2
0

statem_srvr.c 142 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299
  1. /*
  2. * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the OpenSSL license (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_local.h"
  13. #include "statem_local.h"
  14. #include "internal/constant_time.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/hmac.h>
  21. #include <openssl/x509.h>
  22. #include <openssl/dh.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #include <openssl/asn1t.h>
  26. #define TICKET_NONCE_SIZE 8
  27. typedef struct {
  28. ASN1_TYPE *kxBlob;
  29. ASN1_TYPE *opaqueBlob;
  30. } GOST_KX_MESSAGE;
  31. DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  32. ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
  33. ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
  34. ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
  35. } ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
  36. IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  37. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
  38. /*
  39. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  40. * handshake state transitions when a TLSv1.3 server is reading messages from
  41. * the client. The message type that the client has sent is provided in |mt|.
  42. * The current state is in |s->statem.hand_state|.
  43. *
  44. * Return values are 1 for success (transition allowed) and 0 on error
  45. * (transition not allowed)
  46. */
  47. static int ossl_statem_server13_read_transition(SSL *s, int mt)
  48. {
  49. OSSL_STATEM *st = &s->statem;
  50. /*
  51. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  52. * not negotiated TLSv1.3 yet, so that case is handled by
  53. * ossl_statem_server_read_transition()
  54. */
  55. switch (st->hand_state) {
  56. default:
  57. break;
  58. case TLS_ST_EARLY_DATA:
  59. if (s->hello_retry_request == SSL_HRR_PENDING) {
  60. if (mt == SSL3_MT_CLIENT_HELLO) {
  61. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  62. return 1;
  63. }
  64. break;
  65. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  66. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  67. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  68. return 1;
  69. }
  70. break;
  71. }
  72. /* Fall through */
  73. case TLS_ST_SR_END_OF_EARLY_DATA:
  74. case TLS_ST_SW_FINISHED:
  75. if (s->s3->tmp.cert_request) {
  76. if (mt == SSL3_MT_CERTIFICATE) {
  77. st->hand_state = TLS_ST_SR_CERT;
  78. return 1;
  79. }
  80. } else {
  81. if (mt == SSL3_MT_FINISHED) {
  82. st->hand_state = TLS_ST_SR_FINISHED;
  83. return 1;
  84. }
  85. }
  86. break;
  87. case TLS_ST_SR_CERT:
  88. if (s->session->peer == NULL) {
  89. if (mt == SSL3_MT_FINISHED) {
  90. st->hand_state = TLS_ST_SR_FINISHED;
  91. return 1;
  92. }
  93. } else {
  94. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  95. st->hand_state = TLS_ST_SR_CERT_VRFY;
  96. return 1;
  97. }
  98. }
  99. break;
  100. case TLS_ST_SR_CERT_VRFY:
  101. if (mt == SSL3_MT_FINISHED) {
  102. st->hand_state = TLS_ST_SR_FINISHED;
  103. return 1;
  104. }
  105. break;
  106. case TLS_ST_OK:
  107. /*
  108. * Its never ok to start processing handshake messages in the middle of
  109. * early data (i.e. before we've received the end of early data alert)
  110. */
  111. if (s->early_data_state == SSL_EARLY_DATA_READING)
  112. break;
  113. if (mt == SSL3_MT_CERTIFICATE
  114. && s->post_handshake_auth == SSL_PHA_REQUESTED) {
  115. st->hand_state = TLS_ST_SR_CERT;
  116. return 1;
  117. }
  118. if (mt == SSL3_MT_KEY_UPDATE) {
  119. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  120. return 1;
  121. }
  122. break;
  123. }
  124. /* No valid transition found */
  125. return 0;
  126. }
  127. /*
  128. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  129. * handshake state transitions when the server is reading messages from the
  130. * client. The message type that the client has sent is provided in |mt|. The
  131. * current state is in |s->statem.hand_state|.
  132. *
  133. * Return values are 1 for success (transition allowed) and 0 on error
  134. * (transition not allowed)
  135. */
  136. int ossl_statem_server_read_transition(SSL *s, int mt)
  137. {
  138. OSSL_STATEM *st = &s->statem;
  139. if (SSL_IS_TLS13(s)) {
  140. if (!ossl_statem_server13_read_transition(s, mt))
  141. goto err;
  142. return 1;
  143. }
  144. switch (st->hand_state) {
  145. default:
  146. break;
  147. case TLS_ST_BEFORE:
  148. case TLS_ST_OK:
  149. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  150. if (mt == SSL3_MT_CLIENT_HELLO) {
  151. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  152. return 1;
  153. }
  154. break;
  155. case TLS_ST_SW_SRVR_DONE:
  156. /*
  157. * If we get a CKE message after a ServerDone then either
  158. * 1) We didn't request a Certificate
  159. * OR
  160. * 2) If we did request one then
  161. * a) We allow no Certificate to be returned
  162. * AND
  163. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  164. * list if we requested a certificate)
  165. */
  166. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  167. if (s->s3->tmp.cert_request) {
  168. if (s->version == SSL3_VERSION) {
  169. if ((s->verify_mode & SSL_VERIFY_PEER)
  170. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  171. /*
  172. * This isn't an unexpected message as such - we're just
  173. * not going to accept it because we require a client
  174. * cert.
  175. */
  176. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  177. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  178. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  179. return 0;
  180. }
  181. st->hand_state = TLS_ST_SR_KEY_EXCH;
  182. return 1;
  183. }
  184. } else {
  185. st->hand_state = TLS_ST_SR_KEY_EXCH;
  186. return 1;
  187. }
  188. } else if (s->s3->tmp.cert_request) {
  189. if (mt == SSL3_MT_CERTIFICATE) {
  190. st->hand_state = TLS_ST_SR_CERT;
  191. return 1;
  192. }
  193. }
  194. break;
  195. case TLS_ST_SR_CERT:
  196. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  197. st->hand_state = TLS_ST_SR_KEY_EXCH;
  198. return 1;
  199. }
  200. break;
  201. case TLS_ST_SR_KEY_EXCH:
  202. /*
  203. * We should only process a CertificateVerify message if we have
  204. * received a Certificate from the client. If so then |s->session->peer|
  205. * will be non NULL. In some instances a CertificateVerify message is
  206. * not required even if the peer has sent a Certificate (e.g. such as in
  207. * the case of static DH). In that case |st->no_cert_verify| should be
  208. * set.
  209. */
  210. if (s->session->peer == NULL || st->no_cert_verify) {
  211. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  212. /*
  213. * For the ECDH ciphersuites when the client sends its ECDH
  214. * pub key in a certificate, the CertificateVerify message is
  215. * not sent. Also for GOST ciphersuites when the client uses
  216. * its key from the certificate for key exchange.
  217. */
  218. st->hand_state = TLS_ST_SR_CHANGE;
  219. return 1;
  220. }
  221. } else {
  222. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  223. st->hand_state = TLS_ST_SR_CERT_VRFY;
  224. return 1;
  225. }
  226. }
  227. break;
  228. case TLS_ST_SR_CERT_VRFY:
  229. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  230. st->hand_state = TLS_ST_SR_CHANGE;
  231. return 1;
  232. }
  233. break;
  234. case TLS_ST_SR_CHANGE:
  235. #ifndef OPENSSL_NO_NEXTPROTONEG
  236. if (s->s3->npn_seen) {
  237. if (mt == SSL3_MT_NEXT_PROTO) {
  238. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  239. return 1;
  240. }
  241. } else {
  242. #endif
  243. if (mt == SSL3_MT_FINISHED) {
  244. st->hand_state = TLS_ST_SR_FINISHED;
  245. return 1;
  246. }
  247. #ifndef OPENSSL_NO_NEXTPROTONEG
  248. }
  249. #endif
  250. break;
  251. #ifndef OPENSSL_NO_NEXTPROTONEG
  252. case TLS_ST_SR_NEXT_PROTO:
  253. if (mt == SSL3_MT_FINISHED) {
  254. st->hand_state = TLS_ST_SR_FINISHED;
  255. return 1;
  256. }
  257. break;
  258. #endif
  259. case TLS_ST_SW_FINISHED:
  260. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  261. st->hand_state = TLS_ST_SR_CHANGE;
  262. return 1;
  263. }
  264. break;
  265. }
  266. err:
  267. /* No valid transition found */
  268. if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  269. BIO *rbio;
  270. /*
  271. * CCS messages don't have a message sequence number so this is probably
  272. * because of an out-of-order CCS. We'll just drop it.
  273. */
  274. s->init_num = 0;
  275. s->rwstate = SSL_READING;
  276. rbio = SSL_get_rbio(s);
  277. BIO_clear_retry_flags(rbio);
  278. BIO_set_retry_read(rbio);
  279. return 0;
  280. }
  281. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
  282. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  283. SSL_R_UNEXPECTED_MESSAGE);
  284. return 0;
  285. }
  286. /*
  287. * Should we send a ServerKeyExchange message?
  288. *
  289. * Valid return values are:
  290. * 1: Yes
  291. * 0: No
  292. */
  293. static int send_server_key_exchange(SSL *s)
  294. {
  295. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  296. /*
  297. * only send a ServerKeyExchange if DH or fortezza but we have a
  298. * sign only certificate PSK: may send PSK identity hints For
  299. * ECC ciphersuites, we send a serverKeyExchange message only if
  300. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  301. * the server certificate contains the server's public key for
  302. * key exchange.
  303. */
  304. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  305. /*
  306. * PSK: send ServerKeyExchange if PSK identity hint if
  307. * provided
  308. */
  309. #ifndef OPENSSL_NO_PSK
  310. /* Only send SKE if we have identity hint for plain PSK */
  311. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  312. && s->cert->psk_identity_hint)
  313. /* For other PSK always send SKE */
  314. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  315. #endif
  316. #ifndef OPENSSL_NO_SRP
  317. /* SRP: send ServerKeyExchange */
  318. || (alg_k & SSL_kSRP)
  319. #endif
  320. ) {
  321. return 1;
  322. }
  323. return 0;
  324. }
  325. /*
  326. * Should we send a CertificateRequest message?
  327. *
  328. * Valid return values are:
  329. * 1: Yes
  330. * 0: No
  331. */
  332. int send_certificate_request(SSL *s)
  333. {
  334. if (
  335. /* don't request cert unless asked for it: */
  336. s->verify_mode & SSL_VERIFY_PEER
  337. /*
  338. * don't request if post-handshake-only unless doing
  339. * post-handshake in TLSv1.3:
  340. */
  341. && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  342. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  343. /*
  344. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  345. * a second time:
  346. */
  347. && (s->certreqs_sent < 1 ||
  348. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  349. /*
  350. * never request cert in anonymous ciphersuites (see
  351. * section "Certificate request" in SSL 3 drafts and in
  352. * RFC 2246):
  353. */
  354. && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  355. /*
  356. * ... except when the application insists on
  357. * verification (against the specs, but statem_clnt.c accepts
  358. * this for SSL 3)
  359. */
  360. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  361. /* don't request certificate for SRP auth */
  362. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
  363. /*
  364. * With normal PSK Certificates and Certificate Requests
  365. * are omitted
  366. */
  367. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  368. return 1;
  369. }
  370. return 0;
  371. }
  372. /*
  373. * ossl_statem_server13_write_transition() works out what handshake state to
  374. * move to next when a TLSv1.3 server is writing messages to be sent to the
  375. * client.
  376. */
  377. static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
  378. {
  379. OSSL_STATEM *st = &s->statem;
  380. /*
  381. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  382. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  383. */
  384. switch (st->hand_state) {
  385. default:
  386. /* Shouldn't happen */
  387. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  388. SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
  389. ERR_R_INTERNAL_ERROR);
  390. return WRITE_TRAN_ERROR;
  391. case TLS_ST_OK:
  392. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  393. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  394. return WRITE_TRAN_CONTINUE;
  395. }
  396. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  397. st->hand_state = TLS_ST_SW_CERT_REQ;
  398. return WRITE_TRAN_CONTINUE;
  399. }
  400. /* Try to read from the client instead */
  401. return WRITE_TRAN_FINISHED;
  402. case TLS_ST_SR_CLNT_HELLO:
  403. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  404. return WRITE_TRAN_CONTINUE;
  405. case TLS_ST_SW_SRVR_HELLO:
  406. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  407. && s->hello_retry_request != SSL_HRR_COMPLETE)
  408. st->hand_state = TLS_ST_SW_CHANGE;
  409. else if (s->hello_retry_request == SSL_HRR_PENDING)
  410. st->hand_state = TLS_ST_EARLY_DATA;
  411. else
  412. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  413. return WRITE_TRAN_CONTINUE;
  414. case TLS_ST_SW_CHANGE:
  415. if (s->hello_retry_request == SSL_HRR_PENDING)
  416. st->hand_state = TLS_ST_EARLY_DATA;
  417. else
  418. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  419. return WRITE_TRAN_CONTINUE;
  420. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  421. if (s->hit)
  422. st->hand_state = TLS_ST_SW_FINISHED;
  423. else if (send_certificate_request(s))
  424. st->hand_state = TLS_ST_SW_CERT_REQ;
  425. else
  426. st->hand_state = TLS_ST_SW_CERT;
  427. return WRITE_TRAN_CONTINUE;
  428. case TLS_ST_SW_CERT_REQ:
  429. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  430. s->post_handshake_auth = SSL_PHA_REQUESTED;
  431. st->hand_state = TLS_ST_OK;
  432. } else {
  433. st->hand_state = TLS_ST_SW_CERT;
  434. }
  435. return WRITE_TRAN_CONTINUE;
  436. case TLS_ST_SW_CERT:
  437. st->hand_state = TLS_ST_SW_CERT_VRFY;
  438. return WRITE_TRAN_CONTINUE;
  439. case TLS_ST_SW_CERT_VRFY:
  440. st->hand_state = TLS_ST_SW_FINISHED;
  441. return WRITE_TRAN_CONTINUE;
  442. case TLS_ST_SW_FINISHED:
  443. st->hand_state = TLS_ST_EARLY_DATA;
  444. return WRITE_TRAN_CONTINUE;
  445. case TLS_ST_EARLY_DATA:
  446. return WRITE_TRAN_FINISHED;
  447. case TLS_ST_SR_FINISHED:
  448. /*
  449. * Technically we have finished the handshake at this point, but we're
  450. * going to remain "in_init" for now and write out any session tickets
  451. * immediately.
  452. */
  453. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  454. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  455. } else if (!s->ext.ticket_expected) {
  456. /*
  457. * If we're not going to renew the ticket then we just finish the
  458. * handshake at this point.
  459. */
  460. st->hand_state = TLS_ST_OK;
  461. return WRITE_TRAN_CONTINUE;
  462. }
  463. if (s->num_tickets > s->sent_tickets)
  464. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  465. else
  466. st->hand_state = TLS_ST_OK;
  467. return WRITE_TRAN_CONTINUE;
  468. case TLS_ST_SR_KEY_UPDATE:
  469. case TLS_ST_SW_KEY_UPDATE:
  470. st->hand_state = TLS_ST_OK;
  471. return WRITE_TRAN_CONTINUE;
  472. case TLS_ST_SW_SESSION_TICKET:
  473. /* In a resumption we only ever send a maximum of one new ticket.
  474. * Following an initial handshake we send the number of tickets we have
  475. * been configured for.
  476. */
  477. if (s->hit || s->num_tickets <= s->sent_tickets) {
  478. /* We've written enough tickets out. */
  479. st->hand_state = TLS_ST_OK;
  480. }
  481. return WRITE_TRAN_CONTINUE;
  482. }
  483. }
  484. /*
  485. * ossl_statem_server_write_transition() works out what handshake state to move
  486. * to next when the server is writing messages to be sent to the client.
