]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_clnt.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Simplify SSL BIO buffering logic
[thirdparty/openssl.git] / ssl / statem / statem_clnt.c
1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
12 *
13 * Portions of the attached software ("Contribution") are developed by
14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
15 *
16 * The Contribution is licensed pursuant to the OpenSSL open source
17 * license provided above.
18 *
19 * ECC cipher suite support in OpenSSL originally written by
20 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
21 *
22 */
23 /* ====================================================================
24 * Copyright 2005 Nokia. All rights reserved.
25 *
26 * The portions of the attached software ("Contribution") is developed by
27 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
28 * license.
29 *
30 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
31 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
32 * support (see RFC 4279) to OpenSSL.
33 *
34 * No patent licenses or other rights except those expressly stated in
35 * the OpenSSL open source license shall be deemed granted or received
36 * expressly, by implication, estoppel, or otherwise.
37 *
38 * No assurances are provided by Nokia that the Contribution does not
39 * infringe the patent or other intellectual property rights of any third
40 * party or that the license provides you with all the necessary rights
41 * to make use of the Contribution.
42 *
43 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
44 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
45 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
46 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
47 * OTHERWISE.
48 */
49
50 #include <stdio.h>
51 #include "../ssl_locl.h"
52 #include "statem_locl.h"
53 #include <openssl/buffer.h>
54 #include <openssl/rand.h>
55 #include <openssl/objects.h>
56 #include <openssl/evp.h>
57 #include <openssl/md5.h>
58 #include <openssl/dh.h>
59 #include <openssl/bn.h>
60 #include <openssl/engine.h>
61
62 static ossl_inline int cert_req_allowed(SSL *s);
63 static int key_exchange_expected(SSL *s);
64 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
65 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
66 unsigned char *p);
67
68
69 /*
70 * Is a CertificateRequest message allowed at the moment or not?
71 *
72 * Return values are:
73 * 1: Yes
74 * 0: No
75 */
76 static ossl_inline int cert_req_allowed(SSL *s)
77 {
78 /* TLS does not like anon-DH with client cert */
79 if ((s->version > SSL3_VERSION
80 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
81 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
82 return 0;
83
84 return 1;
85 }
86
87 /*
88 * Should we expect the ServerKeyExchange message or not?
89 *
90 * Return values are:
91 * 1: Yes
92 * 0: No
93 * -1: Error
94 */
95 static int key_exchange_expected(SSL *s)
96 {
97 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
98
99 /*
100 * Can't skip server key exchange if this is an ephemeral
101 * ciphersuite or for SRP
102 */
103 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
104 | SSL_kSRP)) {
105 return 1;
106 }
107
108 return 0;
109 }
110
111 /*
112 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
113 * handshake state transitions when the client is reading messages from the
114 * server. The message type that the server has sent is provided in |mt|. The
115 * current state is in |s->statem.hand_state|.
116 *
117 * Return values are:
118 * 1: Success (transition allowed)
119 * 0: Error (transition not allowed)
120 */
121 int ossl_statem_client_read_transition(SSL *s, int mt)
122 {
123 OSSL_STATEM *st = &s->statem;
124 int ske_expected;
125
126 switch(st->hand_state) {
127 case TLS_ST_CW_CLNT_HELLO:
128 if (mt == SSL3_MT_SERVER_HELLO) {
129 st->hand_state = TLS_ST_CR_SRVR_HELLO;
130 return 1;
131 }
132
133 if (SSL_IS_DTLS(s)) {
134 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
135 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
136 return 1;
137 }
138 }
139 break;
140
141 case TLS_ST_CR_SRVR_HELLO:
142 if (s->hit) {
143 if (s->tlsext_ticket_expected) {
144 if (mt == SSL3_MT_NEWSESSION_TICKET) {
145 st->hand_state = TLS_ST_CR_SESSION_TICKET;
146 return 1;
147 }
148 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
149 st->hand_state = TLS_ST_CR_CHANGE;
150 return 1;
151 }
152 } else {
153 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
154 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
155 return 1;
156 } else if (s->version >= TLS1_VERSION
157 && s->tls_session_secret_cb != NULL
158 && s->session->tlsext_tick != NULL
159 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
160 /*
161 * Normally, we can tell if the server is resuming the session
162 * from the session ID. EAP-FAST (RFC 4851), however, relies on
163 * the next server message after the ServerHello to determine if
164 * the server is resuming.
165 */
166 s->hit = 1;
167 st->hand_state = TLS_ST_CR_CHANGE;
168 return 1;
169 } else if (!(s->s3->tmp.new_cipher->algorithm_auth
170 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
171 if (mt == SSL3_MT_CERTIFICATE) {
172 st->hand_state = TLS_ST_CR_CERT;
173 return 1;
174 }
175 } else {
176 ske_expected = key_exchange_expected(s);
177 if (ske_expected < 0)
178 return 0;
179 /* SKE is optional for some PSK ciphersuites */
180 if (ske_expected
181 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
182 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
183 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
184 st->hand_state = TLS_ST_CR_KEY_EXCH;
185 return 1;
186 }
187 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
188 && cert_req_allowed(s)) {
189 st->hand_state = TLS_ST_CR_CERT_REQ;
190 return 1;
191 } else if (mt == SSL3_MT_SERVER_DONE) {
192 st->hand_state = TLS_ST_CR_SRVR_DONE;
193 return 1;
194 }
195 }
196 }
197 break;
198
199 case TLS_ST_CR_CERT:
200 /*
201 * The CertificateStatus message is optional even if
202 * |tlsext_status_expected| is set
203 */
204 if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
205 st->hand_state = TLS_ST_CR_CERT_STATUS;
206 return 1;
207 }
208 /* Fall through */
209
210 case TLS_ST_CR_CERT_STATUS:
211 ske_expected = key_exchange_expected(s);
212 if (ske_expected < 0)
213 return 0;
214 /* SKE is optional for some PSK ciphersuites */
215 if (ske_expected
216 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
217 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
218 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
219 st->hand_state = TLS_ST_CR_KEY_EXCH;
220 return 1;
221 }
222 return 0;
223 }
224 /* Fall through */
225
226 case TLS_ST_CR_KEY_EXCH:
227 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
228 if (cert_req_allowed(s)) {
229 st->hand_state = TLS_ST_CR_CERT_REQ;
230 return 1;
231 }
232 return 0;
233 }
234 /* Fall through */
235
236 case TLS_ST_CR_CERT_REQ:
237 if (mt == SSL3_MT_SERVER_DONE) {
238 st->hand_state = TLS_ST_CR_SRVR_DONE;
239 return 1;
240 }
241 break;
242
243 case TLS_ST_CW_FINISHED:
244 if (s->tlsext_ticket_expected) {
245 if (mt == SSL3_MT_NEWSESSION_TICKET) {
246 st->hand_state = TLS_ST_CR_SESSION_TICKET;
247 return 1;
248 }
249 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
250 st->hand_state = TLS_ST_CR_CHANGE;
251 return 1;
252 }
253 break;
254
255 case TLS_ST_CR_SESSION_TICKET:
256 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
257 st->hand_state = TLS_ST_CR_CHANGE;
258 return 1;
259 }
260 break;
261
262 case TLS_ST_CR_CHANGE:
263 if (mt == SSL3_MT_FINISHED) {
264 st->hand_state = TLS_ST_CR_FINISHED;
265 return 1;
266 }
267 break;
268
269 default:
270 break;
271 }
272
273 /* No valid transition found */
274 return 0;
275 }
276
277 /*
278 * client_write_transition() works out what handshake state to move to next
279 * when the client is writing messages to be sent to the server.
280 */
281 WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
282 {
283 OSSL_STATEM *st = &s->statem;
284
285 switch(st->hand_state) {
286 case TLS_ST_OK:
287 /* Renegotiation - fall through */
288 case TLS_ST_BEFORE:
289 st->hand_state = TLS_ST_CW_CLNT_HELLO;
290 return WRITE_TRAN_CONTINUE;
291
292 case TLS_ST_CW_CLNT_HELLO:
293 /*
294 * No transition at the end of writing because we don't know what
295 * we will be sent
296 */
297 return WRITE_TRAN_FINISHED;
298
299 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
300 st->hand_state = TLS_ST_CW_CLNT_HELLO;
301 return WRITE_TRAN_CONTINUE;
302
303 case TLS_ST_CR_SRVR_DONE:
304 if (s->s3->tmp.cert_req)
305 st->hand_state = TLS_ST_CW_CERT;
306 else
307 st->hand_state = TLS_ST_CW_KEY_EXCH;
308 return WRITE_TRAN_CONTINUE;
309
310 case TLS_ST_CW_CERT:
311 st->hand_state = TLS_ST_CW_KEY_EXCH;
312 return WRITE_TRAN_CONTINUE;
313
314 case TLS_ST_CW_KEY_EXCH:
315 /*
316 * For TLS, cert_req is set to 2, so a cert chain of nothing is
317 * sent, but no verify packet is sent
318 */
319 /*
320 * XXX: For now, we do not support client authentication in ECDH
321 * cipher suites with ECDH (rather than ECDSA) certificates. We
322 * need to skip the certificate verify message when client's
323 * ECDH public key is sent inside the client certificate.
