  2163. }
  2164. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2165. && !ssl3_digest_cached_records(s, 0)) {
  2166. /* SSLfatal() already called */;
  2167. return 0;
  2168. }
  2169. return 1;
  2170. }
  2171. int tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt)
  2172. {
  2173. if (!s->s3.tmp.cert_request) {
  2174. if (!ssl3_digest_cached_records(s, 0)) {
  2175. /* SSLfatal() already called */
  2176. return 0;
  2177. }
  2178. }
  2179. return 1;
  2180. }
  2181. int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt)
  2182. {
  2183. EVP_PKEY *pkdh = NULL;
  2184. unsigned char *encodedPoint = NULL;
  2185. size_t encodedlen = 0;
  2186. int curve_id = 0;
  2187. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  2188. int i;
  2189. unsigned long type;
  2190. BIGNUM *r[4];
  2191. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2192. EVP_PKEY_CTX *pctx = NULL;
  2193. size_t paramlen, paramoffset;
  2194. int freer = 0, ret = 0;
  2195. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2196. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2197. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2198. goto err;
  2199. }
  2200. if (md_ctx == NULL) {
  2201. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2202. goto err;
  2203. }
  2204. type = s->s3.tmp.new_cipher->algorithm_mkey;
  2205. r[0] = r[1] = r[2] = r[3] = NULL;
  2206. #ifndef OPENSSL_NO_PSK
  2207. /* Plain PSK or RSAPSK nothing to do */
  2208. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2209. } else
  2210. #endif /* !OPENSSL_NO_PSK */
  2211. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2212. CERT *cert = s->cert;
  2213. EVP_PKEY *pkdhp = NULL;
  2214. if (s->cert->dh_tmp_auto) {
  2215. pkdh = ssl_get_auto_dh(s);
  2216. if (pkdh == NULL) {
  2217. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2218. goto err;
  2219. }
  2220. pkdhp = pkdh;
  2221. } else {
  2222. pkdhp = cert->dh_tmp;
  2223. }
  2224. #if !defined(OPENSSL_NO_DEPRECATED_3_0)
  2225. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2226. pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_SSL(s),
  2227. 0, 1024));
  2228. if (pkdh == NULL) {
  2229. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2230. goto err;
  2231. }
  2232. pkdhp = pkdh;
  2233. }
  2234. #endif
  2235. if (pkdhp == NULL) {
  2236. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2237. goto err;
  2238. }
  2239. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2240. EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) {
  2241. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
  2242. goto err;
  2243. }
  2244. if (s->s3.tmp.pkey != NULL) {
  2245. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2246. goto err;
  2247. }
  2248. s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
  2249. if (s->s3.tmp.pkey == NULL) {
  2250. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2251. goto err;
  2252. }
  2253. EVP_PKEY_free(pkdh);
  2254. pkdh = NULL;
  2255. /* These BIGNUMs need to be freed when we're finished */
  2256. freer = 1;
  2257. if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P,
  2258. &r[0])
  2259. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G,
  2260. &r[1])
  2261. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey,
  2262. OSSL_PKEY_PARAM_PUB_KEY, &r[2])) {
  2263. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2264. goto err;
  2265. }
  2266. } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2267. if (s->s3.tmp.pkey != NULL) {
  2268. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2269. goto err;
  2270. }
  2271. /* Get NID of appropriate shared curve */
  2272. curve_id = tls1_shared_group(s, -2);
  2273. if (curve_id == 0) {
  2274. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2275. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2276. goto err;
  2277. }
  2278. /* Cache the group used in the SSL_SESSION */
  2279. s->session->kex_group = curve_id;
  2280. /* Generate a new key for this curve */
  2281. s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2282. if (s->s3.tmp.pkey == NULL) {
  2283. /* SSLfatal() already called */
  2284. goto err;
  2285. }
  2286. /* Encode the public key. */
  2287. encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey,
  2288. &encodedPoint);
  2289. if (encodedlen == 0) {
  2290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2291. goto err;
  2292. }
  2293. /*
  2294. * We'll generate the serverKeyExchange message explicitly so we
  2295. * can set these to NULLs
  2296. */
  2297. r[0] = NULL;
  2298. r[1] = NULL;
  2299. r[2] = NULL;
  2300. r[3] = NULL;
  2301. } else
  2302. #ifndef OPENSSL_NO_SRP
  2303. if (type & SSL_kSRP) {
  2304. if ((s->srp_ctx.N == NULL) ||
  2305. (s->srp_ctx.g == NULL) ||
  2306. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2307. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM);
  2308. goto err;
  2309. }
  2310. r[0] = s->srp_ctx.N;
  2311. r[1] = s->srp_ctx.g;
  2312. r[2] = s->srp_ctx.s;
  2313. r[3] = s->srp_ctx.B;
  2314. } else
  2315. #endif
  2316. {
  2317. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2318. goto err;
  2319. }
  2320. if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2321. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2322. lu = NULL;
  2323. } else if (lu == NULL) {
  2324. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  2325. goto err;
  2326. }
  2327. #ifndef OPENSSL_NO_PSK
  2328. if (type & SSL_PSK) {
  2329. size_t len = (s->cert->psk_identity_hint == NULL)
  2330. ? 0 : strlen(s->cert->psk_identity_hint);
  2331. /*
  2332. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2333. * checked this when we set the identity hint - but just in case
  2334. */
  2335. if (len > PSK_MAX_IDENTITY_LEN
  2336. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2337. len)) {
  2338. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2339. goto err;
  2340. }
  2341. }
  2342. #endif
  2343. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2344. unsigned char *binval;
  2345. int res;
  2346. #ifndef OPENSSL_NO_SRP
  2347. if ((i == 2) && (type & SSL_kSRP)) {
  2348. res = WPACKET_start_sub_packet_u8(pkt);
  2349. } else
  2350. #endif
  2351. res = WPACKET_start_sub_packet_u16(pkt);
  2352. if (!res) {
  2353. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2354. goto err;
  2355. }
  2356. /*-
  2357. * for interoperability with some versions of the Microsoft TLS
  2358. * stack, we need to zero pad the DHE pub key to the same length
  2359. * as the prime
  2360. */
  2361. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2362. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2363. if (len > 0) {
  2364. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2365. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2366. goto err;
  2367. }
  2368. memset(binval, 0, len);
  2369. }
  2370. }
  2371. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2372. || !WPACKET_close(pkt)) {
  2373. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2374. goto err;
  2375. }
  2376. BN_bn2bin(r[i], binval);
  2377. }
  2378. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2379. /*
  2380. * We only support named (not generic) curves. In this situation, the
  2381. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2382. * [1 byte length of encoded point], followed by the actual encoded
  2383. * point itself
  2384. */
  2385. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2386. || !WPACKET_put_bytes_u8(pkt, 0)
  2387. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2388. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2389. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2390. goto err;
  2391. }
  2392. OPENSSL_free(encodedPoint);
  2393. encodedPoint = NULL;
  2394. }
  2395. /* not anonymous */
  2396. if (lu != NULL) {
  2397. EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