  487. */
  488. WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  489. {
  490. OSSL_STATEM *st = &s->statem;
  491. /*
  492. * Note that before the ClientHello we don't know what version we are going
  493. * to negotiate yet, so we don't take this branch until later
  494. */
  495. if (SSL_IS_TLS13(s))
  496. return ossl_statem_server13_write_transition(s);
  497. switch (st->hand_state) {
  498. default:
  499. /* Shouldn't happen */
  500. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  501. SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
  502. ERR_R_INTERNAL_ERROR);
  503. return WRITE_TRAN_ERROR;
  504. case TLS_ST_OK:
  505. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  506. /* We must be trying to renegotiate */
  507. st->hand_state = TLS_ST_SW_HELLO_REQ;
  508. st->request_state = TLS_ST_BEFORE;
  509. return WRITE_TRAN_CONTINUE;
  510. }
  511. /* Must be an incoming ClientHello */
  512. if (!tls_setup_handshake(s)) {
  513. /* SSLfatal() already called */
  514. return WRITE_TRAN_ERROR;
  515. }
  516. /* Fall through */
  517. case TLS_ST_BEFORE:
  518. /* Just go straight to trying to read from the client */
  519. return WRITE_TRAN_FINISHED;
  520. case TLS_ST_SW_HELLO_REQ:
  521. st->hand_state = TLS_ST_OK;
  522. return WRITE_TRAN_CONTINUE;
  523. case TLS_ST_SR_CLNT_HELLO:
  524. if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
  525. && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
  526. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  527. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  528. /* We must have rejected the renegotiation */
  529. st->hand_state = TLS_ST_OK;
  530. return WRITE_TRAN_CONTINUE;
  531. } else {
  532. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  533. }
  534. return WRITE_TRAN_CONTINUE;
  535. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  536. return WRITE_TRAN_FINISHED;
  537. case TLS_ST_SW_SRVR_HELLO:
  538. if (s->hit) {
  539. if (s->ext.ticket_expected)
  540. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  541. else
  542. st->hand_state = TLS_ST_SW_CHANGE;
  543. } else {
  544. /* Check if it is anon DH or anon ECDH, */
  545. /* normal PSK or SRP */
  546. if (!(s->s3->tmp.new_cipher->algorithm_auth &
  547. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  548. st->hand_state = TLS_ST_SW_CERT;
  549. } else if (send_server_key_exchange(s)) {
  550. st->hand_state = TLS_ST_SW_KEY_EXCH;
  551. } else if (send_certificate_request(s)) {
  552. st->hand_state = TLS_ST_SW_CERT_REQ;
  553. } else {
  554. st->hand_state = TLS_ST_SW_SRVR_DONE;
  555. }
  556. }
  557. return WRITE_TRAN_CONTINUE;
  558. case TLS_ST_SW_CERT:
  559. if (s->ext.status_expected) {
  560. st->hand_state = TLS_ST_SW_CERT_STATUS;
  561. return WRITE_TRAN_CONTINUE;
  562. }
  563. /* Fall through */
  564. case TLS_ST_SW_CERT_STATUS:
  565. if (send_server_key_exchange(s)) {
  566. st->hand_state = TLS_ST_SW_KEY_EXCH;
  567. return WRITE_TRAN_CONTINUE;
  568. }
  569. /* Fall through */
  570. case TLS_ST_SW_KEY_EXCH:
  571. if (send_certificate_request(s)) {
  572. st->hand_state = TLS_ST_SW_CERT_REQ;
  573. return WRITE_TRAN_CONTINUE;
  574. }
  575. /* Fall through */
  576. case TLS_ST_SW_CERT_REQ:
  577. st->hand_state = TLS_ST_SW_SRVR_DONE;
  578. return WRITE_TRAN_CONTINUE;
  579. case TLS_ST_SW_SRVR_DONE:
  580. return WRITE_TRAN_FINISHED;
  581. case TLS_ST_SR_FINISHED:
  582. if (s->hit) {
  583. st->hand_state = TLS_ST_OK;
  584. return WRITE_TRAN_CONTINUE;
  585. } else if (s->ext.ticket_expected) {
  586. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  587. } else {
  588. st->hand_state = TLS_ST_SW_CHANGE;
  589. }
  590. return WRITE_TRAN_CONTINUE;
  591. case TLS_ST_SW_SESSION_TICKET:
  592. st->hand_state = TLS_ST_SW_CHANGE;
  593. return WRITE_TRAN_CONTINUE;
  594. case TLS_ST_SW_CHANGE:
  595. st->hand_state = TLS_ST_SW_FINISHED;
  596. return WRITE_TRAN_CONTINUE;
  597. case TLS_ST_SW_FINISHED:
  598. if (s->hit) {
  599. return WRITE_TRAN_FINISHED;
  600. }
  601. st->hand_state = TLS_ST_OK;
  602. return WRITE_TRAN_CONTINUE;
  603. }
  604. }
  605. /*
  606. * Perform any pre work that needs to be done prior to sending a message from
  607. * the server to the client.
  608. */
  609. WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
  610. {
  611. OSSL_STATEM *st = &s->statem;
  612. switch (st->hand_state) {
  613. default:
  614. /* No pre work to be done */
  615. break;
  616. case TLS_ST_SW_HELLO_REQ:
  617. s->shutdown = 0;
  618. if (SSL_IS_DTLS(s))
  619. dtls1_clear_sent_buffer(s);
  620. break;
  621. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  622. s->shutdown = 0;
  623. if (SSL_IS_DTLS(s)) {
  624. dtls1_clear_sent_buffer(s);
  625. /* We don't buffer this message so don't use the timer */
  626. st->use_timer = 0;
  627. }
  628. break;
  629. case TLS_ST_SW_SRVR_HELLO:
  630. if (SSL_IS_DTLS(s)) {
  631. /*
  632. * Messages we write from now on should be buffered and
  633. * retransmitted if necessary, so we need to use the timer now
  634. */
  635. st->use_timer = 1;
  636. }
  637. break;
  638. case TLS_ST_SW_SRVR_DONE:
  639. #ifndef OPENSSL_NO_SCTP
  640. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  641. /* Calls SSLfatal() as required */
  642. return dtls_wait_for_dry(s);
  643. }
  644. #endif
  645. return WORK_FINISHED_CONTINUE;
  646. case TLS_ST_SW_SESSION_TICKET:
  647. if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
  648. /*
  649. * Actually this is the end of the handshake, but we're going
  650. * straight into writing the session ticket out. So we finish off
  651. * the handshake, but keep the various buffers active.
  652. *
  653. * Calls SSLfatal as required.
  654. */
  655. return tls_finish_handshake(s, wst, 0, 0);
  656. } if (SSL_IS_DTLS(s)) {
  657. /*
  658. * We're into the last flight. We don't retransmit the last flight
  659. * unless we need to, so we don't use the timer
  660. */
  661. st->use_timer = 0;
  662. }
  663. break;
  664. case TLS_ST_SW_CHANGE:
  665. if (SSL_IS_TLS13(s))
  666. break;
  667. /* Writes to s->session are only safe for initial handshakes */
  668. if (s->session->cipher == NULL) {
  669. s->session->cipher = s->s3->tmp.new_cipher;
  670. } else if (s->session->cipher != s->s3->tmp.new_cipher) {
  671. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  672. SSL_F_OSSL_STATEM_SERVER_PRE_WORK,
  673. ERR_R_INTERNAL_ERROR);
  674. return WORK_ERROR;
  675. }
  676. if (!s->method->ssl3_enc->setup_key_block(s)) {
  677. /* SSLfatal() already called */
  678. return WORK_ERROR;
  679. }
  680. if (SSL_IS_DTLS(s)) {
  681. /*
  682. * We're into the last flight. We don't retransmit the last flight
  683. * unless we need to, so we don't use the timer. This might have
  684. * already been set to 0 if we sent a NewSessionTicket message,
  685. * but we'll set it again here in case we didn't.
  686. */
  687. st->use_timer = 0;
  688. }
  689. return WORK_FINISHED_CONTINUE;
  690. case TLS_ST_EARLY_DATA:
  691. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  692. && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
  693. return WORK_FINISHED_CONTINUE;
  694. /* Fall through */
  695. case TLS_ST_OK:
  696. /* Calls SSLfatal() as required */
  697. return tls_finish_handshake(s, wst, 1, 1);
  698. }
  699. return WORK_FINISHED_CONTINUE;
  700. }
  701. static ossl_inline int conn_is_closed(void)
  702. {
  703. switch (get_last_sys_error()) {
  704. #if defined(EPIPE)
  705. case EPIPE:
  706. return 1;
  707. #endif
  708. #if defined(ECONNRESET)
  709. case ECONNRESET:
  710. return 1;
  711. #endif
  712. #if defined(WSAECONNRESET)
  713. case WSAECONNRESET:
  714. return 1;
  715. #endif
  716. default:
  717. return 0;
  718. }
  719. }
  720. /*
  721. * Perform any work that needs to be done after sending a message from the
  722. * server to the client.
  723. */
  724. WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
  725. {
  726. OSSL_STATEM *st = &s->statem;
  727. s->init_num = 0;
  728. switch (st->hand_state) {
  729. default:
  730. /* No post work to be done */
  731. break;
  732. case TLS_ST_SW_HELLO_REQ:
  733. if (statem_flush(s) != 1)
  734. return WORK_MORE_A;
  735. if (!ssl3_init_finished_mac(s)) {
  736. /* SSLfatal() already called */
  737. return WORK_ERROR;
  738. }
  739. break;
  740. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  741. if (statem_flush(s) != 1)
  742. return WORK_MORE_A;
  743. /* HelloVerifyRequest resets Finished MAC */
  744. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  745. /* SSLfatal() already called */
  746. return WORK_ERROR;
  747. }
  748. /*
  749. * The next message should be another ClientHello which we need to
  750. * treat like it was the first packet
  751. */
  752. s->first_packet = 1;
  753. break;
  754. case TLS_ST_SW_SRVR_HELLO:
  755. if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
  756. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  757. && statem_flush(s) != 1)
  758. return WORK_MORE_A;
  759. break;
  760. }
  761. #ifndef OPENSSL_NO_SCTP
  762. if (SSL_IS_DTLS(s) && s->hit) {
  763. unsigned char sctpauthkey[64];
  764. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  765. size_t labellen;
  766. /*
  767. * Add new shared key for SCTP-Auth, will be ignored if no
  768. * SCTP used.
  769. */
  770. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  771. sizeof(DTLS1_SCTP_AUTH_LABEL));
  772. /* Don't include the terminating zero. */
  773. labellen = sizeof(labelbuffer) - 1;
  774. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  775. labellen += 1;
  776. if (SSL_export_keying_material(s, sctpauthkey,
  777. sizeof(sctpauthkey), labelbuffer,
  778. labellen, NULL, 0,
  779. 0) <= 0) {
  780. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  781. SSL_F_OSSL_STATEM_SERVER_POST_WORK,
  782. ERR_R_INTERNAL_ERROR);
  783. return WORK_ERROR;
  784. }
  785. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  786. sizeof(sctpauthkey), sctpauthkey);
  787. }
  788. #endif
  789. if (!SSL_IS_TLS13(s)
  790. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  791. && s->hello_retry_request != SSL_HRR_COMPLETE))
  792. break;
  793. /* Fall through */
  794. case TLS_ST_SW_CHANGE:
  795. if (s->hello_retry_request == SSL_HRR_PENDING) {
  796. if (!statem_flush(s))
  797. return WORK_MORE_A;
  798. break;
  799. }
  800. if (SSL_IS_TLS13(s)) {
  801. if (!s->method->ssl3_enc->setup_key_block(s)
  802. || !s->method->ssl3_enc->change_cipher_state(s,
  803. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  804. /* SSLfatal() already called */
  805. return WORK_ERROR;
  806. }
  807. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  808. && !s->method->ssl3_enc->change_cipher_state(s,
  809. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  810. /* SSLfatal() already called */
  811. return WORK_ERROR;
  812. }
  813. /*
  814. * We don't yet know whether the next record we are going to receive
  815. * is an unencrypted alert, an encrypted alert, or an encrypted
  816. * handshake message. We temporarily tolerate unencrypted alerts.
  817. */
  818. s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS;
  819. break;
  820. }
  821. #ifndef OPENSSL_NO_SCTP
  822. if (SSL_IS_DTLS(s) && !s->hit) {
  823. /*
  824. * Change to new shared key of SCTP-Auth, will be ignored if
  825. * no SCTP used.
  826. */
  827. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  828. 0, NULL);
  829. }
  830. #endif
  831. if (!s->method->ssl3_enc->change_cipher_state(s,
  832. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  833. {
  834. /* SSLfatal() already called */
  835. return WORK_ERROR;
  836. }
  837. if (SSL_IS_DTLS(s))
  838. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  839. break;
  840. case TLS_ST_SW_SRVR_DONE:
  841. if (statem_flush(s) != 1)
  842. return WORK_MORE_A;
  843. break;
  844. case TLS_ST_SW_FINISHED:
  845. if (statem_flush(s) != 1)
  846. return WORK_MORE_A;
  847. #ifndef OPENSSL_NO_SCTP
  848. if (SSL_IS_DTLS(s) && s->hit) {
  849. /*
  850. * Change to new shared key of SCTP-Auth, will be ignored if
  851. * no SCTP used.
  852. */
  853. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  854. 0, NULL);
  855. }
  856. #endif
  857. if (SSL_IS_TLS13(s)) {
  858. /* TLS 1.3 gets the secret size from the handshake md */
  859. size_t dummy;
  860. if (!s->method->ssl3_enc->generate_master_secret(s,
  861. s->master_secret, s->handshake_secret, 0,
  862. &dummy)
  863. || !s->method->ssl3_enc->change_cipher_state(s,
  864. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  865. /* SSLfatal() already called */
  866. return WORK_ERROR;
  867. }
  868. break;
  869. case TLS_ST_SW_CERT_REQ:
  870. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  871. if (statem_flush(s) != 1)
  872. return WORK_MORE_A;
  873. }
  874. break;
  875. case TLS_ST_SW_KEY_UPDATE:
  876. if (statem_flush(s) != 1)
  877. return WORK_MORE_A;
  878. if (!tls13_update_key(s, 1)) {
  879. /* SSLfatal() already called */
  880. return WORK_ERROR;
  881. }
  882. break;
  883. case TLS_ST_SW_SESSION_TICKET:
  884. clear_sys_error();
  885. if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
  886. if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
  887. && conn_is_closed()) {
  888. /*
  889. * We ignore connection closed errors in TLSv1.3 when sending a
  890. * NewSessionTicket and behave as if we were successful. This is
  891. * so that we are still able to read data sent to us by a client
  892. * that closes soon after the end of the handshake without
  893. * waiting to read our post-handshake NewSessionTickets.
