2
0

statem_clnt.c 119 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include <time.h>
  13. #include <assert.h>
  14. #include "../ssl_local.h"
  15. #include "statem_local.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/md5.h>
  21. #include <openssl/dh.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/engine.h>
  25. #include <openssl/trace.h>
  26. #include <openssl/core_names.h>
  27. #include <openssl/param_build.h>
  28. #include "internal/cryptlib.h"
  29. static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
  30. static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
  31. static ossl_inline int cert_req_allowed(SSL *s);
  32. static int key_exchange_expected(SSL *s);
  33. static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
  34. WPACKET *pkt);
  35. /*
  36. * Is a CertificateRequest message allowed at the moment or not?
  37. *
  38. * Return values are:
  39. * 1: Yes
  40. * 0: No
  41. */
  42. static ossl_inline int cert_req_allowed(SSL *s)
  43. {
  44. /* TLS does not like anon-DH with client cert */
  45. if ((s->version > SSL3_VERSION
  46. && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL))
  47. || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
  48. return 0;
  49. return 1;
  50. }
  51. /*
  52. * Should we expect the ServerKeyExchange message or not?
  53. *
  54. * Return values are:
  55. * 1: Yes
  56. * 0: No
  57. */
  58. static int key_exchange_expected(SSL *s)
  59. {
  60. long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  61. /*
  62. * Can't skip server key exchange if this is an ephemeral
  63. * ciphersuite or for SRP
  64. */
  65. if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
  66. | SSL_kSRP)) {
  67. return 1;
  68. }
  69. return 0;
  70. }
  71. /*
  72. * ossl_statem_client_read_transition() encapsulates the logic for the allowed
  73. * handshake state transitions when a TLS1.3 client is reading messages from the
  74. * server. The message type that the server has sent is provided in |mt|. The
  75. * current state is in |s->statem.hand_state|.
  76. *
  77. * Return values are 1 for success (transition allowed) and 0 on error
  78. * (transition not allowed)
  79. */
  80. static int ossl_statem_client13_read_transition(SSL *s, int mt)
  81. {
  82. OSSL_STATEM *st = &s->statem;
  83. /*
  84. * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
  85. * yet negotiated TLSv1.3 at that point so that is handled by
  86. * ossl_statem_client_read_transition()
  87. */
  88. switch (st->hand_state) {
  89. default:
  90. break;
  91. case TLS_ST_CW_CLNT_HELLO:
  92. /*
  93. * This must a ClientHello following a HelloRetryRequest, so the only
  94. * thing we can get now is a ServerHello.
  95. */
  96. if (mt == SSL3_MT_SERVER_HELLO) {
  97. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  98. return 1;
  99. }
  100. break;
  101. case TLS_ST_CR_SRVR_HELLO:
  102. if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
  103. st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
  104. return 1;
  105. }
  106. break;
  107. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  108. if (s->hit) {
  109. if (mt == SSL3_MT_FINISHED) {
  110. st->hand_state = TLS_ST_CR_FINISHED;
  111. return 1;
  112. }
  113. } else {
  114. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  115. st->hand_state = TLS_ST_CR_CERT_REQ;
  116. return 1;
  117. }
  118. if (mt == SSL3_MT_CERTIFICATE) {
  119. st->hand_state = TLS_ST_CR_CERT;
  120. return 1;
  121. }
  122. }
  123. break;
  124. case TLS_ST_CR_CERT_REQ:
  125. if (mt == SSL3_MT_CERTIFICATE) {
  126. st->hand_state = TLS_ST_CR_CERT;
  127. return 1;
  128. }
  129. break;
  130. case TLS_ST_CR_CERT:
  131. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  132. st->hand_state = TLS_ST_CR_CERT_VRFY;
  133. return 1;
  134. }
  135. break;
  136. case TLS_ST_CR_CERT_VRFY:
  137. if (mt == SSL3_MT_FINISHED) {
  138. st->hand_state = TLS_ST_CR_FINISHED;
  139. return 1;
  140. }
  141. break;
  142. case TLS_ST_OK:
  143. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  144. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  145. return 1;
  146. }
  147. if (mt == SSL3_MT_KEY_UPDATE) {
  148. st->hand_state = TLS_ST_CR_KEY_UPDATE;
  149. return 1;
  150. }
  151. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  152. #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
  153. /* Restore digest for PHA before adding message.*/
  154. # error Internal DTLS version error
  155. #endif
  156. if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
  157. s->post_handshake_auth = SSL_PHA_REQUESTED;
  158. /*
  159. * In TLS, this is called before the message is added to the
  160. * digest. In DTLS, this is expected to be called after adding
  161. * to the digest. Either move the digest restore, or add the
  162. * message here after the swap, or do it after the clientFinished?
  163. */
  164. if (!tls13_restore_handshake_digest_for_pha(s)) {
  165. /* SSLfatal() already called */
  166. return 0;
  167. }
  168. st->hand_state = TLS_ST_CR_CERT_REQ;
  169. return 1;
  170. }
  171. }
  172. break;
  173. }
  174. /* No valid transition found */
  175. return 0;
  176. }
  177. /*
  178. * ossl_statem_client_read_transition() encapsulates the logic for the allowed
  179. * handshake state transitions when the client is reading messages from the
  180. * server. The message type that the server has sent is provided in |mt|. The
  181. * current state is in |s->statem.hand_state|.
  182. *
  183. * Return values are 1 for success (transition allowed) and 0 on error
  184. * (transition not allowed)
  185. */
  186. int ossl_statem_client_read_transition(SSL *s, int mt)
  187. {
  188. OSSL_STATEM *st = &s->statem;
  189. int ske_expected;
  190. /*
  191. * Note that after writing the first ClientHello we don't know what version
  192. * we are going to negotiate yet, so we don't take this branch until later.
  193. */
  194. if (SSL_IS_TLS13(s)) {
  195. if (!ossl_statem_client13_read_transition(s, mt))
  196. goto err;
  197. return 1;
  198. }
  199. switch (st->hand_state) {
  200. default:
  201. break;
  202. case TLS_ST_CW_CLNT_HELLO:
  203. if (mt == SSL3_MT_SERVER_HELLO) {
  204. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  205. return 1;
  206. }
  207. if (SSL_IS_DTLS(s)) {
  208. if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
  209. st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
  210. return 1;
  211. }
  212. }
  213. break;
  214. case TLS_ST_EARLY_DATA:
  215. /*
  216. * We've not actually selected TLSv1.3 yet, but we have sent early
  217. * data. The only thing allowed now is a ServerHello or a
  218. * HelloRetryRequest.
  219. */
  220. if (mt == SSL3_MT_SERVER_HELLO) {
  221. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  222. return 1;
  223. }
  224. break;
  225. case TLS_ST_CR_SRVR_HELLO:
  226. if (s->hit) {
  227. if (s->ext.ticket_expected) {
  228. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  229. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  230. return 1;
  231. }
  232. } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  233. st->hand_state = TLS_ST_CR_CHANGE;
  234. return 1;
  235. }
  236. } else {
  237. if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
  238. st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
  239. return 1;
  240. } else if (s->version >= TLS1_VERSION
  241. && s->ext.session_secret_cb != NULL
  242. && s->session->ext.tick != NULL
  243. && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  244. /*
  245. * Normally, we can tell if the server is resuming the session
  246. * from the session ID. EAP-FAST (RFC 4851), however, relies on
  247. * the next server message after the ServerHello to determine if
  248. * the server is resuming.
  249. */
  250. s->hit = 1;
  251. st->hand_state = TLS_ST_CR_CHANGE;
  252. return 1;
  253. } else if (!(s->s3.tmp.new_cipher->algorithm_auth
  254. & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  255. if (mt == SSL3_MT_CERTIFICATE) {
  256. st->hand_state = TLS_ST_CR_CERT;
  257. return 1;
  258. }
  259. } else {
  260. ske_expected = key_exchange_expected(s);
  261. /* SKE is optional for some PSK ciphersuites */
  262. if (ske_expected
  263. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
  264. && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
  265. if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
  266. st->hand_state = TLS_ST_CR_KEY_EXCH;
  267. return 1;
  268. }
  269. } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
  270. && cert_req_allowed(s)) {
  271. st->hand_state = TLS_ST_CR_CERT_REQ;
  272. return 1;
  273. } else if (mt == SSL3_MT_SERVER_DONE) {
  274. st->hand_state = TLS_ST_CR_SRVR_DONE;
  275. return 1;
  276. }
  277. }
  278. }
  279. break;
  280. case TLS_ST_CR_CERT:
  281. /*
  282. * The CertificateStatus message is optional even if
  283. * |ext.status_expected| is set
  284. */
  285. if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
  286. st->hand_state = TLS_ST_CR_CERT_STATUS;
  287. return 1;
  288. }
  289. /* Fall through */
  290. case TLS_ST_CR_CERT_STATUS:
  291. ske_expected = key_exchange_expected(s);
  292. /* SKE is optional for some PSK ciphersuites */
  293. if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
  294. && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
  295. if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
  296. st->hand_state = TLS_ST_CR_KEY_EXCH;
  297. return 1;
  298. }
  299. goto err;
  300. }
  301. /* Fall through */
  302. case TLS_ST_CR_KEY_EXCH:
  303. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  304. if (cert_req_allowed(s)) {
  305. st->hand_state = TLS_ST_CR_CERT_REQ;
  306. return 1;
  307. }
  308. goto err;
  309. }
  310. /* Fall through */
  311. case TLS_ST_CR_CERT_REQ:
  312. if (mt == SSL3_MT_SERVER_DONE) {
  313. st->hand_state = TLS_ST_CR_SRVR_DONE;
  314. return 1;
  315. }
  316. break;
  317. case TLS_ST_CW_FINISHED:
  318. if (s->ext.ticket_expected) {
  319. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  320. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  321. return 1;
  322. }
  323. } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  324. st->hand_state = TLS_ST_CR_CHANGE;
  325. return 1;
  326. }
  327. break;
  328. case TLS_ST_CR_SESSION_TICKET:
  329. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  330. st->hand_state = TLS_ST_CR_CHANGE;
  331. return 1;
  332. }
  333. break;
  334. case TLS_ST_CR_CHANGE:
  335. if (mt == SSL3_MT_FINISHED) {
  336. st->hand_state = TLS_ST_CR_FINISHED;
  337. return 1;
  338. }
  339. break;
  340. case TLS_ST_OK:
  341. if (mt == SSL3_MT_HELLO_REQUEST) {
  342. st->hand_state = TLS_ST_CR_HELLO_REQ;
  343. return 1;
  344. }
  345. break;
  346. }
  347. err:
  348. /* No valid transition found */
  349. if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  350. BIO *rbio;
  351. /*
  352. * CCS messages don't have a message sequence number so this is probably
  353. * because of an out-of-order CCS. We'll just drop it.
  354. */
  355. s->init_num = 0;
  356. s->rwstate = SSL_READING;
  357. rbio = SSL_get_rbio(s);
  358. BIO_clear_retry_flags(rbio);
  359. BIO_set_retry_read(rbio);
  360. return 0;
  361. }
  362. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  363. return 0;
  364. }
  365. /*
  366. * ossl_statem_client13_write_transition() works out what handshake state to
  367. * move to next when the TLSv1.3 client is writing messages to be sent to the
  368. * server.
  369. */
  370. static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
  371. {
  372. OSSL_STATEM *st = &s->statem;
  373. /*
  374. * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
  375. * TLSv1.3 yet at that point. They are handled by
  376. * ossl_statem_client_write_transition().
  377. */
  378. switch (st->hand_state) {
  379. default:
  380. /* Shouldn't happen */
  381. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  382. return WRITE_TRAN_ERROR;
  383. case TLS_ST_CR_CERT_REQ:
  384. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  385. st->hand_state = TLS_ST_CW_CERT;
  386. return WRITE_TRAN_CONTINUE;
  387. }
  388. /*
  389. * We should only get here if we received a CertificateRequest after
  390. * we already sent close_notify
  391. */
  392. if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) {
  393. /* Shouldn't happen - same as default case */
  394. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  395. return WRITE_TRAN_ERROR;
  396. }
  397. st->hand_state = TLS_ST_OK;
  398. return WRITE_TRAN_CONTINUE;
  399. case TLS_ST_CR_FINISHED:
  400. if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
  401. || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
  402. st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
  403. else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  404. && s->hello_retry_request == SSL_HRR_NONE)
  405. st->hand_state = TLS_ST_CW_CHANGE;
  406. else
  407. st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
  408. : TLS_ST_CW_FINISHED;
  409. return WRITE_TRAN_CONTINUE;
  410. case TLS_ST_PENDING_EARLY_DATA_END:
  411. if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  412. st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
  413. return WRITE_TRAN_CONTINUE;
  414. }
  415. /* Fall through */
  416. case TLS_ST_CW_END_OF_EARLY_DATA:
  417. case TLS_ST_CW_CHANGE:
  418. st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
  419. : TLS_ST_CW_FINISHED;
  420. return WRITE_TRAN_CONTINUE;
  421. case TLS_ST_CW_CERT:
  422. /* If a non-empty Certificate we also send CertificateVerify */
  423. st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
  424. : TLS_ST_CW_FINISHED;
  425. return WRITE_TRAN_CONTINUE;
  426. case TLS_ST_CW_CERT_VRFY:
  427. st->hand_state = TLS_ST_CW_FINISHED;
  428. return WRITE_TRAN_CONTINUE;
  429. case TLS_ST_CR_KEY_UPDATE:
  430. case TLS_ST_CW_KEY_UPDATE:
  431. case TLS_ST_CR_SESSION_TICKET:
  432. case TLS_ST_CW_FINISHED:
  433. st->hand_state = TLS_ST_OK;
  434. return WRITE_TRAN_CONTINUE;
  435. case TLS_ST_OK:
  436. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  437. st->hand_state = TLS_ST_CW_KEY_UPDATE;
  438. return WRITE_TRAN_CONTINUE;
  439. }
  440. /* Try to read from the server instead */
  441. return WRITE_TRAN_FINISHED;
  442. }
  443. }
  444. /*
  445. * ossl_statem_client_write_transition() works out what handshake state to
  446. * move to next when the client is writing messages to be sent to the server.