  2398. const EVP_MD *md;
  2399. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2400. size_t siglen = 0, tbslen;
  2401. if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
  2402. /* Should never happen */
  2403. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2404. goto err;
  2405. }
  2406. /* Get length of the parameters we have written above */
  2407. if (!WPACKET_get_length(pkt, &paramlen)) {
  2408. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2409. goto err;
  2410. }
  2411. /* send signature algorithm */
  2412. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2413. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2414. goto err;
  2415. }
  2416. if (EVP_DigestSignInit_ex(md_ctx, &pctx,
  2417. md == NULL ? NULL : EVP_MD_get0_name(md),
  2418. sctx->libctx, sctx->propq, pkey,
  2419. NULL) <= 0) {
  2420. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2421. goto err;
  2422. }
  2423. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2424. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2425. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2426. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2427. goto err;
  2428. }
  2429. }
  2430. tbslen = construct_key_exchange_tbs(s, &tbs,
  2431. s->init_buf->data + paramoffset,
  2432. paramlen);
  2433. if (tbslen == 0) {
  2434. /* SSLfatal() already called */
  2435. goto err;
  2436. }
  2437. if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <=0
  2438. || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2439. || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0
  2440. || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2441. || sigbytes1 != sigbytes2) {
  2442. OPENSSL_free(tbs);
  2443. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2444. goto err;
  2445. }
  2446. OPENSSL_free(tbs);
  2447. }
  2448. ret = 1;
  2449. err:
  2450. EVP_PKEY_free(pkdh);
  2451. OPENSSL_free(encodedPoint);
  2452. EVP_MD_CTX_free(md_ctx);
  2453. if (freer) {
  2454. BN_free(r[0]);
  2455. BN_free(r[1]);
  2456. BN_free(r[2]);
  2457. BN_free(r[3]);
  2458. }
  2459. return ret;
  2460. }
  2461. int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt)
  2462. {
  2463. if (SSL_CONNECTION_IS_TLS13(s)) {
  2464. /* Send random context when doing post-handshake auth */
  2465. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2466. OPENSSL_free(s->pha_context);
  2467. s->pha_context_len = 32;
  2468. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
  2469. s->pha_context_len = 0;
  2470. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2471. return 0;
  2472. }
  2473. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  2474. s->pha_context, s->pha_context_len, 0) <= 0
  2475. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
  2476. s->pha_context_len)) {
  2477. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2478. return 0;
  2479. }
  2480. /* reset the handshake hash back to just after the ClientFinished */
  2481. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2482. /* SSLfatal() already called */
  2483. return 0;
  2484. }
  2485. } else {
  2486. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2487. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2488. return 0;
  2489. }
  2490. }
  2491. if (!tls_construct_extensions(s, pkt,
  2492. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2493. 0)) {
  2494. /* SSLfatal() already called */
  2495. return 0;
  2496. }
  2497. goto done;
  2498. }
  2499. /* get the list of acceptable cert types */
  2500. if (!WPACKET_start_sub_packet_u8(pkt)
  2501. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2502. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2503. return 0;
  2504. }
  2505. if (SSL_USE_SIGALGS(s)) {
  2506. const uint16_t *psigs;
  2507. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2508. if (!WPACKET_start_sub_packet_u16(pkt)
  2509. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2510. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2511. || !WPACKET_close(pkt)) {
  2512. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2513. return 0;
  2514. }
  2515. }
  2516. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2517. /* SSLfatal() already called */
  2518. return 0;
  2519. }
  2520. done:
  2521. s->certreqs_sent++;
  2522. s->s3.tmp.cert_request = 1;
  2523. return 1;
  2524. }
  2525. static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
  2526. {
  2527. #ifndef OPENSSL_NO_PSK
  2528. unsigned char psk[PSK_MAX_PSK_LEN];
  2529. size_t psklen;
  2530. PACKET psk_identity;
  2531. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2532. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2533. return 0;
  2534. }
  2535. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2536. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG);
  2537. return 0;
  2538. }
  2539. if (s->psk_server_callback == NULL) {
  2540. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB);
  2541. return 0;
  2542. }
  2543. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2544. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2545. return 0;
  2546. }
  2547. psklen = s->psk_server_callback(SSL_CONNECTION_GET_SSL(s),
  2548. s->session->psk_identity,
  2549. psk, sizeof(psk));
  2550. if (psklen > PSK_MAX_PSK_LEN) {
  2551. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2552. return 0;
  2553. } else if (psklen == 0) {
  2554. /*
  2555. * PSK related to the given identity not found
  2556. */
  2557. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND);
  2558. return 0;
  2559. }
  2560. OPENSSL_free(s->s3.tmp.psk);
  2561. s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
  2562. OPENSSL_cleanse(psk, psklen);
  2563. if (s->s3.tmp.psk == NULL) {
  2564. s->s3.tmp.psklen = 0;
  2565. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2566. return 0;
  2567. }
  2568. s->s3.tmp.psklen = psklen;
  2569. return 1;
  2570. #else
  2571. /* Should never happen */
  2572. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2573. return 0;
  2574. #endif
  2575. }
  2576. static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt)
  2577. {
  2578. size_t outlen;
  2579. PACKET enc_premaster;
  2580. EVP_PKEY *rsa = NULL;
  2581. unsigned char *rsa_decrypt = NULL;
  2582. int ret = 0;
  2583. EVP_PKEY_CTX *ctx = NULL;
  2584. OSSL_PARAM params[3], *p = params;
  2585. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2586. rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
  2587. if (rsa == NULL) {
  2588. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE);
  2589. return 0;
  2590. }
  2591. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2592. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2593. enc_premaster = *pkt;
  2594. } else {
  2595. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2596. || PACKET_remaining(pkt) != 0) {
  2597. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2598. return 0;
  2599. }
  2600. }
  2601. outlen = SSL_MAX_MASTER_KEY_LENGTH;
  2602. rsa_decrypt = OPENSSL_malloc(outlen);
  2603. if (rsa_decrypt == NULL) {
  2604. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2605. return 0;
  2606. }
  2607. ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, rsa, sctx->propq);
  2608. if (ctx == NULL) {
  2609. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2610. goto err;
  2611. }
  2612. /*
  2613. * We must not leak whether a decryption failure occurs because of
  2614. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2615. * section 7.4.7.1). We use the special padding type
  2616. * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the
  2617. * RSA, check the padding and check that the client version is as expected
  2618. * in the premaster secret. If any of that fails then the function appears
  2619. * to return successfully but with a random result. The call below could
  2620. * still fail if the input is publicly invalid.