  894. */
  895. s->rwstate = SSL_NOTHING;
  896. break;
  897. }
  898. return WORK_MORE_A;
  899. }
  900. break;
  901. }
  902. return WORK_FINISHED_CONTINUE;
  903. }
  904. /*
  905. * Get the message construction function and message type for sending from the
  906. * server
  907. *
  908. * Valid return values are:
  909. * 1: Success
  910. * 0: Error
  911. */
  912. int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
  913. confunc_f *confunc, int *mt)
  914. {
  915. OSSL_STATEM *st = &s->statem;
  916. switch (st->hand_state) {
  917. default:
  918. /* Shouldn't happen */
  919. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  920. SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
  921. SSL_R_BAD_HANDSHAKE_STATE);
  922. return 0;
  923. case TLS_ST_SW_CHANGE:
  924. if (SSL_IS_DTLS(s))
  925. *confunc = dtls_construct_change_cipher_spec;
  926. else
  927. *confunc = tls_construct_change_cipher_spec;
  928. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  929. break;
  930. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  931. *confunc = dtls_construct_hello_verify_request;
  932. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  933. break;
  934. case TLS_ST_SW_HELLO_REQ:
  935. /* No construction function needed */
  936. *confunc = NULL;
  937. *mt = SSL3_MT_HELLO_REQUEST;
  938. break;
  939. case TLS_ST_SW_SRVR_HELLO:
  940. *confunc = tls_construct_server_hello;
  941. *mt = SSL3_MT_SERVER_HELLO;
  942. break;
  943. case TLS_ST_SW_CERT:
  944. *confunc = tls_construct_server_certificate;
  945. *mt = SSL3_MT_CERTIFICATE;
  946. break;
  947. case TLS_ST_SW_CERT_VRFY:
  948. *confunc = tls_construct_cert_verify;
  949. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  950. break;
  951. case TLS_ST_SW_KEY_EXCH:
  952. *confunc = tls_construct_server_key_exchange;
  953. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  954. break;
  955. case TLS_ST_SW_CERT_REQ:
  956. *confunc = tls_construct_certificate_request;
  957. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  958. break;
  959. case TLS_ST_SW_SRVR_DONE:
  960. *confunc = tls_construct_server_done;
  961. *mt = SSL3_MT_SERVER_DONE;
  962. break;
  963. case TLS_ST_SW_SESSION_TICKET:
  964. *confunc = tls_construct_new_session_ticket;
  965. *mt = SSL3_MT_NEWSESSION_TICKET;
  966. break;
  967. case TLS_ST_SW_CERT_STATUS:
  968. *confunc = tls_construct_cert_status;
  969. *mt = SSL3_MT_CERTIFICATE_STATUS;
  970. break;
  971. case TLS_ST_SW_FINISHED:
  972. *confunc = tls_construct_finished;
  973. *mt = SSL3_MT_FINISHED;
  974. break;
  975. case TLS_ST_EARLY_DATA:
  976. *confunc = NULL;
  977. *mt = SSL3_MT_DUMMY;
  978. break;
  979. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  980. *confunc = tls_construct_encrypted_extensions;
  981. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  982. break;
  983. case TLS_ST_SW_KEY_UPDATE:
  984. *confunc = tls_construct_key_update;
  985. *mt = SSL3_MT_KEY_UPDATE;
  986. break;
  987. }
  988. return 1;
  989. }
  990. /*
  991. * Maximum size (excluding the Handshake header) of a ClientHello message,
  992. * calculated as follows:
  993. *
  994. * 2 + # client_version
  995. * 32 + # only valid length for random
  996. * 1 + # length of session_id
  997. * 32 + # maximum size for session_id
  998. * 2 + # length of cipher suites
  999. * 2^16-2 + # maximum length of cipher suites array
  1000. * 1 + # length of compression_methods
  1001. * 2^8-1 + # maximum length of compression methods
  1002. * 2 + # length of extensions
  1003. * 2^16-1 # maximum length of extensions
  1004. */
  1005. #define CLIENT_HELLO_MAX_LENGTH 131396
  1006. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  1007. #define NEXT_PROTO_MAX_LENGTH 514
  1008. /*
  1009. * Returns the maximum allowed length for the current message that we are
  1010. * reading. Excludes the message header.
  1011. */
  1012. size_t ossl_statem_server_max_message_size(SSL *s)
  1013. {
  1014. OSSL_STATEM *st = &s->statem;
  1015. switch (st->hand_state) {
  1016. default:
  1017. /* Shouldn't happen */
  1018. return 0;
  1019. case TLS_ST_SR_CLNT_HELLO:
  1020. return CLIENT_HELLO_MAX_LENGTH;
  1021. case TLS_ST_SR_END_OF_EARLY_DATA:
  1022. return END_OF_EARLY_DATA_MAX_LENGTH;
  1023. case TLS_ST_SR_CERT:
  1024. return s->max_cert_list;
  1025. case TLS_ST_SR_KEY_EXCH:
  1026. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1027. case TLS_ST_SR_CERT_VRFY:
  1028. return SSL3_RT_MAX_PLAIN_LENGTH;
  1029. #ifndef OPENSSL_NO_NEXTPROTONEG
  1030. case TLS_ST_SR_NEXT_PROTO:
  1031. return NEXT_PROTO_MAX_LENGTH;
  1032. #endif
  1033. case TLS_ST_SR_CHANGE:
  1034. return CCS_MAX_LENGTH;
  1035. case TLS_ST_SR_FINISHED:
  1036. return FINISHED_MAX_LENGTH;
  1037. case TLS_ST_SR_KEY_UPDATE:
  1038. return KEY_UPDATE_MAX_LENGTH;
  1039. }
  1040. }
  1041. /*
  1042. * Process a message that the server has received from the client.
  1043. */
  1044. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
  1045. {
  1046. OSSL_STATEM *st = &s->statem;
  1047. switch (st->hand_state) {
  1048. default:
  1049. /* Shouldn't happen */
  1050. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1051. SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
  1052. ERR_R_INTERNAL_ERROR);
  1053. return MSG_PROCESS_ERROR;
  1054. case TLS_ST_SR_CLNT_HELLO:
  1055. return tls_process_client_hello(s, pkt);
  1056. case TLS_ST_SR_END_OF_EARLY_DATA:
  1057. return tls_process_end_of_early_data(s, pkt);
  1058. case TLS_ST_SR_CERT:
  1059. return tls_process_client_certificate(s, pkt);
  1060. case TLS_ST_SR_KEY_EXCH:
  1061. return tls_process_client_key_exchange(s, pkt);
  1062. case TLS_ST_SR_CERT_VRFY:
  1063. return tls_process_cert_verify(s, pkt);
  1064. #ifndef OPENSSL_NO_NEXTPROTONEG
  1065. case TLS_ST_SR_NEXT_PROTO:
  1066. return tls_process_next_proto(s, pkt);
  1067. #endif
  1068. case TLS_ST_SR_CHANGE:
  1069. return tls_process_change_cipher_spec(s, pkt);
  1070. case TLS_ST_SR_FINISHED:
  1071. return tls_process_finished(s, pkt);
  1072. case TLS_ST_SR_KEY_UPDATE:
  1073. return tls_process_key_update(s, pkt);
  1074. }
  1075. }
  1076. /*
  1077. * Perform any further processing required following the receipt of a message
  1078. * from the client
  1079. */
  1080. WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
  1081. {
  1082. OSSL_STATEM *st = &s->statem;
  1083. switch (st->hand_state) {
  1084. default:
  1085. /* Shouldn't happen */
  1086. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1087. SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
  1088. ERR_R_INTERNAL_ERROR);
  1089. return WORK_ERROR;
  1090. case TLS_ST_SR_CLNT_HELLO:
  1091. return tls_post_process_client_hello(s, wst);
  1092. case TLS_ST_SR_KEY_EXCH:
  1093. return tls_post_process_client_key_exchange(s, wst);
  1094. }
  1095. }
  1096. #ifndef OPENSSL_NO_SRP
  1097. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1098. static int ssl_check_srp_ext_ClientHello(SSL *s)
  1099. {
  1100. int ret;
  1101. int al = SSL_AD_UNRECOGNIZED_NAME;
  1102. if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1103. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1104. if (s->srp_ctx.login == NULL) {
  1105. /*
  1106. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1107. * login name
  1108. */
  1109. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1110. SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1111. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1112. return -1;
  1113. } else {
  1114. ret = SSL_srp_server_param_with_username(s, &al);
  1115. if (ret < 0)
  1116. return 0;
  1117. if (ret == SSL3_AL_FATAL) {
  1118. SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1119. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1120. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1121. : SSL_R_CLIENTHELLO_TLSEXT);
  1122. return -1;
  1123. }
  1124. }
  1125. }
  1126. return 1;
  1127. }
  1128. #endif
  1129. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1130. size_t cookie_len)
  1131. {
  1132. /* Always use DTLS 1.0 version: see RFC 6347 */
  1133. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1134. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1135. return 0;
  1136. return 1;
  1137. }
  1138. int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
  1139. {
  1140. unsigned int cookie_leni;
  1141. if (s->ctx->app_gen_cookie_cb == NULL ||
  1142. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  1143. &cookie_leni) == 0 ||
  1144. cookie_leni > 255) {
  1145. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1146. SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1147. return 0;
  1148. }
  1149. s->d1->cookie_len = cookie_leni;
  1150. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1151. s->d1->cookie_len)) {
  1152. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1153. ERR_R_INTERNAL_ERROR);
  1154. return 0;
  1155. }
  1156. return 1;
  1157. }
  1158. #ifndef OPENSSL_NO_EC
  1159. /*-
  1160. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1161. * SecureTransport using the TLS extension block in |hello|.
  1162. * Safari, since 10.6, sends exactly these extensions, in this order:
  1163. * SNI,
  1164. * elliptic_curves
  1165. * ec_point_formats
  1166. * signature_algorithms (for TLSv1.2 only)
  1167. *
  1168. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1169. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1170. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1171. * 10.8..10.8.3 (which don't work).
  1172. */
  1173. static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
  1174. {
  1175. static const unsigned char kSafariExtensionsBlock[] = {
  1176. 0x00, 0x0a, /* elliptic_curves extension */
  1177. 0x00, 0x08, /* 8 bytes */
  1178. 0x00, 0x06, /* 6 bytes of curve ids */
  1179. 0x00, 0x17, /* P-256 */
  1180. 0x00, 0x18, /* P-384 */
  1181. 0x00, 0x19, /* P-521 */
  1182. 0x00, 0x0b, /* ec_point_formats */
  1183. 0x00, 0x02, /* 2 bytes */
  1184. 0x01, /* 1 point format */
  1185. 0x00, /* uncompressed */
  1186. /* The following is only present in TLS 1.2 */
  1187. 0x00, 0x0d, /* signature_algorithms */
  1188. 0x00, 0x0c, /* 12 bytes */
  1189. 0x00, 0x0a, /* 10 bytes */
  1190. 0x05, 0x01, /* SHA-384/RSA */
  1191. 0x04, 0x01, /* SHA-256/RSA */
  1192. 0x02, 0x01, /* SHA-1/RSA */
  1193. 0x04, 0x03, /* SHA-256/ECDSA */
  1194. 0x02, 0x03, /* SHA-1/ECDSA */
  1195. };
  1196. /* Length of the common prefix (first two extensions). */
  1197. static const size_t kSafariCommonExtensionsLength = 18;
  1198. unsigned int type;
  1199. PACKET sni, tmppkt;
  1200. size_t ext_len;
  1201. tmppkt = hello->extensions;
  1202. if (!PACKET_forward(&tmppkt, 2)
  1203. || !PACKET_get_net_2(&tmppkt, &type)
  1204. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1205. return;
  1206. }
  1207. if (type != TLSEXT_TYPE_server_name)
  1208. return;
  1209. ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
  1210. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1211. s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1212. ext_len);
  1213. }
  1214. #endif /* !OPENSSL_NO_EC */
  1215. MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  1216. {
  1217. /* |cookie| will only be initialized for DTLS. */
  1218. PACKET session_id, compression, extensions, cookie;
  1219. static const unsigned char null_compression = 0;
  1220. CLIENTHELLO_MSG *clienthello = NULL;
  1221. /* Check if this is actually an unexpected renegotiation ClientHello */
  1222. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1223. if (!ossl_assert(!SSL_IS_TLS13(s))) {
  1224. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1225. ERR_R_INTERNAL_ERROR);
  1226. goto err;
  1227. }
  1228. if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
  1229. || (!s->s3->send_connection_binding
  1230. && (s->options
  1231. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1232. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1233. return MSG_PROCESS_FINISHED_READING;
  1234. }
  1235. s->renegotiate = 1;
  1236. s->new_session = 1;
  1237. }
  1238. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1239. if (clienthello == NULL) {
  1240. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1241. ERR_R_INTERNAL_ERROR);
  1242. goto err;
  1243. }
  1244. /*
  1245. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1246. */
  1247. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1248. PACKET_null_init(&cookie);
  1249. if (clienthello->isv2) {
  1250. unsigned int mt;
  1251. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1252. || s->hello_retry_request != SSL_HRR_NONE) {
  1253. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1254. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
  1255. goto err;
  1256. }
  1257. /*-
  1258. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1259. * header is sent directly on the wire, not wrapped as a TLS
  1260. * record. Our record layer just processes the message length and passes
  1261. * the rest right through. Its format is:
  1262. * Byte Content
  1263. * 0-1 msg_length - decoded by the record layer
  1264. * 2 msg_type - s->init_msg points here
  1265. * 3-4 version
  1266. * 5-6 cipher_spec_length
  1267. * 7-8 session_id_length
  1268. * 9-10 challenge_length
  1269. * ... ...
  1270. */
  1271. if (!PACKET_get_1(pkt, &mt)
  1272. || mt != SSL2_MT_CLIENT_HELLO) {
  1273. /*
  1274. * Should never happen. We should have tested this in the record
  1275. * layer in order to have determined that this is a SSLv2 record
  1276. * in the first place
  1277. */
  1278. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1279. ERR_R_INTERNAL_ERROR);
  1280. goto err;
  1281. }
  1282. }
  1283. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1284. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1285. SSL_R_LENGTH_TOO_SHORT);
  1286. goto err;
  1287. }
  1288. /* Parse the message and load client random. */
  1289. if (clienthello->isv2) {
  1290. /*
  1291. * Handle an SSLv2 backwards compatible ClientHello
  1292. * Note, this is only for SSLv3+ using the backward compatible format.
  1293. * Real SSLv2 is not supported, and is rejected below.
  1294. */
  1295. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1296. PACKET challenge;
  1297. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1298. || !PACKET_get_net_2(pkt, &session_id_len)
  1299. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1300. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1301. SSL_R_RECORD_LENGTH_MISMATCH);
  1302. goto err;
  1303. }
  1304. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1305. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1306. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1307. goto err;
  1308. }
  1309. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1310. ciphersuite_len)
  1311. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1312. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1313. /* No extensions. */
  1314. || PACKET_remaining(pkt) != 0) {
  1315. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1316. SSL_R_RECORD_LENGTH_MISMATCH);
  1317. goto err;
  1318. }
  1319. clienthello->session_id_len = session_id_len;
  1320. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1321. * here rather than sizeof(clienthello->random) because that is the limit
  1322. * for SSLv3 and it is fixed. It won't change even if
  1323. * sizeof(clienthello->random) does.
  1324. */
  1325. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1326. ? SSL3_RANDOM_SIZE : challenge_len;
  1327. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1328. if (!PACKET_copy_bytes(&challenge,
  1329. clienthello->random + SSL3_RANDOM_SIZE -
  1330. challenge_len, challenge_len)
  1331. /* Advertise only null compression. */
  1332. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1333. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1334. ERR_R_INTERNAL_ERROR);
  1335. goto err;
  1336. }
  1337. PACKET_null_init(&clienthello->extensions);
  1338. } else {
  1339. /* Regular ClientHello. */
  1340. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1341. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1342. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1343. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1344. &clienthello->session_id_len)) {
  1345. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1346. SSL_R_LENGTH_MISMATCH);
  1347. goto err;
  1348. }
  1349. if (SSL_IS_DTLS(s)) {
  1350. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1351. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1352. SSL_R_LENGTH_MISMATCH);
  1353. goto err;
  1354. }
  1355. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1356. DTLS1_COOKIE_LENGTH,
  1357. &clienthello->dtls_cookie_len)) {
  1358. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1359. SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  1360. goto err;
  1361. }
  1362. /*
  1363. * If we require cookies and this ClientHello doesn't contain one,
  1364. * just return since we do not want to allocate any memory yet.
  1365. * So check cookie length...