  447. */
  448. WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
  449. {
  450. OSSL_STATEM *st = &s->statem;
  451. /*
  452. * Note that immediately before/after a ClientHello we don't know what
  453. * version we are going to negotiate yet, so we don't take this branch until
  454. * later
  455. */
  456. if (SSL_IS_TLS13(s))
  457. return ossl_statem_client13_write_transition(s);
  458. switch (st->hand_state) {
  459. default:
  460. /* Shouldn't happen */
  461. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  462. return WRITE_TRAN_ERROR;
  463. case TLS_ST_OK:
  464. if (!s->renegotiate) {
  465. /*
  466. * We haven't requested a renegotiation ourselves so we must have
  467. * received a message from the server. Better read it.
  468. */
  469. return WRITE_TRAN_FINISHED;
  470. }
  471. /* Renegotiation */
  472. /* fall thru */
  473. case TLS_ST_BEFORE:
  474. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  475. return WRITE_TRAN_CONTINUE;
  476. case TLS_ST_CW_CLNT_HELLO:
  477. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
  478. /*
  479. * We are assuming this is a TLSv1.3 connection, although we haven't
  480. * actually selected a version yet.
  481. */
  482. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
  483. st->hand_state = TLS_ST_CW_CHANGE;
  484. else
  485. st->hand_state = TLS_ST_EARLY_DATA;
  486. return WRITE_TRAN_CONTINUE;
  487. }
  488. /*
  489. * No transition at the end of writing because we don't know what
  490. * we will be sent
  491. */
  492. return WRITE_TRAN_FINISHED;
  493. case TLS_ST_CR_SRVR_HELLO:
  494. /*
  495. * We only get here in TLSv1.3. We just received an HRR, so issue a
  496. * CCS unless middlebox compat mode is off, or we already issued one
  497. * because we did early data.
  498. */
  499. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  500. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  501. st->hand_state = TLS_ST_CW_CHANGE;
  502. else
  503. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  504. return WRITE_TRAN_CONTINUE;
  505. case TLS_ST_EARLY_DATA:
  506. return WRITE_TRAN_FINISHED;
  507. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  508. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  509. return WRITE_TRAN_CONTINUE;
  510. case TLS_ST_CR_SRVR_DONE:
  511. if (s->s3.tmp.cert_req)
  512. st->hand_state = TLS_ST_CW_CERT;
  513. else
  514. st->hand_state = TLS_ST_CW_KEY_EXCH;
  515. return WRITE_TRAN_CONTINUE;
  516. case TLS_ST_CW_CERT:
  517. st->hand_state = TLS_ST_CW_KEY_EXCH;
  518. return WRITE_TRAN_CONTINUE;
  519. case TLS_ST_CW_KEY_EXCH:
  520. /*
  521. * For TLS, cert_req is set to 2, so a cert chain of nothing is
  522. * sent, but no verify packet is sent
  523. */
  524. /*
  525. * XXX: For now, we do not support client authentication in ECDH
  526. * cipher suites with ECDH (rather than ECDSA) certificates. We
  527. * need to skip the certificate verify message when client's
  528. * ECDH public key is sent inside the client certificate.
  529. */
  530. if (s->s3.tmp.cert_req == 1) {
  531. st->hand_state = TLS_ST_CW_CERT_VRFY;
  532. } else {
  533. st->hand_state = TLS_ST_CW_CHANGE;
  534. }
  535. if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
  536. st->hand_state = TLS_ST_CW_CHANGE;
  537. }
  538. return WRITE_TRAN_CONTINUE;
  539. case TLS_ST_CW_CERT_VRFY:
  540. st->hand_state = TLS_ST_CW_CHANGE;
  541. return WRITE_TRAN_CONTINUE;
  542. case TLS_ST_CW_CHANGE:
  543. if (s->hello_retry_request == SSL_HRR_PENDING) {
  544. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  545. } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
  546. st->hand_state = TLS_ST_EARLY_DATA;
  547. } else {
  548. #if defined(OPENSSL_NO_NEXTPROTONEG)
  549. st->hand_state = TLS_ST_CW_FINISHED;
  550. #else
  551. if (!SSL_IS_DTLS(s) && s->s3.npn_seen)
  552. st->hand_state = TLS_ST_CW_NEXT_PROTO;
  553. else
  554. st->hand_state = TLS_ST_CW_FINISHED;
  555. #endif
  556. }
  557. return WRITE_TRAN_CONTINUE;
  558. #if !defined(OPENSSL_NO_NEXTPROTONEG)
  559. case TLS_ST_CW_NEXT_PROTO:
  560. st->hand_state = TLS_ST_CW_FINISHED;
  561. return WRITE_TRAN_CONTINUE;
  562. #endif
  563. case TLS_ST_CW_FINISHED:
  564. if (s->hit) {
  565. st->hand_state = TLS_ST_OK;
  566. return WRITE_TRAN_CONTINUE;
  567. } else {
  568. return WRITE_TRAN_FINISHED;
  569. }
  570. case TLS_ST_CR_FINISHED:
  571. if (s->hit) {
  572. st->hand_state = TLS_ST_CW_CHANGE;
  573. return WRITE_TRAN_CONTINUE;
  574. } else {
  575. st->hand_state = TLS_ST_OK;
  576. return WRITE_TRAN_CONTINUE;
  577. }
  578. case TLS_ST_CR_HELLO_REQ:
  579. /*
  580. * If we can renegotiate now then do so, otherwise wait for a more
  581. * convenient time.
  582. */
  583. if (ssl3_renegotiate_check(s, 1)) {
  584. if (!tls_setup_handshake(s)) {
  585. /* SSLfatal() already called */
  586. return WRITE_TRAN_ERROR;
  587. }
  588. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  589. return WRITE_TRAN_CONTINUE;
  590. }
  591. st->hand_state = TLS_ST_OK;
  592. return WRITE_TRAN_CONTINUE;
  593. }
  594. }
  595. /*
  596. * Perform any pre work that needs to be done prior to sending a message from
  597. * the client to the server.
  598. */
  599. WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
  600. {
  601. OSSL_STATEM *st = &s->statem;
  602. switch (st->hand_state) {
  603. default:
  604. /* No pre work to be done */
  605. break;
  606. case TLS_ST_CW_CLNT_HELLO:
  607. s->shutdown = 0;
  608. if (SSL_IS_DTLS(s)) {
  609. /* every DTLS ClientHello resets Finished MAC */
  610. if (!ssl3_init_finished_mac(s)) {
  611. /* SSLfatal() already called */
  612. return WORK_ERROR;
  613. }
  614. }
  615. break;
  616. case TLS_ST_CW_CHANGE:
  617. if (SSL_IS_DTLS(s)) {
  618. if (s->hit) {
  619. /*
  620. * We're into the last flight so we don't retransmit these
  621. * messages unless we need to.
  622. */
  623. st->use_timer = 0;
  624. }
  625. #ifndef OPENSSL_NO_SCTP
  626. if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  627. /* Calls SSLfatal() as required */
  628. return dtls_wait_for_dry(s);
  629. }
  630. #endif
  631. }
  632. break;
  633. case TLS_ST_PENDING_EARLY_DATA_END:
  634. /*
  635. * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
  636. * attempt to write early data before calling SSL_read() then we press
  637. * on with the handshake. Otherwise we pause here.
  638. */
  639. if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
  640. || s->early_data_state == SSL_EARLY_DATA_NONE)
  641. return WORK_FINISHED_CONTINUE;
  642. /* Fall through */
  643. case TLS_ST_EARLY_DATA:
  644. return tls_finish_handshake(s, wst, 0, 1);
  645. case TLS_ST_OK:
  646. /* Calls SSLfatal() as required */
  647. return tls_finish_handshake(s, wst, 1, 1);
  648. }
  649. return WORK_FINISHED_CONTINUE;
  650. }
  651. /*
  652. * Perform any work that needs to be done after sending a message from the
  653. * client to the server.
  654. */
  655. WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
  656. {
  657. OSSL_STATEM *st = &s->statem;
  658. s->init_num = 0;
  659. switch (st->hand_state) {
  660. default:
  661. /* No post work to be done */
  662. break;
  663. case TLS_ST_CW_CLNT_HELLO:
  664. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  665. && s->max_early_data > 0) {
  666. /*
  667. * We haven't selected TLSv1.3 yet so we don't call the change
  668. * cipher state function associated with the SSL_METHOD. Instead
  669. * we call tls13_change_cipher_state() directly.
  670. */
  671. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
  672. if (!tls13_change_cipher_state(s,
  673. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  674. /* SSLfatal() already called */
  675. return WORK_ERROR;
  676. }
  677. }
  678. /* else we're in compat mode so we delay flushing until after CCS */
  679. } else if (!statem_flush(s)) {
  680. return WORK_MORE_A;
  681. }
  682. if (SSL_IS_DTLS(s)) {
  683. /* Treat the next message as the first packet */
  684. s->first_packet = 1;
  685. }
  686. break;
  687. case TLS_ST_CW_END_OF_EARLY_DATA:
  688. /*
  689. * We set the enc_write_ctx back to NULL because we may end up writing
  690. * in cleartext again if we get a HelloRetryRequest from the server.
  691. */
  692. EVP_CIPHER_CTX_free(s->enc_write_ctx);
  693. s->enc_write_ctx = NULL;
  694. break;
  695. case TLS_ST_CW_KEY_EXCH:
  696. if (tls_client_key_exchange_post_work(s) == 0) {
  697. /* SSLfatal() already called */
  698. return WORK_ERROR;
  699. }
  700. break;
  701. case TLS_ST_CW_CHANGE:
  702. if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING)
  703. break;
  704. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  705. && s->max_early_data > 0) {
  706. /*
  707. * We haven't selected TLSv1.3 yet so we don't call the change
  708. * cipher state function associated with the SSL_METHOD. Instead
  709. * we call tls13_change_cipher_state() directly.
  710. */
  711. if (!tls13_change_cipher_state(s,
  712. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  713. return WORK_ERROR;
  714. break;
  715. }
  716. s->session->cipher = s->s3.tmp.new_cipher;
  717. #ifdef OPENSSL_NO_COMP
  718. s->session->compress_meth = 0;
  719. #else
  720. if (s->s3.tmp.new_compression == NULL)
  721. s->session->compress_meth = 0;
  722. else
  723. s->session->compress_meth = s->s3.tmp.new_compression->id;
  724. #endif
  725. if (!s->method->ssl3_enc->setup_key_block(s)) {
  726. /* SSLfatal() already called */
  727. return WORK_ERROR;
  728. }
  729. if (!s->method->ssl3_enc->change_cipher_state(s,
  730. SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  731. /* SSLfatal() already called */
  732. return WORK_ERROR;
  733. }
  734. if (SSL_IS_DTLS(s)) {
  735. #ifndef OPENSSL_NO_SCTP
  736. if (s->hit) {
  737. /*
  738. * Change to new shared key of SCTP-Auth, will be ignored if
  739. * no SCTP used.
  740. */
  741. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  742. 0, NULL);
  743. }
  744. #endif
  745. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  746. }
  747. break;
  748. case TLS_ST_CW_FINISHED:
  749. #ifndef OPENSSL_NO_SCTP
  750. if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
  751. /*
  752. * Change to new shared key of SCTP-Auth, will be ignored if
  753. * no SCTP used.
  754. */
  755. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  756. 0, NULL);
  757. }
  758. #endif
  759. if (statem_flush(s) != 1)
  760. return WORK_MORE_B;
  761. if (SSL_IS_TLS13(s)) {
  762. if (!tls13_save_handshake_digest_for_pha(s)) {
  763. /* SSLfatal() already called */
  764. return WORK_ERROR;
  765. }
  766. if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
  767. if (!s->method->ssl3_enc->change_cipher_state(s,
  768. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  769. /* SSLfatal() already called */
  770. return WORK_ERROR;
  771. }
  772. }
  773. }
  774. break;
  775. case TLS_ST_CW_KEY_UPDATE:
  776. if (statem_flush(s) != 1)
  777. return WORK_MORE_A;
  778. if (!tls13_update_key(s, 1)) {
  779. /* SSLfatal() already called */
  780. return WORK_ERROR;
  781. }
  782. break;
  783. }
  784. return WORK_FINISHED_CONTINUE;
  785. }
  786. /*
  787. * Get the message construction function and message type for sending from the
  788. * client
  789. *
  790. * Valid return values are:
  791. * 1: Success
  792. * 0: Error
  793. */
  794. int ossl_statem_client_construct_message(SSL *s,
  795. confunc_f *confunc, int *mt)
  796. {
  797. OSSL_STATEM *st = &s->statem;
  798. switch (st->hand_state) {
  799. default:
  800. /* Shouldn't happen */
  801. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  802. return 0;
  803. case TLS_ST_CW_CHANGE:
  804. if (SSL_IS_DTLS(s))
  805. *confunc = dtls_construct_change_cipher_spec;
  806. else
  807. *confunc = tls_construct_change_cipher_spec;
  808. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  809. break;
  810. case TLS_ST_CW_CLNT_HELLO:
  811. *confunc = tls_construct_client_hello;
  812. *mt = SSL3_MT_CLIENT_HELLO;
  813. break;
  814. case TLS_ST_CW_END_OF_EARLY_DATA:
  815. *confunc = tls_construct_end_of_early_data;
  816. *mt = SSL3_MT_END_OF_EARLY_DATA;
  817. break;
  818. case TLS_ST_PENDING_EARLY_DATA_END:
  819. *confunc = NULL;
  820. *mt = SSL3_MT_DUMMY;
  821. break;
  822. case TLS_ST_CW_CERT:
  823. *confunc = tls_construct_client_certificate;
  824. *mt = SSL3_MT_CERTIFICATE;
  825. break;
  826. case TLS_ST_CW_KEY_EXCH:
  827. *confunc = tls_construct_client_key_exchange;
  828. *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
  829. break;
  830. case TLS_ST_CW_CERT_VRFY:
  831. *confunc = tls_construct_cert_verify;
  832. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  833. break;
  834. #if !defined(OPENSSL_NO_NEXTPROTONEG)
  835. case TLS_ST_CW_NEXT_PROTO:
  836. *confunc = tls_construct_next_proto;
  837. *mt = SSL3_MT_NEXT_PROTO;
  838. break;
  839. #endif
  840. case TLS_ST_CW_FINISHED:
  841. *confunc = tls_construct_finished;
  842. *mt = SSL3_MT_FINISHED;
  843. break;
  844. case TLS_ST_CW_KEY_UPDATE:
  845. *confunc = tls_construct_key_update;
  846. *mt = SSL3_MT_KEY_UPDATE;
  847. break;
  848. }
  849. return 1;
  850. }
  851. /*
  852. * Returns the maximum allowed length for the current message that we are
  853. * reading. Excludes the message header.