  2621. * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2622. */
  2623. if (EVP_PKEY_decrypt_init(ctx) <= 0
  2624. || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) {
  2625. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2626. goto err;
  2627. }
  2628. *p++ = OSSL_PARAM_construct_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION,
  2629. (unsigned int *)&s->client_version);
  2630. if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0)
  2631. *p++ = OSSL_PARAM_construct_uint(
  2632. OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION,
  2633. (unsigned int *)&s->version);
  2634. *p++ = OSSL_PARAM_construct_end();
  2635. if (!EVP_PKEY_CTX_set_params(ctx, params)
  2636. || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen,
  2637. PACKET_data(&enc_premaster),
  2638. PACKET_remaining(&enc_premaster)) <= 0) {
  2639. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2640. goto err;
  2641. }
  2642. /*
  2643. * This test should never fail (otherwise we should have failed above) but
  2644. * we double check anyway.
  2645. */
  2646. if (outlen != SSL_MAX_MASTER_KEY_LENGTH) {
  2647. OPENSSL_cleanse(rsa_decrypt, SSL_MAX_MASTER_KEY_LENGTH);
  2648. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2649. goto err;
  2650. }
  2651. /* Also cleanses rsa_decrypt (on success or failure) */
  2652. if (!ssl_generate_master_secret(s, rsa_decrypt,
  2653. SSL_MAX_MASTER_KEY_LENGTH, 0)) {
  2654. /* SSLfatal() already called */
  2655. goto err;
  2656. }
  2657. ret = 1;
  2658. err:
  2659. OPENSSL_free(rsa_decrypt);
  2660. EVP_PKEY_CTX_free(ctx);
  2661. return ret;
  2662. }
  2663. static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt)
  2664. {
  2665. EVP_PKEY *skey = NULL;
  2666. unsigned int i;
  2667. const unsigned char *data;
  2668. EVP_PKEY *ckey = NULL;
  2669. int ret = 0;
  2670. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2671. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2672. goto err;
  2673. }
  2674. skey = s->s3.tmp.pkey;
  2675. if (skey == NULL) {
  2676. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2677. goto err;
  2678. }
  2679. if (PACKET_remaining(pkt) == 0L) {
  2680. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2681. goto err;
  2682. }
  2683. if (!PACKET_get_bytes(pkt, &data, i)) {
  2684. /* We already checked we have enough data */
  2685. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2686. goto err;
  2687. }
  2688. ckey = EVP_PKEY_new();
  2689. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2690. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2691. goto err;
  2692. }
  2693. if (!EVP_PKEY_set1_encoded_public_key(ckey, data, i)) {
  2694. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2695. goto err;
  2696. }
  2697. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2698. /* SSLfatal() already called */
  2699. goto err;
  2700. }
  2701. ret = 1;
  2702. EVP_PKEY_free(s->s3.tmp.pkey);
  2703. s->s3.tmp.pkey = NULL;
  2704. err:
  2705. EVP_PKEY_free(ckey);
  2706. return ret;
  2707. }
  2708. static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt)
  2709. {
  2710. EVP_PKEY *skey = s->s3.tmp.pkey;
  2711. EVP_PKEY *ckey = NULL;
  2712. int ret = 0;
  2713. if (PACKET_remaining(pkt) == 0L) {
  2714. /* We don't support ECDH client auth */
  2715. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY);
  2716. goto err;
  2717. } else {
  2718. unsigned int i;
  2719. const unsigned char *data;
  2720. /*
  2721. * Get client's public key from encoded point in the
  2722. * ClientKeyExchange message.