  1366. */
  1367. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1368. if (clienthello->dtls_cookie_len == 0) {
  1369. OPENSSL_free(clienthello);
  1370. return MSG_PROCESS_FINISHED_READING;
  1371. }
  1372. }
  1373. }
  1374. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1375. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1376. SSL_R_LENGTH_MISMATCH);
  1377. goto err;
  1378. }
  1379. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1380. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1381. SSL_R_LENGTH_MISMATCH);
  1382. goto err;
  1383. }
  1384. /* Could be empty. */
  1385. if (PACKET_remaining(pkt) == 0) {
  1386. PACKET_null_init(&clienthello->extensions);
  1387. } else {
  1388. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1389. || PACKET_remaining(pkt) != 0) {
  1390. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1391. SSL_R_LENGTH_MISMATCH);
  1392. goto err;
  1393. }
  1394. }
  1395. }
  1396. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1397. MAX_COMPRESSIONS_SIZE,
  1398. &clienthello->compressions_len)) {
  1399. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1400. ERR_R_INTERNAL_ERROR);
  1401. goto err;
  1402. }
  1403. /* Preserve the raw extensions PACKET for later use */
  1404. extensions = clienthello->extensions;
  1405. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1406. &clienthello->pre_proc_exts,
  1407. &clienthello->pre_proc_exts_len, 1)) {
  1408. /* SSLfatal already been called */
  1409. goto err;
  1410. }
  1411. s->clienthello = clienthello;
  1412. return MSG_PROCESS_CONTINUE_PROCESSING;
  1413. err:
  1414. if (clienthello != NULL)
  1415. OPENSSL_free(clienthello->pre_proc_exts);
  1416. OPENSSL_free(clienthello);
  1417. return MSG_PROCESS_ERROR;
  1418. }
  1419. static int tls_early_post_process_client_hello(SSL *s)
  1420. {
  1421. unsigned int j;
  1422. int i, al = SSL_AD_INTERNAL_ERROR;
  1423. int protverr;
  1424. size_t loop;
  1425. unsigned long id;
  1426. #ifndef OPENSSL_NO_COMP
  1427. SSL_COMP *comp = NULL;
  1428. #endif
  1429. const SSL_CIPHER *c;
  1430. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1431. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1432. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1433. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1434. /* Finished parsing the ClientHello, now we can start processing it */
  1435. /* Give the ClientHello callback a crack at things */
  1436. if (s->ctx->client_hello_cb != NULL) {
  1437. /* A failure in the ClientHello callback terminates the connection. */
  1438. switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
  1439. case SSL_CLIENT_HELLO_SUCCESS:
  1440. break;
  1441. case SSL_CLIENT_HELLO_RETRY:
  1442. s->rwstate = SSL_CLIENT_HELLO_CB;
  1443. return -1;
  1444. case SSL_CLIENT_HELLO_ERROR:
  1445. default:
  1446. SSLfatal(s, al,
  1447. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1448. SSL_R_CALLBACK_FAILED);
  1449. goto err;
  1450. }
  1451. }
  1452. /* Set up the client_random */
  1453. memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1454. /* Choose the version */
  1455. if (clienthello->isv2) {
  1456. if (clienthello->legacy_version == SSL2_VERSION
  1457. || (clienthello->legacy_version & 0xff00)
  1458. != (SSL3_VERSION_MAJOR << 8)) {
  1459. /*
  1460. * This is real SSLv2 or something completely unknown. We don't
  1461. * support it.
  1462. */
  1463. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1464. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1465. SSL_R_UNKNOWN_PROTOCOL);
  1466. goto err;
  1467. }
  1468. /* SSLv3/TLS */
  1469. s->client_version = clienthello->legacy_version;
  1470. }
  1471. /*
  1472. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1473. * versions are potentially compatible. Version negotiation comes later.
  1474. */
  1475. if (!SSL_IS_DTLS(s)) {
  1476. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1477. } else if (s->method->version != DTLS_ANY_VERSION &&
  1478. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1479. protverr = SSL_R_VERSION_TOO_LOW;
  1480. } else {
  1481. protverr = 0;
  1482. }
  1483. if (protverr) {
  1484. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1485. /* like ssl3_get_record, send alert using remote version number */
  1486. s->version = s->client_version = clienthello->legacy_version;
  1487. }
  1488. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1489. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1490. goto err;
  1491. }
  1492. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1493. if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1494. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1495. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1496. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1497. goto err;
  1498. }
  1499. if (SSL_IS_DTLS(s)) {
  1500. /* Empty cookie was already handled above by returning early. */
  1501. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1502. if (s->ctx->app_verify_cookie_cb != NULL) {
  1503. if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
  1504. clienthello->dtls_cookie_len) == 0) {
  1505. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1506. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1507. SSL_R_COOKIE_MISMATCH);
  1508. goto err;
  1509. /* else cookie verification succeeded */
  1510. }
  1511. /* default verification */
  1512. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1513. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1514. s->d1->cookie_len) != 0) {
  1515. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1516. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1517. SSL_R_COOKIE_MISMATCH);
  1518. goto err;
  1519. }
  1520. s->d1->cookie_verified = 1;
  1521. }
  1522. if (s->method->version == DTLS_ANY_VERSION) {
  1523. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1524. if (protverr != 0) {
  1525. s->version = s->client_version;
  1526. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1527. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1528. goto err;
  1529. }
  1530. }
  1531. }
  1532. s->hit = 0;
  1533. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1534. clienthello->isv2) ||
  1535. !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
  1536. clienthello->isv2, 1)) {
  1537. /* SSLfatal() already called */
  1538. goto err;
  1539. }
  1540. s->s3->send_connection_binding = 0;
  1541. /* Check what signalling cipher-suite values were received. */
  1542. if (scsvs != NULL) {
  1543. for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1544. c = sk_SSL_CIPHER_value(scsvs, i);
  1545. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1546. if (s->renegotiate) {
  1547. /* SCSV is fatal if renegotiating */
  1548. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1549. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1550. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1551. goto err;
  1552. }
  1553. s->s3->send_connection_binding = 1;
  1554. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1555. !ssl_check_version_downgrade(s)) {
  1556. /*
  1557. * This SCSV indicates that the client previously tried
  1558. * a higher version. We should fail if the current version
  1559. * is an unexpected downgrade, as that indicates that the first
  1560. * connection may have been tampered with in order to trigger
  1561. * an insecure downgrade.
  1562. */
  1563. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1564. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1565. SSL_R_INAPPROPRIATE_FALLBACK);
  1566. goto err;
  1567. }
  1568. }
  1569. }
  1570. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1571. if (SSL_IS_TLS13(s)) {
  1572. const SSL_CIPHER *cipher =
  1573. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1574. if (cipher == NULL) {
  1575. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1576. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1577. SSL_R_NO_SHARED_CIPHER);
  1578. goto err;
  1579. }
  1580. if (s->hello_retry_request == SSL_HRR_PENDING
  1581. && (s->s3->tmp.new_cipher == NULL
  1582. || s->s3->tmp.new_cipher->id != cipher->id)) {
  1583. /*
  1584. * A previous HRR picked a different ciphersuite to the one we
  1585. * just selected. Something must have changed.
  1586. */
  1587. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1588. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1589. SSL_R_BAD_CIPHER);
  1590. goto err;
  1591. }
  1592. s->s3->tmp.new_cipher = cipher;
  1593. }
  1594. /* We need to do this before getting the session */
  1595. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1596. SSL_EXT_CLIENT_HELLO,
  1597. clienthello->pre_proc_exts, NULL, 0)) {
  1598. /* SSLfatal() already called */
  1599. goto err;
  1600. }
  1601. /*
  1602. * We don't allow resumption in a backwards compatible ClientHello.
  1603. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
  1604. *
  1605. * Versions before 0.9.7 always allow clients to resume sessions in
  1606. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1607. * ignore resumption requests with flag
  1608. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1609. * than a change to default behavior so that applications relying on
  1610. * this for security won't even compile against older library versions).
  1611. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1612. * request renegotiation but not a new session (s->new_session remains
  1613. * unset): for servers, this essentially just means that the
  1614. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1615. * ignored.
  1616. */
  1617. if (clienthello->isv2 ||
  1618. (s->new_session &&
  1619. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1620. if (!ssl_get_new_session(s, 1)) {
  1621. /* SSLfatal() already called */
  1622. goto err;
  1623. }
  1624. } else {
  1625. i = ssl_get_prev_session(s, clienthello);
  1626. if (i == 1) {
  1627. /* previous session */
  1628. s->hit = 1;
  1629. } else if (i == -1) {
  1630. /* SSLfatal() already called */
  1631. goto err;
  1632. } else {
  1633. /* i == 0 */
  1634. if (!ssl_get_new_session(s, 1)) {
  1635. /* SSLfatal() already called */
  1636. goto err;
  1637. }
  1638. }
  1639. }
  1640. if (SSL_IS_TLS13(s)) {
  1641. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1642. s->clienthello->session_id_len);
  1643. s->tmp_session_id_len = s->clienthello->session_id_len;
  1644. }
  1645. /*
  1646. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1647. * ciphersuite compatibility with the session as part of resumption.
  1648. */
  1649. if (!SSL_IS_TLS13(s) && s->hit) {
  1650. j = 0;
  1651. id = s->session->cipher->id;
  1652. #ifdef CIPHER_DEBUG
  1653. fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
  1654. #endif
  1655. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1656. c = sk_SSL_CIPHER_value(ciphers, i);
  1657. #ifdef CIPHER_DEBUG
  1658. fprintf(stderr, "client [%2d of %2d]:%s\n",
  1659. i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1660. #endif
  1661. if (c->id == id) {
  1662. j = 1;
  1663. break;
  1664. }
  1665. }
  1666. if (j == 0) {
  1667. /*
  1668. * we need to have the cipher in the cipher list if we are asked
  1669. * to reuse it
  1670. */
  1671. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1672. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1673. SSL_R_REQUIRED_CIPHER_MISSING);
  1674. goto err;
  1675. }
  1676. }
  1677. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1678. if (clienthello->compressions[loop] == 0)
  1679. break;
  1680. }
  1681. if (loop >= clienthello->compressions_len) {
  1682. /* no compress */
  1683. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1684. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1685. SSL_R_NO_COMPRESSION_SPECIFIED);
  1686. goto err;
  1687. }
  1688. #ifndef OPENSSL_NO_EC
  1689. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1690. ssl_check_for_safari(s, clienthello);
  1691. #endif /* !OPENSSL_NO_EC */
  1692. /* TLS extensions */
  1693. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1694. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1695. /* SSLfatal() already called */
  1696. goto err;
  1697. }
  1698. /*
  1699. * Check if we want to use external pre-shared secret for this handshake
  1700. * for not reused session only. We need to generate server_random before
  1701. * calling tls_session_secret_cb in order to allow SessionTicket
  1702. * processing to use it in key derivation.
  1703. */
  1704. {
  1705. unsigned char *pos;
  1706. pos = s->s3->server_random;
  1707. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1708. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1709. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1710. ERR_R_INTERNAL_ERROR);
  1711. goto err;
  1712. }
  1713. }
  1714. if (!s->hit
  1715. && s->version >= TLS1_VERSION
  1716. && !SSL_IS_TLS13(s)
  1717. && !SSL_IS_DTLS(s)
  1718. && s->ext.session_secret_cb) {
  1719. const SSL_CIPHER *pref_cipher = NULL;
  1720. /*
  1721. * s->session->master_key_length is a size_t, but this is an int for
  1722. * backwards compat reasons
  1723. */
  1724. int master_key_length;
  1725. master_key_length = sizeof(s->session->master_key);
  1726. if (s->ext.session_secret_cb(s, s->session->master_key,
  1727. &master_key_length, ciphers,
  1728. &pref_cipher,
  1729. s->ext.session_secret_cb_arg)
  1730. && master_key_length > 0) {
  1731. s->session->master_key_length = master_key_length;
  1732. s->hit = 1;
  1733. s->peer_ciphers = ciphers;
  1734. s->session->verify_result = X509_V_OK;
  1735. ciphers = NULL;
  1736. /* check if some cipher was preferred by call back */
  1737. if (pref_cipher == NULL)
  1738. pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
  1739. SSL_get_ciphers(s));
  1740. if (pref_cipher == NULL) {
  1741. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1742. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1743. SSL_R_NO_SHARED_CIPHER);
  1744. goto err;
  1745. }
  1746. s->session->cipher = pref_cipher;
  1747. sk_SSL_CIPHER_free(s->cipher_list);
  1748. s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1749. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1750. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1751. }
  1752. }
  1753. /*
  1754. * Worst case, we will use the NULL compression, but if we have other
  1755. * options, we will now look for them. We have complen-1 compression
  1756. * algorithms from the client, starting at q.
  1757. */
  1758. s->s3->tmp.new_compression = NULL;
  1759. if (SSL_IS_TLS13(s)) {
  1760. /*
  1761. * We already checked above that the NULL compression method appears in
  1762. * the list. Now we check there aren't any others (which is illegal in
  1763. * a TLSv1.3 ClientHello.
  1764. */
  1765. if (clienthello->compressions_len != 1) {
  1766. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1767. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1768. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1769. goto err;
  1770. }
  1771. }
  1772. #ifndef OPENSSL_NO_COMP
  1773. /* This only happens if we have a cache hit */
  1774. else if (s->session->compress_meth != 0) {
  1775. int m, comp_id = s->session->compress_meth;
  1776. unsigned int k;
  1777. /* Perform sanity checks on resumed compression algorithm */
  1778. /* Can't disable compression */
  1779. if (!ssl_allow_compression(s)) {
  1780. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1781. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1782. SSL_R_INCONSISTENT_COMPRESSION);
  1783. goto err;
  1784. }
  1785. /* Look for resumed compression method */
  1786. for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
  1787. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1788. if (comp_id == comp->id) {
  1789. s->s3->tmp.new_compression = comp;
  1790. break;
  1791. }
  1792. }
  1793. if (s->s3->tmp.new_compression == NULL) {
  1794. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1795. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1796. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1797. goto err;
  1798. }
  1799. /* Look for resumed method in compression list */
  1800. for (k = 0; k < clienthello->compressions_len; k++) {
  1801. if (clienthello->compressions[k] == comp_id)
  1802. break;
  1803. }
  1804. if (k >= clienthello->compressions_len) {
  1805. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1806. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1807. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1808. goto err;
  1809. }
  1810. } else if (s->hit) {
  1811. comp = NULL;
  1812. } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
  1813. /* See if we have a match */
  1814. int m, nn, v, done = 0;
  1815. unsigned int o;
  1816. nn = sk_SSL_COMP_num(s->ctx->comp_methods);
  1817. for (m = 0; m < nn; m++) {
  1818. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1819. v = comp->id;
  1820. for (o = 0; o < clienthello->compressions_len; o++) {
  1821. if (v == clienthello->compressions[o]) {
  1822. done = 1;
  1823. break;
  1824. }
  1825. }
  1826. if (done)
  1827. break;
  1828. }
  1829. if (done)
  1830. s->s3->tmp.new_compression = comp;
  1831. else
  1832. comp = NULL;
  1833. }
  1834. #else
  1835. /*
  1836. * If compression is disabled we'd better not try to resume a session
  1837. * using compression.
  1838. */
  1839. if (s->session->compress_meth != 0) {
  1840. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1841. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1842. SSL_R_INCONSISTENT_COMPRESSION);
  1843. goto err;
  1844. }
  1845. #endif
  1846. /*
  1847. * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
  1848. */
  1849. if (!s->hit || SSL_IS_TLS13(s)) {
  1850. sk_SSL_CIPHER_free(s->peer_ciphers);
  1851. s->peer_ciphers = ciphers;
  1852. if (ciphers == NULL) {
  1853. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1854. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1855. ERR_R_INTERNAL_ERROR);
  1856. goto err;
  1857. }
  1858. ciphers = NULL;
  1859. }
  1860. if (!s->hit) {
  1861. #ifdef OPENSSL_NO_COMP
  1862. s->session->compress_meth = 0;
  1863. #else
  1864. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1865. #endif
  1866. if (!tls1_set_server_sigalgs(s)) {
  1867. /* SSLfatal() already called */
  1868. goto err;
  1869. }
  1870. }
  1871. sk_SSL_CIPHER_free(ciphers);
  1872. sk_SSL_CIPHER_free(scsvs);
  1873. OPENSSL_free(clienthello->pre_proc_exts);
  1874. OPENSSL_free(s->clienthello);
  1875. s->clienthello = NULL;
  1876. return 1;
  1877. err:
  1878. sk_SSL_CIPHER_free(ciphers);
  1879. sk_SSL_CIPHER_free(scsvs);
  1880. OPENSSL_free(clienthello->pre_proc_exts);
  1881. OPENSSL_free(s->clienthello);
  1882. s->clienthello = NULL;
  1883. return 0;
  1884. }
  1885. /*
  1886. * Call the status request callback if needed. Upon success, returns 1.