  854. */
  855. size_t ossl_statem_client_max_message_size(SSL *s)
  856. {
  857. OSSL_STATEM *st = &s->statem;
  858. switch (st->hand_state) {
  859. default:
  860. /* Shouldn't happen */
  861. return 0;
  862. case TLS_ST_CR_SRVR_HELLO:
  863. return SERVER_HELLO_MAX_LENGTH;
  864. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  865. return HELLO_VERIFY_REQUEST_MAX_LENGTH;
  866. case TLS_ST_CR_CERT:
  867. return s->max_cert_list;
  868. case TLS_ST_CR_CERT_VRFY:
  869. return SSL3_RT_MAX_PLAIN_LENGTH;
  870. case TLS_ST_CR_CERT_STATUS:
  871. return SSL3_RT_MAX_PLAIN_LENGTH;
  872. case TLS_ST_CR_KEY_EXCH:
  873. return SERVER_KEY_EXCH_MAX_LENGTH;
  874. case TLS_ST_CR_CERT_REQ:
  875. /*
  876. * Set to s->max_cert_list for compatibility with previous releases. In
  877. * practice these messages can get quite long if servers are configured
  878. * to provide a long list of acceptable CAs
  879. */
  880. return s->max_cert_list;
  881. case TLS_ST_CR_SRVR_DONE:
  882. return SERVER_HELLO_DONE_MAX_LENGTH;
  883. case TLS_ST_CR_CHANGE:
  884. if (s->version == DTLS1_BAD_VER)
  885. return 3;
  886. return CCS_MAX_LENGTH;
  887. case TLS_ST_CR_SESSION_TICKET:
  888. return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
  889. : SESSION_TICKET_MAX_LENGTH_TLS12;
  890. case TLS_ST_CR_FINISHED:
  891. return FINISHED_MAX_LENGTH;
  892. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  893. return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
  894. case TLS_ST_CR_KEY_UPDATE:
  895. return KEY_UPDATE_MAX_LENGTH;
  896. }
  897. }
  898. /*
  899. * Process a message that the client has received from the server.
  900. */
  901. MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
  902. {
  903. OSSL_STATEM *st = &s->statem;
  904. switch (st->hand_state) {
  905. default:
  906. /* Shouldn't happen */
  907. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  908. return MSG_PROCESS_ERROR;
  909. case TLS_ST_CR_SRVR_HELLO:
  910. return tls_process_server_hello(s, pkt);
  911. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  912. return dtls_process_hello_verify(s, pkt);
  913. case TLS_ST_CR_CERT:
  914. return tls_process_server_certificate(s, pkt);
  915. case TLS_ST_CR_CERT_VRFY:
  916. return tls_process_cert_verify(s, pkt);
  917. case TLS_ST_CR_CERT_STATUS:
  918. return tls_process_cert_status(s, pkt);
  919. case TLS_ST_CR_KEY_EXCH:
  920. return tls_process_key_exchange(s, pkt);
  921. case TLS_ST_CR_CERT_REQ:
  922. return tls_process_certificate_request(s, pkt);
  923. case TLS_ST_CR_SRVR_DONE:
  924. return tls_process_server_done(s, pkt);
  925. case TLS_ST_CR_CHANGE:
  926. return tls_process_change_cipher_spec(s, pkt);
  927. case TLS_ST_CR_SESSION_TICKET:
  928. return tls_process_new_session_ticket(s, pkt);
  929. case TLS_ST_CR_FINISHED:
  930. return tls_process_finished(s, pkt);
  931. case TLS_ST_CR_HELLO_REQ:
  932. return tls_process_hello_req(s, pkt);
  933. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  934. return tls_process_encrypted_extensions(s, pkt);
  935. case TLS_ST_CR_KEY_UPDATE:
  936. return tls_process_key_update(s, pkt);
  937. }
  938. }
  939. /*
  940. * Perform any further processing required following the receipt of a message
  941. * from the server
  942. */
  943. WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
  944. {
  945. OSSL_STATEM *st = &s->statem;
  946. switch (st->hand_state) {
  947. default:
  948. /* Shouldn't happen */
  949. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  950. return WORK_ERROR;
  951. case TLS_ST_CR_CERT:
  952. return tls_post_process_server_certificate(s, wst);
  953. case TLS_ST_CR_CERT_VRFY:
  954. case TLS_ST_CR_CERT_REQ:
  955. return tls_prepare_client_certificate(s, wst);
  956. }
  957. }
  958. int tls_construct_client_hello(SSL *s, WPACKET *pkt)
  959. {
  960. unsigned char *p;
  961. size_t sess_id_len;
  962. int i, protverr;
  963. #ifndef OPENSSL_NO_COMP
  964. SSL_COMP *comp;
  965. #endif
  966. SSL_SESSION *sess = s->session;
  967. unsigned char *session_id;
  968. /* Work out what SSL/TLS/DTLS version to use */
  969. protverr = ssl_set_client_hello_version(s);
  970. if (protverr != 0) {
  971. SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr);
  972. return 0;
  973. }
  974. if (sess == NULL
  975. || !ssl_version_supported(s, sess->ssl_version, NULL)
  976. || !SSL_SESSION_is_resumable(sess)) {
  977. if (s->hello_retry_request == SSL_HRR_NONE
  978. && !ssl_get_new_session(s, 0)) {
  979. /* SSLfatal() already called */
  980. return 0;
  981. }
  982. }
  983. /* else use the pre-loaded session */
  984. p = s->s3.client_random;
  985. /*
  986. * for DTLS if client_random is initialized, reuse it, we are
  987. * required to use same upon reply to HelloVerify
  988. */
  989. if (SSL_IS_DTLS(s)) {
  990. size_t idx;
  991. i = 1;
  992. for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
  993. if (p[idx]) {
  994. i = 0;
  995. break;
  996. }
  997. }
  998. } else {
  999. i = (s->hello_retry_request == SSL_HRR_NONE);
  1000. }
  1001. if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
  1002. DOWNGRADE_NONE) <= 0) {
  1003. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1004. return 0;
  1005. }
  1006. /*-
  1007. * version indicates the negotiated version: for example from
  1008. * an SSLv2/v3 compatible client hello). The client_version
  1009. * field is the maximum version we permit and it is also
  1010. * used in RSA encrypted premaster secrets. Some servers can
  1011. * choke if we initially report a higher version then
  1012. * renegotiate to a lower one in the premaster secret. This
  1013. * didn't happen with TLS 1.0 as most servers supported it
  1014. * but it can with TLS 1.1 or later if the server only supports
  1015. * 1.0.
  1016. *
  1017. * Possible scenario with previous logic:
  1018. * 1. Client hello indicates TLS 1.2
  1019. * 2. Server hello says TLS 1.0
  1020. * 3. RSA encrypted premaster secret uses 1.2.
  1021. * 4. Handshake proceeds using TLS 1.0.
  1022. * 5. Server sends hello request to renegotiate.
  1023. * 6. Client hello indicates TLS v1.0 as we now
  1024. * know that is maximum server supports.
  1025. * 7. Server chokes on RSA encrypted premaster secret
  1026. * containing version 1.0.
  1027. *
  1028. * For interoperability it should be OK to always use the
  1029. * maximum version we support in client hello and then rely
  1030. * on the checking of version to ensure the servers isn't
  1031. * being inconsistent: for example initially negotiating with
  1032. * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
  1033. * client_version in client hello and not resetting it to
  1034. * the negotiated version.
  1035. *
  1036. * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
  1037. * supported_versions extension for the real supported versions.
  1038. */
  1039. if (!WPACKET_put_bytes_u16(pkt, s->client_version)
  1040. || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) {
  1041. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1042. return 0;
  1043. }
  1044. /* Session ID */
  1045. session_id = s->session->session_id;
  1046. if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
  1047. if (s->version == TLS1_3_VERSION
  1048. && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
  1049. sess_id_len = sizeof(s->tmp_session_id);
  1050. s->tmp_session_id_len = sess_id_len;
  1051. session_id = s->tmp_session_id;
  1052. if (s->hello_retry_request == SSL_HRR_NONE
  1053. && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id,
  1054. sess_id_len, 0) <= 0) {
  1055. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1056. return 0;
  1057. }
  1058. } else {
  1059. sess_id_len = 0;
  1060. }
  1061. } else {
  1062. assert(s->session->session_id_length <= sizeof(s->session->session_id));
  1063. sess_id_len = s->session->session_id_length;
  1064. if (s->version == TLS1_3_VERSION) {
  1065. s->tmp_session_id_len = sess_id_len;
  1066. memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
  1067. }
  1068. }
  1069. if (!WPACKET_start_sub_packet_u8(pkt)
  1070. || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
  1071. sess_id_len))
  1072. || !WPACKET_close(pkt)) {
  1073. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1074. return 0;
  1075. }
  1076. /* cookie stuff for DTLS */
  1077. if (SSL_IS_DTLS(s)) {
  1078. if (s->d1->cookie_len > sizeof(s->d1->cookie)
  1079. || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
  1080. s->d1->cookie_len)) {
  1081. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1082. return 0;
  1083. }
  1084. }
  1085. /* Ciphers supported */
  1086. if (!WPACKET_start_sub_packet_u16(pkt)) {
  1087. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1088. return 0;
  1089. }
  1090. if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
  1091. /* SSLfatal() already called */
  1092. return 0;
  1093. }
  1094. if (!WPACKET_close(pkt)) {
  1095. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1096. return 0;
  1097. }
  1098. /* COMPRESSION */
  1099. if (!WPACKET_start_sub_packet_u8(pkt)) {
  1100. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1101. return 0;
  1102. }
  1103. #ifndef OPENSSL_NO_COMP
  1104. if (ssl_allow_compression(s)
  1105. && s->ctx->comp_methods
  1106. && (SSL_IS_DTLS(s) || s->s3.tmp.max_ver < TLS1_3_VERSION)) {
  1107. int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
  1108. for (i = 0; i < compnum; i++) {
  1109. comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
  1110. if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
  1111. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1112. return 0;
  1113. }
  1114. }
  1115. }
  1116. #endif
  1117. /* Add the NULL method */
  1118. if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
  1119. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1120. return 0;
  1121. }
  1122. /* TLS extensions */
  1123. if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
  1124. /* SSLfatal() already called */
  1125. return 0;
  1126. }
  1127. return 1;
  1128. }
  1129. MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
  1130. {
  1131. size_t cookie_len;
  1132. PACKET cookiepkt;
  1133. if (!PACKET_forward(pkt, 2)
  1134. || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
  1135. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1136. return MSG_PROCESS_ERROR;
  1137. }
  1138. cookie_len = PACKET_remaining(&cookiepkt);
  1139. if (cookie_len > sizeof(s->d1->cookie)) {
  1140. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG);
  1141. return MSG_PROCESS_ERROR;
  1142. }
  1143. if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
  1144. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1145. return MSG_PROCESS_ERROR;
  1146. }
  1147. s->d1->cookie_len = cookie_len;
  1148. return MSG_PROCESS_FINISHED_READING;
  1149. }
  1150. static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
  1151. {
  1152. STACK_OF(SSL_CIPHER) *sk;
  1153. const SSL_CIPHER *c;
  1154. int i;
  1155. c = ssl_get_cipher_by_char(s, cipherchars, 0);
  1156. if (c == NULL) {
  1157. /* unknown cipher */
  1158. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED);
  1159. return 0;
  1160. }
  1161. /*
  1162. * If it is a disabled cipher we either didn't send it in client hello,
  1163. * or it's not allowed for the selected protocol. So we return an error.
  1164. */
  1165. if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
  1166. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1167. return 0;
  1168. }
  1169. sk = ssl_get_ciphers_by_id(s);
  1170. i = sk_SSL_CIPHER_find(sk, c);
  1171. if (i < 0) {
  1172. /* we did not say we would use this cipher */
  1173. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1174. return 0;
  1175. }
  1176. if (SSL_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL
  1177. && s->s3.tmp.new_cipher->id != c->id) {
  1178. /* ServerHello selected a different ciphersuite to that in the HRR */
  1179. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1180. return 0;
  1181. }
  1182. /*
  1183. * Depending on the session caching (internal/external), the cipher
  1184. * and/or cipher_id values may not be set. Make sure that cipher_id is
  1185. * set and use it for comparison.
  1186. */
  1187. if (s->session->cipher != NULL)
  1188. s->session->cipher_id = s->session->cipher->id;
  1189. if (s->hit && (s->session->cipher_id != c->id)) {
  1190. if (SSL_IS_TLS13(s)) {
  1191. const EVP_MD *md = ssl_md(s->ctx, c->algorithm2);
  1192. /*
  1193. * In TLSv1.3 it is valid for the server to select a different
  1194. * ciphersuite as long as the hash is the same.
  1195. */
  1196. if (md == NULL
  1197. || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) {
  1198. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1199. SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
  1200. return 0;
  1201. }
  1202. } else {
  1203. /*
  1204. * Prior to TLSv1.3 resuming a session always meant using the same
  1205. * ciphersuite.