  2723. */
  2724. /* Get encoded point length */
  2725. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2726. || PACKET_remaining(pkt) != 0) {
  2727. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2728. goto err;
  2729. }
  2730. if (skey == NULL) {
  2731. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY);
  2732. goto err;
  2733. }
  2734. ckey = EVP_PKEY_new();
  2735. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2736. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2737. goto err;
  2738. }
  2739. if (EVP_PKEY_set1_encoded_public_key(ckey, data, i) <= 0) {
  2740. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2741. goto err;
  2742. }
  2743. }
  2744. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2745. /* SSLfatal() already called */
  2746. goto err;
  2747. }
  2748. ret = 1;
  2749. EVP_PKEY_free(s->s3.tmp.pkey);
  2750. s->s3.tmp.pkey = NULL;
  2751. err:
  2752. EVP_PKEY_free(ckey);
  2753. return ret;
  2754. }
  2755. static int tls_process_cke_srp(SSL_CONNECTION *s, PACKET *pkt)
  2756. {
  2757. #ifndef OPENSSL_NO_SRP
  2758. unsigned int i;
  2759. const unsigned char *data;
  2760. if (!PACKET_get_net_2(pkt, &i)
  2761. || !PACKET_get_bytes(pkt, &data, i)) {
  2762. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH);
  2763. return 0;
  2764. }
  2765. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2766. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  2767. return 0;
  2768. }
  2769. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2770. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS);
  2771. return 0;
  2772. }
  2773. OPENSSL_free(s->session->srp_username);
  2774. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2775. if (s->session->srp_username == NULL) {
  2776. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2777. return 0;
  2778. }
  2779. if (!srp_generate_server_master_secret(s)) {
  2780. /* SSLfatal() already called */
  2781. return 0;
  2782. }
  2783. return 1;
  2784. #else
  2785. /* Should never happen */
  2786. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2787. return 0;
  2788. #endif
  2789. }
  2790. static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt)
  2791. {
  2792. #ifndef OPENSSL_NO_GOST
  2793. EVP_PKEY_CTX *pkey_ctx;
  2794. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2795. unsigned char premaster_secret[32];
  2796. const unsigned char *start;
  2797. size_t outlen = 32, inlen;
  2798. unsigned long alg_a;
  2799. GOST_KX_MESSAGE *pKX = NULL;
  2800. const unsigned char *ptr;
  2801. int ret = 0;
  2802. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2803. /* Get our certificate private key */
  2804. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  2805. if (alg_a & SSL_aGOST12) {
  2806. /*
  2807. * New GOST ciphersuites have SSL_aGOST01 bit too
  2808. */
  2809. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  2810. if (pk == NULL) {
  2811. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2812. }
  2813. if (pk == NULL) {
  2814. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2815. }
  2816. } else if (alg_a & SSL_aGOST01) {
  2817. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2818. }
  2819. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2820. if (pkey_ctx == NULL) {
  2821. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2822. return 0;
  2823. }
  2824. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2825. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2826. return 0;
  2827. }
  2828. /*
  2829. * If client certificate is present and is of the same type, maybe
  2830. * use it for key exchange. Don't mind errors from
  2831. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  2832. * client certificate for authorization only.
  2833. */
  2834. client_pub_pkey = X509_get0_pubkey(s->session->peer);
  2835. if (client_pub_pkey) {
  2836. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  2837. ERR_clear_error();
  2838. }
  2839. ptr = PACKET_data(pkt);
  2840. /* Some implementations provide extra data in the opaqueBlob
  2841. * We have nothing to do with this blob so we just skip it */
  2842. pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
  2843. if (pKX == NULL
  2844. || pKX->kxBlob == NULL
  2845. || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
  2846. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2847. goto err;
  2848. }
  2849. if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
  2850. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2851. goto err;
  2852. }
  2853. if (PACKET_remaining(pkt) != 0) {
  2854. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2855. goto err;
  2856. }
  2857. inlen = pKX->kxBlob->value.sequence->length;
  2858. start = pKX->kxBlob->value.sequence->data;
  2859. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  2860. inlen) <= 0) {
  2861. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2862. goto err;
  2863. }
  2864. /* Generate master secret */
  2865. if (!ssl_generate_master_secret(s, premaster_secret,
  2866. sizeof(premaster_secret), 0)) {
  2867. /* SSLfatal() already called */
  2868. goto err;
  2869. }
  2870. /* Check if pubkey from client certificate was used */
  2871. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  2872. NULL) > 0)
  2873. s->statem.no_cert_verify = 1;
  2874. ret = 1;
  2875. err:
  2876. EVP_PKEY_CTX_free(pkey_ctx);
  2877. GOST_KX_MESSAGE_free(pKX);
  2878. return ret;
  2879. #else
  2880. /* Should never happen */
  2881. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2882. return 0;
  2883. #endif
  2884. }
  2885. static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt)
  2886. {
  2887. #ifndef OPENSSL_NO_GOST
  2888. unsigned char rnd_dgst[32];
  2889. EVP_PKEY_CTX *pkey_ctx = NULL;
  2890. EVP_PKEY *pk = NULL;
  2891. unsigned char premaster_secret[32];
  2892. const unsigned char *start = NULL;
  2893. size_t outlen = 32, inlen = 0;
  2894. int ret = 0;
  2895. int cipher_nid = ossl_gost18_cke_cipher_nid(s);
  2896. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2897. if (cipher_nid == NID_undef) {
  2898. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2899. return 0;
  2900. }
  2901. if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
  2902. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2903. goto err;
  2904. }
  2905. /* Get our certificate private key */
  2906. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ?