  1887. * Upon failure, returns 0.
  1888. */
  1889. static int tls_handle_status_request(SSL *s)
  1890. {
  1891. s->ext.status_expected = 0;
  1892. /*
  1893. * If status request then ask callback what to do. Note: this must be
  1894. * called after servername callbacks in case the certificate has changed,
  1895. * and must be called after the cipher has been chosen because this may
  1896. * influence which certificate is sent
  1897. */
  1898. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
  1899. && s->ctx->ext.status_cb != NULL) {
  1900. int ret;
  1901. /* If no certificate can't return certificate status */
  1902. if (s->s3->tmp.cert != NULL) {
  1903. /*
  1904. * Set current certificate to one we will use so SSL_get_certificate
  1905. * et al can pick it up.
  1906. */
  1907. s->cert->key = s->s3->tmp.cert;
  1908. ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
  1909. switch (ret) {
  1910. /* We don't want to send a status request response */
  1911. case SSL_TLSEXT_ERR_NOACK:
  1912. s->ext.status_expected = 0;
  1913. break;
  1914. /* status request response should be sent */
  1915. case SSL_TLSEXT_ERR_OK:
  1916. if (s->ext.ocsp.resp)
  1917. s->ext.status_expected = 1;
  1918. break;
  1919. /* something bad happened */
  1920. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1921. default:
  1922. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1923. SSL_F_TLS_HANDLE_STATUS_REQUEST,
  1924. SSL_R_CLIENTHELLO_TLSEXT);
  1925. return 0;
  1926. }
  1927. }
  1928. }
  1929. return 1;
  1930. }
  1931. /*
  1932. * Call the alpn_select callback if needed. Upon success, returns 1.
  1933. * Upon failure, returns 0.
  1934. */
  1935. int tls_handle_alpn(SSL *s)
  1936. {
  1937. const unsigned char *selected = NULL;
  1938. unsigned char selected_len = 0;
  1939. if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
  1940. int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
  1941. s->s3->alpn_proposed,
  1942. (unsigned int)s->s3->alpn_proposed_len,
  1943. s->ctx->ext.alpn_select_cb_arg);
  1944. if (r == SSL_TLSEXT_ERR_OK) {
  1945. OPENSSL_free(s->s3->alpn_selected);
  1946. s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
  1947. if (s->s3->alpn_selected == NULL) {
  1948. s->s3->alpn_selected_len = 0;
  1949. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
  1950. ERR_R_INTERNAL_ERROR);
  1951. return 0;
  1952. }
  1953. s->s3->alpn_selected_len = selected_len;
  1954. #ifndef OPENSSL_NO_NEXTPROTONEG
  1955. /* ALPN takes precedence over NPN. */
  1956. s->s3->npn_seen = 0;
  1957. #endif
  1958. /* Check ALPN is consistent with session */
  1959. if (s->session->ext.alpn_selected == NULL
  1960. || selected_len != s->session->ext.alpn_selected_len
  1961. || memcmp(selected, s->session->ext.alpn_selected,
  1962. selected_len) != 0) {
  1963. /* Not consistent so can't be used for early_data */
  1964. s->ext.early_data_ok = 0;
  1965. if (!s->hit) {
  1966. /*
  1967. * This is a new session and so alpn_selected should have
  1968. * been initialised to NULL. We should update it with the
  1969. * selected ALPN.
  1970. */
  1971. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1972. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1973. SSL_F_TLS_HANDLE_ALPN,
  1974. ERR_R_INTERNAL_ERROR);
  1975. return 0;
  1976. }
  1977. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1978. selected_len);
  1979. if (s->session->ext.alpn_selected == NULL) {
  1980. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1981. SSL_F_TLS_HANDLE_ALPN,
  1982. ERR_R_INTERNAL_ERROR);
  1983. return 0;
  1984. }
  1985. s->session->ext.alpn_selected_len = selected_len;
  1986. }
  1987. }
  1988. return 1;
  1989. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  1990. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
  1991. SSL_R_NO_APPLICATION_PROTOCOL);
  1992. return 0;
  1993. }
  1994. /*
  1995. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  1996. * present.
  1997. */
  1998. }
  1999. /* Check ALPN is consistent with session */
  2000. if (s->session->ext.alpn_selected != NULL) {
  2001. /* Not consistent so can't be used for early_data */
  2002. s->ext.early_data_ok = 0;
  2003. }
  2004. return 1;
  2005. }
  2006. WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  2007. {
  2008. const SSL_CIPHER *cipher;
  2009. if (wst == WORK_MORE_A) {
  2010. int rv = tls_early_post_process_client_hello(s);
  2011. if (rv == 0) {
  2012. /* SSLfatal() was already called */
  2013. goto err;
  2014. }
  2015. if (rv < 0)
  2016. return WORK_MORE_A;
  2017. wst = WORK_MORE_B;
  2018. }
  2019. if (wst == WORK_MORE_B) {
  2020. if (!s->hit || SSL_IS_TLS13(s)) {
  2021. /* Let cert callback update server certificates if required */
  2022. if (!s->hit && s->cert->cert_cb != NULL) {
  2023. int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  2024. if (rv == 0) {
  2025. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2026. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  2027. SSL_R_CERT_CB_ERROR);
  2028. goto err;
  2029. }
  2030. if (rv < 0) {
  2031. s->rwstate = SSL_X509_LOOKUP;
  2032. return WORK_MORE_B;
  2033. }
  2034. s->rwstate = SSL_NOTHING;
  2035. }
  2036. /* In TLSv1.3 we selected the ciphersuite before resumption */
  2037. if (!SSL_IS_TLS13(s)) {
  2038. cipher =
  2039. ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
  2040. if (cipher == NULL) {
  2041. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2042. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  2043. SSL_R_NO_SHARED_CIPHER);
  2044. goto err;
  2045. }
  2046. s->s3->tmp.new_cipher = cipher;
  2047. }
  2048. if (!s->hit) {
  2049. if (!tls_choose_sigalg(s, 1)) {
  2050. /* SSLfatal already called */
  2051. goto err;
  2052. }
  2053. /* check whether we should disable session resumption */
  2054. if (s->not_resumable_session_cb != NULL)
  2055. s->session->not_resumable =
  2056. s->not_resumable_session_cb(s,
  2057. ((s->s3->tmp.new_cipher->algorithm_mkey
  2058. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2059. if (s->session->not_resumable)
  2060. /* do not send a session ticket */
  2061. s->ext.ticket_expected = 0;
  2062. }
  2063. } else {
  2064. /* Session-id reuse */
  2065. s->s3->tmp.new_cipher = s->session->cipher;
  2066. }
  2067. /*-
  2068. * we now have the following setup.
  2069. * client_random
  2070. * cipher_list - our preferred list of ciphers
  2071. * ciphers - the clients preferred list of ciphers
  2072. * compression - basically ignored right now
  2073. * ssl version is set - sslv3
  2074. * s->session - The ssl session has been setup.
  2075. * s->hit - session reuse flag
  2076. * s->s3->tmp.new_cipher- the new cipher to use.
  2077. */
  2078. /*
  2079. * Call status_request callback if needed. Has to be done after the
  2080. * certificate callbacks etc above.
  2081. */
  2082. if (!tls_handle_status_request(s)) {
  2083. /* SSLfatal() already called */
  2084. goto err;
  2085. }
  2086. /*
  2087. * Call alpn_select callback if needed. Has to be done after SNI and
  2088. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2089. * we already did this because cipher negotiation happens earlier, and
  2090. * we must handle ALPN before we decide whether to accept early_data.
  2091. */
  2092. if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2093. /* SSLfatal() already called */
  2094. goto err;
  2095. }
  2096. wst = WORK_MORE_C;
  2097. }
  2098. #ifndef OPENSSL_NO_SRP
  2099. if (wst == WORK_MORE_C) {
  2100. int ret;
  2101. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2102. /*
  2103. * callback indicates further work to be done
  2104. */
  2105. s->rwstate = SSL_X509_LOOKUP;
  2106. return WORK_MORE_C;
  2107. }
  2108. if (ret < 0) {
  2109. /* SSLfatal() already called */
  2110. goto err;
  2111. }
  2112. }
  2113. #endif
  2114. return WORK_FINISHED_STOP;
  2115. err:
  2116. return WORK_ERROR;
  2117. }
  2118. int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  2119. {
  2120. int compm;
  2121. size_t sl, len;
  2122. int version;
  2123. unsigned char *session_id;
  2124. int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
  2125. version = usetls13 ? TLS1_2_VERSION : s->version;
  2126. if (!WPACKET_put_bytes_u16(pkt, version)
  2127. /*
  2128. * Random stuff. Filling of the server_random takes place in
  2129. * tls_process_client_hello()
  2130. */
  2131. || !WPACKET_memcpy(pkt,
  2132. s->hello_retry_request == SSL_HRR_PENDING
  2133. ? hrrrandom : s->s3->server_random,
  2134. SSL3_RANDOM_SIZE)) {
  2135. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2136. ERR_R_INTERNAL_ERROR);
  2137. return 0;
  2138. }
  2139. /*-
  2140. * There are several cases for the session ID to send
  2141. * back in the server hello:
  2142. * - For session reuse from the session cache,
  2143. * we send back the old session ID.
  2144. * - If stateless session reuse (using a session ticket)
  2145. * is successful, we send back the client's "session ID"
  2146. * (which doesn't actually identify the session).
  2147. * - If it is a new session, we send back the new
  2148. * session ID.
  2149. * - However, if we want the new session to be single-use,
  2150. * we send back a 0-length session ID.
  2151. * - In TLSv1.3 we echo back the session id sent to us by the client
  2152. * regardless
  2153. * s->hit is non-zero in either case of session reuse,
  2154. * so the following won't overwrite an ID that we're supposed
  2155. * to send back.
  2156. */
  2157. if (s->session->not_resumable ||
  2158. (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2159. && !s->hit))
  2160. s->session->session_id_length = 0;
  2161. if (usetls13) {
  2162. sl = s->tmp_session_id_len;
  2163. session_id = s->tmp_session_id;
  2164. } else {
  2165. sl = s->session->session_id_length;
  2166. session_id = s->session->session_id;
  2167. }
  2168. if (sl > sizeof(s->session->session_id)) {
  2169. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2170. ERR_R_INTERNAL_ERROR);
  2171. return 0;
  2172. }
  2173. /* set up the compression method */
  2174. #ifdef OPENSSL_NO_COMP
  2175. compm = 0;
  2176. #else
  2177. if (usetls13 || s->s3->tmp.new_compression == NULL)
  2178. compm = 0;
  2179. else
  2180. compm = s->s3->tmp.new_compression->id;
  2181. #endif
  2182. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2183. || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
  2184. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2185. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2186. ERR_R_INTERNAL_ERROR);
  2187. return 0;
  2188. }
  2189. if (!tls_construct_extensions(s, pkt,
  2190. s->hello_retry_request == SSL_HRR_PENDING
  2191. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2192. : (SSL_IS_TLS13(s)
  2193. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2194. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2195. NULL, 0)) {
  2196. /* SSLfatal() already called */
  2197. return 0;
  2198. }
  2199. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2200. /* Ditch the session. We'll create a new one next time around */
  2201. SSL_SESSION_free(s->session);
  2202. s->session = NULL;
  2203. s->hit = 0;
  2204. /*
  2205. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2206. * a synthetic message_hash in place of ClientHello1.