324 */
325 if (s->s3->tmp.cert_req == 1) {
326 st->hand_state = TLS_ST_CW_CERT_VRFY;
327 } else {
328 st->hand_state = TLS_ST_CW_CHANGE;
329 }
330 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
331 st->hand_state = TLS_ST_CW_CHANGE;
332 }
333 return WRITE_TRAN_CONTINUE;
334
335 case TLS_ST_CW_CERT_VRFY:
336 st->hand_state = TLS_ST_CW_CHANGE;
337 return WRITE_TRAN_CONTINUE;
338
339 case TLS_ST_CW_CHANGE:
340 #if defined(OPENSSL_NO_NEXTPROTONEG)
341 st->hand_state = TLS_ST_CW_FINISHED;
342 #else
343 if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
344 st->hand_state = TLS_ST_CW_NEXT_PROTO;
345 else
346 st->hand_state = TLS_ST_CW_FINISHED;
347 #endif
348 return WRITE_TRAN_CONTINUE;
349
350 #if !defined(OPENSSL_NO_NEXTPROTONEG)
351 case TLS_ST_CW_NEXT_PROTO:
352 st->hand_state = TLS_ST_CW_FINISHED;
353 return WRITE_TRAN_CONTINUE;
354 #endif
355
356 case TLS_ST_CW_FINISHED:
357 if (s->hit) {
358 st->hand_state = TLS_ST_OK;
359 ossl_statem_set_in_init(s, 0);
360 return WRITE_TRAN_CONTINUE;
361 } else {
362 return WRITE_TRAN_FINISHED;
363 }
364
365 case TLS_ST_CR_FINISHED:
366 if (s->hit) {
367 st->hand_state = TLS_ST_CW_CHANGE;
368 return WRITE_TRAN_CONTINUE;
369 } else {
370 st->hand_state = TLS_ST_OK;
371 ossl_statem_set_in_init(s, 0);
372 return WRITE_TRAN_CONTINUE;
373 }
374
375 default:
376 /* Shouldn't happen */
377 return WRITE_TRAN_ERROR;
378 }
379 }
380
381 /*
382 * Perform any pre work that needs to be done prior to sending a message from
383 * the client to the server.
384 */
385 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
386 {
387 OSSL_STATEM *st = &s->statem;
388
389 switch(st->hand_state) {
390 case TLS_ST_CW_CLNT_HELLO:
391 s->shutdown = 0;
392 if (SSL_IS_DTLS(s)) {
393 /* every DTLS ClientHello resets Finished MAC */
394 ssl3_init_finished_mac(s);
395 }
396 break;
397
398 case TLS_ST_CW_CERT:
399 return tls_prepare_client_certificate(s, wst);
400
401 case TLS_ST_CW_CHANGE:
402 if (SSL_IS_DTLS(s)) {
403 if (s->hit) {
404 /*
405 * We're into the last flight so we don't retransmit these
406 * messages unless we need to.
407 */
408 st->use_timer = 0;
409 }
410 #ifndef OPENSSL_NO_SCTP
411 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
412 return dtls_wait_for_dry(s);
413 #endif
414 }
415 return WORK_FINISHED_CONTINUE;
416
417 case TLS_ST_OK:
418 return tls_finish_handshake(s, wst);
419
420 default:
421 /* No pre work to be done */
422 break;
423 }
424
425 return WORK_FINISHED_CONTINUE;
426 }
427
428 /*
429 * Perform any work that needs to be done after sending a message from the
430 * client to the server.
431 */
432 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
433 {
434 OSSL_STATEM *st = &s->statem;
435
436 s->init_num = 0;
437
438 switch(st->hand_state) {
439 case TLS_ST_CW_CLNT_HELLO:
440 if (wst == WORK_MORE_A && statem_flush(s) != 1)
441 return WORK_MORE_A;
442
443 if (SSL_IS_DTLS(s)) {
444 /* Treat the next message as the first packet */
445 s->first_packet = 1;
446 }
447 break;
448
449 case TLS_ST_CW_KEY_EXCH:
450 if (tls_client_key_exchange_post_work(s) == 0)
451 return WORK_ERROR;
452 break;
453
454 case TLS_ST_CW_CHANGE:
455 s->session->cipher = s->s3->tmp.new_cipher;
456 #ifdef OPENSSL_NO_COMP
457 s->session->compress_meth = 0;
458 #else
459 if (s->s3->tmp.new_compression == NULL)
460 s->session->compress_meth = 0;
461 else
462 s->session->compress_meth = s->s3->tmp.new_compression->id;
463 #endif
464 if (!s->method->ssl3_enc->setup_key_block(s))
465 return WORK_ERROR;
466
467 if (!s->method->ssl3_enc->change_cipher_state(s,
468 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
469 return WORK_ERROR;
470
471 if (SSL_IS_DTLS(s)) {
472 #ifndef OPENSSL_NO_SCTP
473 if (s->hit) {
474 /*
475 * Change to new shared key of SCTP-Auth, will be ignored if
476 * no SCTP used.
477 */
478 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
479 0, NULL);
480 }
481 #endif
482
483 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
484 }
485 break;
486
487 case TLS_ST_CW_FINISHED:
488 #ifndef OPENSSL_NO_SCTP
489 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
490 /*
491 * Change to new shared key of SCTP-Auth, will be ignored if
492 * no SCTP used.
493 */
494 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
495 0, NULL);
496 }
497 #endif
498 if (statem_flush(s) != 1)
499 return WORK_MORE_B;
500 break;
501
502 default:
503 /* No post work to be done */
504 break;
505 }
506
507 return WORK_FINISHED_CONTINUE;
508 }
509
510 /*
511 * Construct a message to be sent from the client to the server.
512 *
513 * Valid return values are:
514 * 1: Success
515 * 0: Error
516 */
517 int ossl_statem_client_construct_message(SSL *s)
518 {
519 OSSL_STATEM *st = &s->statem;
520
521 switch(st->hand_state) {
522 case TLS_ST_CW_CLNT_HELLO:
523 return tls_construct_client_hello(s);
524
525 case TLS_ST_CW_CERT:
526 return tls_construct_client_certificate(s);
527
528 case TLS_ST_CW_KEY_EXCH:
529 return tls_construct_client_key_exchange(s);
530
531 case TLS_ST_CW_CERT_VRFY:
532 return tls_construct_client_verify(s);
533
534 case TLS_ST_CW_CHANGE:
535 if (SSL_IS_DTLS(s))
536 return dtls_construct_change_cipher_spec(s);
537 else
538 return tls_construct_change_cipher_spec(s);
539
540 #if !defined(OPENSSL_NO_NEXTPROTONEG)
541 case TLS_ST_CW_NEXT_PROTO:
542 return tls_construct_next_proto(s);
543 #endif
544 case TLS_ST_CW_FINISHED:
545 return tls_construct_finished(s,
546 s->method->
547 ssl3_enc->client_finished_label,
548 s->method->
549 ssl3_enc->client_finished_label_len);
550
551 default:
552 /* Shouldn't happen */
553 break;
554 }
555
556 return 0;
557 }
558
559 /*
560 * Returns the maximum allowed length for the current message that we are
561 * reading. Excludes the message header.
562 */
563 unsigned long ossl_statem_client_max_message_size(SSL *s)
564 {
565 OSSL_STATEM *st = &s->statem;
566
567 switch(st->hand_state) {
568 case TLS_ST_CR_SRVR_HELLO:
569 return SERVER_HELLO_MAX_LENGTH;
570
571 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
572 return HELLO_VERIFY_REQUEST_MAX_LENGTH;
573
574 case TLS_ST_CR_CERT:
575 return s->max_cert_list;
576
577 case TLS_ST_CR_CERT_STATUS:
578 return SSL3_RT_MAX_PLAIN_LENGTH;
579
580 case TLS_ST_CR_KEY_EXCH:
581 return SERVER_KEY_EXCH_MAX_LENGTH;
582
583 case TLS_ST_CR_CERT_REQ:
584 /* Set to s->max_cert_list for compatibility with previous releases.