  2907. s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey :
  2908. s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2909. if (pk == NULL) {
  2910. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  2911. goto err;
  2912. }
  2913. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2914. if (pkey_ctx == NULL) {
  2915. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2916. goto err;
  2917. }
  2918. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2919. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2920. goto err;
  2921. }
  2922. /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */
  2923. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  2924. EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
  2925. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2926. goto err;
  2927. }
  2928. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  2929. EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
  2930. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2931. goto err;
  2932. }
  2933. inlen = PACKET_remaining(pkt);
  2934. start = PACKET_data(pkt);
  2935. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
  2936. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2937. goto err;
  2938. }
  2939. /* Generate master secret */
  2940. if (!ssl_generate_master_secret(s, premaster_secret,
  2941. sizeof(premaster_secret), 0)) {
  2942. /* SSLfatal() already called */
  2943. goto err;
  2944. }
  2945. ret = 1;
  2946. err:
  2947. EVP_PKEY_CTX_free(pkey_ctx);
  2948. return ret;
  2949. #else
  2950. /* Should never happen */
  2951. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2952. return 0;
  2953. #endif
  2954. }
  2955. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s,
  2956. PACKET *pkt)
  2957. {
  2958. unsigned long alg_k;
  2959. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  2960. /* For PSK parse and retrieve identity, obtain PSK key */
  2961. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  2962. /* SSLfatal() already called */
  2963. goto err;
  2964. }
  2965. if (alg_k & SSL_kPSK) {
  2966. /* Identity extracted earlier: should be nothing left */
  2967. if (PACKET_remaining(pkt) != 0) {
  2968. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2969. goto err;
  2970. }
  2971. /* PSK handled by ssl_generate_master_secret */
  2972. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  2973. /* SSLfatal() already called */
  2974. goto err;
  2975. }
  2976. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  2977. if (!tls_process_cke_rsa(s, pkt)) {
  2978. /* SSLfatal() already called */
  2979. goto err;
  2980. }
  2981. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  2982. if (!tls_process_cke_dhe(s, pkt)) {
  2983. /* SSLfatal() already called */
  2984. goto err;
  2985. }
  2986. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2987. if (!tls_process_cke_ecdhe(s, pkt)) {
  2988. /* SSLfatal() already called */
  2989. goto err;
  2990. }
  2991. } else if (alg_k & SSL_kSRP) {
  2992. if (!tls_process_cke_srp(s, pkt)) {
  2993. /* SSLfatal() already called */
  2994. goto err;
  2995. }
  2996. } else if (alg_k & SSL_kGOST) {
  2997. if (!tls_process_cke_gost(s, pkt)) {
  2998. /* SSLfatal() already called */
  2999. goto err;
  3000. }
  3001. } else if (alg_k & SSL_kGOST18) {
  3002. if (!tls_process_cke_gost18(s, pkt)) {
  3003. /* SSLfatal() already called */
  3004. goto err;
  3005. }
  3006. } else {
  3007. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
  3008. goto err;
  3009. }
  3010. return MSG_PROCESS_CONTINUE_PROCESSING;
  3011. err:
  3012. #ifndef OPENSSL_NO_PSK
  3013. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  3014. s->s3.tmp.psk = NULL;
  3015. s->s3.tmp.psklen = 0;
  3016. #endif
  3017. return MSG_PROCESS_ERROR;
  3018. }
  3019. WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s,
  3020. WORK_STATE wst)
  3021. {
  3022. #ifndef OPENSSL_NO_SCTP
  3023. if (wst == WORK_MORE_A) {
  3024. if (SSL_CONNECTION_IS_DTLS(s)) {
  3025. unsigned char sctpauthkey[64];
  3026. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3027. size_t labellen;
  3028. /*
  3029. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3030. * used.
  3031. */
  3032. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3033. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3034. /* Don't include the terminating zero. */
  3035. labellen = sizeof(labelbuffer) - 1;
  3036. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3037. labellen += 1;
  3038. if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s),
  3039. sctpauthkey,
  3040. sizeof(sctpauthkey), labelbuffer,
  3041. labellen, NULL, 0,
  3042. 0) <= 0) {
  3043. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3044. return WORK_ERROR;
  3045. }
  3046. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3047. sizeof(sctpauthkey), sctpauthkey);
  3048. }
  3049. }
  3050. #endif
  3051. if (s->statem.no_cert_verify || !s->session->peer) {
  3052. /*
  3053. * No certificate verify or no peer certificate so we no longer need
  3054. * the handshake_buffer
  3055. */
  3056. if (!ssl3_digest_cached_records(s, 0)) {
  3057. /* SSLfatal() already called */
  3058. return WORK_ERROR;
  3059. }
  3060. return WORK_FINISHED_CONTINUE;
  3061. } else {
  3062. if (!s->s3.handshake_buffer) {
  3063. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3064. return WORK_ERROR;
  3065. }
  3066. /*
  3067. * For sigalgs freeze the handshake buffer. If we support
  3068. * extms we've done this already so this is a no-op
  3069. */
  3070. if (!ssl3_digest_cached_records(s, 1)) {
  3071. /* SSLfatal() already called */
  3072. return WORK_ERROR;
  3073. }
  3074. }
  3075. return WORK_FINISHED_CONTINUE;
  3076. }
  3077. MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s,
  3078. PACKET *pkt)
  3079. {
  3080. int i;
  3081. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3082. X509 *x = NULL;
  3083. unsigned long l;
  3084. const unsigned char *certstart, *certbytes;
  3085. STACK_OF(X509) *sk = NULL;
  3086. PACKET spkt, context;
  3087. size_t chainidx;
  3088. SSL_SESSION *new_sess = NULL;
  3089. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3090. /*
  3091. * To get this far we must have read encrypted data from the client. We no
  3092. * longer tolerate unencrypted alerts. This is ignored if less than TLSv1.3
  3093. */
  3094. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  3095. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
  3096. if ((sk = sk_X509_new_null()) == NULL) {
  3097. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3098. goto err;
  3099. }
  3100. if (SSL_CONNECTION_IS_TLS13(s)
  3101. && (!PACKET_get_length_prefixed_1(pkt, &context)
  3102. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3103. || (s->pha_context != NULL
  3104. && !PACKET_equal(&context, s->pha_context,
  3105. s->pha_context_len)))) {
  3106. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
  3107. goto err;
  3108. }
  3109. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3110. || PACKET_remaining(pkt) != 0) {
  3111. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3112. goto err;
  3113. }
  3114. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3115. if (!PACKET_get_net_3(&spkt, &l)
  3116. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3117. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3118. goto err;
  3119. }
  3120. certstart = certbytes;
  3121. x = X509_new_ex(sctx->libctx, sctx->propq);
  3122. if (x == NULL) {
  3123. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE);
  3124. goto err;
  3125. }
  3126. if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) {
  3127. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  3128. goto err;
  3129. }
  3130. if (certbytes != (certstart + l)) {
  3131. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3132. goto err;
  3133. }
  3134. if (SSL_CONNECTION_IS_TLS13(s)) {
  3135. RAW_EXTENSION *rawexts = NULL;
  3136. PACKET extensions;
  3137. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3138. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  3139. goto err;
  3140. }
  3141. if (!tls_collect_extensions(s, &extensions,
  3142. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3143. NULL, chainidx == 0)
  3144. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3145. rawexts, x, chainidx,
  3146. PACKET_remaining(&spkt) == 0)) {
  3147. OPENSSL_free(rawexts);
  3148. goto err;
  3149. }
  3150. OPENSSL_free(rawexts);
  3151. }
  3152. if (!sk_X509_push(sk, x)) {
  3153. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3154. goto err;
  3155. }
  3156. x = NULL;
  3157. }
  3158. if (sk_X509_num(sk) <= 0) {
  3159. /* TLS does not mind 0 certs returned */
  3160. if (s->version == SSL3_VERSION) {
  3161. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3162. SSL_R_NO_CERTIFICATES_RETURNED);
  3163. goto err;
  3164. }
  3165. /* Fail for TLS only if we required a certificate */
  3166. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3167. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3168. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3169. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3170. goto err;
  3171. }
  3172. /* No client certificate so digest cached records */
  3173. if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3174. /* SSLfatal() already called */
  3175. goto err;
  3176. }
  3177. } else {
  3178. EVP_PKEY *pkey;
  3179. i = ssl_verify_cert_chain(s, sk);
  3180. if (i <= 0) {
  3181. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3182. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3183. goto err;
  3184. }
  3185. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3186. if (pkey == NULL) {
  3187. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3188. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3189. goto err;
  3190. }
  3191. }
  3192. /*
  3193. * Sessions must be immutable once they go into the session cache. Otherwise
  3194. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3195. * we replace them with a duplicate. Here, we need to do this every time
  3196. * a new certificate is received via post-handshake authentication, as the
  3197. * session may have already gone into the session cache.