  2207. */
  2208. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2209. /* SSLfatal() already called */
  2210. return 0;
  2211. }
  2212. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2213. && !ssl3_digest_cached_records(s, 0)) {
  2214. /* SSLfatal() already called */;
  2215. return 0;
  2216. }
  2217. return 1;
  2218. }
  2219. int tls_construct_server_done(SSL *s, WPACKET *pkt)
  2220. {
  2221. if (!s->s3->tmp.cert_request) {
  2222. if (!ssl3_digest_cached_records(s, 0)) {
  2223. /* SSLfatal() already called */
  2224. return 0;
  2225. }
  2226. }
  2227. return 1;
  2228. }
  2229. int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
  2230. {
  2231. #ifndef OPENSSL_NO_DH
  2232. EVP_PKEY *pkdh = NULL;
  2233. #endif
  2234. #ifndef OPENSSL_NO_EC
  2235. unsigned char *encodedPoint = NULL;
  2236. size_t encodedlen = 0;
  2237. int curve_id = 0;
  2238. #endif
  2239. const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
  2240. int i;
  2241. unsigned long type;
  2242. const BIGNUM *r[4];
  2243. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2244. EVP_PKEY_CTX *pctx = NULL;
  2245. size_t paramlen, paramoffset;
  2246. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2247. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2248. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2249. goto err;
  2250. }
  2251. if (md_ctx == NULL) {
  2252. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2253. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2254. goto err;
  2255. }
  2256. type = s->s3->tmp.new_cipher->algorithm_mkey;
  2257. r[0] = r[1] = r[2] = r[3] = NULL;
  2258. #ifndef OPENSSL_NO_PSK
  2259. /* Plain PSK or RSAPSK nothing to do */
  2260. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2261. } else
  2262. #endif /* !OPENSSL_NO_PSK */
  2263. #ifndef OPENSSL_NO_DH
  2264. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2265. CERT *cert = s->cert;
  2266. EVP_PKEY *pkdhp = NULL;
  2267. DH *dh;
  2268. if (s->cert->dh_tmp_auto) {
  2269. DH *dhp = ssl_get_auto_dh(s);
  2270. pkdh = EVP_PKEY_new();
  2271. if (pkdh == NULL || dhp == NULL) {
  2272. DH_free(dhp);
  2273. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2274. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2275. ERR_R_INTERNAL_ERROR);
  2276. goto err;
  2277. }
  2278. EVP_PKEY_assign_DH(pkdh, dhp);
  2279. pkdhp = pkdh;
  2280. } else {
  2281. pkdhp = cert->dh_tmp;
  2282. }
  2283. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2284. DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
  2285. pkdh = ssl_dh_to_pkey(dhp);
  2286. if (pkdh == NULL) {
  2287. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2288. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2289. ERR_R_INTERNAL_ERROR);
  2290. goto err;
  2291. }
  2292. pkdhp = pkdh;
  2293. }
  2294. if (pkdhp == NULL) {
  2295. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2296. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2297. SSL_R_MISSING_TMP_DH_KEY);
  2298. goto err;
  2299. }
  2300. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2301. EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
  2302. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2303. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2304. SSL_R_DH_KEY_TOO_SMALL);
  2305. goto err;
  2306. }
  2307. if (s->s3->tmp.pkey != NULL) {
  2308. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2309. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2310. ERR_R_INTERNAL_ERROR);
  2311. goto err;
  2312. }
  2313. s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
  2314. if (s->s3->tmp.pkey == NULL) {
  2315. SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
  2316. goto err;
  2317. }
  2318. dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
  2319. if (dh == NULL) {
  2320. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2321. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2322. ERR_R_INTERNAL_ERROR);
  2323. goto err;
  2324. }
  2325. EVP_PKEY_free(pkdh);
  2326. pkdh = NULL;
  2327. DH_get0_pqg(dh, &r[0], NULL, &r[1]);
  2328. DH_get0_key(dh, &r[2], NULL);
  2329. } else
  2330. #endif
  2331. #ifndef OPENSSL_NO_EC
  2332. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2333. if (s->s3->tmp.pkey != NULL) {
  2334. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2335. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2336. ERR_R_INTERNAL_ERROR);
  2337. goto err;
  2338. }
  2339. /* Get NID of appropriate shared curve */
  2340. curve_id = tls1_shared_group(s, -2);
  2341. if (curve_id == 0) {
  2342. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2343. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2344. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2345. goto err;
  2346. }
  2347. s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2348. /* Generate a new key for this curve */
  2349. if (s->s3->tmp.pkey == NULL) {
  2350. /* SSLfatal() already called */
  2351. goto err;
  2352. }
  2353. /* Encode the public key. */
  2354. encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
  2355. &encodedPoint);
  2356. if (encodedlen == 0) {
  2357. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2358. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
  2359. goto err;
  2360. }
  2361. /*
  2362. * We'll generate the serverKeyExchange message explicitly so we
  2363. * can set these to NULLs
  2364. */
  2365. r[0] = NULL;
  2366. r[1] = NULL;
  2367. r[2] = NULL;
  2368. r[3] = NULL;
  2369. } else
  2370. #endif /* !OPENSSL_NO_EC */
  2371. #ifndef OPENSSL_NO_SRP
  2372. if (type & SSL_kSRP) {
  2373. if ((s->srp_ctx.N == NULL) ||
  2374. (s->srp_ctx.g == NULL) ||
  2375. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2376. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2377. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2378. SSL_R_MISSING_SRP_PARAM);
  2379. goto err;
  2380. }
  2381. r[0] = s->srp_ctx.N;
  2382. r[1] = s->srp_ctx.g;
  2383. r[2] = s->srp_ctx.s;
  2384. r[3] = s->srp_ctx.B;
  2385. } else
  2386. #endif
  2387. {
  2388. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2389. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2390. SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2391. goto err;
  2392. }
  2393. if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2394. || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2395. lu = NULL;
  2396. } else if (lu == NULL) {
  2397. SSLfatal(s, SSL_AD_DECODE_ERROR,
  2398. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2399. goto err;
  2400. }
  2401. #ifndef OPENSSL_NO_PSK
  2402. if (type & SSL_PSK) {
  2403. size_t len = (s->cert->psk_identity_hint == NULL)
  2404. ? 0 : strlen(s->cert->psk_identity_hint);
  2405. /*
  2406. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2407. * checked this when we set the identity hint - but just in case
  2408. */
  2409. if (len > PSK_MAX_IDENTITY_LEN
  2410. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2411. len)) {
  2412. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2413. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2414. ERR_R_INTERNAL_ERROR);
  2415. goto err;
  2416. }
  2417. }
  2418. #endif
  2419. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2420. unsigned char *binval;
  2421. int res;
  2422. #ifndef OPENSSL_NO_SRP
  2423. if ((i == 2) && (type & SSL_kSRP)) {
  2424. res = WPACKET_start_sub_packet_u8(pkt);
  2425. } else
  2426. #endif
  2427. res = WPACKET_start_sub_packet_u16(pkt);
  2428. if (!res) {
  2429. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2430. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2431. ERR_R_INTERNAL_ERROR);
  2432. goto err;
  2433. }
  2434. #ifndef OPENSSL_NO_DH
  2435. /*-
  2436. * for interoperability with some versions of the Microsoft TLS
  2437. * stack, we need to zero pad the DHE pub key to the same length
  2438. * as the prime
  2439. */
  2440. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2441. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2442. if (len > 0) {
  2443. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2444. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2445. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2446. ERR_R_INTERNAL_ERROR);
  2447. goto err;
  2448. }
  2449. memset(binval, 0, len);
  2450. }
  2451. }
  2452. #endif
  2453. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2454. || !WPACKET_close(pkt)) {
  2455. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2456. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2457. ERR_R_INTERNAL_ERROR);
  2458. goto err;
  2459. }
  2460. BN_bn2bin(r[i], binval);
  2461. }
  2462. #ifndef OPENSSL_NO_EC
  2463. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2464. /*
  2465. * We only support named (not generic) curves. In this situation, the
  2466. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2467. * [1 byte length of encoded point], followed by the actual encoded
  2468. * point itself
  2469. */
  2470. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2471. || !WPACKET_put_bytes_u8(pkt, 0)
  2472. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2473. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2474. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2475. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2476. ERR_R_INTERNAL_ERROR);
  2477. goto err;
  2478. }
  2479. OPENSSL_free(encodedPoint);
  2480. encodedPoint = NULL;
  2481. }
  2482. #endif
  2483. /* not anonymous */
  2484. if (lu != NULL) {
  2485. EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
  2486. const EVP_MD *md;
  2487. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2488. size_t siglen, tbslen;
  2489. int rv;
  2490. if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
  2491. /* Should never happen */
  2492. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2493. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2494. ERR_R_INTERNAL_ERROR);
  2495. goto err;
  2496. }
  2497. /* Get length of the parameters we have written above */
  2498. if (!WPACKET_get_length(pkt, &paramlen)) {
  2499. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2500. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2501. ERR_R_INTERNAL_ERROR);
  2502. goto err;
  2503. }
  2504. /* send signature algorithm */
  2505. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2506. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2507. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2508. ERR_R_INTERNAL_ERROR);
  2509. goto err;
  2510. }
  2511. /*
  2512. * Create the signature. We don't know the actual length of the sig
  2513. * until after we've created it, so we reserve enough bytes for it
  2514. * up front, and then properly allocate them in the WPACKET
  2515. * afterwards.
  2516. */
  2517. siglen = EVP_PKEY_size(pkey);
  2518. if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2519. || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
  2520. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2521. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2522. ERR_R_INTERNAL_ERROR);
  2523. goto err;
  2524. }
  2525. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2526. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2527. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2528. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2529. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2530. ERR_R_EVP_LIB);
  2531. goto err;
  2532. }
  2533. }
  2534. tbslen = construct_key_exchange_tbs(s, &tbs,
  2535. s->init_buf->data + paramoffset,
  2536. paramlen);
  2537. if (tbslen == 0) {
  2538. /* SSLfatal() already called */
  2539. goto err;
  2540. }
  2541. rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
  2542. OPENSSL_free(tbs);
  2543. if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2544. || sigbytes1 != sigbytes2) {
  2545. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2546. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2547. ERR_R_INTERNAL_ERROR);
  2548. goto err;
  2549. }
  2550. }
  2551. EVP_MD_CTX_free(md_ctx);
  2552. return 1;
  2553. err:
  2554. #ifndef OPENSSL_NO_DH
  2555. EVP_PKEY_free(pkdh);
  2556. #endif
  2557. #ifndef OPENSSL_NO_EC
  2558. OPENSSL_free(encodedPoint);
  2559. #endif
  2560. EVP_MD_CTX_free(md_ctx);
  2561. return 0;
  2562. }
  2563. int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
  2564. {
  2565. if (SSL_IS_TLS13(s)) {
  2566. /* Send random context when doing post-handshake auth */
  2567. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2568. OPENSSL_free(s->pha_context);
  2569. s->pha_context_len = 32;
  2570. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
  2571. s->pha_context_len = 0;
  2572. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2573. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2574. ERR_R_INTERNAL_ERROR);
  2575. return 0;
  2576. }
  2577. if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0
  2578. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
  2579. s->pha_context_len)) {
  2580. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2581. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2582. ERR_R_INTERNAL_ERROR);
  2583. return 0;
  2584. }
  2585. /* reset the handshake hash back to just after the ClientFinished */
  2586. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2587. /* SSLfatal() already called */
  2588. return 0;
  2589. }
  2590. } else {
  2591. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2592. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2593. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2594. ERR_R_INTERNAL_ERROR);
  2595. return 0;
  2596. }
  2597. }
  2598. if (!tls_construct_extensions(s, pkt,
  2599. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2600. 0)) {
  2601. /* SSLfatal() already called */
  2602. return 0;
  2603. }
  2604. goto done;
  2605. }
  2606. /* get the list of acceptable cert types */
  2607. if (!WPACKET_start_sub_packet_u8(pkt)
  2608. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2609. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2610. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
  2611. return 0;
  2612. }
  2613. if (SSL_USE_SIGALGS(s)) {
  2614. const uint16_t *psigs;
  2615. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2616. if (!WPACKET_start_sub_packet_u16(pkt)
  2617. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2618. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2619. || !WPACKET_close(pkt)) {
  2620. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2621. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2622. ERR_R_INTERNAL_ERROR);
  2623. return 0;
  2624. }
  2625. }
  2626. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2627. /* SSLfatal() already called */
  2628. return 0;
  2629. }
  2630. done:
  2631. s->certreqs_sent++;
  2632. s->s3->tmp.cert_request = 1;
  2633. return 1;
  2634. }
  2635. static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
  2636. {
  2637. #ifndef OPENSSL_NO_PSK
  2638. unsigned char psk[PSK_MAX_PSK_LEN];
  2639. size_t psklen;
  2640. PACKET psk_identity;
  2641. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2642. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2643. SSL_R_LENGTH_MISMATCH);
  2644. return 0;
  2645. }
  2646. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2647. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2648. SSL_R_DATA_LENGTH_TOO_LONG);
  2649. return 0;
  2650. }
  2651. if (s->psk_server_callback == NULL) {
  2652. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2653. SSL_R_PSK_NO_SERVER_CB);
  2654. return 0;
  2655. }
  2656. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2657. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2658. ERR_R_INTERNAL_ERROR);
  2659. return 0;
  2660. }
  2661. psklen = s->psk_server_callback(s, s->session->psk_identity,
  2662. psk, sizeof(psk));
  2663. if (psklen > PSK_MAX_PSK_LEN) {
  2664. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2665. ERR_R_INTERNAL_ERROR);
  2666. return 0;
  2667. } else if (psklen == 0) {
  2668. /*
  2669. * PSK related to the given identity not found
  2670. */
  2671. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  2672. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2673. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2674. return 0;
  2675. }
  2676. OPENSSL_free(s->s3->tmp.psk);
  2677. s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
  2678. OPENSSL_cleanse(psk, psklen);
  2679. if (s->s3->tmp.psk == NULL) {
  2680. s->s3->tmp.psklen = 0;
  2681. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2682. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
  2683. return 0;
  2684. }
  2685. s->s3->tmp.psklen = psklen;
  2686. return 1;
  2687. #else
  2688. /* Should never happen */
  2689. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2690. ERR_R_INTERNAL_ERROR);
  2691. return 0;
  2692. #endif
  2693. }
  2694. static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
  2695. {
  2696. #ifndef OPENSSL_NO_RSA
  2697. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  2698. int decrypt_len;
  2699. unsigned char decrypt_good, version_good;
  2700. size_t j, padding_len;
  2701. PACKET enc_premaster;
  2702. RSA *rsa = NULL;
  2703. unsigned char *rsa_decrypt = NULL;
  2704. int ret = 0;
  2705. rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
  2706. if (rsa == NULL) {
  2707. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2708. SSL_R_MISSING_RSA_CERTIFICATE);
  2709. return 0;
  2710. }
  2711. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2712. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2713. enc_premaster = *pkt;
  2714. } else {
  2715. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2716. || PACKET_remaining(pkt) != 0) {
  2717. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2718. SSL_R_LENGTH_MISMATCH);
  2719. return 0;
  2720. }
  2721. }
  2722. /*
  2723. * We want to be sure that the plaintext buffer size makes it safe to
  2724. * iterate over the entire size of a premaster secret
  2725. * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
  2726. * their ciphertext cannot accommodate a premaster secret anyway.
  2727. */
  2728. if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
  2729. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2730. RSA_R_KEY_SIZE_TOO_SMALL);
  2731. return 0;
  2732. }
  2733. rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
  2734. if (rsa_decrypt == NULL) {
  2735. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2736. ERR_R_MALLOC_FAILURE);
  2737. return 0;
  2738. }
  2739. /*
  2740. * We must not leak whether a decryption failure occurs because of
  2741. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2742. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  2743. * generates a random premaster secret for the case that the decrypt
  2744. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2745. */
  2746. if (RAND_priv_bytes(rand_premaster_secret,
  2747. sizeof(rand_premaster_secret)) <= 0) {
  2748. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2749. ERR_R_INTERNAL_ERROR);
  2750. goto err;
  2751. }
  2752. /*
  2753. * Decrypt with no padding. PKCS#1 padding will be removed as part of
  2754. * the timing-sensitive code below.
  2755. */
  2756. /* TODO(size_t): Convert this function */
  2757. decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
  2758. PACKET_data(&enc_premaster),
  2759. rsa_decrypt, rsa, RSA_NO_PADDING);
  2760. if (decrypt_len < 0) {
  2761. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2762. ERR_R_INTERNAL_ERROR);
  2763. goto err;
  2764. }
  2765. /* Check the padding. See RFC 3447, section 7.2.2. */
  2766. /*
  2767. * The smallest padded premaster is 11 bytes of overhead. Small keys
  2768. * are publicly invalid, so this may return immediately. This ensures
  2769. * PS is at least 8 bytes.
  2770. */
  2771. if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
  2772. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2773. SSL_R_DECRYPTION_FAILED);
  2774. goto err;
  2775. }
  2776. padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
  2777. decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
  2778. constant_time_eq_int_8(rsa_decrypt[1], 2);
  2779. for (j = 2; j < padding_len - 1; j++) {
  2780. decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
  2781. }
  2782. decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
  2783. /*
  2784. * If the version in the decrypted pre-master secret is correct then
  2785. * version_good will be 0xff, otherwise it'll be zero. The
  2786. * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  2787. * (http://eprint.iacr.org/2003/052/) exploits the version number
  2788. * check as a "bad version oracle". Thus version checks are done in
  2789. * constant time and are treated like any other decryption error.
  2790. */
  2791. version_good =
  2792. constant_time_eq_8(rsa_decrypt[padding_len],
  2793. (unsigned)(s->client_version >> 8));
  2794. version_good &=
  2795. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2796. (unsigned)(s->client_version & 0xff));
  2797. /*
  2798. * The premaster secret must contain the same version number as the
  2799. * ClientHello to detect version rollback attacks (strangely, the
  2800. * protocol does not offer such protection for DH ciphersuites).
  2801. * However, buggy clients exist that send the negotiated protocol
  2802. * version instead if the server does not support the requested
  2803. * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
  2804. * clients.
  2805. */
  2806. if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
  2807. unsigned char workaround_good;
  2808. workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
  2809. (unsigned)(s->version >> 8));
  2810. workaround_good &=
  2811. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2812. (unsigned)(s->version & 0xff));
  2813. version_good |= workaround_good;
  2814. }
  2815. /*
  2816. * Both decryption and version must be good for decrypt_good to
  2817. * remain non-zero (0xff).
  2818. */
  2819. decrypt_good &= version_good;
  2820. /*
  2821. * Now copy rand_premaster_secret over from p using
  2822. * decrypt_good_mask. If decryption failed, then p does not
  2823. * contain valid plaintext, however, a check above guarantees
  2824. * it is still sufficiently large to read from.