585 * In practice these messages can get quite long if servers are
586 * configured to provide a long list of acceptable CAs
587 */
588 return s->max_cert_list;
589
590 case TLS_ST_CR_SRVR_DONE:
591 return SERVER_HELLO_DONE_MAX_LENGTH;
592
593 case TLS_ST_CR_CHANGE:
594 return CCS_MAX_LENGTH;
595
596 case TLS_ST_CR_SESSION_TICKET:
597 return SSL3_RT_MAX_PLAIN_LENGTH;
598
599 case TLS_ST_CR_FINISHED:
600 return FINISHED_MAX_LENGTH;
601
602 default:
603 /* Shouldn't happen */
604 break;
605 }
606
607 return 0;
608 }
609
610 /*
611 * Process a message that the client has been received from the server.
612 */
613 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
614 {
615 OSSL_STATEM *st = &s->statem;
616
617 switch(st->hand_state) {
618 case TLS_ST_CR_SRVR_HELLO:
619 return tls_process_server_hello(s, pkt);
620
621 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
622 return dtls_process_hello_verify(s, pkt);
623
624 case TLS_ST_CR_CERT:
625 return tls_process_server_certificate(s, pkt);
626
627 case TLS_ST_CR_CERT_STATUS:
628 return tls_process_cert_status(s, pkt);
629
630 case TLS_ST_CR_KEY_EXCH:
631 return tls_process_key_exchange(s, pkt);
632
633 case TLS_ST_CR_CERT_REQ:
634 return tls_process_certificate_request(s, pkt);
635
636 case TLS_ST_CR_SRVR_DONE:
637 return tls_process_server_done(s, pkt);
638
639 case TLS_ST_CR_CHANGE:
640 return tls_process_change_cipher_spec(s, pkt);
641
642 case TLS_ST_CR_SESSION_TICKET:
643 return tls_process_new_session_ticket(s, pkt);
644
645 case TLS_ST_CR_FINISHED:
646 return tls_process_finished(s, pkt);
647
648 default:
649 /* Shouldn't happen */
650 break;
651 }
652
653 return MSG_PROCESS_ERROR;
654 }
655
656 /*
657 * Perform any further processing required following the receipt of a message
658 * from the server
659 */
660 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
661 {
662 OSSL_STATEM *st = &s->statem;
663
664 switch(st->hand_state) {
665 #ifndef OPENSSL_NO_SCTP
666 case TLS_ST_CR_SRVR_DONE:
667 /* We only get here if we are using SCTP and we are renegotiating */
668 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
669 s->s3->in_read_app_data = 2;
670 s->rwstate = SSL_READING;
671 BIO_clear_retry_flags(SSL_get_rbio(s));
672 BIO_set_retry_read(SSL_get_rbio(s));
673 ossl_statem_set_sctp_read_sock(s, 1);
674 return WORK_MORE_A;
675 }
676 ossl_statem_set_sctp_read_sock(s, 0);
677 return WORK_FINISHED_STOP;
678 #endif
679
680 default:
681 break;
682 }
683
684 /* Shouldn't happen */
685 return WORK_ERROR;
686 }
687
688 int tls_construct_client_hello(SSL *s)
689 {
690 unsigned char *buf;
691 unsigned char *p, *d;
692 int i;
693 int protverr;
694 unsigned long l;
695 int al = 0;
696 #ifndef OPENSSL_NO_COMP
697 int j;
698 SSL_COMP *comp;
699 #endif
700 SSL_SESSION *sess = s->session;
701
702 buf = (unsigned char *)s->init_buf->data;
703
704 /* Work out what SSL/TLS/DTLS version to use */
705 protverr = ssl_set_client_hello_version(s);
706 if (protverr != 0) {
707 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr);
708 goto err;
709 }
710
711 if ((sess == NULL) ||
712 !ssl_version_supported(s, sess->ssl_version) ||
713 /*
714 * In the case of EAP-FAST, we can have a pre-shared
715 * "ticket" without a session ID.
716 */
717 (!sess->session_id_length && !sess->tlsext_tick) ||
718 (sess->not_resumable)) {
719 if (!ssl_get_new_session(s, 0))
720 goto err;
721 }
722 /* else use the pre-loaded session */
723
724 p = s->s3->client_random;
725
726 /*
727 * for DTLS if client_random is initialized, reuse it, we are
728 * required to use same upon reply to HelloVerify
729 */
730 if (SSL_IS_DTLS(s)) {
731 size_t idx;
732 i = 1;
733 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
734 if (p[idx]) {
735 i = 0;
736 break;
737 }
738 }
739 } else
740 i = 1;
741
742 if (i && ssl_fill_hello_random(s, 0, p,
743 sizeof(s->s3->client_random)) <= 0)
744 goto err;
745
746 /* Do the message type and length last */
747 d = p = ssl_handshake_start(s);
748
749 /*-
750 * version indicates the negotiated version: for example from
751 * an SSLv2/v3 compatible client hello). The client_version
752 * field is the maximum version we permit and it is also
753 * used in RSA encrypted premaster secrets. Some servers can
754 * choke if we initially report a higher version then
755 * renegotiate to a lower one in the premaster secret. This
756 * didn't happen with TLS 1.0 as most servers supported it
757 * but it can with TLS 1.1 or later if the server only supports
758 * 1.0.
759 *
760 * Possible scenario with previous logic:
761 * 1. Client hello indicates TLS 1.2
762 * 2. Server hello says TLS 1.0
763 * 3. RSA encrypted premaster secret uses 1.2.
764 * 4. Handshake proceeds using TLS 1.0.
765 * 5. Server sends hello request to renegotiate.
766 * 6. Client hello indicates TLS v1.0 as we now
767 * know that is maximum server supports.
768 * 7. Server chokes on RSA encrypted premaster secret
769 * containing version 1.0.
770 *
771 * For interoperability it should be OK to always use the
772 * maximum version we support in client hello and then rely
773 * on the checking of version to ensure the servers isn't
774 * being inconsistent: for example initially negotiating with
775 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
776 * client_version in client hello and not resetting it to
777 * the negotiated version.
778 */
779 *(p++) = s->client_version >> 8;
780 *(p++) = s->client_version & 0xff;
781
782 /* Random stuff */
783 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
784 p += SSL3_RANDOM_SIZE;
785
786 /* Session ID */
787 if (s->new_session)
788 i = 0;
789 else
790 i = s->session->session_id_length;
791 *(p++) = i;
792 if (i != 0) {
793 if (i > (int)sizeof(s->session->session_id)) {
794 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
795 goto err;
796 }
797 memcpy(p, s->session->session_id, i);
798 p += i;
799 }
800
801 /* cookie stuff for DTLS */
802 if (SSL_IS_DTLS(s)) {
803 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
804 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
805 goto err;
806 }
807 *(p++) = s->d1->cookie_len;
808 memcpy(p, s->d1->cookie, s->d1->cookie_len);
809 p += s->d1->cookie_len;
810 }
811
812 /* Ciphers supported */
813 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]));
814 if (i == 0) {
815 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
816 goto err;
817 }
818 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
819 /*
820 * Some servers hang if client hello > 256 bytes as hack workaround
821 * chop number of supported ciphers to keep it well below this if we
822 * use TLS v1.2
823 */
824 if (TLS1_get_version(s) >= TLS1_2_VERSION
825 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
826 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
827 #endif
828 s2n(i, p);
829 p += i;
830
831 /* COMPRESSION */
832 #ifdef OPENSSL_NO_COMP
833 *(p++) = 1;
834 #else
835
836 if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
837 j = 0;
838 else
839 j = sk_SSL_COMP_num(s->ctx->comp_methods);
840 *(p++) = 1 + j;
841 for (i = 0; i < j; i++) {
842 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
843 *(p++) = comp->id;
844 }
845 #endif
846 *(p++) = 0; /* Add the NULL method */
847
848 /* TLS extensions */
849 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
850 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
851 goto err;
852 }
853 if ((p =
854 ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
855 &al)) == NULL) {
856 ssl3_send_alert(s, SSL3_AL_FATAL, al);
857 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
858 goto err;
859 }
860
861 l = p - d;
862 if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
863 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
864 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
865 goto err;
866 }
867
868 return 1;
869 err:
870 ossl_statem_set_error(s);
871 return 0;
872 }
873
874 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
875 {
876 int al;
877 unsigned int cookie_len;
878 PACKET cookiepkt;
879
880 if (!PACKET_forward(pkt, 2)
881 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
882 al = SSL_AD_DECODE_ERROR;
883 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
884 goto f_err;
885 }
886
887 cookie_len = PACKET_remaining(&cookiepkt);
888 if (cookie_len > sizeof(s->d1->cookie)) {
889 al = SSL_AD_ILLEGAL_PARAMETER;
890 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG);
891 goto f_err;
892 }
893
894 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
895 al = SSL_AD_DECODE_ERROR;
896 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
897 goto f_err;
898 }
899 s->d1->cookie_len = cookie_len;
900
901 return MSG_PROCESS_FINISHED_READING;
902 f_err:
903 ssl3_send_alert(s, SSL3_AL_FATAL, al);
904 ossl_statem_set_error(s);
905 return MSG_PROCESS_ERROR;
906 }
907
908 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
909 {
910 STACK_OF(SSL_CIPHER) *sk;
911 const SSL_CIPHER *c;
912 PACKET session_id;
913 size_t session_id_len;
914 const unsigned char *cipherchars;
915 int i, al = SSL_AD_INTERNAL_ERROR;
916 unsigned int compression;
917 unsigned int sversion;
918 int protverr;
919 #ifndef OPENSSL_NO_COMP
920 SSL_COMP *comp;
921 #endif
922
923 if (!PACKET_get_net_2(pkt, &sversion)) {
924 al = SSL_AD_DECODE_ERROR;
925 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
926 goto f_err;
927 }
928
929 protverr = ssl_choose_client_version(s, sversion);
930 if (protverr != 0) {
931 al = SSL_AD_PROTOCOL_VERSION;
932 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr);
933 goto f_err;
934 }
935
936 /* load the server hello data */
937 /* load the server random */
938 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
939 al = SSL_AD_DECODE_ERROR;
940 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
941 goto f_err;
942 }
943
944 s->hit = 0;
945
946 /* Get the session-id. */
947 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
948 al = SSL_AD_DECODE_ERROR;
949 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
950 goto f_err;
951 }
952 session_id_len = PACKET_remaining(&session_id);
953 if (session_id_len > sizeof s->session->session_id
954 || session_id_len > SSL3_SESSION_ID_SIZE) {
955 al = SSL_AD_ILLEGAL_PARAMETER;
956 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
957 goto f_err;
958 }
959
960 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
961 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
962 al = SSL_AD_DECODE_ERROR;
963 goto f_err;
964 }
965
966 /*
967 * Check if we can resume the session based on external pre-shared secret.