  3198. */
  3199. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3200. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3201. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3202. goto err;
  3203. }
  3204. SSL_SESSION_free(s->session);
  3205. s->session = new_sess;
  3206. }
  3207. X509_free(s->session->peer);
  3208. s->session->peer = sk_X509_shift(sk);
  3209. s->session->verify_result = s->verify_result;
  3210. OSSL_STACK_OF_X509_free(s->session->peer_chain);
  3211. s->session->peer_chain = sk;
  3212. sk = NULL;
  3213. /*
  3214. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3215. * message
  3216. */
  3217. if (SSL_CONNECTION_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3218. /* SSLfatal() already called */
  3219. goto err;
  3220. }
  3221. /*
  3222. * Inconsistency alert: cert_chain does *not* include the peer's own
  3223. * certificate, while we do include it in statem_clnt.c
  3224. */
  3225. /* Save the current hash state for when we receive the CertificateVerify */
  3226. if (SSL_CONNECTION_IS_TLS13(s)) {
  3227. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3228. sizeof(s->cert_verify_hash),
  3229. &s->cert_verify_hash_len)) {
  3230. /* SSLfatal() already called */
  3231. goto err;
  3232. }
  3233. /* Resend session tickets */
  3234. s->sent_tickets = 0;
  3235. }
  3236. ret = MSG_PROCESS_CONTINUE_READING;
  3237. err:
  3238. X509_free(x);
  3239. OSSL_STACK_OF_X509_free(sk);
  3240. return ret;
  3241. }
  3242. int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
  3243. {
  3244. CERT_PKEY *cpk = s->s3.tmp.cert;
  3245. if (cpk == NULL) {
  3246. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3247. return 0;
  3248. }
  3249. /*
  3250. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3251. * for the server Certificate message
  3252. */
  3253. if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3254. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3255. return 0;
  3256. }
  3257. if (!ssl3_output_cert_chain(s, pkt, cpk)) {
  3258. /* SSLfatal() already called */
  3259. return 0;
  3260. }
  3261. return 1;
  3262. }
  3263. static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
  3264. uint32_t age_add, unsigned char *tick_nonce)
  3265. {
  3266. uint32_t timeout = (uint32_t)s->session->timeout;
  3267. /*
  3268. * Ticket lifetime hint:
  3269. * In TLSv1.3 we reset the "time" field above, and always specify the
  3270. * timeout, limited to a 1 week period per RFC8446.
  3271. * For TLSv1.2 this is advisory only and we leave this unspecified for
  3272. * resumed session (for simplicity).
  3273. */
  3274. #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
  3275. if (SSL_CONNECTION_IS_TLS13(s)) {
  3276. if (s->session->timeout > ONE_WEEK_SEC)
  3277. timeout = ONE_WEEK_SEC;
  3278. } else if (s->hit)
  3279. timeout = 0;
  3280. if (!WPACKET_put_bytes_u32(pkt, timeout)) {
  3281. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3282. return 0;
  3283. }
  3284. if (SSL_CONNECTION_IS_TLS13(s)) {
  3285. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3286. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3287. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3288. return 0;
  3289. }
  3290. }
  3291. /* Start the sub-packet for the actual ticket data */
  3292. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3293. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3294. return 0;
  3295. }
  3296. return 1;
  3297. }
  3298. static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  3299. uint32_t age_add,
  3300. unsigned char *tick_nonce)
  3301. {
  3302. unsigned char *senc = NULL;
  3303. EVP_CIPHER_CTX *ctx = NULL;
  3304. SSL_HMAC *hctx = NULL;
  3305. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3306. const unsigned char *const_p;
  3307. int len, slen_full, slen, lenfinal;
  3308. SSL_SESSION *sess;
  3309. size_t hlen;
  3310. SSL_CTX *tctx = s->session_ctx;
  3311. unsigned char iv[EVP_MAX_IV_LENGTH];
  3312. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3313. int iv_len, ok = 0;
  3314. size_t macoffset, macendoffset;
  3315. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3316. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3317. /* get session encoding length */
  3318. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3319. /*
  3320. * Some length values are 16 bits, so forget it if session is too
  3321. * long
  3322. */
  3323. if (slen_full == 0 || slen_full > 0xFF00) {
  3324. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3325. goto err;
  3326. }
  3327. senc = OPENSSL_malloc(slen_full);
  3328. if (senc == NULL) {
  3329. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3330. goto err;
  3331. }
  3332. ctx = EVP_CIPHER_CTX_new();
  3333. hctx = ssl_hmac_new(tctx);
  3334. if (ctx == NULL || hctx == NULL) {
  3335. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3336. goto err;
  3337. }
  3338. p = senc;
  3339. if (!i2d_SSL_SESSION(s->session, &p)) {
  3340. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3341. goto err;
  3342. }
  3343. /*
  3344. * create a fresh copy (not shared with other threads) to clean up
  3345. */
  3346. const_p = senc;
  3347. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3348. if (sess == NULL) {
  3349. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3350. goto err;
  3351. }
  3352. slen = i2d_SSL_SESSION(sess, NULL);
  3353. if (slen == 0 || slen > slen_full) {
  3354. /* shouldn't ever happen */
  3355. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3356. SSL_SESSION_free(sess);
  3357. goto err;
  3358. }
  3359. p = senc;
  3360. if (!i2d_SSL_SESSION(sess, &p)) {
  3361. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3362. SSL_SESSION_free(sess);
  3363. goto err;
  3364. }
  3365. SSL_SESSION_free(sess);
  3366. /*
  3367. * Initialize HMAC and cipher contexts. If callback present it does
  3368. * all the work otherwise use generated values from parent ctx.