  1206. */
  1207. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1208. SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
  1209. return 0;
  1210. }
  1211. }
  1212. s->s3.tmp.new_cipher = c;
  1213. return 1;
  1214. }
  1215. MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
  1216. {
  1217. PACKET session_id, extpkt;
  1218. size_t session_id_len;
  1219. const unsigned char *cipherchars;
  1220. int hrr = 0;
  1221. unsigned int compression;
  1222. unsigned int sversion;
  1223. unsigned int context;
  1224. RAW_EXTENSION *extensions = NULL;
  1225. #ifndef OPENSSL_NO_COMP
  1226. SSL_COMP *comp;
  1227. #endif
  1228. if (!PACKET_get_net_2(pkt, &sversion)) {
  1229. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1230. goto err;
  1231. }
  1232. /* load the server random */
  1233. if (s->version == TLS1_3_VERSION
  1234. && sversion == TLS1_2_VERSION
  1235. && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
  1236. && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
  1237. if (s->hello_retry_request != SSL_HRR_NONE) {
  1238. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1239. goto err;
  1240. }
  1241. s->hello_retry_request = SSL_HRR_PENDING;
  1242. hrr = 1;
  1243. if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
  1244. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1245. goto err;
  1246. }
  1247. } else {
  1248. if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) {
  1249. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1250. goto err;
  1251. }
  1252. }
  1253. /* Get the session-id. */
  1254. if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
  1255. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1256. goto err;
  1257. }
  1258. session_id_len = PACKET_remaining(&session_id);
  1259. if (session_id_len > sizeof(s->session->session_id)
  1260. || session_id_len > SSL3_SESSION_ID_SIZE) {
  1261. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG);
  1262. goto err;
  1263. }
  1264. if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
  1265. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1266. goto err;
  1267. }
  1268. if (!PACKET_get_1(pkt, &compression)) {
  1269. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1270. goto err;
  1271. }
  1272. /* TLS extensions */
  1273. if (PACKET_remaining(pkt) == 0 && !hrr) {
  1274. PACKET_null_init(&extpkt);
  1275. } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
  1276. || PACKET_remaining(pkt) != 0) {
  1277. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1278. goto err;
  1279. }
  1280. if (!hrr) {
  1281. if (!tls_collect_extensions(s, &extpkt,
  1282. SSL_EXT_TLS1_2_SERVER_HELLO
  1283. | SSL_EXT_TLS1_3_SERVER_HELLO,
  1284. &extensions, NULL, 1)) {
  1285. /* SSLfatal() already called */
  1286. goto err;
  1287. }
  1288. if (!ssl_choose_client_version(s, sversion, extensions)) {
  1289. /* SSLfatal() already called */
  1290. goto err;
  1291. }
  1292. }
  1293. if (SSL_IS_TLS13(s) || hrr) {
  1294. if (compression != 0) {
  1295. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1296. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1297. goto err;
  1298. }
  1299. if (session_id_len != s->tmp_session_id_len
  1300. || memcmp(PACKET_data(&session_id), s->tmp_session_id,
  1301. session_id_len) != 0) {
  1302. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID);
  1303. goto err;
  1304. }
  1305. }
  1306. if (hrr) {
  1307. if (!set_client_ciphersuite(s, cipherchars)) {
  1308. /* SSLfatal() already called */
  1309. goto err;
  1310. }
  1311. return tls_process_as_hello_retry_request(s, &extpkt);
  1312. }
  1313. /*
  1314. * Now we have chosen the version we need to check again that the extensions
  1315. * are appropriate for this version.
  1316. */
  1317. context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
  1318. : SSL_EXT_TLS1_2_SERVER_HELLO;
  1319. if (!tls_validate_all_contexts(s, context, extensions)) {
  1320. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  1321. goto err;
  1322. }
  1323. s->hit = 0;
  1324. if (SSL_IS_TLS13(s)) {
  1325. /*
  1326. * In TLSv1.3 a ServerHello message signals a key change so the end of
  1327. * the message must be on a record boundary.
  1328. */
  1329. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1330. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1331. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1332. goto err;
  1333. }
  1334. /* This will set s->hit if we are resuming */
  1335. if (!tls_parse_extension(s, TLSEXT_IDX_psk,
  1336. SSL_EXT_TLS1_3_SERVER_HELLO,
  1337. extensions, NULL, 0)) {
  1338. /* SSLfatal() already called */
  1339. goto err;
  1340. }
  1341. } else {
  1342. /*
  1343. * Check if we can resume the session based on external pre-shared
  1344. * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
  1345. * Resumption based on server-side state works with session IDs.
  1346. * Resumption based on pre-shared Protected Access Credentials (PACs)
  1347. * works by overriding the SessionTicket extension at the application
  1348. * layer, and does not send a session ID. (We do not know whether
  1349. * EAP-FAST servers would honour the session ID.) Therefore, the session
  1350. * ID alone is not a reliable indicator of session resumption, so we
  1351. * first check if we can resume, and later peek at the next handshake
  1352. * message to see if the server wants to resume.
  1353. */
  1354. if (s->version >= TLS1_VERSION
  1355. && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
  1356. const SSL_CIPHER *pref_cipher = NULL;
  1357. /*
  1358. * s->session->master_key_length is a size_t, but this is an int for
  1359. * backwards compat reasons
  1360. */
  1361. int master_key_length;
  1362. master_key_length = sizeof(s->session->master_key);
  1363. if (s->ext.session_secret_cb(s, s->session->master_key,
  1364. &master_key_length,
  1365. NULL, &pref_cipher,
  1366. s->ext.session_secret_cb_arg)
  1367. && master_key_length > 0) {
  1368. s->session->master_key_length = master_key_length;
  1369. s->session->cipher = pref_cipher ?
  1370. pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
  1371. } else {
  1372. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1373. goto err;
  1374. }
  1375. }
  1376. if (session_id_len != 0
  1377. && session_id_len == s->session->session_id_length
  1378. && memcmp(PACKET_data(&session_id), s->session->session_id,
  1379. session_id_len) == 0)
  1380. s->hit = 1;
  1381. }
  1382. if (s->hit) {
  1383. if (s->sid_ctx_length != s->session->sid_ctx_length
  1384. || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
  1385. /* actually a client application bug */
  1386. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1387. SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
  1388. goto err;
  1389. }
  1390. } else {
  1391. /*
  1392. * If we were trying for session-id reuse but the server
  1393. * didn't resume, make a new SSL_SESSION.
  1394. * In the case of EAP-FAST and PAC, we do not send a session ID,
  1395. * so the PAC-based session secret is always preserved. It'll be
  1396. * overwritten if the server refuses resumption.
  1397. */
  1398. if (s->session->session_id_length > 0) {
  1399. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
  1400. if (!ssl_get_new_session(s, 0)) {
  1401. /* SSLfatal() already called */
  1402. goto err;
  1403. }
  1404. }
  1405. s->session->ssl_version = s->version;
  1406. /*
  1407. * In TLSv1.2 and below we save the session id we were sent so we can
  1408. * resume it later. In TLSv1.3 the session id we were sent is just an
  1409. * echo of what we originally sent in the ClientHello and should not be
  1410. * used for resumption.
  1411. */
  1412. if (!SSL_IS_TLS13(s)) {
  1413. s->session->session_id_length = session_id_len;
  1414. /* session_id_len could be 0 */
  1415. if (session_id_len > 0)
  1416. memcpy(s->session->session_id, PACKET_data(&session_id),
  1417. session_id_len);
  1418. }
  1419. }
  1420. /* Session version and negotiated protocol version should match */
  1421. if (s->version != s->session->ssl_version) {
  1422. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1423. SSL_R_SSL_SESSION_VERSION_MISMATCH);
  1424. goto err;
  1425. }
  1426. /*
  1427. * Now that we know the version, update the check to see if it's an allowed
  1428. * version.
  1429. */
  1430. s->s3.tmp.min_ver = s->version;
  1431. s->s3.tmp.max_ver = s->version;
  1432. if (!set_client_ciphersuite(s, cipherchars)) {
  1433. /* SSLfatal() already called */
  1434. goto err;
  1435. }
  1436. #ifdef OPENSSL_NO_COMP
  1437. if (compression != 0) {
  1438. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1439. SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  1440. goto err;
  1441. }
  1442. /*
  1443. * If compression is disabled we'd better not try to resume a session
  1444. * using compression.
  1445. */
  1446. if (s->session->compress_meth != 0) {
  1447. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
  1448. goto err;
  1449. }
  1450. #else
  1451. if (s->hit && compression != s->session->compress_meth) {
  1452. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1453. SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
  1454. goto err;
  1455. }
  1456. if (compression == 0)
  1457. comp = NULL;
  1458. else if (!ssl_allow_compression(s)) {
  1459. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED);
  1460. goto err;
  1461. } else {
  1462. comp = ssl3_comp_find(s->ctx->comp_methods, compression);
  1463. }
  1464. if (compression != 0 && comp == NULL) {
  1465. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1466. SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  1467. goto err;
  1468. } else {
  1469. s->s3.tmp.new_compression = comp;
  1470. }
  1471. #endif
  1472. if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
  1473. /* SSLfatal() already called */
  1474. goto err;
  1475. }
  1476. #ifndef OPENSSL_NO_SCTP
  1477. if (SSL_IS_DTLS(s) && s->hit) {
  1478. unsigned char sctpauthkey[64];
  1479. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  1480. size_t labellen;
  1481. /*
  1482. * Add new shared key for SCTP-Auth, will be ignored if
  1483. * no SCTP used.
  1484. */
  1485. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  1486. sizeof(DTLS1_SCTP_AUTH_LABEL));
  1487. /* Don't include the terminating zero. */
  1488. labellen = sizeof(labelbuffer) - 1;
  1489. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  1490. labellen += 1;
  1491. if (SSL_export_keying_material(s, sctpauthkey,
  1492. sizeof(sctpauthkey),
  1493. labelbuffer,
  1494. labellen, NULL, 0, 0) <= 0) {
  1495. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1496. goto err;
  1497. }
  1498. BIO_ctrl(SSL_get_wbio(s),
  1499. BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  1500. sizeof(sctpauthkey), sctpauthkey);
  1501. }
  1502. #endif
  1503. /*
  1504. * In TLSv1.3 we have some post-processing to change cipher state, otherwise
  1505. * we're done with this message
  1506. */
  1507. if (SSL_IS_TLS13(s)
  1508. && (!s->method->ssl3_enc->setup_key_block(s)
  1509. || !s->method->ssl3_enc->change_cipher_state(s,
  1510. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
  1511. /* SSLfatal() already called */
  1512. goto err;
  1513. }
  1514. OPENSSL_free(extensions);
  1515. return MSG_PROCESS_CONTINUE_READING;
  1516. err:
  1517. OPENSSL_free(extensions);
  1518. return MSG_PROCESS_ERROR;
  1519. }
  1520. static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
  1521. PACKET *extpkt)
  1522. {
  1523. RAW_EXTENSION *extensions = NULL;
  1524. /*
  1525. * If we were sending early_data then the enc_write_ctx is now invalid and
  1526. * should not be used.
  1527. */
  1528. EVP_CIPHER_CTX_free(s->enc_write_ctx);
  1529. s->enc_write_ctx = NULL;
  1530. if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
  1531. &extensions, NULL, 1)
  1532. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
  1533. extensions, NULL, 0, 1)) {
  1534. /* SSLfatal() already called */
  1535. goto err;
  1536. }
  1537. OPENSSL_free(extensions);
  1538. extensions = NULL;
  1539. if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) {
  1540. /*
  1541. * We didn't receive a cookie or a new key_share so the next
  1542. * ClientHello will not change
  1543. */
  1544. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR);
  1545. goto err;
  1546. }
  1547. /*
  1548. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  1549. * a synthetic message_hash in place of ClientHello1.
  1550. */
  1551. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  1552. /* SSLfatal() already called */
  1553. goto err;
  1554. }
  1555. /*
  1556. * Add this message to the Transcript Hash. Normally this is done
  1557. * automatically prior to the message processing stage. However due to the
  1558. * need to create the synthetic message hash, we defer that step until now
  1559. * for HRR messages.
  1560. */
  1561. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1562. s->init_num + SSL3_HM_HEADER_LENGTH)) {
  1563. /* SSLfatal() already called */
  1564. goto err;
  1565. }
  1566. return MSG_PROCESS_FINISHED_READING;
  1567. err:
  1568. OPENSSL_free(extensions);
  1569. return MSG_PROCESS_ERROR;
  1570. }
  1571. /* prepare server cert verification by setting s->session->peer_chain from pkt */
  1572. MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
  1573. {
  1574. unsigned long cert_list_len, cert_len;
  1575. X509 *x = NULL;
  1576. const unsigned char *certstart, *certbytes;
  1577. size_t chainidx;
  1578. unsigned int context = 0;
  1579. if ((s->session->peer_chain = sk_X509_new_null()) == NULL) {
  1580. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  1581. goto err;
  1582. }
  1583. if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
  1584. || context != 0
  1585. || !PACKET_get_net_3(pkt, &cert_list_len)
  1586. || PACKET_remaining(pkt) != cert_list_len
  1587. || PACKET_remaining(pkt) == 0) {
  1588. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1589. goto err;
  1590. }
  1591. for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
  1592. if (!PACKET_get_net_3(pkt, &cert_len)
  1593. || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
  1594. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  1595. goto err;
  1596. }
  1597. certstart = certbytes;
  1598. x = X509_new_ex(s->ctx->libctx, s->ctx->propq);
  1599. if (x == NULL) {
  1600. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE);
  1601. ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
  1602. goto err;
  1603. }
  1604. if (d2i_X509(&x, (const unsigned char **)&certbytes,
  1605. cert_len) == NULL) {
  1606. SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB);
  1607. goto err;
  1608. }
  1609. if (certbytes != (certstart + cert_len)) {
  1610. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  1611. goto err;
  1612. }
  1613. if (SSL_IS_TLS13(s)) {
  1614. RAW_EXTENSION *rawexts = NULL;
  1615. PACKET extensions;
  1616. if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
  1617. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1618. goto err;
  1619. }
  1620. if (!tls_collect_extensions(s, &extensions,
  1621. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  1622. NULL, chainidx == 0)
  1623. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  1624. rawexts, x, chainidx,
  1625. PACKET_remaining(pkt) == 0)) {
  1626. OPENSSL_free(rawexts);
  1627. /* SSLfatal already called */
  1628. goto err;
  1629. }
  1630. OPENSSL_free(rawexts);
  1631. }
  1632. if (!sk_X509_push(s->session->peer_chain, x)) {
  1633. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  1634. goto err;
  1635. }
  1636. x = NULL;
  1637. }
  1638. return MSG_PROCESS_CONTINUE_PROCESSING;
  1639. err:
  1640. X509_free(x);
  1641. OSSL_STACK_OF_X509_free(s->session->peer_chain);
  1642. s->session->peer_chain = NULL;
  1643. return MSG_PROCESS_ERROR;
  1644. }
  1645. /*
  1646. * Verify the s->session->peer_chain and check server cert type.