968 * EAP-FAST (RFC 4851) supports two types of session resumption.
969 * Resumption based on server-side state works with session IDs.
970 * Resumption based on pre-shared Protected Access Credentials (PACs)
971 * works by overriding the SessionTicket extension at the application
972 * layer, and does not send a session ID. (We do not know whether EAP-FAST
973 * servers would honour the session ID.) Therefore, the session ID alone
974 * is not a reliable indicator of session resumption, so we first check if
975 * we can resume, and later peek at the next handshake message to see if the
976 * server wants to resume.
977 */
978 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb &&
979 s->session->tlsext_tick) {
980 const SSL_CIPHER *pref_cipher = NULL;
981 s->session->master_key_length = sizeof(s->session->master_key);
982 if (s->tls_session_secret_cb(s, s->session->master_key,
983 &s->session->master_key_length,
984 NULL, &pref_cipher,
985 s->tls_session_secret_cb_arg)) {
986 s->session->cipher = pref_cipher ?
987 pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
988 } else {
989 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
990 al = SSL_AD_INTERNAL_ERROR;
991 goto f_err;
992 }
993 }
994
995 if (session_id_len != 0 && session_id_len == s->session->session_id_length
996 && memcmp(PACKET_data(&session_id), s->session->session_id,
997 session_id_len) == 0) {
998 if (s->sid_ctx_length != s->session->sid_ctx_length
999 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1000 /* actually a client application bug */
1001 al = SSL_AD_ILLEGAL_PARAMETER;
1002 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1003 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1004 goto f_err;
1005 }
1006 s->hit = 1;
1007 } else {
1008 /*
1009 * If we were trying for session-id reuse but the server
1010 * didn't echo the ID, make a new SSL_SESSION.
1011 * In the case of EAP-FAST and PAC, we do not send a session ID,
1012 * so the PAC-based session secret is always preserved. It'll be
1013 * overwritten if the server refuses resumption.
1014 */
1015 if (s->session->session_id_length > 0) {
1016 if (!ssl_get_new_session(s, 0)) {
1017 goto f_err;
1018 }
1019 }
1020
1021 s->session->ssl_version = s->version;
1022 s->session->session_id_length = session_id_len;
1023 /* session_id_len could be 0 */
1024 memcpy(s->session->session_id, PACKET_data(&session_id),
1025 session_id_len);
1026 }
1027
1028 /* Session version and negotiated protocol version should match */
1029 if (s->version != s->session->ssl_version) {
1030 al = SSL_AD_PROTOCOL_VERSION;
1031
1032 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1033 SSL_R_SSL_SESSION_VERSION_MISMATCH);
1034 goto f_err;
1035 }
1036
1037 c = ssl_get_cipher_by_char(s, cipherchars);
1038 if (c == NULL) {
1039 /* unknown cipher */
1040 al = SSL_AD_ILLEGAL_PARAMETER;
1041 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
1042 goto f_err;
1043 }
1044 /*
1045 * Now that we know the version, update the check to see if it's an allowed
1046 * version.
1047 */
1048 s->s3->tmp.min_ver = s->version;
1049 s->s3->tmp.max_ver = s->version;
1050 /*
1051 * If it is a disabled cipher we either didn't send it in client hello,
1052 * or it's not allowed for the selected protocol. So we return an error.
1053 */
1054 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
1055 al = SSL_AD_ILLEGAL_PARAMETER;
1056 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1057 goto f_err;
1058 }
1059
1060 sk = ssl_get_ciphers_by_id(s);
1061 i = sk_SSL_CIPHER_find(sk, c);
1062 if (i < 0) {
1063 /* we did not say we would use this cipher */
1064 al = SSL_AD_ILLEGAL_PARAMETER;
1065 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1066 goto f_err;
1067 }
1068
1069 /*
1070 * Depending on the session caching (internal/external), the cipher
1071 * and/or cipher_id values may not be set. Make sure that cipher_id is
1072 * set and use it for comparison.
1073 */
1074 if (s->session->cipher)
1075 s->session->cipher_id = s->session->cipher->id;
1076 if (s->hit && (s->session->cipher_id != c->id)) {
1077 al = SSL_AD_ILLEGAL_PARAMETER;
1078 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1079 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1080 goto f_err;
1081 }
1082 s->s3->tmp.new_cipher = c;
1083 /* lets get the compression algorithm */
1084 /* COMPRESSION */
1085 if (!PACKET_get_1(pkt, &compression)) {
1086 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1087 al = SSL_AD_DECODE_ERROR;
1088 goto f_err;
1089 }
1090 #ifdef OPENSSL_NO_COMP
1091 if (compression != 0) {
1092 al = SSL_AD_ILLEGAL_PARAMETER;
1093 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1094 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1095 goto f_err;
1096 }
1097 /*
1098 * If compression is disabled we'd better not try to resume a session
1099 * using compression.
1100 */
1101 if (s->session->compress_meth != 0) {
1102 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1103 goto f_err;
1104 }
1105 #else
1106 if (s->hit && compression != s->session->compress_meth) {
1107 al = SSL_AD_ILLEGAL_PARAMETER;
1108 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1109 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1110 goto f_err;
1111 }
1112 if (compression == 0)
1113 comp = NULL;
1114 else if (!ssl_allow_compression(s)) {
1115 al = SSL_AD_ILLEGAL_PARAMETER;
1116 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1117 goto f_err;
1118 } else {
1119 comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1120 }
1121
1122 if (compression != 0 && comp == NULL) {
1123 al = SSL_AD_ILLEGAL_PARAMETER;
1124 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1125 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1126 goto f_err;
1127 } else {
1128 s->s3->tmp.new_compression = comp;
1129 }
1130 #endif
1131
1132 /* TLS extensions */
1133 if (!ssl_parse_serverhello_tlsext(s, pkt)) {
1134 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1135 goto err;
1136 }
1137
1138 if (PACKET_remaining(pkt) != 0) {
1139 /* wrong packet length */
1140 al = SSL_AD_DECODE_ERROR;
1141 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1142 goto f_err;
1143 }
1144
1145 #ifndef OPENSSL_NO_SCTP
1146 if (SSL_IS_DTLS(s) && s->hit) {
1147 unsigned char sctpauthkey[64];
1148 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1149
1150 /*
1151 * Add new shared key for SCTP-Auth, will be ignored if
1152 * no SCTP used.