  3369. */
  3370. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3371. if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
  3372. #else
  3373. if (tctx->ext.ticket_key_evp_cb != NULL)
  3374. #endif
  3375. {
  3376. int ret = 0;
  3377. if (tctx->ext.ticket_key_evp_cb != NULL)
  3378. ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx,
  3379. ssl_hmac_get0_EVP_MAC_CTX(hctx),
  3380. 1);
  3381. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3382. else if (tctx->ext.ticket_key_cb != NULL)
  3383. /* if 0 is returned, write an empty ticket */
  3384. ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx,
  3385. ssl_hmac_get0_HMAC_CTX(hctx), 1);
  3386. #endif
  3387. if (ret == 0) {
  3388. /* Put timeout and length */
  3389. if (!WPACKET_put_bytes_u32(pkt, 0)
  3390. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3391. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3392. goto err;
  3393. }
  3394. OPENSSL_free(senc);
  3395. EVP_CIPHER_CTX_free(ctx);
  3396. ssl_hmac_free(hctx);
  3397. return 1;
  3398. }
  3399. if (ret < 0) {
  3400. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
  3401. goto err;
  3402. }
  3403. iv_len = EVP_CIPHER_CTX_get_iv_length(ctx);
  3404. if (iv_len < 0) {
  3405. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3406. goto err;
  3407. }
  3408. } else {
  3409. EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
  3410. sctx->propq);
  3411. if (cipher == NULL) {
  3412. /* Error is already recorded */
  3413. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  3414. goto err;
  3415. }
  3416. iv_len = EVP_CIPHER_get_iv_length(cipher);
  3417. if (iv_len < 0
  3418. || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0
  3419. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3420. tctx->ext.secure->tick_aes_key, iv)
  3421. || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
  3422. sizeof(tctx->ext.secure->tick_hmac_key),
  3423. "SHA256")) {
  3424. EVP_CIPHER_free(cipher);
  3425. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3426. goto err;
  3427. }
  3428. EVP_CIPHER_free(cipher);
  3429. memcpy(key_name, tctx->ext.tick_key_name,
  3430. sizeof(tctx->ext.tick_key_name));
  3431. }
  3432. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3433. /* SSLfatal() already called */
  3434. goto err;
  3435. }
  3436. if (!WPACKET_get_total_written(pkt, &macoffset)
  3437. /* Output key name */
  3438. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3439. /* output IV */
  3440. || !WPACKET_memcpy(pkt, iv, iv_len)
  3441. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3442. &encdata1)
  3443. /* Encrypt session data */
  3444. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3445. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3446. || encdata1 != encdata2
  3447. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3448. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3449. || encdata1 + len != encdata2
  3450. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3451. || !WPACKET_get_total_written(pkt, &macendoffset)
  3452. || !ssl_hmac_update(hctx,
  3453. (unsigned char *)s->init_buf->data + macoffset,
  3454. macendoffset - macoffset)
  3455. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3456. || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE)
  3457. || hlen > EVP_MAX_MD_SIZE
  3458. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3459. || macdata1 != macdata2) {
  3460. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3461. goto err;
  3462. }
  3463. /* Close the sub-packet created by create_ticket_prequel() */
  3464. if (!WPACKET_close(pkt)) {
  3465. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3466. goto err;
  3467. }
  3468. ok = 1;
  3469. err:
  3470. OPENSSL_free(senc);
  3471. EVP_CIPHER_CTX_free(ctx);
  3472. ssl_hmac_free(hctx);
  3473. return ok;
  3474. }
  3475. static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  3476. uint32_t age_add,
  3477. unsigned char *tick_nonce)
  3478. {
  3479. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3480. /* SSLfatal() already called */
  3481. return 0;
  3482. }
  3483. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3484. s->session->session_id_length)
  3485. || !WPACKET_close(pkt)) {
  3486. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3487. return 0;
  3488. }
  3489. return 1;
  3490. }
  3491. int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
  3492. {
  3493. SSL_CTX *tctx = s->session_ctx;
  3494. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3495. union {
  3496. unsigned char age_add_c[sizeof(uint32_t)];
  3497. uint32_t age_add;
  3498. } age_add_u;
  3499. age_add_u.age_add = 0;
  3500. if (SSL_CONNECTION_IS_TLS13(s)) {
  3501. size_t i, hashlen;
  3502. uint64_t nonce;
  3503. static const unsigned char nonce_label[] = "resumption";
  3504. const EVP_MD *md = ssl_handshake_md(s);
  3505. int hashleni = EVP_MD_get_size(md);
  3506. /* Ensure cast to size_t is safe */
  3507. if (!ossl_assert(hashleni >= 0)) {
  3508. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3509. goto err;
  3510. }
  3511. hashlen = (size_t)hashleni;
  3512. /*
  3513. * If we already sent one NewSessionTicket, or we resumed then
  3514. * s->session may already be in a cache and so we must not modify it.