  1647. * On success set s->session->peer and s->session->verify_result.
  1648. * Else the peer certificate verification callback may request retry.
  1649. */
  1650. WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
  1651. {
  1652. X509 *x;
  1653. EVP_PKEY *pkey = NULL;
  1654. const SSL_CERT_LOOKUP *clu;
  1655. size_t certidx;
  1656. int i;
  1657. if (s->rwstate == SSL_RETRY_VERIFY)
  1658. s->rwstate = SSL_NOTHING;
  1659. i = ssl_verify_cert_chain(s, s->session->peer_chain);
  1660. if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
  1661. return WORK_MORE_A;
  1662. }
  1663. /*
  1664. * The documented interface is that SSL_VERIFY_PEER should be set in order
  1665. * for client side verification of the server certificate to take place.
  1666. * However, historically the code has only checked that *any* flag is set
  1667. * to cause server verification to take place. Use of the other flags makes
  1668. * no sense in client mode. An attempt to clean up the semantics was
  1669. * reverted because at least one application *only* set
  1670. * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
  1671. * server verification to take place, after the clean up it silently did
  1672. * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
  1673. * sent to them because they are void functions. Therefore, we now use the
  1674. * (less clean) historic behaviour of performing validation if any flag is
  1675. * set. The *documented* interface remains the same.
  1676. */
  1677. if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
  1678. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  1679. SSL_R_CERTIFICATE_VERIFY_FAILED);
  1680. return WORK_ERROR;
  1681. }
  1682. ERR_clear_error(); /* but we keep s->verify_result */
  1683. /*
  1684. * Inconsistency alert: cert_chain does include the peer's certificate,
  1685. * which we don't include in statem_srvr.c
  1686. */
  1687. x = sk_X509_value(s->session->peer_chain, 0);
  1688. pkey = X509_get0_pubkey(x);
  1689. if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
  1690. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1691. SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
  1692. return WORK_ERROR;
  1693. }
  1694. if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
  1695. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  1696. return WORK_ERROR;
  1697. }
  1698. /*
  1699. * Check certificate type is consistent with ciphersuite. For TLS 1.3
  1700. * skip check since TLS 1.3 ciphersuites can be used with any certificate
  1701. * type.
  1702. */
  1703. if (!SSL_IS_TLS13(s)) {
  1704. if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
  1705. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE);
  1706. return WORK_ERROR;
  1707. }
  1708. }
  1709. X509_free(s->session->peer);
  1710. X509_up_ref(x);
  1711. s->session->peer = x;
  1712. s->session->verify_result = s->verify_result;
  1713. /* Save the current hash state for when we receive the CertificateVerify */
  1714. if (SSL_IS_TLS13(s)
  1715. && !ssl_handshake_hash(s, s->cert_verify_hash,
  1716. sizeof(s->cert_verify_hash),
  1717. &s->cert_verify_hash_len)) {
  1718. /* SSLfatal() already called */;
  1719. return WORK_ERROR;
  1720. }
  1721. return WORK_FINISHED_CONTINUE;
  1722. }
  1723. static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt)
  1724. {
  1725. #ifndef OPENSSL_NO_PSK
  1726. PACKET psk_identity_hint;
  1727. /* PSK ciphersuites are preceded by an identity hint */
  1728. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
  1729. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1730. return 0;
  1731. }
  1732. /*
  1733. * Store PSK identity hint for later use, hint is used in
  1734. * tls_construct_client_key_exchange. Assume that the maximum length of
  1735. * a PSK identity hint can be as long as the maximum length of a PSK
  1736. * identity.
  1737. */
  1738. if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
  1739. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG);
  1740. return 0;
  1741. }
  1742. if (PACKET_remaining(&psk_identity_hint) == 0) {
  1743. OPENSSL_free(s->session->psk_identity_hint);
  1744. s->session->psk_identity_hint = NULL;
  1745. } else if (!PACKET_strndup(&psk_identity_hint,
  1746. &s->session->psk_identity_hint)) {
  1747. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1748. return 0;
  1749. }
  1750. return 1;
  1751. #else
  1752. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1753. return 0;
  1754. #endif
  1755. }
  1756. static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
  1757. {
  1758. #ifndef OPENSSL_NO_SRP
  1759. PACKET prime, generator, salt, server_pub;
  1760. if (!PACKET_get_length_prefixed_2(pkt, &prime)
  1761. || !PACKET_get_length_prefixed_2(pkt, &generator)
  1762. || !PACKET_get_length_prefixed_1(pkt, &salt)
  1763. || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
  1764. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1765. return 0;
  1766. }
  1767. if ((s->srp_ctx.N =
  1768. BN_bin2bn(PACKET_data(&prime),
  1769. (int)PACKET_remaining(&prime), NULL)) == NULL
  1770. || (s->srp_ctx.g =
  1771. BN_bin2bn(PACKET_data(&generator),
  1772. (int)PACKET_remaining(&generator), NULL)) == NULL
  1773. || (s->srp_ctx.s =
  1774. BN_bin2bn(PACKET_data(&salt),
  1775. (int)PACKET_remaining(&salt), NULL)) == NULL
  1776. || (s->srp_ctx.B =
  1777. BN_bin2bn(PACKET_data(&server_pub),
  1778. (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
  1779. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  1780. return 0;
  1781. }
  1782. if (!srp_verify_server_param(s)) {
  1783. /* SSLfatal() already called */
  1784. return 0;
  1785. }
  1786. /* We must check if there is a certificate */
  1787. if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
  1788. *pkey = X509_get0_pubkey(s->session->peer);
  1789. return 1;
  1790. #else
  1791. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1792. return 0;
  1793. #endif
  1794. }
  1795. static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
  1796. {
  1797. PACKET prime, generator, pub_key;
  1798. EVP_PKEY *peer_tmp = NULL;
  1799. BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
  1800. EVP_PKEY_CTX *pctx = NULL;
  1801. OSSL_PARAM *params = NULL;
  1802. OSSL_PARAM_BLD *tmpl = NULL;
  1803. int ret = 0;
  1804. if (!PACKET_get_length_prefixed_2(pkt, &prime)
  1805. || !PACKET_get_length_prefixed_2(pkt, &generator)
  1806. || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
  1807. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1808. return 0;
  1809. }
  1810. p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
  1811. g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
  1812. NULL);
  1813. bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
  1814. (int)PACKET_remaining(&pub_key), NULL);
  1815. if (p == NULL || g == NULL || bnpub_key == NULL) {
  1816. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  1817. goto err;
  1818. }
  1819. tmpl = OSSL_PARAM_BLD_new();
  1820. if (tmpl == NULL
  1821. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
  1822. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
  1823. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY,
  1824. bnpub_key)
  1825. || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
  1826. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1827. goto err;
  1828. }
  1829. pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
  1830. if (pctx == NULL) {
  1831. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1832. goto err;
  1833. }
  1834. if (EVP_PKEY_fromdata_init(pctx) <= 0
  1835. || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) {
  1836. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE);
  1837. goto err;
  1838. }
  1839. EVP_PKEY_CTX_free(pctx);
  1840. pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq);
  1841. if (pctx == NULL
  1842. /*
  1843. * EVP_PKEY_param_check() will verify that the DH params are using
  1844. * a safe prime. In this context, because we're using ephemeral DH,
  1845. * we're ok with it not being a safe prime.
  1846. * EVP_PKEY_param_check_quick() skips the safe prime check.
  1847. */
  1848. || EVP_PKEY_param_check_quick(pctx) != 1
  1849. || EVP_PKEY_public_check(pctx) != 1) {
  1850. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE);
  1851. goto err;
  1852. }
  1853. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  1854. EVP_PKEY_get_security_bits(peer_tmp),
  1855. 0, peer_tmp)) {
  1856. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
  1857. goto err;
  1858. }
  1859. s->s3.peer_tmp = peer_tmp;
  1860. peer_tmp = NULL;
  1861. /*
  1862. * FIXME: This makes assumptions about which ciphersuites come with
  1863. * public keys. We should have a less ad-hoc way of doing this
  1864. */
  1865. if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
  1866. *pkey = X509_get0_pubkey(s->session->peer);
  1867. /* else anonymous DH, so no certificate or pkey. */
  1868. ret = 1;
  1869. err:
  1870. OSSL_PARAM_BLD_free(tmpl);
  1871. OSSL_PARAM_free(params);
  1872. EVP_PKEY_free(peer_tmp);
  1873. EVP_PKEY_CTX_free(pctx);
  1874. BN_free(p);
  1875. BN_free(g);
  1876. BN_free(bnpub_key);
  1877. return ret;
  1878. }
  1879. static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
  1880. {
  1881. PACKET encoded_pt;
  1882. unsigned int curve_type, curve_id;
  1883. /*
  1884. * Extract elliptic curve parameters and the server's ephemeral ECDH
  1885. * public key. We only support named (not generic) curves and
  1886. * ECParameters in this case is just three bytes.
  1887. */
  1888. if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
  1889. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1890. return 0;
  1891. }
  1892. /*
  1893. * Check curve is named curve type and one of our preferences, if not
  1894. * server has sent an invalid curve.
  1895. */
  1896. if (curve_type != NAMED_CURVE_TYPE
  1897. || !tls1_check_group_id(s, curve_id, 1)) {
  1898. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
  1899. return 0;
  1900. }
  1901. if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) {
  1902. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1903. SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
  1904. return 0;
  1905. }
  1906. if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
  1907. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1908. return 0;
  1909. }
  1910. if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
  1911. PACKET_data(&encoded_pt),
  1912. PACKET_remaining(&encoded_pt)) <= 0) {
  1913. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
  1914. return 0;
  1915. }
  1916. /*
  1917. * The ECC/TLS specification does not mention the use of DSA to sign
  1918. * ECParameters in the server key exchange message. We do support RSA
  1919. * and ECDSA.
  1920. */
  1921. if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA)
  1922. *pkey = X509_get0_pubkey(s->session->peer);
  1923. else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA)
  1924. *pkey = X509_get0_pubkey(s->session->peer);
  1925. /* else anonymous ECDH, so no certificate or pkey. */
  1926. /* Cache the agreed upon group in the SSL_SESSION */
  1927. s->session->kex_group = curve_id;
  1928. return 1;
  1929. }
  1930. MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
  1931. {
  1932. long alg_k;
  1933. EVP_PKEY *pkey = NULL;
  1934. EVP_MD_CTX *md_ctx = NULL;
  1935. EVP_PKEY_CTX *pctx = NULL;
  1936. PACKET save_param_start, signature;
  1937. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  1938. save_param_start = *pkt;
  1939. EVP_PKEY_free(s->s3.peer_tmp);
  1940. s->s3.peer_tmp = NULL;
  1941. if (alg_k & SSL_PSK) {
  1942. if (!tls_process_ske_psk_preamble(s, pkt)) {
  1943. /* SSLfatal() already called */
  1944. goto err;
  1945. }
  1946. }
  1947. /* Nothing else to do for plain PSK or RSAPSK */
  1948. if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
  1949. } else if (alg_k & SSL_kSRP) {
  1950. if (!tls_process_ske_srp(s, pkt, &pkey)) {
  1951. /* SSLfatal() already called */
  1952. goto err;
  1953. }
  1954. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  1955. if (!tls_process_ske_dhe(s, pkt, &pkey)) {
  1956. /* SSLfatal() already called */
  1957. goto err;
  1958. }
  1959. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  1960. if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
  1961. /* SSLfatal() already called */
  1962. goto err;
  1963. }
  1964. } else if (alg_k) {
  1965. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1966. goto err;
  1967. }
  1968. /* if it was signed, check the signature */
  1969. if (pkey != NULL) {
  1970. PACKET params;
  1971. const EVP_MD *md = NULL;
  1972. unsigned char *tbs;
  1973. size_t tbslen;
  1974. int rv;
  1975. /*
  1976. * |pkt| now points to the beginning of the signature, so the difference
  1977. * equals the length of the parameters.