1153 */
1154 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1155 sizeof(DTLS1_SCTP_AUTH_LABEL));
1156
1157 if (SSL_export_keying_material(s, sctpauthkey,
1158 sizeof(sctpauthkey),
1159 labelbuffer,
1160 sizeof(labelbuffer), NULL, 0,
1161 0) <= 0)
1162 goto err;
1163
1164 BIO_ctrl(SSL_get_wbio(s),
1165 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1166 sizeof(sctpauthkey), sctpauthkey);
1167 }
1168 #endif
1169
1170 return MSG_PROCESS_CONTINUE_READING;
1171 f_err:
1172 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1173 err:
1174 ossl_statem_set_error(s);
1175 return MSG_PROCESS_ERROR;
1176 }
1177
1178 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
1179 {
1180 int al, i, ret = MSG_PROCESS_ERROR, exp_idx;
1181 unsigned long cert_list_len, cert_len;
1182 X509 *x = NULL;
1183 const unsigned char *certstart, *certbytes;
1184 STACK_OF(X509) *sk = NULL;
1185 EVP_PKEY *pkey = NULL;
1186
1187 if ((sk = sk_X509_new_null()) == NULL) {
1188 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1189 goto err;
1190 }
1191
1192 if (!PACKET_get_net_3(pkt, &cert_list_len)
1193 || PACKET_remaining(pkt) != cert_list_len) {
1194 al = SSL_AD_DECODE_ERROR;
1195 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1196 goto f_err;
1197 }
1198 while (PACKET_remaining(pkt)) {
1199 if (!PACKET_get_net_3(pkt, &cert_len)
1200 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1201 al = SSL_AD_DECODE_ERROR;
1202 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1203 SSL_R_CERT_LENGTH_MISMATCH);
1204 goto f_err;
1205 }
1206
1207 certstart = certbytes;
1208 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
1209 if (x == NULL) {
1210 al = SSL_AD_BAD_CERTIFICATE;
1211 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1212 goto f_err;
1213 }
1214 if (certbytes != (certstart + cert_len)) {
1215 al = SSL_AD_DECODE_ERROR;
1216 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1217 SSL_R_CERT_LENGTH_MISMATCH);
1218 goto f_err;
1219 }
1220 if (!sk_X509_push(sk, x)) {
1221 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1222 goto err;
1223 }
1224 x = NULL;
1225 }
1226
1227 i = ssl_verify_cert_chain(s, sk);
1228 if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
1229 al = ssl_verify_alarm_type(s->verify_result);
1230 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1231 SSL_R_CERTIFICATE_VERIFY_FAILED);
1232 goto f_err;
1233 }
1234 ERR_clear_error(); /* but we keep s->verify_result */
1235 if (i > 1) {
1236 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
1237 al = SSL_AD_HANDSHAKE_FAILURE;
1238 goto f_err;
1239 }
1240
1241 s->session->peer_chain = sk;
1242 /*
1243 * Inconsistency alert: cert_chain does include the peer's certificate,
1244 * which we don't include in statem_srvr.c
1245 */
1246 x = sk_X509_value(sk, 0);
1247 sk = NULL;
1248 /*
1249 * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
1250 */
1251
1252 pkey = X509_get0_pubkey(x);
1253
1254 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
1255 x = NULL;
1256 al = SSL3_AL_FATAL;
1257 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1258 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1259 goto f_err;
1260 }
1261
1262 i = ssl_cert_type(x, pkey);
1263 if (i < 0) {
1264 x = NULL;
1265 al = SSL3_AL_FATAL;
1266 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1267 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1268 goto f_err;
1269 }
1270
1271 exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1272 if (exp_idx >= 0 && i != exp_idx
1273 && (exp_idx != SSL_PKEY_GOST_EC ||
1274 (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
1275 && i != SSL_PKEY_GOST01))) {
1276 x = NULL;
1277 al = SSL_AD_ILLEGAL_PARAMETER;
1278 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1279 SSL_R_WRONG_CERTIFICATE_TYPE);
1280 goto f_err;
1281 }
1282 s->session->peer_type = i;
1283
1284 X509_free(s->session->peer);
1285 X509_up_ref(x);
1286 s->session->peer = x;
1287 s->session->verify_result = s->verify_result;
1288
1289 x = NULL;
1290 ret = MSG_PROCESS_CONTINUE_READING;
1291 goto done;
1292
1293 f_err:
1294 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1295 err:
1296 ossl_statem_set_error(s);
1297 done:
1298 X509_free(x);
1299 sk_X509_pop_free(sk, X509_free);
1300 return ret;
1301 }
1302
1303 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
1304 {
1305 EVP_MD_CTX *md_ctx;
1306 int al, j;
1307 long alg_k, alg_a;
1308 EVP_PKEY *pkey = NULL;
1309 const EVP_MD *md = NULL;
1310 #ifndef OPENSSL_NO_RSA
1311 RSA *rsa = NULL;
1312 #endif
1313 #ifndef OPENSSL_NO_EC
1314 EVP_PKEY_CTX *pctx = NULL;
1315 #endif
1316 PACKET save_param_start, signature;
1317
1318 md_ctx = EVP_MD_CTX_new();
1319 if (md_ctx == NULL) {
1320 al = SSL_AD_INTERNAL_ERROR;
1321 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1322 goto f_err;
1323 }
1324
1325 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1326
1327 save_param_start = *pkt;
1328
1329 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1330 EVP_PKEY_free(s->s3->peer_tmp);
1331 s->s3->peer_tmp = NULL;
1332 #endif
1333
1334 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1335
1336 al = SSL_AD_DECODE_ERROR;
1337
1338 #ifndef OPENSSL_NO_PSK
1339 /* PSK ciphersuites are preceded by an identity hint */
1340 if (alg_k & SSL_PSK) {
1341 PACKET psk_identity_hint;
1342 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1343 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1344 goto f_err;
1345 }
1346
1347 /*
1348 * Store PSK identity hint for later use, hint is used in
1349 * ssl3_send_client_key_exchange. Assume that the maximum length of
1350 * a PSK identity hint can be as long as the maximum length of a PSK
1351 * identity.
1352 */
1353 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
1354 al = SSL_AD_HANDSHAKE_FAILURE;
1355 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG);
1356 goto f_err;
1357 }
1358
1359 if (PACKET_remaining(&psk_identity_hint) == 0) {
1360 OPENSSL_free(s->session->psk_identity_hint);
1361 s->session->psk_identity_hint = NULL;
1362 } else if (!PACKET_strndup(&psk_identity_hint,
1363 &s->session->psk_identity_hint)) {
1364 al = SSL_AD_INTERNAL_ERROR;
1365 goto f_err;
1366 }
1367 }
1368
1369 /* Nothing else to do for plain PSK or RSAPSK */
1370 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
1371 } else
1372 #endif /* !OPENSSL_NO_PSK */
1373 /*
1374 * Dummy "if" to ensure sane C code in the event of various OPENSSL_NO_*
1375 * options
1376 */
1377 if (0) {
1378 }
1379 #ifndef OPENSSL_NO_SRP
1380 else if (alg_k & SSL_kSRP) {
1381 PACKET prime, generator, salt, server_pub;
1382 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1383 || !PACKET_get_length_prefixed_2(pkt, &generator)
1384 || !PACKET_get_length_prefixed_1(pkt, &salt)
1385 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1386 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1387 goto f_err;
1388 }
1389
1390 if ((s->srp_ctx.N =
1391 BN_bin2bn(PACKET_data(&prime),
1392 PACKET_remaining(&prime), NULL)) == NULL
1393 || (s->srp_ctx.g =
1394 BN_bin2bn(PACKET_data(&generator),
1395 PACKET_remaining(&generator), NULL)) == NULL
1396 || (s->srp_ctx.s =
1397 BN_bin2bn(PACKET_data(&salt),
1398 PACKET_remaining(&salt), NULL)) == NULL
1399 || (s->srp_ctx.B =
1400 BN_bin2bn(PACKET_data(&server_pub),
1401 PACKET_remaining(&server_pub), NULL)) == NULL) {
1402 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
1403 goto err;
1404 }
1405
1406 if (!srp_verify_server_param(s, &al)) {
1407 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SRP_PARAMETERS);
1408 goto f_err;
1409 }
1410
1411 /* We must check if there is a certificate */
1412 if (alg_a & (SSL_aRSA|SSL_aDSS))
1413 pkey = X509_get0_pubkey(s->session->peer);
1414 }
1415 #endif /* !OPENSSL_NO_SRP */
1416 #ifndef OPENSSL_NO_DH
1417 else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
1418 PACKET prime, generator, pub_key;
1419 EVP_PKEY *peer_tmp = NULL;
1420
1421 DH *dh = NULL;
1422 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
1423
1424 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1425 || !PACKET_get_length_prefixed_2(pkt, &generator)
1426 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
1427 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1428 goto f_err;
1429 }
1430
1431 peer_tmp = EVP_PKEY_new();
1432 dh = DH_new();
1433
1434 if (peer_tmp == NULL || dh == NULL) {
1435 al = SSL_AD_INTERNAL_ERROR;
1436 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1437 goto dherr;
1438 }
1439
1440 p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
1441 g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator),
1442 NULL);
1443 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
1444 NULL);
1445 if (p == NULL || g == NULL || bnpub_key == NULL) {
1446 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
1447 goto dherr;
1448 }
1449
1450 if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
1451 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_DH_VALUE);
1452 goto dherr;
1453 }
1454
1455 if (!DH_set0_pqg(dh, p, NULL, g)) {
1456 al = SSL_AD_INTERNAL_ERROR;
1457 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
1458 goto dherr;
1459 }
1460
1461 if (!DH_set0_key(dh, bnpub_key, NULL)) {
1462 al = SSL_AD_INTERNAL_ERROR;
1463 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
1464 goto dherr;
1465 }
1466
1467 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
1468 al = SSL_AD_HANDSHAKE_FAILURE;
1469 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_DH_KEY_TOO_SMALL);
1470 goto dherr;
1471 }
1472
1473 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
1474 al = SSL_AD_INTERNAL_ERROR;
1475 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
1476 goto dherr;
1477 }
1478
1479 s->s3->peer_tmp = peer_tmp;
1480
1481 goto dhend;
1482 dherr:
1483 BN_free(p);
1484 BN_free(g);
1485 BN_free(bnpub_key);
1486 DH_free(dh);
1487 EVP_PKEY_free(peer_tmp);
1488 goto f_err;
1489 dhend:
1490 /*
1491 * FIXME: This makes assumptions about which ciphersuites come with
1492 * public keys. We should have a less ad-hoc way of doing this
1493 */
1494 if (alg_a & (SSL_aRSA|SSL_aDSS))
1495 pkey = X509_get0_pubkey(s->session->peer);
1496 /* else anonymous DH, so no certificate or pkey. */
1497 }
1498 #endif /* !OPENSSL_NO_DH */
1499
1500 #ifndef OPENSSL_NO_EC
1501 else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
1502 PACKET encoded_pt;
1503 const unsigned char *ecparams;
1504 int curve_nid;
1505
1506 /*
1507 * Extract elliptic curve parameters and the server's ephemeral ECDH
1508 * public key. For now we only support named (not generic) curves and
1509 * ECParameters in this case is just three bytes.