  3515. * Instead we need to take a copy of it and modify that.
  3516. */
  3517. if (s->sent_tickets != 0 || s->hit) {
  3518. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3519. if (new_sess == NULL) {
  3520. /* SSLfatal already called */
  3521. goto err;
  3522. }
  3523. SSL_SESSION_free(s->session);
  3524. s->session = new_sess;
  3525. }
  3526. if (!ssl_generate_session_id(s, s->session)) {
  3527. /* SSLfatal() already called */
  3528. goto err;
  3529. }
  3530. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  3531. age_add_u.age_add_c, sizeof(age_add_u), 0) <= 0) {
  3532. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3533. goto err;
  3534. }
  3535. s->session->ext.tick_age_add = age_add_u.age_add;
  3536. nonce = s->next_ticket_nonce;
  3537. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3538. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3539. nonce >>= 8;
  3540. }
  3541. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3542. nonce_label,
  3543. sizeof(nonce_label) - 1,
  3544. tick_nonce,
  3545. TICKET_NONCE_SIZE,
  3546. s->session->master_key,
  3547. hashlen, 1)) {
  3548. /* SSLfatal() already called */
  3549. goto err;
  3550. }
  3551. s->session->master_key_length = hashlen;
  3552. s->session->time = time(NULL);
  3553. ssl_session_calculate_timeout(s->session);
  3554. if (s->s3.alpn_selected != NULL) {
  3555. OPENSSL_free(s->session->ext.alpn_selected);
  3556. s->session->ext.alpn_selected =
  3557. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  3558. if (s->session->ext.alpn_selected == NULL) {
  3559. s->session->ext.alpn_selected_len = 0;
  3560. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3561. goto err;
  3562. }
  3563. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  3564. }
  3565. s->session->ext.max_early_data = s->max_early_data;
  3566. }
  3567. if (tctx->generate_ticket_cb != NULL &&
  3568. tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s),
  3569. tctx->ticket_cb_data) == 0) {
  3570. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3571. goto err;
  3572. }
  3573. /*
  3574. * If we are using anti-replay protection then we behave as if
  3575. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3576. * is no point in using full stateless tickets.
  3577. */
  3578. if (SSL_CONNECTION_IS_TLS13(s)
  3579. && ((s->options & SSL_OP_NO_TICKET) != 0
  3580. || (s->max_early_data > 0
  3581. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3582. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3583. /* SSLfatal() already called */
  3584. goto err;
  3585. }
  3586. } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3587. tick_nonce)) {
  3588. /* SSLfatal() already called */
  3589. goto err;
  3590. }
  3591. if (SSL_CONNECTION_IS_TLS13(s)) {
  3592. if (!tls_construct_extensions(s, pkt,
  3593. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3594. NULL, 0)) {
  3595. /* SSLfatal() already called */
  3596. goto err;
  3597. }
  3598. /*
  3599. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3600. * gets reset to 0 if we send more tickets following a post-handshake
  3601. * auth, but |next_ticket_nonce| does not. If we're sending extra
  3602. * tickets, decrement the count of pending extra tickets.
  3603. */
  3604. s->sent_tickets++;
  3605. s->next_ticket_nonce++;
  3606. if (s->ext.extra_tickets_expected > 0)
  3607. s->ext.extra_tickets_expected--;
  3608. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3609. }
  3610. return 1;
  3611. err:
  3612. return 0;
  3613. }
  3614. /*
  3615. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3616. * create a separate message. Returns 1 on success or 0 on failure.
  3617. */
  3618. int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt)
  3619. {
  3620. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3621. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3622. s->ext.ocsp.resp_len)) {
  3623. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3624. return 0;
  3625. }
  3626. return 1;
  3627. }
  3628. int tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt)
  3629. {
  3630. if (!tls_construct_cert_status_body(s, pkt)) {
  3631. /* SSLfatal() already called */
  3632. return 0;
  3633. }
  3634. return 1;
  3635. }
  3636. #ifndef OPENSSL_NO_NEXTPROTONEG
  3637. /*
  3638. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3639. * It sets the next_proto member in s if found
  3640. */
  3641. MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt)
  3642. {
  3643. PACKET next_proto, padding;
  3644. size_t next_proto_len;
  3645. /*-
  3646. * The payload looks like:
  3647. * uint8 proto_len;
  3648. * uint8 proto[proto_len];
  3649. * uint8 padding_len;
  3650. * uint8 padding[padding_len];
  3651. */
  3652. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3653. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3654. || PACKET_remaining(pkt) > 0) {
  3655. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3656. return MSG_PROCESS_ERROR;
  3657. }
  3658. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3659. s->ext.npn_len = 0;
  3660. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3661. return MSG_PROCESS_ERROR;
  3662. }
  3663. s->ext.npn_len = (unsigned char)next_proto_len;
  3664. return MSG_PROCESS_CONTINUE_READING;
  3665. }
  3666. #endif
  3667. static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt)
  3668. {
  3669. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3670. NULL, 0)) {
  3671. /* SSLfatal() already called */
  3672. return 0;
  3673. }
  3674. return 1;
  3675. }
  3676. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt)
  3677. {
  3678. if (PACKET_remaining(pkt) != 0) {
  3679. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3680. return MSG_PROCESS_ERROR;
  3681. }
  3682. if (s->early_data_state != SSL_EARLY_DATA_READING
  3683. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3684. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3685. return MSG_PROCESS_ERROR;
  3686. }
  3687. /*
  3688. * EndOfEarlyData signals a key change so the end of the message must be on
  3689. * a record boundary.
  3690. */
  3691. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3692. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  3693. return MSG_PROCESS_ERROR;
  3694. }
  3695. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3696. if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s,
  3697. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3698. /* SSLfatal() already called */
  3699. return MSG_PROCESS_ERROR;
  3700. }
  3701. return MSG_PROCESS_CONTINUE_READING;
  3702. }