  1978. */
  1979. if (!PACKET_get_sub_packet(&save_param_start, &params,
  1980. PACKET_remaining(&save_param_start) -
  1981. PACKET_remaining(pkt))) {
  1982. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  1983. goto err;
  1984. }
  1985. if (SSL_USE_SIGALGS(s)) {
  1986. unsigned int sigalg;
  1987. if (!PACKET_get_net_2(pkt, &sigalg)) {
  1988. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1989. goto err;
  1990. }
  1991. if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
  1992. /* SSLfatal() already called */
  1993. goto err;
  1994. }
  1995. } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
  1996. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1997. goto err;
  1998. }
  1999. if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
  2000. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2001. SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
  2002. goto err;
  2003. }
  2004. if (SSL_USE_SIGALGS(s))
  2005. OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
  2006. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  2007. if (!PACKET_get_length_prefixed_2(pkt, &signature)
  2008. || PACKET_remaining(pkt) != 0) {
  2009. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2010. goto err;
  2011. }
  2012. md_ctx = EVP_MD_CTX_new();
  2013. if (md_ctx == NULL) {
  2014. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2015. goto err;
  2016. }
  2017. if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
  2018. md == NULL ? NULL : EVP_MD_get0_name(md),
  2019. s->ctx->libctx, s->ctx->propq, pkey,
  2020. NULL) <= 0) {
  2021. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2022. goto err;
  2023. }
  2024. if (SSL_USE_PSS(s)) {
  2025. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2026. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  2027. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2028. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2029. goto err;
  2030. }
  2031. }
  2032. tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
  2033. PACKET_remaining(&params));
  2034. if (tbslen == 0) {
  2035. /* SSLfatal() already called */
  2036. goto err;
  2037. }
  2038. rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
  2039. PACKET_remaining(&signature), tbs, tbslen);
  2040. OPENSSL_free(tbs);
  2041. if (rv <= 0) {
  2042. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  2043. goto err;
  2044. }
  2045. EVP_MD_CTX_free(md_ctx);
  2046. md_ctx = NULL;
  2047. } else {
  2048. /* aNULL, aSRP or PSK do not need public keys */
  2049. if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
  2050. && !(alg_k & SSL_PSK)) {
  2051. /* Might be wrong key type, check it */
  2052. if (ssl3_check_cert_and_algorithm(s)) {
  2053. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA);
  2054. }
  2055. /* else this shouldn't happen, SSLfatal() already called */
  2056. goto err;
  2057. }
  2058. /* still data left over */
  2059. if (PACKET_remaining(pkt) != 0) {
  2060. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE);
  2061. goto err;
  2062. }
  2063. }
  2064. return MSG_PROCESS_CONTINUE_READING;
  2065. err:
  2066. EVP_MD_CTX_free(md_ctx);
  2067. return MSG_PROCESS_ERROR;
  2068. }
  2069. MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
  2070. {
  2071. size_t i;
  2072. /* Clear certificate validity flags */
  2073. for (i = 0; i < SSL_PKEY_NUM; i++)
  2074. s->s3.tmp.valid_flags[i] = 0;
  2075. if (SSL_IS_TLS13(s)) {
  2076. PACKET reqctx, extensions;
  2077. RAW_EXTENSION *rawexts = NULL;
  2078. if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
  2079. /*
  2080. * We already sent close_notify. This can only happen in TLSv1.3
  2081. * post-handshake messages. We can't reasonably respond to this, so
  2082. * we just ignore it
  2083. */
  2084. return MSG_PROCESS_FINISHED_READING;
  2085. }
  2086. /* Free and zero certificate types: it is not present in TLS 1.3 */
  2087. OPENSSL_free(s->s3.tmp.ctype);
  2088. s->s3.tmp.ctype = NULL;
  2089. s->s3.tmp.ctype_len = 0;
  2090. OPENSSL_free(s->pha_context);
  2091. s->pha_context = NULL;
  2092. s->pha_context_len = 0;
  2093. if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
  2094. !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
  2095. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2096. return MSG_PROCESS_ERROR;
  2097. }
  2098. if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
  2099. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  2100. return MSG_PROCESS_ERROR;
  2101. }
  2102. if (!tls_collect_extensions(s, &extensions,
  2103. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  2104. &rawexts, NULL, 1)
  2105. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  2106. rawexts, NULL, 0, 1)) {
  2107. /* SSLfatal() already called */
  2108. OPENSSL_free(rawexts);
  2109. return MSG_PROCESS_ERROR;
  2110. }
  2111. OPENSSL_free(rawexts);
  2112. if (!tls1_process_sigalgs(s)) {
  2113. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
  2114. return MSG_PROCESS_ERROR;
  2115. }
  2116. } else {
  2117. PACKET ctypes;
  2118. /* get the certificate types */
  2119. if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
  2120. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2121. return MSG_PROCESS_ERROR;
  2122. }
  2123. if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
  2124. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2125. return MSG_PROCESS_ERROR;
  2126. }
  2127. if (SSL_USE_SIGALGS(s)) {
  2128. PACKET sigalgs;
  2129. if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
  2130. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2131. return MSG_PROCESS_ERROR;
  2132. }
  2133. /*
  2134. * Despite this being for certificates, preserve compatibility
  2135. * with pre-TLS 1.3 and use the regular sigalgs field.
  2136. */
  2137. if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
  2138. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2139. SSL_R_SIGNATURE_ALGORITHMS_ERROR);
  2140. return MSG_PROCESS_ERROR;
  2141. }
  2142. if (!tls1_process_sigalgs(s)) {
  2143. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2144. return MSG_PROCESS_ERROR;
  2145. }
  2146. }
  2147. /* get the CA RDNs */
  2148. if (!parse_ca_names(s, pkt)) {
  2149. /* SSLfatal() already called */
  2150. return MSG_PROCESS_ERROR;
  2151. }
  2152. }
  2153. if (PACKET_remaining(pkt) != 0) {
  2154. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2155. return MSG_PROCESS_ERROR;
  2156. }
  2157. /* we should setup a certificate to return.... */
  2158. s->s3.tmp.cert_req = 1;
  2159. /*
  2160. * In TLSv1.3 we don't prepare the client certificate yet. We wait until
  2161. * after the CertificateVerify message has been received. This is because
  2162. * in TLSv1.3 the CertificateRequest arrives before the Certificate message
  2163. * but in TLSv1.2 it is the other way around. We want to make sure that
  2164. * SSL_get1_peer_certificate() returns something sensible in
  2165. * client_cert_cb.
  2166. */
  2167. if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED)
  2168. return MSG_PROCESS_CONTINUE_READING;
  2169. return MSG_PROCESS_CONTINUE_PROCESSING;
  2170. }
  2171. MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
  2172. {
  2173. unsigned int ticklen;
  2174. unsigned long ticket_lifetime_hint, age_add = 0;
  2175. unsigned int sess_len;
  2176. RAW_EXTENSION *exts = NULL;
  2177. PACKET nonce;
  2178. EVP_MD *sha256 = NULL;
  2179. PACKET_null_init(&nonce);
  2180. if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
  2181. || (SSL_IS_TLS13(s)
  2182. && (!PACKET_get_net_4(pkt, &age_add)
  2183. || !PACKET_get_length_prefixed_1(pkt, &nonce)))
  2184. || !PACKET_get_net_2(pkt, &ticklen)
  2185. || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen)
  2186. : PACKET_remaining(pkt) != ticklen)) {
  2187. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2188. goto err;
  2189. }
  2190. /*
  2191. * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
  2192. * ticket. We already checked this TLSv1.3 case above, so it should never
  2193. * be 0 here in that instance
  2194. */
  2195. if (ticklen == 0)
  2196. return MSG_PROCESS_CONTINUE_READING;
  2197. /*
  2198. * Sessions must be immutable once they go into the session cache. Otherwise
  2199. * we can get multi-thread problems. Therefore we don't "update" sessions,
  2200. * we replace them with a duplicate. In TLSv1.3 we need to do this every
  2201. * time a NewSessionTicket arrives because those messages arrive
  2202. * post-handshake and the session may have already gone into the session
  2203. * cache.
  2204. */
  2205. if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
  2206. SSL_SESSION *new_sess;
  2207. /*
  2208. * We reused an existing session, so we need to replace it with a new
  2209. * one
  2210. */
  2211. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  2212. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2213. goto err;
  2214. }
  2215. if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
  2216. && !SSL_IS_TLS13(s)) {
  2217. /*
  2218. * In TLSv1.2 and below the arrival of a new tickets signals that
  2219. * any old ticket we were using is now out of date, so we remove the
  2220. * old session from the cache. We carry on if this fails
  2221. */
  2222. SSL_CTX_remove_session(s->session_ctx, s->session);
  2223. }
  2224. SSL_SESSION_free(s->session);
  2225. s->session = new_sess;
  2226. }
  2227. s->session->time = time(NULL);
  2228. ssl_session_calculate_timeout(s->session);
  2229. OPENSSL_free(s->session->ext.tick);
  2230. s->session->ext.tick = NULL;
  2231. s->session->ext.ticklen = 0;
  2232. s->session->ext.tick = OPENSSL_malloc(ticklen);
  2233. if (s->session->ext.tick == NULL) {
  2234. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2235. goto err;
  2236. }
  2237. if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
  2238. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2239. goto err;
  2240. }
  2241. s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
  2242. s->session->ext.tick_age_add = age_add;
  2243. s->session->ext.ticklen = ticklen;
  2244. if (SSL_IS_TLS13(s)) {
  2245. PACKET extpkt;
  2246. if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
  2247. || PACKET_remaining(pkt) != 0) {
  2248. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2249. goto err;
  2250. }
  2251. if (!tls_collect_extensions(s, &extpkt,
  2252. SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts,
  2253. NULL, 1)
  2254. || !tls_parse_all_extensions(s,
  2255. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  2256. exts, NULL, 0, 1)) {
  2257. /* SSLfatal() already called */
  2258. goto err;
  2259. }
  2260. }
  2261. /*
  2262. * There are two ways to detect a resumed ticket session. One is to set
  2263. * an appropriate session ID and then the server must return a match in
  2264. * ServerHello. This allows the normal client session ID matching to work
  2265. * and we know much earlier that the ticket has been accepted. The
  2266. * other way is to set zero length session ID when the ticket is
  2267. * presented and rely on the handshake to determine session resumption.
  2268. * We choose the former approach because this fits in with assumptions
  2269. * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
  2270. * ticket.
  2271. */
  2272. sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
  2273. if (sha256 == NULL) {
  2274. /* Error is already recorded */
  2275. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  2276. goto err;
  2277. }
  2278. /*
  2279. * We use sess_len here because EVP_Digest expects an int
  2280. * but s->session->session_id_length is a size_t
  2281. */
  2282. if (!EVP_Digest(s->session->ext.tick, ticklen,
  2283. s->session->session_id, &sess_len,
  2284. sha256, NULL)) {
  2285. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2286. goto err;
  2287. }
  2288. EVP_MD_free(sha256);
  2289. sha256 = NULL;
  2290. s->session->session_id_length = sess_len;
  2291. s->session->not_resumable = 0;
  2292. /* This is a standalone message in TLSv1.3, so there is no more to read */
  2293. if (SSL_IS_TLS13(s)) {
  2294. const EVP_MD *md = ssl_handshake_md(s);
  2295. int hashleni = EVP_MD_get_size(md);
  2296. size_t hashlen;
  2297. static const unsigned char nonce_label[] = "resumption";
  2298. /* Ensure cast to size_t is safe */
  2299. if (!ossl_assert(hashleni >= 0)) {
  2300. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2301. goto err;
  2302. }
  2303. hashlen = (size_t)hashleni;
  2304. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  2305. nonce_label,
  2306. sizeof(nonce_label) - 1,
  2307. PACKET_data(&nonce),
  2308. PACKET_remaining(&nonce),
  2309. s->session->master_key,
  2310. hashlen, 1)) {
  2311. /* SSLfatal() already called */
  2312. goto err;
  2313. }
  2314. s->session->master_key_length = hashlen;
  2315. OPENSSL_free(exts);
  2316. ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
  2317. return MSG_PROCESS_FINISHED_READING;
  2318. }
  2319. return MSG_PROCESS_CONTINUE_READING;
  2320. err:
  2321. EVP_MD_free(sha256);
  2322. OPENSSL_free(exts);
  2323. return MSG_PROCESS_ERROR;
  2324. }
  2325. /*
  2326. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  2327. * parse a separate message. Returns 1 on success or 0 on failure
  2328. */
  2329. int tls_process_cert_status_body(SSL *s, PACKET *pkt)
  2330. {
  2331. size_t resplen;
  2332. unsigned int type;
  2333. if (!PACKET_get_1(pkt, &type)
  2334. || type != TLSEXT_STATUSTYPE_ocsp) {
  2335. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE);
  2336. return 0;
  2337. }
  2338. if (!PACKET_get_net_3_len(pkt, &resplen)
  2339. || PACKET_remaining(pkt) != resplen) {
  2340. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2341. return 0;
  2342. }
  2343. s->ext.ocsp.resp = OPENSSL_malloc(resplen);
  2344. if (s->ext.ocsp.resp == NULL) {
  2345. s->ext.ocsp.resp_len = 0;
  2346. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2347. return 0;
  2348. }
  2349. s->ext.ocsp.resp_len = resplen;
  2350. if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
  2351. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2352. return 0;
  2353. }
  2354. return 1;
  2355. }
  2356. MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
  2357. {
  2358. if (!tls_process_cert_status_body(s, pkt)) {
  2359. /* SSLfatal() already called */
  2360. return MSG_PROCESS_ERROR;
  2361. }
  2362. return MSG_PROCESS_CONTINUE_READING;
  2363. }
  2364. /*
  2365. * Perform miscellaneous checks and processing after we have received the
  2366. * server's initial flight. In TLS1.3 this is after the Server Finished message.
  2367. * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
  2368. * on failure.
  2369. */
  2370. int tls_process_initial_server_flight(SSL *s)
  2371. {
  2372. /*
  2373. * at this point we check that we have the required stuff from
  2374. * the server
  2375. */
  2376. if (!ssl3_check_cert_and_algorithm(s)) {
  2377. /* SSLfatal() already called */
  2378. return 0;
  2379. }
  2380. /*
  2381. * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
  2382. * |ext.ocsp.resp_len| values will be set if we actually received a status
  2383. * message, or NULL and -1 otherwise
  2384. */
  2385. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
  2386. && s->ctx->ext.status_cb != NULL) {
  2387. int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
  2388. if (ret == 0) {
  2389. SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
  2390. SSL_R_INVALID_STATUS_RESPONSE);
  2391. return 0;
  2392. }
  2393. if (ret < 0) {
  2394. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2395. SSL_R_OCSP_CALLBACK_FAILURE);
  2396. return 0;
  2397. }
  2398. }
  2399. #ifndef OPENSSL_NO_CT
  2400. if (s->ct_validation_callback != NULL) {
  2401. /* Note we validate the SCTs whether or not we abort on error */
  2402. if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
  2403. /* SSLfatal() already called */
  2404. return 0;
  2405. }
  2406. }
  2407. #endif
  2408. return 1;
  2409. }
  2410. MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
  2411. {
  2412. if (PACKET_remaining(pkt) > 0) {
  2413. /* should contain no data */
  2414. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2415. return MSG_PROCESS_ERROR;
  2416. }
  2417. #ifndef OPENSSL_NO_SRP
  2418. if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
  2419. if (ssl_srp_calc_a_param_intern(s) <= 0) {
  2420. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
  2421. return MSG_PROCESS_ERROR;
  2422. }
  2423. }
  2424. #endif
  2425. if (!tls_process_initial_server_flight(s)) {
  2426. /* SSLfatal() already called */
  2427. return MSG_PROCESS_ERROR;
  2428. }
  2429. return MSG_PROCESS_FINISHED_READING;
  2430. }
  2431. static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
  2432. {
  2433. #ifndef OPENSSL_NO_PSK
  2434. int ret = 0;
  2435. /*
  2436. * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
  2437. * \0-terminated identity. The last byte is for us for simulating
  2438. * strnlen.