  2825. */
  2826. for (j = 0; j < sizeof(rand_premaster_secret); j++) {
  2827. rsa_decrypt[padding_len + j] =
  2828. constant_time_select_8(decrypt_good,
  2829. rsa_decrypt[padding_len + j],
  2830. rand_premaster_secret[j]);
  2831. }
  2832. if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
  2833. sizeof(rand_premaster_secret), 0)) {
  2834. /* SSLfatal() already called */
  2835. goto err;
  2836. }
  2837. ret = 1;
  2838. err:
  2839. OPENSSL_free(rsa_decrypt);
  2840. return ret;
  2841. #else
  2842. /* Should never happen */
  2843. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2844. ERR_R_INTERNAL_ERROR);
  2845. return 0;
  2846. #endif
  2847. }
  2848. static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
  2849. {
  2850. #ifndef OPENSSL_NO_DH
  2851. EVP_PKEY *skey = NULL;
  2852. DH *cdh;
  2853. unsigned int i;
  2854. BIGNUM *pub_key;
  2855. const unsigned char *data;
  2856. EVP_PKEY *ckey = NULL;
  2857. int ret = 0;
  2858. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2859. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2860. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2861. goto err;
  2862. }
  2863. skey = s->s3->tmp.pkey;
  2864. if (skey == NULL) {
  2865. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2866. SSL_R_MISSING_TMP_DH_KEY);
  2867. goto err;
  2868. }
  2869. if (PACKET_remaining(pkt) == 0L) {
  2870. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2871. SSL_R_MISSING_TMP_DH_KEY);
  2872. goto err;
  2873. }
  2874. if (!PACKET_get_bytes(pkt, &data, i)) {
  2875. /* We already checked we have enough data */
  2876. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2877. ERR_R_INTERNAL_ERROR);
  2878. goto err;
  2879. }
  2880. ckey = EVP_PKEY_new();
  2881. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2882. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2883. SSL_R_BN_LIB);
  2884. goto err;
  2885. }
  2886. cdh = EVP_PKEY_get0_DH(ckey);
  2887. pub_key = BN_bin2bn(data, i, NULL);
  2888. if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
  2889. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2890. ERR_R_INTERNAL_ERROR);
  2891. BN_free(pub_key);
  2892. goto err;
  2893. }
  2894. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2895. /* SSLfatal() already called */
  2896. goto err;
  2897. }
  2898. ret = 1;
  2899. EVP_PKEY_free(s->s3->tmp.pkey);
  2900. s->s3->tmp.pkey = NULL;
  2901. err:
  2902. EVP_PKEY_free(ckey);
  2903. return ret;
  2904. #else
  2905. /* Should never happen */
  2906. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2907. ERR_R_INTERNAL_ERROR);
  2908. return 0;
  2909. #endif
  2910. }
  2911. static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
  2912. {
  2913. #ifndef OPENSSL_NO_EC
  2914. EVP_PKEY *skey = s->s3->tmp.pkey;
  2915. EVP_PKEY *ckey = NULL;
  2916. int ret = 0;
  2917. if (PACKET_remaining(pkt) == 0L) {
  2918. /* We don't support ECDH client auth */
  2919. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2920. SSL_R_MISSING_TMP_ECDH_KEY);
  2921. goto err;
  2922. } else {
  2923. unsigned int i;
  2924. const unsigned char *data;
  2925. /*
  2926. * Get client's public key from encoded point in the
  2927. * ClientKeyExchange message.
  2928. */
  2929. /* Get encoded point length */
  2930. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2931. || PACKET_remaining(pkt) != 0) {
  2932. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2933. SSL_R_LENGTH_MISMATCH);
  2934. goto err;
  2935. }
  2936. if (skey == NULL) {
  2937. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2938. SSL_R_MISSING_TMP_ECDH_KEY);
  2939. goto err;
  2940. }
  2941. ckey = EVP_PKEY_new();
  2942. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2943. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2944. ERR_R_EVP_LIB);
  2945. goto err;
  2946. }
  2947. if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
  2948. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2949. ERR_R_EC_LIB);
  2950. goto err;
  2951. }
  2952. }
  2953. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2954. /* SSLfatal() already called */
  2955. goto err;
  2956. }
  2957. ret = 1;
  2958. EVP_PKEY_free(s->s3->tmp.pkey);
  2959. s->s3->tmp.pkey = NULL;
  2960. err:
  2961. EVP_PKEY_free(ckey);
  2962. return ret;
  2963. #else
  2964. /* Should never happen */
  2965. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2966. ERR_R_INTERNAL_ERROR);
  2967. return 0;
  2968. #endif
  2969. }
  2970. static int tls_process_cke_srp(SSL *s, PACKET *pkt)
  2971. {
  2972. #ifndef OPENSSL_NO_SRP
  2973. unsigned int i;
  2974. const unsigned char *data;
  2975. if (!PACKET_get_net_2(pkt, &i)
  2976. || !PACKET_get_bytes(pkt, &data, i)) {
  2977. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2978. SSL_R_BAD_SRP_A_LENGTH);
  2979. return 0;
  2980. }
  2981. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2982. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2983. ERR_R_BN_LIB);
  2984. return 0;
  2985. }
  2986. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2987. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
  2988. SSL_R_BAD_SRP_PARAMETERS);
  2989. return 0;
  2990. }
  2991. OPENSSL_free(s->session->srp_username);
  2992. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2993. if (s->session->srp_username == NULL) {
  2994. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2995. ERR_R_MALLOC_FAILURE);
  2996. return 0;
  2997. }
  2998. if (!srp_generate_server_master_secret(s)) {
  2999. /* SSLfatal() already called */
  3000. return 0;
  3001. }
  3002. return 1;
  3003. #else
  3004. /* Should never happen */
  3005. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  3006. ERR_R_INTERNAL_ERROR);
  3007. return 0;
  3008. #endif
  3009. }
  3010. static int tls_process_cke_gost(SSL *s, PACKET *pkt)
  3011. {
  3012. #ifndef OPENSSL_NO_GOST
  3013. EVP_PKEY_CTX *pkey_ctx;
  3014. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  3015. unsigned char premaster_secret[32];
  3016. const unsigned char *start;
  3017. size_t outlen = 32, inlen;
  3018. unsigned long alg_a;
  3019. GOST_KX_MESSAGE *pKX = NULL;
  3020. const unsigned char *ptr;
  3021. int ret = 0;
  3022. /* Get our certificate private key */
  3023. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  3024. if (alg_a & SSL_aGOST12) {
  3025. /*
  3026. * New GOST ciphersuites have SSL_aGOST01 bit too
  3027. */
  3028. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  3029. if (pk == NULL) {
  3030. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  3031. }
  3032. if (pk == NULL) {
  3033. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3034. }
  3035. } else if (alg_a & SSL_aGOST01) {
  3036. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3037. }
  3038. pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
  3039. if (pkey_ctx == NULL) {
  3040. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3041. ERR_R_MALLOC_FAILURE);
  3042. return 0;
  3043. }
  3044. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  3045. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3046. ERR_R_INTERNAL_ERROR);
  3047. return 0;
  3048. }
  3049. /*
  3050. * If client certificate is present and is of the same type, maybe
  3051. * use it for key exchange. Don't mind errors from
  3052. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  3053. * client certificate for authorization only.
  3054. */
  3055. client_pub_pkey = X509_get0_pubkey(s->session->peer);
  3056. if (client_pub_pkey) {
  3057. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  3058. ERR_clear_error();
  3059. }
  3060. ptr = PACKET_data(pkt);
  3061. /* Some implementations provide extra data in the opaqueBlob
  3062. * We have nothing to do with this blob so we just skip it */
  3063. pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
  3064. if (pKX == NULL
  3065. || pKX->kxBlob == NULL
  3066. || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
  3067. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3068. SSL_R_DECRYPTION_FAILED);
  3069. goto err;
  3070. }
  3071. if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
  3072. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3073. SSL_R_DECRYPTION_FAILED);
  3074. goto err;
  3075. }
  3076. if (PACKET_remaining(pkt) != 0) {
  3077. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3078. SSL_R_DECRYPTION_FAILED);
  3079. goto err;
  3080. }
  3081. inlen = pKX->kxBlob->value.sequence->length;
  3082. start = pKX->kxBlob->value.sequence->data;
  3083. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  3084. inlen) <= 0) {
  3085. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3086. SSL_R_DECRYPTION_FAILED);
  3087. goto err;
  3088. }
  3089. /* Generate master secret */
  3090. if (!ssl_generate_master_secret(s, premaster_secret,
  3091. sizeof(premaster_secret), 0)) {
  3092. /* SSLfatal() already called */
  3093. goto err;
  3094. }
  3095. /* Check if pubkey from client certificate was used */
  3096. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  3097. NULL) > 0)
  3098. s->statem.no_cert_verify = 1;
  3099. ret = 1;
  3100. err:
  3101. EVP_PKEY_CTX_free(pkey_ctx);
  3102. GOST_KX_MESSAGE_free(pKX);
  3103. return ret;
  3104. #else
  3105. /* Should never happen */
  3106. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3107. ERR_R_INTERNAL_ERROR);
  3108. return 0;
  3109. #endif
  3110. }
  3111. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
  3112. {
  3113. unsigned long alg_k;
  3114. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  3115. /* For PSK parse and retrieve identity, obtain PSK key */
  3116. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3117. /* SSLfatal() already called */
  3118. goto err;
  3119. }
  3120. if (alg_k & SSL_kPSK) {
  3121. /* Identity extracted earlier: should be nothing left */
  3122. if (PACKET_remaining(pkt) != 0) {
  3123. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3124. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3125. SSL_R_LENGTH_MISMATCH);
  3126. goto err;
  3127. }
  3128. /* PSK handled by ssl_generate_master_secret */
  3129. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3130. /* SSLfatal() already called */
  3131. goto err;
  3132. }
  3133. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3134. if (!tls_process_cke_rsa(s, pkt)) {
  3135. /* SSLfatal() already called */
  3136. goto err;
  3137. }
  3138. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3139. if (!tls_process_cke_dhe(s, pkt)) {
  3140. /* SSLfatal() already called */
  3141. goto err;
  3142. }
  3143. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3144. if (!tls_process_cke_ecdhe(s, pkt)) {
  3145. /* SSLfatal() already called */
  3146. goto err;
  3147. }
  3148. } else if (alg_k & SSL_kSRP) {
  3149. if (!tls_process_cke_srp(s, pkt)) {
  3150. /* SSLfatal() already called */
  3151. goto err;
  3152. }
  3153. } else if (alg_k & SSL_kGOST) {
  3154. if (!tls_process_cke_gost(s, pkt)) {
  3155. /* SSLfatal() already called */
  3156. goto err;
  3157. }
  3158. } else {
  3159. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3160. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3161. SSL_R_UNKNOWN_CIPHER_TYPE);
  3162. goto err;
  3163. }
  3164. return MSG_PROCESS_CONTINUE_PROCESSING;
  3165. err:
  3166. #ifndef OPENSSL_NO_PSK
  3167. OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
  3168. s->s3->tmp.psk = NULL;
  3169. s->s3->tmp.psklen = 0;
  3170. #endif
  3171. return MSG_PROCESS_ERROR;
  3172. }
  3173. WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
  3174. {
  3175. #ifndef OPENSSL_NO_SCTP
  3176. if (wst == WORK_MORE_A) {
  3177. if (SSL_IS_DTLS(s)) {
  3178. unsigned char sctpauthkey[64];
  3179. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3180. size_t labellen;
  3181. /*
  3182. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3183. * used.
  3184. */
  3185. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3186. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3187. /* Don't include the terminating zero. */
  3188. labellen = sizeof(labelbuffer) - 1;
  3189. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3190. labellen += 1;
  3191. if (SSL_export_keying_material(s, sctpauthkey,
  3192. sizeof(sctpauthkey), labelbuffer,
  3193. labellen, NULL, 0,
  3194. 0) <= 0) {
  3195. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3196. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3197. ERR_R_INTERNAL_ERROR);
  3198. return WORK_ERROR;
  3199. }
  3200. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3201. sizeof(sctpauthkey), sctpauthkey);
  3202. }
  3203. }
  3204. #endif
  3205. if (s->statem.no_cert_verify || !s->session->peer) {
  3206. /*
  3207. * No certificate verify or no peer certificate so we no longer need
  3208. * the handshake_buffer
  3209. */
  3210. if (!ssl3_digest_cached_records(s, 0)) {
  3211. /* SSLfatal() already called */
  3212. return WORK_ERROR;
  3213. }
  3214. return WORK_FINISHED_CONTINUE;
  3215. } else {
  3216. if (!s->s3->handshake_buffer) {
  3217. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3218. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3219. ERR_R_INTERNAL_ERROR);
  3220. return WORK_ERROR;
  3221. }
  3222. /*
  3223. * For sigalgs freeze the handshake buffer. If we support
  3224. * extms we've done this already so this is a no-op
  3225. */
  3226. if (!ssl3_digest_cached_records(s, 1)) {
  3227. /* SSLfatal() already called */
  3228. return WORK_ERROR;
  3229. }
  3230. }
  3231. return WORK_FINISHED_CONTINUE;
  3232. }
  3233. MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
  3234. {
  3235. int i;
  3236. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3237. X509 *x = NULL;
  3238. unsigned long l;
  3239. const unsigned char *certstart, *certbytes;
  3240. STACK_OF(X509) *sk = NULL;
  3241. PACKET spkt, context;
  3242. size_t chainidx;
  3243. SSL_SESSION *new_sess = NULL;
  3244. /*
  3245. * To get this far we must have read encrypted data from the client. We no
  3246. * longer tolerate unencrypted alerts. This value is ignored if less than
  3247. * TLSv1.3
  3248. */
  3249. s->statem.enc_read_state = ENC_READ_STATE_VALID;
  3250. if ((sk = sk_X509_new_null()) == NULL) {
  3251. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3252. ERR_R_MALLOC_FAILURE);
  3253. goto err;
  3254. }
  3255. if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
  3256. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3257. || (s->pha_context != NULL &&
  3258. !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
  3259. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3260. SSL_R_INVALID_CONTEXT);
  3261. goto err;
  3262. }
  3263. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3264. || PACKET_remaining(pkt) != 0) {
  3265. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3266. SSL_R_LENGTH_MISMATCH);
  3267. goto err;
  3268. }
  3269. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3270. if (!PACKET_get_net_3(&spkt, &l)
  3271. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3272. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3273. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3274. SSL_R_CERT_LENGTH_MISMATCH);
  3275. goto err;
  3276. }
  3277. certstart = certbytes;
  3278. x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
  3279. if (x == NULL) {
  3280. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3281. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
  3282. goto err;
  3283. }
  3284. if (certbytes != (certstart + l)) {
  3285. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3286. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3287. SSL_R_CERT_LENGTH_MISMATCH);
  3288. goto err;
  3289. }
  3290. if (SSL_IS_TLS13(s)) {
  3291. RAW_EXTENSION *rawexts = NULL;
  3292. PACKET extensions;
  3293. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3294. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3295. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3296. SSL_R_BAD_LENGTH);
  3297. goto err;
  3298. }
  3299. if (!tls_collect_extensions(s, &extensions,
  3300. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3301. NULL, chainidx == 0)
  3302. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3303. rawexts, x, chainidx,
  3304. PACKET_remaining(&spkt) == 0)) {
  3305. OPENSSL_free(rawexts);
  3306. goto err;
  3307. }
  3308. OPENSSL_free(rawexts);
  3309. }
  3310. if (!sk_X509_push(sk, x)) {
  3311. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3312. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3313. ERR_R_MALLOC_FAILURE);
  3314. goto err;
  3315. }
  3316. x = NULL;
  3317. }
  3318. if (sk_X509_num(sk) <= 0) {
  3319. /* TLS does not mind 0 certs returned */
  3320. if (s->version == SSL3_VERSION) {
  3321. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3322. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3323. SSL_R_NO_CERTIFICATES_RETURNED);
  3324. goto err;
  3325. }
  3326. /* Fail for TLS only if we required a certificate */
  3327. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3328. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3329. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3330. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3331. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3332. goto err;
  3333. }
  3334. /* No client certificate so digest cached records */
  3335. if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3336. /* SSLfatal() already called */
  3337. goto err;
  3338. }
  3339. } else {
  3340. EVP_PKEY *pkey;
  3341. i = ssl_verify_cert_chain(s, sk);
  3342. if (i <= 0) {
  3343. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3344. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3345. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3346. goto err;
  3347. }
  3348. if (i > 1) {
  3349. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3350. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
  3351. goto err;
  3352. }
  3353. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3354. if (pkey == NULL) {
  3355. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3356. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3357. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3358. goto err;
  3359. }
  3360. }
  3361. /*
  3362. * Sessions must be immutable once they go into the session cache. Otherwise
  3363. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3364. * we replace them with a duplicate. Here, we need to do this every time
  3365. * a new certificate is received via post-handshake authentication, as the
  3366. * session may have already gone into the session cache.