1510 */
1511 if (!PACKET_get_bytes(pkt, &ecparams, 3)) {
1512 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1513 goto f_err;
1514 }
1515 /*
1516 * Check curve is one of our preferences, if not server has sent an
1517 * invalid curve. ECParameters is 3 bytes.
1518 */
1519 if (!tls1_check_curve(s, ecparams, 3)) {
1520 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
1521 goto f_err;
1522 }
1523
1524 curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2));
1525 if (curve_nid == 0) {
1526 al = SSL_AD_INTERNAL_ERROR;
1527 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
1528 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1529 goto f_err;
1530 }
1531
1532 /* Set up EVP_PKEY with named curve as parameters */
1533 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1534 if (pctx == NULL
1535 || EVP_PKEY_paramgen_init(pctx) <= 0
1536 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, curve_nid) <= 0
1537 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
1538 al = SSL_AD_INTERNAL_ERROR;
1539 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
1540 goto f_err;
1541 }
1542 EVP_PKEY_CTX_free(pctx);
1543 pctx = NULL;
1544
1545 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
1546 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1547 goto f_err;
1548 }
1549
1550 if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(s->s3->peer_tmp),
1551 PACKET_data(&encoded_pt),
1552 PACKET_remaining(&encoded_pt), NULL) == 0) {
1553 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1554 goto f_err;
1555 }
1556
1557 /*
1558 * The ECC/TLS specification does not mention the use of DSA to sign
1559 * ECParameters in the server key exchange message. We do support RSA
1560 * and ECDSA.
1561 */
1562 if (0) ;
1563 # ifndef OPENSSL_NO_RSA
1564 else if (alg_a & SSL_aRSA)
1565 pkey = X509_get0_pubkey(s->session->peer);
1566 # endif
1567 # ifndef OPENSSL_NO_EC
1568 else if (alg_a & SSL_aECDSA)
1569 pkey = X509_get0_pubkey(s->session->peer);
1570 # endif
1571 /* else anonymous ECDH, so no certificate or pkey. */
1572 } else if (alg_k) {
1573 al = SSL_AD_UNEXPECTED_MESSAGE;
1574 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1575 goto f_err;
1576 }
1577 #endif /* !OPENSSL_NO_EC */
1578
1579 /* if it was signed, check the signature */
1580 if (pkey != NULL) {
1581 PACKET params;
1582 /*
1583 * |pkt| now points to the beginning of the signature, so the difference
1584 * equals the length of the parameters.
1585 */
1586 if (!PACKET_get_sub_packet(&save_param_start, &params,
1587 PACKET_remaining(&save_param_start) -
1588 PACKET_remaining(pkt))) {
1589 al = SSL_AD_INTERNAL_ERROR;
1590 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1591 goto f_err;
1592 }
1593
1594 if (SSL_USE_SIGALGS(s)) {
1595 const unsigned char *sigalgs;
1596 int rv;
1597 if (!PACKET_get_bytes(pkt, &sigalgs, 2)) {
1598 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1599 goto f_err;
1600 }
1601 rv = tls12_check_peer_sigalg(&md, s, sigalgs, pkey);
1602 if (rv == -1)
1603 goto err;
1604 else if (rv == 0) {
1605 goto f_err;
1606 }
1607 #ifdef SSL_DEBUG
1608 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1609 #endif
1610 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
1611 md = EVP_md5_sha1();
1612 } else {
1613 md = EVP_sha1();
1614 }
1615
1616 if (!PACKET_get_length_prefixed_2(pkt, &signature)
1617 || PACKET_remaining(pkt) != 0) {
1618 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1619 goto f_err;
1620 }
1621 j = EVP_PKEY_size(pkey);
1622 if (j < 0) {
1623 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1624 goto f_err;
1625 }
1626
1627 /*
1628 * Check signature length
1629 */
1630 if (PACKET_remaining(&signature) > (size_t)j) {
1631 /* wrong packet length */
1632 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1633 goto f_err;
1634 }
1635 if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
1636 || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
1637 SSL3_RANDOM_SIZE) <= 0
1638 || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]),
1639 SSL3_RANDOM_SIZE) <= 0
1640 || EVP_VerifyUpdate(md_ctx, PACKET_data(&params),
1641 PACKET_remaining(&params)) <= 0) {
1642 al = SSL_AD_INTERNAL_ERROR;
1643 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
1644 goto f_err;
1645 }
1646 if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature),
1647 PACKET_remaining(&signature), pkey) <= 0) {
1648 /* bad signature */
1649 al = SSL_AD_DECRYPT_ERROR;
1650 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1651 goto f_err;
1652 }
1653 } else {
1654 /* aNULL, aSRP or PSK do not need public keys */
1655 if (!(alg_a & (SSL_aNULL | SSL_aSRP)) && !(alg_k & SSL_PSK)) {
1656 /* Might be wrong key type, check it */
1657 if (ssl3_check_cert_and_algorithm(s))
1658 /* Otherwise this shouldn't happen */
1659 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1660 goto err;
1661 }
1662 /* still data left over */
1663 if (PACKET_remaining(pkt) != 0) {
1664 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1665 goto f_err;
1666 }
1667 }
1668 EVP_MD_CTX_free(md_ctx);
1669 return MSG_PROCESS_CONTINUE_READING;
1670 f_err:
1671 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1672 err:
1673 #ifndef OPENSSL_NO_RSA
1674 RSA_free(rsa);
1675 #endif
1676 #ifndef OPENSSL_NO_EC
1677 EVP_PKEY_CTX_free(pctx);
1678 #endif
1679 EVP_MD_CTX_free(md_ctx);
1680 ossl_statem_set_error(s);
1681 return MSG_PROCESS_ERROR;
1682 }
1683
1684 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
1685 {
1686 int ret = MSG_PROCESS_ERROR;
1687 unsigned int list_len, ctype_num, i, name_len;
1688 X509_NAME *xn = NULL;
1689 const unsigned char *data;
1690 const unsigned char *namestart, *namebytes;
1691 STACK_OF(X509_NAME) *ca_sk = NULL;
1692
1693 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1694 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1695 goto err;
1696 }
1697
1698 /* get the certificate types */
1699 if (!PACKET_get_1(pkt, &ctype_num)
1700 || !PACKET_get_bytes(pkt, &data, ctype_num)) {
1701 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1702 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1703 goto err;
1704 }
1705 OPENSSL_free(s->cert->ctypes);
1706 s->cert->ctypes = NULL;
1707 if (ctype_num > SSL3_CT_NUMBER) {
1708 /* If we exceed static buffer copy all to cert structure */
1709 s->cert->ctypes = OPENSSL_malloc(ctype_num);
1710 if (s->cert->ctypes == NULL) {
1711 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1712 goto err;
1713 }
1714 memcpy(s->cert->ctypes, data, ctype_num);
1715 s->cert->ctype_num = (size_t)ctype_num;
1716 ctype_num = SSL3_CT_NUMBER;
1717 }
1718 for (i = 0; i < ctype_num; i++)
1719 s->s3->tmp.ctype[i] = data[i];
1720
1721 if (SSL_USE_SIGALGS(s)) {
1722 if (!PACKET_get_net_2(pkt, &list_len)
1723 || !PACKET_get_bytes(pkt, &data, list_len)) {
1724 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1725 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1726 SSL_R_LENGTH_MISMATCH);
1727 goto err;
1728 }
1729
1730 /* Clear certificate digests and validity flags */
1731 for (i = 0; i < SSL_PKEY_NUM; i++) {
1732 s->s3->tmp.md[i] = NULL;
1733 s->s3->tmp.valid_flags[i] = 0;
1734 }
1735 if ((list_len & 1) || !tls1_save_sigalgs(s, data, list_len)) {
1736 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1737 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1738 SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1739 goto err;
1740 }
1741 if (!tls1_process_sigalgs(s)) {
1742 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1743 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1744 goto err;
1745 }
1746 } else {
1747 ssl_set_default_md(s);
1748 }
1749
1750 /* get the CA RDNs */
1751 if (!PACKET_get_net_2(pkt, &list_len)
1752 || PACKET_remaining(pkt) != list_len) {
1753 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1754 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1755 goto err;
1756 }
1757
1758 while (PACKET_remaining(pkt)) {
1759 if (!PACKET_get_net_2(pkt, &name_len)
1760 || !PACKET_get_bytes(pkt, &namebytes, name_len)) {
1761 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1762 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1763 SSL_R_LENGTH_MISMATCH);
1764 goto err;
1765 }
1766
1767 namestart = namebytes;
1768
1769 if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes,
1770 name_len)) == NULL) {
1771 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1772 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1773 goto err;