  2439. */
  2440. char identity[PSK_MAX_IDENTITY_LEN + 1];
  2441. size_t identitylen = 0;
  2442. unsigned char psk[PSK_MAX_PSK_LEN];
  2443. unsigned char *tmppsk = NULL;
  2444. char *tmpidentity = NULL;
  2445. size_t psklen = 0;
  2446. if (s->psk_client_callback == NULL) {
  2447. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB);
  2448. goto err;
  2449. }
  2450. memset(identity, 0, sizeof(identity));
  2451. psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
  2452. identity, sizeof(identity) - 1,
  2453. psk, sizeof(psk));
  2454. if (psklen > PSK_MAX_PSK_LEN) {
  2455. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  2456. psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */
  2457. goto err;
  2458. } else if (psklen == 0) {
  2459. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
  2460. goto err;
  2461. }
  2462. identitylen = strlen(identity);
  2463. if (identitylen > PSK_MAX_IDENTITY_LEN) {
  2464. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2465. goto err;
  2466. }
  2467. tmppsk = OPENSSL_memdup(psk, psklen);
  2468. tmpidentity = OPENSSL_strdup(identity);
  2469. if (tmppsk == NULL || tmpidentity == NULL) {
  2470. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2471. goto err;
  2472. }
  2473. OPENSSL_free(s->s3.tmp.psk);
  2474. s->s3.tmp.psk = tmppsk;
  2475. s->s3.tmp.psklen = psklen;
  2476. tmppsk = NULL;
  2477. OPENSSL_free(s->session->psk_identity);
  2478. s->session->psk_identity = tmpidentity;
  2479. tmpidentity = NULL;
  2480. if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) {
  2481. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2482. goto err;
  2483. }
  2484. ret = 1;
  2485. err:
  2486. OPENSSL_cleanse(psk, psklen);
  2487. OPENSSL_cleanse(identity, sizeof(identity));
  2488. OPENSSL_clear_free(tmppsk, psklen);
  2489. OPENSSL_clear_free(tmpidentity, identitylen);
  2490. return ret;
  2491. #else
  2492. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2493. return 0;
  2494. #endif
  2495. }
  2496. static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
  2497. {
  2498. unsigned char *encdata = NULL;
  2499. EVP_PKEY *pkey = NULL;
  2500. EVP_PKEY_CTX *pctx = NULL;
  2501. size_t enclen;
  2502. unsigned char *pms = NULL;
  2503. size_t pmslen = 0;
  2504. if (s->session->peer == NULL) {
  2505. /*
  2506. * We should always have a server certificate with SSL_kRSA.
  2507. */
  2508. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2509. return 0;
  2510. }
  2511. pkey = X509_get0_pubkey(s->session->peer);
  2512. if (!EVP_PKEY_is_a(pkey, "RSA")) {
  2513. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2514. return 0;
  2515. }
  2516. pmslen = SSL_MAX_MASTER_KEY_LENGTH;
  2517. pms = OPENSSL_malloc(pmslen);
  2518. if (pms == NULL) {
  2519. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2520. return 0;
  2521. }
  2522. pms[0] = s->client_version >> 8;
  2523. pms[1] = s->client_version & 0xff;
  2524. if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
  2525. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2526. goto err;
  2527. }
  2528. /* Fix buf for TLS and beyond */
  2529. if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
  2530. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2531. goto err;
  2532. }
  2533. pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq);
  2534. if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
  2535. || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
  2536. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2537. goto err;
  2538. }
  2539. if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
  2540. || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
  2541. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT);
  2542. goto err;
  2543. }
  2544. EVP_PKEY_CTX_free(pctx);
  2545. pctx = NULL;
  2546. /* Fix buf for TLS and beyond */
  2547. if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
  2548. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2549. goto err;
  2550. }
  2551. /* Log the premaster secret, if logging is enabled. */
  2552. if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
  2553. /* SSLfatal() already called */
  2554. goto err;
  2555. }
  2556. s->s3.tmp.pms = pms;
  2557. s->s3.tmp.pmslen = pmslen;
  2558. return 1;
  2559. err:
  2560. OPENSSL_clear_free(pms, pmslen);
  2561. EVP_PKEY_CTX_free(pctx);
  2562. return 0;
  2563. }
  2564. static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
  2565. {
  2566. EVP_PKEY *ckey = NULL, *skey = NULL;
  2567. unsigned char *keybytes = NULL;
  2568. int prime_len;
  2569. unsigned char *encoded_pub = NULL;
  2570. size_t encoded_pub_len, pad_len;
  2571. int ret = 0;
  2572. skey = s->s3.peer_tmp;
  2573. if (skey == NULL) {
  2574. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2575. goto err;
  2576. }
  2577. ckey = ssl_generate_pkey(s, skey);
  2578. if (ckey == NULL) {
  2579. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2580. goto err;
  2581. }
  2582. if (ssl_derive(s, ckey, skey, 0) == 0) {
  2583. /* SSLfatal() already called */
  2584. goto err;
  2585. }
  2586. /* send off the data */
  2587. /* Generate encoding of server key */
  2588. encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
  2589. if (encoded_pub_len == 0) {
  2590. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2591. EVP_PKEY_free(ckey);
  2592. return EXT_RETURN_FAIL;
  2593. }
  2594. /*
  2595. * For interoperability with some versions of the Microsoft TLS
  2596. * stack, we need to zero pad the DHE pub key to the same length
  2597. * as the prime.
  2598. */
  2599. prime_len = EVP_PKEY_get_size(ckey);
  2600. pad_len = prime_len - encoded_pub_len;
  2601. if (pad_len > 0) {
  2602. if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) {
  2603. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2604. goto err;
  2605. }
  2606. memset(keybytes, 0, pad_len);
  2607. }
  2608. if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) {
  2609. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2610. goto err;
  2611. }
  2612. ret = 1;
  2613. err:
  2614. OPENSSL_free(encoded_pub);
  2615. EVP_PKEY_free(ckey);
  2616. return ret;
  2617. }
  2618. static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
  2619. {
  2620. unsigned char *encodedPoint = NULL;
  2621. size_t encoded_pt_len = 0;
  2622. EVP_PKEY *ckey = NULL, *skey = NULL;
  2623. int ret = 0;
  2624. skey = s->s3.peer_tmp;
  2625. if (skey == NULL) {
  2626. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2627. return 0;
  2628. }
  2629. ckey = ssl_generate_pkey(s, skey);
  2630. if (ckey == NULL) {
  2631. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2632. goto err;
  2633. }
  2634. if (ssl_derive(s, ckey, skey, 0) == 0) {
  2635. /* SSLfatal() already called */
  2636. goto err;
  2637. }
  2638. /* Generate encoding of client key */
  2639. encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
  2640. if (encoded_pt_len == 0) {
  2641. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2642. goto err;
  2643. }
  2644. if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
  2645. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2646. goto err;
  2647. }
  2648. ret = 1;
  2649. err:
  2650. OPENSSL_free(encodedPoint);
  2651. EVP_PKEY_free(ckey);
  2652. return ret;
  2653. }
  2654. static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
  2655. {
  2656. #ifndef OPENSSL_NO_GOST
  2657. /* GOST key exchange message creation */
  2658. EVP_PKEY_CTX *pkey_ctx = NULL;
  2659. X509 *peer_cert;
  2660. size_t msglen;
  2661. unsigned int md_len;
  2662. unsigned char shared_ukm[32], tmp[256];
  2663. EVP_MD_CTX *ukm_hash = NULL;
  2664. int dgst_nid = NID_id_GostR3411_94;
  2665. unsigned char *pms = NULL;
  2666. size_t pmslen = 0;
  2667. if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
  2668. dgst_nid = NID_id_GostR3411_2012_256;
  2669. /*
  2670. * Get server certificate PKEY and create ctx from it
  2671. */
  2672. peer_cert = s->session->peer;
  2673. if (peer_cert == NULL) {
  2674. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2675. SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
  2676. return 0;
  2677. }
  2678. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
  2679. X509_get0_pubkey(peer_cert),
  2680. s->ctx->propq);
  2681. if (pkey_ctx == NULL) {
  2682. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2683. return 0;
  2684. }
  2685. /*
  2686. * If we have send a certificate, and certificate key
  2687. * parameters match those of server certificate, use
  2688. * certificate key for key exchange
  2689. */
  2690. /* Otherwise, generate ephemeral key pair */
  2691. pmslen = 32;
  2692. pms = OPENSSL_malloc(pmslen);
  2693. if (pms == NULL) {
  2694. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2695. goto err;
  2696. }
  2697. if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
  2698. /* Generate session key
  2699. */
  2700. || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
  2701. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2702. goto err;
  2703. };
  2704. /*
  2705. * Compute shared IV and store it in algorithm-specific context
  2706. * data
  2707. */
  2708. ukm_hash = EVP_MD_CTX_new();
  2709. if (ukm_hash == NULL
  2710. || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
  2711. || EVP_DigestUpdate(ukm_hash, s->s3.client_random,
  2712. SSL3_RANDOM_SIZE) <= 0
  2713. || EVP_DigestUpdate(ukm_hash, s->s3.server_random,
  2714. SSL3_RANDOM_SIZE) <= 0
  2715. || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
  2716. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2717. goto err;
  2718. }
  2719. EVP_MD_CTX_free(ukm_hash);
  2720. ukm_hash = NULL;
  2721. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2722. EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) {
  2723. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2724. goto err;
  2725. }
  2726. /* Make GOST keytransport blob message */
  2727. /*
  2728. * Encapsulate it into sequence
  2729. */
  2730. msglen = 255;
  2731. if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
  2732. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2733. goto err;
  2734. }
  2735. if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
  2736. || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
  2737. || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
  2738. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2739. goto err;
  2740. }
  2741. EVP_PKEY_CTX_free(pkey_ctx);
  2742. s->s3.tmp.pms = pms;
  2743. s->s3.tmp.pmslen = pmslen;
  2744. return 1;
  2745. err:
  2746. EVP_PKEY_CTX_free(pkey_ctx);
  2747. OPENSSL_clear_free(pms, pmslen);
  2748. EVP_MD_CTX_free(ukm_hash);
  2749. return 0;
  2750. #else
  2751. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2752. return 0;
  2753. #endif
  2754. }
  2755. #ifndef OPENSSL_NO_GOST
  2756. int ossl_gost18_cke_cipher_nid(const SSL *s)
  2757. {
  2758. if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
  2759. return NID_magma_ctr;
  2760. else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
  2761. return NID_kuznyechik_ctr;
  2762. return NID_undef;
  2763. }
  2764. int ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf)
  2765. {
  2766. EVP_MD_CTX * hash = NULL;
  2767. unsigned int md_len;
  2768. const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256, s->ctx->propq);
  2769. if (md == NULL)
  2770. return 0;
  2771. if ((hash = EVP_MD_CTX_new()) == NULL
  2772. || EVP_DigestInit(hash, md) <= 0
  2773. || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0
  2774. || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0
  2775. || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
  2776. EVP_MD_CTX_free(hash);
  2777. ssl_evp_md_free(md);
  2778. return 0;
  2779. }
  2780. EVP_MD_CTX_free(hash);
  2781. ssl_evp_md_free(md);
  2782. return 1;
  2783. }
  2784. #endif
  2785. static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
  2786. {
  2787. #ifndef OPENSSL_NO_GOST
  2788. /* GOST 2018 key exchange message creation */
  2789. unsigned char rnd_dgst[32];
  2790. unsigned char *encdata = NULL;
  2791. EVP_PKEY_CTX *pkey_ctx = NULL;
  2792. X509 *peer_cert;
  2793. unsigned char *pms = NULL;
  2794. size_t pmslen = 0;
  2795. size_t msglen;
  2796. int cipher_nid = ossl_gost18_cke_cipher_nid(s);
  2797. if (cipher_nid == NID_undef) {
  2798. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2799. return 0;
  2800. }
  2801. if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
  2802. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2803. goto err;
  2804. }
  2805. /* Pre-master secret - random bytes */
  2806. pmslen = 32;
  2807. pms = OPENSSL_malloc(pmslen);
  2808. if (pms == NULL) {
  2809. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2810. goto err;
  2811. }
  2812. if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
  2813. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2814. goto err;
  2815. }
  2816. /* Get server certificate PKEY and create ctx from it */
  2817. peer_cert = s->session->peer;
  2818. if (peer_cert == NULL) {
  2819. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2820. SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
  2821. goto err;
  2822. }
  2823. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
  2824. X509_get0_pubkey(peer_cert),
  2825. s->ctx->propq);
  2826. if (pkey_ctx == NULL) {
  2827. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2828. goto err;
  2829. }
  2830. if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) {
  2831. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2832. goto err;
  2833. };
  2834. /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
  2835. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2836. EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
  2837. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2838. goto err;
  2839. }
  2840. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2841. EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
  2842. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2843. goto err;
  2844. }
  2845. if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) {
  2846. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2847. goto err;
  2848. }
  2849. if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
  2850. || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
  2851. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2852. goto err;
  2853. }
  2854. EVP_PKEY_CTX_free(pkey_ctx);
  2855. pkey_ctx = NULL;
  2856. s->s3.tmp.pms = pms;
  2857. s->s3.tmp.pmslen = pmslen;
  2858. return 1;
  2859. err:
  2860. EVP_PKEY_CTX_free(pkey_ctx);
  2861. OPENSSL_clear_free(pms, pmslen);
  2862. return 0;
  2863. #else
  2864. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2865. return 0;
  2866. #endif
  2867. }
  2868. static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
  2869. {
  2870. #ifndef OPENSSL_NO_SRP
  2871. unsigned char *abytes = NULL;
  2872. if (s->srp_ctx.A == NULL
  2873. || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
  2874. &abytes)) {
  2875. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2876. return 0;
  2877. }
  2878. BN_bn2bin(s->srp_ctx.A, abytes);
  2879. OPENSSL_free(s->session->srp_username);
  2880. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2881. if (s->session->srp_username == NULL) {
  2882. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2883. return 0;
  2884. }
  2885. return 1;
  2886. #else
  2887. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2888. return 0;
  2889. #endif
  2890. }
  2891. int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
  2892. {
  2893. unsigned long alg_k;
  2894. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  2895. /*
  2896. * All of the construct functions below call SSLfatal() if necessary so
  2897. * no need to do so here.