  3367. */
  3368. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3369. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3370. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3371. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3372. ERR_R_MALLOC_FAILURE);
  3373. goto err;
  3374. }
  3375. SSL_SESSION_free(s->session);
  3376. s->session = new_sess;
  3377. }
  3378. X509_free(s->session->peer);
  3379. s->session->peer = sk_X509_shift(sk);
  3380. s->session->verify_result = s->verify_result;
  3381. sk_X509_pop_free(s->session->peer_chain, X509_free);
  3382. s->session->peer_chain = sk;
  3383. sk = NULL;
  3384. /*
  3385. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3386. * message
  3387. */
  3388. if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3389. /* SSLfatal() already called */
  3390. goto err;
  3391. }
  3392. /*
  3393. * Inconsistency alert: cert_chain does *not* include the peer's own
  3394. * certificate, while we do include it in statem_clnt.c
  3395. */
  3396. /* Save the current hash state for when we receive the CertificateVerify */
  3397. if (SSL_IS_TLS13(s)) {
  3398. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3399. sizeof(s->cert_verify_hash),
  3400. &s->cert_verify_hash_len)) {
  3401. /* SSLfatal() already called */
  3402. goto err;
  3403. }
  3404. /* Resend session tickets */
  3405. s->sent_tickets = 0;
  3406. }
  3407. ret = MSG_PROCESS_CONTINUE_READING;
  3408. err:
  3409. X509_free(x);
  3410. sk_X509_pop_free(sk, X509_free);
  3411. return ret;
  3412. }
  3413. int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
  3414. {
  3415. CERT_PKEY *cpk = s->s3->tmp.cert;
  3416. if (cpk == NULL) {
  3417. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3418. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3419. return 0;
  3420. }
  3421. /*
  3422. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3423. * for the server Certificate message
  3424. */
  3425. if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3426. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3427. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3428. return 0;
  3429. }
  3430. if (!ssl3_output_cert_chain(s, pkt, cpk)) {
  3431. /* SSLfatal() already called */
  3432. return 0;
  3433. }
  3434. return 1;
  3435. }
  3436. static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
  3437. unsigned char *tick_nonce)
  3438. {
  3439. /*
  3440. * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
  3441. * unspecified for resumed session (for simplicity).
  3442. * In TLSv1.3 we reset the "time" field above, and always specify the
  3443. * timeout.
  3444. */
  3445. if (!WPACKET_put_bytes_u32(pkt,
  3446. (s->hit && !SSL_IS_TLS13(s))
  3447. ? 0 : s->session->timeout)) {
  3448. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3449. ERR_R_INTERNAL_ERROR);
  3450. return 0;
  3451. }
  3452. if (SSL_IS_TLS13(s)) {
  3453. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3454. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3455. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3456. ERR_R_INTERNAL_ERROR);
  3457. return 0;
  3458. }
  3459. }
  3460. /* Start the sub-packet for the actual ticket data */
  3461. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3462. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3463. ERR_R_INTERNAL_ERROR);
  3464. return 0;
  3465. }
  3466. return 1;
  3467. }
  3468. static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3469. unsigned char *tick_nonce)
  3470. {
  3471. unsigned char *senc = NULL;
  3472. EVP_CIPHER_CTX *ctx = NULL;
  3473. HMAC_CTX *hctx = NULL;
  3474. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3475. const unsigned char *const_p;
  3476. int len, slen_full, slen, lenfinal;
  3477. SSL_SESSION *sess;
  3478. unsigned int hlen;
  3479. SSL_CTX *tctx = s->session_ctx;
  3480. unsigned char iv[EVP_MAX_IV_LENGTH];
  3481. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3482. int iv_len, ok = 0;
  3483. size_t macoffset, macendoffset;
  3484. /* get session encoding length */
  3485. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3486. /*
  3487. * Some length values are 16 bits, so forget it if session is too
  3488. * long
  3489. */
  3490. if (slen_full == 0 || slen_full > 0xFF00) {
  3491. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3492. ERR_R_INTERNAL_ERROR);
  3493. goto err;
  3494. }
  3495. senc = OPENSSL_malloc(slen_full);
  3496. if (senc == NULL) {
  3497. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3498. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE);
  3499. goto err;
  3500. }
  3501. ctx = EVP_CIPHER_CTX_new();
  3502. hctx = HMAC_CTX_new();
  3503. if (ctx == NULL || hctx == NULL) {
  3504. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3505. ERR_R_MALLOC_FAILURE);
  3506. goto err;
  3507. }
  3508. p = senc;
  3509. if (!i2d_SSL_SESSION(s->session, &p)) {
  3510. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3511. ERR_R_INTERNAL_ERROR);
  3512. goto err;
  3513. }
  3514. /*
  3515. * create a fresh copy (not shared with other threads) to clean up
  3516. */
  3517. const_p = senc;
  3518. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3519. if (sess == NULL) {
  3520. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3521. ERR_R_INTERNAL_ERROR);
  3522. goto err;
  3523. }
  3524. slen = i2d_SSL_SESSION(sess, NULL);
  3525. if (slen == 0 || slen > slen_full) {
  3526. /* shouldn't ever happen */
  3527. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3528. ERR_R_INTERNAL_ERROR);
  3529. SSL_SESSION_free(sess);
  3530. goto err;
  3531. }
  3532. p = senc;
  3533. if (!i2d_SSL_SESSION(sess, &p)) {
  3534. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3535. ERR_R_INTERNAL_ERROR);
  3536. SSL_SESSION_free(sess);
  3537. goto err;
  3538. }
  3539. SSL_SESSION_free(sess);
  3540. /*
  3541. * Initialize HMAC and cipher contexts. If callback present it does
  3542. * all the work otherwise use generated values from parent ctx.
  3543. */
  3544. if (tctx->ext.ticket_key_cb) {
  3545. /* if 0 is returned, write an empty ticket */
  3546. int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
  3547. hctx, 1);
  3548. if (ret == 0) {
  3549. /* Put timeout and length */
  3550. if (!WPACKET_put_bytes_u32(pkt, 0)
  3551. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3552. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3553. SSL_F_CONSTRUCT_STATELESS_TICKET,
  3554. ERR_R_INTERNAL_ERROR);
  3555. goto err;
  3556. }
  3557. OPENSSL_free(senc);
  3558. EVP_CIPHER_CTX_free(ctx);
  3559. HMAC_CTX_free(hctx);
  3560. return 1;
  3561. }
  3562. if (ret < 0) {
  3563. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3564. SSL_R_CALLBACK_FAILED);
  3565. goto err;
  3566. }
  3567. iv_len = EVP_CIPHER_CTX_iv_length(ctx);
  3568. } else {
  3569. const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  3570. iv_len = EVP_CIPHER_iv_length(cipher);
  3571. if (RAND_bytes(iv, iv_len) <= 0
  3572. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3573. tctx->ext.secure->tick_aes_key, iv)
  3574. || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  3575. sizeof(tctx->ext.secure->tick_hmac_key),
  3576. EVP_sha256(), NULL)) {
  3577. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3578. ERR_R_INTERNAL_ERROR);
  3579. goto err;
  3580. }
  3581. memcpy(key_name, tctx->ext.tick_key_name,
  3582. sizeof(tctx->ext.tick_key_name));
  3583. }
  3584. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3585. /* SSLfatal() already called */
  3586. goto err;
  3587. }
  3588. if (!WPACKET_get_total_written(pkt, &macoffset)
  3589. /* Output key name */
  3590. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3591. /* output IV */
  3592. || !WPACKET_memcpy(pkt, iv, iv_len)
  3593. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3594. &encdata1)
  3595. /* Encrypt session data */
  3596. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3597. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3598. || encdata1 != encdata2
  3599. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3600. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3601. || encdata1 + len != encdata2
  3602. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3603. || !WPACKET_get_total_written(pkt, &macendoffset)
  3604. || !HMAC_Update(hctx,
  3605. (unsigned char *)s->init_buf->data + macoffset,
  3606. macendoffset - macoffset)
  3607. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3608. || !HMAC_Final(hctx, macdata1, &hlen)
  3609. || hlen > EVP_MAX_MD_SIZE
  3610. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3611. || macdata1 != macdata2) {
  3612. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3613. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR);
  3614. goto err;
  3615. }
  3616. /* Close the sub-packet created by create_ticket_prequel() */
  3617. if (!WPACKET_close(pkt)) {
  3618. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3619. ERR_R_INTERNAL_ERROR);
  3620. goto err;
  3621. }
  3622. ok = 1;
  3623. err:
  3624. OPENSSL_free(senc);
  3625. EVP_CIPHER_CTX_free(ctx);
  3626. HMAC_CTX_free(hctx);
  3627. return ok;
  3628. }
  3629. static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3630. unsigned char *tick_nonce)
  3631. {
  3632. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3633. /* SSLfatal() already called */
  3634. return 0;
  3635. }
  3636. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3637. s->session->session_id_length)
  3638. || !WPACKET_close(pkt)) {
  3639. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET,
  3640. ERR_R_INTERNAL_ERROR);
  3641. return 0;
  3642. }
  3643. return 1;
  3644. }
  3645. int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
  3646. {
  3647. SSL_CTX *tctx = s->session_ctx;
  3648. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3649. union {
  3650. unsigned char age_add_c[sizeof(uint32_t)];
  3651. uint32_t age_add;
  3652. } age_add_u;
  3653. age_add_u.age_add = 0;
  3654. if (SSL_IS_TLS13(s)) {
  3655. size_t i, hashlen;
  3656. uint64_t nonce;
  3657. static const unsigned char nonce_label[] = "resumption";
  3658. const EVP_MD *md = ssl_handshake_md(s);
  3659. int hashleni = EVP_MD_size(md);
  3660. /* Ensure cast to size_t is safe */
  3661. if (!ossl_assert(hashleni >= 0)) {
  3662. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3663. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3664. ERR_R_INTERNAL_ERROR);
  3665. goto err;
  3666. }
  3667. hashlen = (size_t)hashleni;
  3668. /*
  3669. * If we already sent one NewSessionTicket, or we resumed then
  3670. * s->session may already be in a cache and so we must not modify it.
  3671. * Instead we need to take a copy of it and modify that.
  3672. */
  3673. if (s->sent_tickets != 0 || s->hit) {
  3674. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3675. if (new_sess == NULL) {
  3676. /* SSLfatal already called */
  3677. goto err;
  3678. }
  3679. SSL_SESSION_free(s->session);
  3680. s->session = new_sess;
  3681. }
  3682. if (!ssl_generate_session_id(s, s->session)) {
  3683. /* SSLfatal() already called */
  3684. goto err;
  3685. }
  3686. if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
  3687. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3688. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3689. ERR_R_INTERNAL_ERROR);
  3690. goto err;
  3691. }
  3692. s->session->ext.tick_age_add = age_add_u.age_add;
  3693. nonce = s->next_ticket_nonce;
  3694. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3695. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3696. nonce >>= 8;
  3697. }
  3698. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3699. nonce_label,
  3700. sizeof(nonce_label) - 1,
  3701. tick_nonce,
  3702. TICKET_NONCE_SIZE,
  3703. s->session->master_key,
  3704. hashlen, 1)) {
  3705. /* SSLfatal() already called */
  3706. goto err;
  3707. }
  3708. s->session->master_key_length = hashlen;
  3709. s->session->time = (long)time(NULL);
  3710. if (s->s3->alpn_selected != NULL) {
  3711. OPENSSL_free(s->session->ext.alpn_selected);
  3712. s->session->ext.alpn_selected =
  3713. OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
  3714. if (s->session->ext.alpn_selected == NULL) {
  3715. s->session->ext.alpn_selected_len = 0;
  3716. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3717. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3718. ERR_R_MALLOC_FAILURE);
  3719. goto err;
  3720. }
  3721. s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
  3722. }
  3723. s->session->ext.max_early_data = s->max_early_data;
  3724. }
  3725. if (tctx->generate_ticket_cb != NULL &&
  3726. tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) {
  3727. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3728. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3729. ERR_R_INTERNAL_ERROR);
  3730. goto err;
  3731. }
  3732. /*
  3733. * If we are using anti-replay protection then we behave as if
  3734. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3735. * is no point in using full stateless tickets.
  3736. */
  3737. if (SSL_IS_TLS13(s)
  3738. && ((s->options & SSL_OP_NO_TICKET) != 0
  3739. || (s->max_early_data > 0
  3740. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3741. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3742. /* SSLfatal() already called */
  3743. goto err;
  3744. }
  3745. } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3746. tick_nonce)) {
  3747. /* SSLfatal() already called */
  3748. goto err;
  3749. }
  3750. if (SSL_IS_TLS13(s)) {
  3751. if (!tls_construct_extensions(s, pkt,
  3752. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3753. NULL, 0)) {
  3754. /* SSLfatal() already called */
  3755. goto err;
  3756. }
  3757. /*
  3758. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3759. * gets reset to 0 if we send more tickets following a post-handshake
  3760. * auth, but |next_ticket_nonce| does not.
  3761. */
  3762. s->sent_tickets++;
  3763. s->next_ticket_nonce++;
  3764. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3765. }
  3766. return 1;
  3767. err:
  3768. return 0;
  3769. }
  3770. /*
  3771. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3772. * create a separate message. Returns 1 on success or 0 on failure.
  3773. */
  3774. int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
  3775. {
  3776. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3777. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3778. s->ext.ocsp.resp_len)) {
  3779. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
  3780. ERR_R_INTERNAL_ERROR);
  3781. return 0;
  3782. }
  3783. return 1;
  3784. }
  3785. int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  3786. {
  3787. if (!tls_construct_cert_status_body(s, pkt)) {
  3788. /* SSLfatal() already called */
  3789. return 0;
  3790. }
  3791. return 1;
  3792. }
  3793. #ifndef OPENSSL_NO_NEXTPROTONEG
  3794. /*
  3795. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3796. * It sets the next_proto member in s if found
  3797. */
  3798. MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
  3799. {
  3800. PACKET next_proto, padding;
  3801. size_t next_proto_len;
  3802. /*-
  3803. * The payload looks like:
  3804. * uint8 proto_len;
  3805. * uint8 proto[proto_len];
  3806. * uint8 padding_len;
  3807. * uint8 padding[padding_len];
  3808. */
  3809. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3810. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3811. || PACKET_remaining(pkt) > 0) {
  3812. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3813. SSL_R_LENGTH_MISMATCH);
  3814. return MSG_PROCESS_ERROR;
  3815. }
  3816. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3817. s->ext.npn_len = 0;
  3818. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3819. ERR_R_INTERNAL_ERROR);
  3820. return MSG_PROCESS_ERROR;
  3821. }
  3822. s->ext.npn_len = (unsigned char)next_proto_len;
  3823. return MSG_PROCESS_CONTINUE_READING;
  3824. }
  3825. #endif
  3826. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
  3827. {
  3828. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3829. NULL, 0)) {
  3830. /* SSLfatal() already called */
  3831. return 0;
  3832. }
  3833. return 1;
  3834. }
  3835. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
  3836. {
  3837. if (PACKET_remaining(pkt) != 0) {
  3838. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3839. SSL_R_LENGTH_MISMATCH);
  3840. return MSG_PROCESS_ERROR;
  3841. }
  3842. if (s->early_data_state != SSL_EARLY_DATA_READING
  3843. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3844. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3845. ERR_R_INTERNAL_ERROR);
  3846. return MSG_PROCESS_ERROR;
  3847. }
  3848. /*
  3849. * EndOfEarlyData signals a key change so the end of the message must be on
  3850. * a record boundary.
  3851. */
  3852. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3853. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  3854. SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3855. SSL_R_NOT_ON_RECORD_BOUNDARY);
  3856. return MSG_PROCESS_ERROR;
  3857. }
  3858. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3859. if (!s->method->ssl3_enc->change_cipher_state(s,
  3860. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3861. /* SSLfatal() already called */
  3862. return MSG_PROCESS_ERROR;
  3863. }
  3864. return MSG_PROCESS_CONTINUE_READING;
  3865. }