1774 }
1775
1776 if (namebytes != (namestart + name_len)) {
1777 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1778 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1779 SSL_R_CA_DN_LENGTH_MISMATCH);
1780 goto err;
1781 }
1782 if (!sk_X509_NAME_push(ca_sk, xn)) {
1783 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1784 goto err;
1785 }
1786 xn = NULL;
1787 }
1788
1789 /* we should setup a certificate to return.... */
1790 s->s3->tmp.cert_req = 1;
1791 s->s3->tmp.ctype_num = ctype_num;
1792 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
1793 s->s3->tmp.ca_names = ca_sk;
1794 ca_sk = NULL;
1795
1796 ret = MSG_PROCESS_CONTINUE_READING;
1797 goto done;
1798 err:
1799 ossl_statem_set_error(s);
1800 done:
1801 X509_NAME_free(xn);
1802 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1803 return ret;
1804 }
1805
1806 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
1807 {
1808 return (X509_NAME_cmp(*a, *b));
1809 }
1810
1811 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
1812 {
1813 int al;
1814 unsigned int ticklen;
1815 unsigned long ticket_lifetime_hint;
1816
1817 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
1818 || !PACKET_get_net_2(pkt, &ticklen)
1819 || PACKET_remaining(pkt) != ticklen) {
1820 al = SSL_AD_DECODE_ERROR;
1821 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
1822 goto f_err;
1823 }
1824
1825 /* Server is allowed to change its mind and send an empty ticket. */
1826 if (ticklen == 0)
1827 return MSG_PROCESS_CONTINUE_READING;
1828
1829 if (s->session->session_id_length > 0) {
1830 int i = s->session_ctx->session_cache_mode;
1831 SSL_SESSION *new_sess;
1832 /*
1833 * We reused an existing session, so we need to replace it with a new
1834 * one
1835 */
1836 if (i & SSL_SESS_CACHE_CLIENT) {
1837 /*
1838 * Remove the old session from the cache
1839 */
1840 if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) {
1841 if (s->session_ctx->remove_session_cb != NULL)
1842 s->session_ctx->remove_session_cb(s->session_ctx,
1843 s->session);
1844 } else {
1845 /* We carry on if this fails */
1846 SSL_CTX_remove_session(s->session_ctx, s->session);
1847 }
1848 }
1849
1850 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
1851 al = SSL_AD_INTERNAL_ERROR;
1852 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
1853 goto f_err;
1854 }
1855
1856 SSL_SESSION_free(s->session);
1857 s->session = new_sess;
1858 }
1859
1860 OPENSSL_free(s->session->tlsext_tick);
1861 s->session->tlsext_ticklen = 0;
1862
1863 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1864 if (s->session->tlsext_tick == NULL) {
1865 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
1866 goto err;
1867 }
1868 if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) {
1869 al = SSL_AD_DECODE_ERROR;
1870 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
1871 goto f_err;
1872 }
1873
1874 s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
1875 s->session->tlsext_ticklen = ticklen;
1876 /*
1877 * There are two ways to detect a resumed ticket session. One is to set
1878 * an appropriate session ID and then the server must return a match in
1879 * ServerHello. This allows the normal client session ID matching to work
1880 * and we know much earlier that the ticket has been accepted. The
1881 * other way is to set zero length session ID when the ticket is
1882 * presented and rely on the handshake to determine session resumption.
1883 * We choose the former approach because this fits in with assumptions
1884 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
1885 * SHA256 is disabled) hash of the ticket.
1886 */
1887 EVP_Digest(s->session->tlsext_tick, ticklen,
1888 s->session->session_id, &s->session->session_id_length,
1889 EVP_sha256(), NULL);
1890 return MSG_PROCESS_CONTINUE_READING;
1891 f_err:
1892 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1893 err:
1894 ossl_statem_set_error(s);
1895 return MSG_PROCESS_ERROR;
1896 }
1897
1898 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
1899 {
1900 int al;
1901 unsigned long resplen;
1902 unsigned int type;
1903
1904 if (!PACKET_get_1(pkt, &type)
1905 || type != TLSEXT_STATUSTYPE_ocsp) {
1906 al = SSL_AD_DECODE_ERROR;
1907 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
1908 goto f_err;
1909 }
1910 if (!PACKET_get_net_3(pkt, &resplen)
1911 || PACKET_remaining(pkt) != resplen) {
1912 al = SSL_AD_DECODE_ERROR;
1913 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
1914 goto f_err;
1915 }
1916 s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
1917 if (s->tlsext_ocsp_resp == NULL) {
1918 al = SSL_AD_INTERNAL_ERROR;
1919 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE);
1920 goto f_err;
1921 }
1922 if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
1923 al = SSL_AD_DECODE_ERROR;
1924 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
1925 goto f_err;
1926 }
1927 s->tlsext_ocsp_resplen = resplen;
1928 return MSG_PROCESS_CONTINUE_READING;
1929 f_err:
1930 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1931 ossl_statem_set_error(s);
1932 return MSG_PROCESS_ERROR;
1933 }
1934
1935 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
1936 {
1937 if (PACKET_remaining(pkt) > 0) {
1938 /* should contain no data */
1939 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1940 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
1941 ossl_statem_set_error(s);
1942 return MSG_PROCESS_ERROR;
1943 }
1944
1945 #ifndef OPENSSL_NO_SRP
1946 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
1947 if (SRP_Calc_A_param(s) <= 0) {
1948 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
1949 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1950 ossl_statem_set_error(s);
1951 return MSG_PROCESS_ERROR;
1952 }
1953 }
1954 #endif
1955
1956 /*
1957 * at this point we check that we have the required stuff from
1958 * the server
1959 */
1960 if (!ssl3_check_cert_and_algorithm(s)) {
1961 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1962 ossl_statem_set_error(s);
1963 return MSG_PROCESS_ERROR;
1964 }
1965
1966 /*
1967 * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
1968 * |tlsext_ocsp_resplen| values will be set if we actually received a status
1969 * message, or NULL and -1 otherwise
1970 */
1971 if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) {
1972 int ret;
1973 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1974 if (ret == 0) {
1975 ssl3_send_alert(s, SSL3_AL_FATAL,
1976 SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
1977 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE,
1978 SSL_R_INVALID_STATUS_RESPONSE);
1979 return MSG_PROCESS_ERROR;
1980 }
1981 if (ret < 0) {
1982 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1983 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, ERR_R_MALLOC_FAILURE);
1984 return MSG_PROCESS_ERROR;
1985 }
1986 }
1987
1988 #ifndef OPENSSL_NO_CT
1989 if (s->ct_validation_callback != NULL) {
1990 /* Note we validate the SCTs whether or not we abort on error */
1991 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
1992 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1993 return MSG_PROCESS_ERROR;
1994 }
1995 }
1996 #endif
1997
1998 #ifndef OPENSSL_NO_SCTP
1999 /* Only applies to renegotiation */
2000 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
2001 && s->renegotiate != 0)
2002 return MSG_PROCESS_CONTINUE_PROCESSING;
2003 else
2004 #endif
2005 return MSG_PROCESS_FINISHED_READING;
2006 }
2007
2008 int tls_construct_client_key_exchange(SSL *s)
2009 {
2010 unsigned char *p;
2011 int n;
2012 #ifndef OPENSSL_NO_PSK
2013 size_t pskhdrlen = 0;
2014 #endif
2015 unsigned long alg_k;
2016 #ifndef OPENSSL_NO_RSA
2017 unsigned char *q;
2018 EVP_PKEY *pkey = NULL;
2019 EVP_PKEY_CTX *pctx = NULL;
2020 #endif
2021 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
2022 EVP_PKEY *ckey = NULL, *skey = NULL;
2023 #endif
2024 #ifndef OPENSSL_NO_EC
2025 unsigned char *encodedPoint = NULL;
2026 int encoded_pt_len = 0;
2027 #endif
2028 unsigned char *pms = NULL;
2029 size_t pmslen = 0;
2030 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2031
2032 p = ssl_handshake_start(s);
2033
2034
2035 #ifndef OPENSSL_NO_PSK
2036 if (alg_k & SSL_PSK) {
2037 int psk_err = 1;
2038 /*
2039 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2040 * \0-terminated identity. The last byte is for us for simulating
2041 * strnlen.