  2898. */
  2899. if ((alg_k & SSL_PSK)
  2900. && !tls_construct_cke_psk_preamble(s, pkt))
  2901. goto err;
  2902. if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  2903. if (!tls_construct_cke_rsa(s, pkt))
  2904. goto err;
  2905. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  2906. if (!tls_construct_cke_dhe(s, pkt))
  2907. goto err;
  2908. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2909. if (!tls_construct_cke_ecdhe(s, pkt))
  2910. goto err;
  2911. } else if (alg_k & SSL_kGOST) {
  2912. if (!tls_construct_cke_gost(s, pkt))
  2913. goto err;
  2914. } else if (alg_k & SSL_kGOST18) {
  2915. if (!tls_construct_cke_gost18(s, pkt))
  2916. goto err;
  2917. } else if (alg_k & SSL_kSRP) {
  2918. if (!tls_construct_cke_srp(s, pkt))
  2919. goto err;
  2920. } else if (!(alg_k & SSL_kPSK)) {
  2921. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2922. goto err;
  2923. }
  2924. return 1;
  2925. err:
  2926. OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
  2927. s->s3.tmp.pms = NULL;
  2928. s->s3.tmp.pmslen = 0;
  2929. #ifndef OPENSSL_NO_PSK
  2930. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  2931. s->s3.tmp.psk = NULL;
  2932. s->s3.tmp.psklen = 0;
  2933. #endif
  2934. return 0;
  2935. }
  2936. int tls_client_key_exchange_post_work(SSL *s)
  2937. {
  2938. unsigned char *pms = NULL;
  2939. size_t pmslen = 0;
  2940. pms = s->s3.tmp.pms;
  2941. pmslen = s->s3.tmp.pmslen;
  2942. #ifndef OPENSSL_NO_SRP
  2943. /* Check for SRP */
  2944. if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
  2945. if (!srp_generate_client_master_secret(s)) {
  2946. /* SSLfatal() already called */
  2947. goto err;
  2948. }
  2949. return 1;
  2950. }
  2951. #endif
  2952. if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  2953. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2954. goto err;
  2955. }
  2956. if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
  2957. /* SSLfatal() already called */
  2958. /* ssl_generate_master_secret frees the pms even on error */
  2959. pms = NULL;
  2960. pmslen = 0;
  2961. goto err;
  2962. }
  2963. pms = NULL;
  2964. pmslen = 0;
  2965. #ifndef OPENSSL_NO_SCTP
  2966. if (SSL_IS_DTLS(s)) {
  2967. unsigned char sctpauthkey[64];
  2968. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  2969. size_t labellen;
  2970. /*
  2971. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  2972. * used.
  2973. */
  2974. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  2975. sizeof(DTLS1_SCTP_AUTH_LABEL));
  2976. /* Don't include the terminating zero. */
  2977. labellen = sizeof(labelbuffer) - 1;
  2978. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  2979. labellen += 1;
  2980. if (SSL_export_keying_material(s, sctpauthkey,
  2981. sizeof(sctpauthkey), labelbuffer,
  2982. labellen, NULL, 0, 0) <= 0) {
  2983. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2984. goto err;
  2985. }
  2986. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  2987. sizeof(sctpauthkey), sctpauthkey);
  2988. }
  2989. #endif
  2990. return 1;
  2991. err:
  2992. OPENSSL_clear_free(pms, pmslen);
  2993. s->s3.tmp.pms = NULL;
  2994. s->s3.tmp.pmslen = 0;
  2995. return 0;
  2996. }
  2997. /*
  2998. * Check a certificate can be used for client authentication. Currently check
  2999. * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
  3000. * certificates can be used and optionally checks suitability for Suite B.
  3001. */
  3002. static int ssl3_check_client_certificate(SSL *s)
  3003. {
  3004. /* If no suitable signature algorithm can't use certificate */
  3005. if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL)
  3006. return 0;
  3007. /*
  3008. * If strict mode check suitability of chain before using it. This also
  3009. * adjusts suite B digest if necessary.
  3010. */
  3011. if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
  3012. !tls1_check_chain(s, NULL, NULL, NULL, -2))
  3013. return 0;
  3014. return 1;
  3015. }
  3016. WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
  3017. {
  3018. X509 *x509 = NULL;
  3019. EVP_PKEY *pkey = NULL;
  3020. int i;
  3021. if (wst == WORK_MORE_A) {
  3022. /* Let cert callback update client certificates if required */
  3023. if (s->cert->cert_cb) {
  3024. i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  3025. if (i < 0) {
  3026. s->rwstate = SSL_X509_LOOKUP;
  3027. return WORK_MORE_A;
  3028. }
  3029. if (i == 0) {
  3030. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
  3031. return WORK_ERROR;
  3032. }
  3033. s->rwstate = SSL_NOTHING;
  3034. }
  3035. if (ssl3_check_client_certificate(s)) {
  3036. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3037. return WORK_FINISHED_STOP;
  3038. }
  3039. return WORK_FINISHED_CONTINUE;
  3040. }
  3041. /* Fall through to WORK_MORE_B */
  3042. wst = WORK_MORE_B;
  3043. }
  3044. /* We need to get a client cert */
  3045. if (wst == WORK_MORE_B) {
  3046. /*
  3047. * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
  3048. * return(-1); We then get retied later
  3049. */
  3050. i = ssl_do_client_cert_cb(s, &x509, &pkey);
  3051. if (i < 0) {
  3052. s->rwstate = SSL_X509_LOOKUP;
  3053. return WORK_MORE_B;
  3054. }
  3055. s->rwstate = SSL_NOTHING;
  3056. if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
  3057. if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
  3058. i = 0;
  3059. } else if (i == 1) {
  3060. i = 0;
  3061. ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
  3062. }
  3063. X509_free(x509);
  3064. EVP_PKEY_free(pkey);
  3065. if (i && !ssl3_check_client_certificate(s))
  3066. i = 0;
  3067. if (i == 0) {
  3068. if (s->version == SSL3_VERSION) {
  3069. s->s3.tmp.cert_req = 0;
  3070. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
  3071. return WORK_FINISHED_CONTINUE;
  3072. } else {
  3073. s->s3.tmp.cert_req = 2;
  3074. if (!ssl3_digest_cached_records(s, 0)) {
  3075. /* SSLfatal() already called */
  3076. return WORK_ERROR;
  3077. }
  3078. }
  3079. }
  3080. if (s->post_handshake_auth == SSL_PHA_REQUESTED)
  3081. return WORK_FINISHED_STOP;
  3082. return WORK_FINISHED_CONTINUE;
  3083. }
  3084. /* Shouldn't ever get here */
  3085. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3086. return WORK_ERROR;
  3087. }
  3088. int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
  3089. {
  3090. if (SSL_IS_TLS13(s)) {
  3091. if (s->pha_context == NULL) {
  3092. /* no context available, add 0-length context */
  3093. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  3094. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3095. return 0;
  3096. }
  3097. } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
  3098. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3099. return 0;
  3100. }
  3101. }
  3102. if (!ssl3_output_cert_chain(s, pkt,
  3103. (s->s3.tmp.cert_req == 2) ? NULL
  3104. : s->cert->key)) {
  3105. /* SSLfatal() already called */
  3106. return 0;
  3107. }
  3108. if (SSL_IS_TLS13(s)
  3109. && SSL_IS_FIRST_HANDSHAKE(s)
  3110. && (!s->method->ssl3_enc->change_cipher_state(s,
  3111. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
  3112. /*
  3113. * This is a fatal error, which leaves enc_write_ctx in an inconsistent
  3114. * state and thus ssl3_send_alert may crash.
  3115. */
  3116. SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
  3117. return 0;
  3118. }
  3119. return 1;
  3120. }
  3121. int ssl3_check_cert_and_algorithm(SSL *s)
  3122. {
  3123. const SSL_CERT_LOOKUP *clu;
  3124. size_t idx;
  3125. long alg_k, alg_a;
  3126. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3127. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  3128. /* we don't have a certificate */
  3129. if (!(alg_a & SSL_aCERT))
  3130. return 1;
  3131. /* This is the passed certificate */
  3132. clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
  3133. /* Check certificate is recognised and suitable for cipher */
  3134. if (clu == NULL || (alg_a & clu->amask) == 0) {
  3135. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT);
  3136. return 0;
  3137. }
  3138. if (clu->amask & SSL_aECDSA) {
  3139. if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
  3140. return 1;
  3141. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT);
  3142. return 0;
  3143. }
  3144. if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
  3145. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3146. SSL_R_MISSING_RSA_ENCRYPTING_CERT);
  3147. return 0;
  3148. }
  3149. if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) {
  3150. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3151. return 0;
  3152. }
  3153. return 1;
  3154. }
  3155. #ifndef OPENSSL_NO_NEXTPROTONEG
  3156. int tls_construct_next_proto(SSL *s, WPACKET *pkt)
  3157. {
  3158. size_t len, padding_len;
  3159. unsigned char *padding = NULL;
  3160. len = s->ext.npn_len;
  3161. padding_len = 32 - ((len + 2) % 32);
  3162. if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
  3163. || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
  3164. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3165. return 0;
  3166. }
  3167. memset(padding, 0, padding_len);
  3168. return 1;
  3169. }
  3170. #endif
  3171. MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
  3172. {
  3173. if (PACKET_remaining(pkt) > 0) {
  3174. /* should contain no data */
  3175. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3176. return MSG_PROCESS_ERROR;
  3177. }
  3178. if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
  3179. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  3180. return MSG_PROCESS_FINISHED_READING;
  3181. }
  3182. /*
  3183. * This is a historical discrepancy (not in the RFC) maintained for
  3184. * compatibility reasons. If a TLS client receives a HelloRequest it will
  3185. * attempt an abbreviated handshake. However if a DTLS client receives a
  3186. * HelloRequest it will do a full handshake. Either behaviour is reasonable
  3187. * but doing one for TLS and another for DTLS is odd.
  3188. */
  3189. if (SSL_IS_DTLS(s))
  3190. SSL_renegotiate(s);
  3191. else
  3192. SSL_renegotiate_abbreviated(s);
  3193. return MSG_PROCESS_FINISHED_READING;
  3194. }
  3195. static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
  3196. {
  3197. PACKET extensions;
  3198. RAW_EXTENSION *rawexts = NULL;
  3199. if (!PACKET_as_length_prefixed_2(pkt, &extensions)
  3200. || PACKET_remaining(pkt) != 0) {
  3201. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3202. goto err;
  3203. }
  3204. if (!tls_collect_extensions(s, &extensions,
  3205. SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
  3206. NULL, 1)
  3207. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3208. rawexts, NULL, 0, 1)) {
  3209. /* SSLfatal() already called */
  3210. goto err;
  3211. }
  3212. OPENSSL_free(rawexts);
  3213. return MSG_PROCESS_CONTINUE_READING;
  3214. err:
  3215. OPENSSL_free(rawexts);
  3216. return MSG_PROCESS_ERROR;
  3217. }
  3218. int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
  3219. {
  3220. int i = 0;
  3221. #ifndef OPENSSL_NO_ENGINE
  3222. if (s->ctx->client_cert_engine) {
  3223. i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
  3224. if (i != 0)
  3225. return i;
  3226. }
  3227. #endif
  3228. if (s->ctx->client_cert_cb)
  3229. i = s->ctx->client_cert_cb(s, px509, ppkey);
  3230. return i;
  3231. }
  3232. int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
  3233. {
  3234. int i;
  3235. size_t totlen = 0, len, maxlen, maxverok = 0;
  3236. int empty_reneg_info_scsv = !s->renegotiate;
  3237. /* Set disabled masks for this session */
  3238. if (!ssl_set_client_disabled(s)) {
  3239. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE);
  3240. return 0;
  3241. }
  3242. if (sk == NULL) {
  3243. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3244. return 0;
  3245. }
  3246. #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
  3247. # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
  3248. # error Max cipher length too short
  3249. # endif
  3250. /*
  3251. * Some servers hang if client hello > 256 bytes as hack workaround
  3252. * chop number of supported ciphers to keep it well below this if we
  3253. * use TLS v1.2
  3254. */
  3255. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  3256. maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
  3257. else
  3258. #endif
  3259. /* Maximum length that can be stored in 2 bytes. Length must be even */
  3260. maxlen = 0xfffe;
  3261. if (empty_reneg_info_scsv)
  3262. maxlen -= 2;
  3263. if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
  3264. maxlen -= 2;
  3265. for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
  3266. const SSL_CIPHER *c;
  3267. c = sk_SSL_CIPHER_value(sk, i);
  3268. /* Skip disabled ciphers */
  3269. if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
  3270. continue;
  3271. if (!s->method->put_cipher_by_char(c, pkt, &len)) {
  3272. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3273. return 0;
  3274. }
  3275. /* Sanity check that the maximum version we offer has ciphers enabled */
  3276. if (!maxverok) {
  3277. if (SSL_IS_DTLS(s)) {
  3278. if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver)
  3279. && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver))
  3280. maxverok = 1;
  3281. } else {
  3282. if (c->max_tls >= s->s3.tmp.max_ver
  3283. && c->min_tls <= s->s3.tmp.max_ver)
  3284. maxverok = 1;
  3285. }
  3286. }
  3287. totlen += len;
  3288. }
  3289. if (totlen == 0 || !maxverok) {
  3290. const char *maxvertext =
  3291. !maxverok
  3292. ? "No ciphers enabled for max supported SSL/TLS version"
  3293. : NULL;
  3294. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE,
  3295. maxvertext);
  3296. return 0;
  3297. }
  3298. if (totlen != 0) {
  3299. if (empty_reneg_info_scsv) {
  3300. static SSL_CIPHER scsv = {
  3301. 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
  3302. };
  3303. if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
  3304. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3305. return 0;
  3306. }
  3307. }
  3308. if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
  3309. static SSL_CIPHER scsv = {
  3310. 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
  3311. };
  3312. if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
  3313. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3314. return 0;
  3315. }
  3316. }
  3317. }
  3318. return 1;
  3319. }
  3320. int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt)
  3321. {
  3322. if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  3323. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
  3324. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  3325. return 0;
  3326. }
  3327. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  3328. return 1;
  3329. }