2042 */
2043 char identity[PSK_MAX_IDENTITY_LEN + 1];
2044 size_t identitylen;
2045 unsigned char psk[PSK_MAX_PSK_LEN];
2046 size_t psklen;
2047
2048 if (s->psk_client_callback == NULL) {
2049 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2050 SSL_R_PSK_NO_CLIENT_CB);
2051 goto err;
2052 }
2053
2054 memset(identity, 0, sizeof(identity));
2055
2056 psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2057 identity, sizeof(identity) - 1,
2058 psk, sizeof(psk));
2059
2060 if (psklen > PSK_MAX_PSK_LEN) {
2061 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2062 ERR_R_INTERNAL_ERROR);
2063 goto psk_err;
2064 } else if (psklen == 0) {
2065 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2066 SSL_R_PSK_IDENTITY_NOT_FOUND);
2067 goto psk_err;
2068 }
2069 OPENSSL_free(s->s3->tmp.psk);
2070 s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
2071 OPENSSL_cleanse(psk, psklen);
2072
2073 if (s->s3->tmp.psk == NULL) {
2074 OPENSSL_cleanse(identity, sizeof(identity));
2075 goto memerr;
2076 }
2077
2078 s->s3->tmp.psklen = psklen;
2079 identitylen = strlen(identity);
2080 if (identitylen > PSK_MAX_IDENTITY_LEN) {
2081 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2082 ERR_R_INTERNAL_ERROR);
2083 goto psk_err;
2084 }
2085 OPENSSL_free(s->session->psk_identity);
2086 s->session->psk_identity = OPENSSL_strdup(identity);
2087 if (s->session->psk_identity == NULL) {
2088 OPENSSL_cleanse(identity, sizeof(identity));
2089 goto memerr;
2090 }
2091
2092 s2n(identitylen, p);
2093 memcpy(p, identity, identitylen);
2094 pskhdrlen = 2 + identitylen;
2095 p += identitylen;
2096 psk_err = 0;
2097 psk_err:
2098 OPENSSL_cleanse(identity, sizeof(identity));
2099 if (psk_err != 0) {
2100 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2101 goto err;
2102 }
2103 }
2104 if (alg_k & SSL_kPSK) {
2105 n = 0;
2106 } else
2107 #endif
2108
2109 /* Fool emacs indentation */
2110 if (0) {
2111 }
2112 #ifndef OPENSSL_NO_RSA
2113 else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2114 size_t enclen;
2115 pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2116 pms = OPENSSL_malloc(pmslen);
2117 if (pms == NULL)
2118 goto memerr;
2119
2120 if (s->session->peer == NULL) {
2121 /*
2122 * We should always have a server certificate with SSL_kRSA.
2123 */
2124 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2125 ERR_R_INTERNAL_ERROR);
2126 goto err;
2127 }
2128
2129 pkey = X509_get0_pubkey(s->session->peer);
2130 if (EVP_PKEY_get0_RSA(pkey) == NULL) {
2131 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2132 ERR_R_INTERNAL_ERROR);
2133 goto err;
2134 }
2135
2136 pms[0] = s->client_version >> 8;
2137 pms[1] = s->client_version & 0xff;
2138 if (RAND_bytes(pms + 2, pmslen - 2) <= 0)
2139 goto err;
2140
2141 q = p;
2142 /* Fix buf for TLS and beyond */
2143 if (s->version > SSL3_VERSION)
2144 p += 2;
2145 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2146 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
2147 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
2148 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2149 ERR_R_EVP_LIB);
2150 goto err;
2151 }
2152 if (EVP_PKEY_encrypt(pctx, p, &enclen, pms, pmslen) <= 0) {
2153 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2154 SSL_R_BAD_RSA_ENCRYPT);
2155 goto err;
2156 }
2157 n = enclen;
2158 EVP_PKEY_CTX_free(pctx);
2159 pctx = NULL;
2160 # ifdef PKCS1_CHECK
2161 if (s->options & SSL_OP_PKCS1_CHECK_1)
2162 p[1]++;
2163 if (s->options & SSL_OP_PKCS1_CHECK_2)
2164 tmp_buf[0] = 0x70;
2165 # endif
2166
2167 /* Fix buf for TLS and beyond */
2168 if (s->version > SSL3_VERSION) {
2169 s2n(n, q);
2170 n += 2;
2171 }
2172 }
2173 #endif
2174 #ifndef OPENSSL_NO_DH
2175 else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2176 DH *dh_clnt = NULL;
2177 BIGNUM *pub_key;
2178 skey = s->s3->peer_tmp;
2179 if (skey == NULL) {
2180 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2181 ERR_R_INTERNAL_ERROR);
2182 goto err;
2183 }
2184 ckey = ssl_generate_pkey(skey, NID_undef);
2185 dh_clnt = EVP_PKEY_get0_DH(ckey);
2186
2187 if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0) {
2188 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2189 ERR_R_INTERNAL_ERROR);
2190 goto err;
2191 }
2192
2193
2194 /* send off the data */
2195 DH_get0_key(dh_clnt, &pub_key, NULL);
2196 n = BN_num_bytes(pub_key);
2197 s2n(n, p);
2198 BN_bn2bin(pub_key, p);
2199 n += 2;
2200 EVP_PKEY_free(ckey);
2201 ckey = NULL;
2202 }
2203 #endif
2204
2205 #ifndef OPENSSL_NO_EC
2206 else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2207
2208 skey = s->s3->peer_tmp;
2209 if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
2210 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2211 ERR_R_INTERNAL_ERROR);
2212 goto err;
2213 }
2214
2215 ckey = ssl_generate_pkey(skey, NID_undef);
2216
2217 if (ssl_derive(s, ckey, skey) == 0) {
2218 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
2219 goto err;
2220 }
2221
2222 /* Generate encoding of client key */
2223 encoded_pt_len = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(ckey),
2224 POINT_CONVERSION_UNCOMPRESSED,
2225 &encodedPoint, NULL);
2226
2227 if (encoded_pt_len == 0) {
2228 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2229 goto err;
2230 }
2231
2232 EVP_PKEY_free(ckey);
2233 ckey = NULL;
2234
2235 n = encoded_pt_len;
2236
2237 *p = n; /* length of encoded point */
2238 /* Encoded point will be copied here */
2239 p += 1;
2240 /* copy the point */
2241 memcpy(p, encodedPoint, n);
2242 /* increment n to account for length field */
2243 n += 1;
2244
2245 /* Free allocated memory */
2246 OPENSSL_free(encodedPoint);
2247 }
2248 #endif /* !OPENSSL_NO_EC */
2249 #ifndef OPENSSL_NO_GOST
2250 else if (alg_k & SSL_kGOST) {
2251 /* GOST key exchange message creation */
2252 EVP_PKEY_CTX *pkey_ctx;
2253 X509 *peer_cert;
2254 size_t msglen;
2255 unsigned int md_len;
2256 unsigned char shared_ukm[32], tmp[256];
2257 EVP_MD_CTX *ukm_hash;
2258 int dgst_nid = NID_id_GostR3411_94;
2259 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
2260 dgst_nid = NID_id_GostR3411_2012_256;
2261
2262
2263 pmslen = 32;
2264 pms = OPENSSL_malloc(pmslen);
2265 if (pms == NULL)
2266 goto memerr;
2267
2268 /*
2269 * Get server sertificate PKEY and create ctx from it
2270 */
2271 peer_cert = s->session->peer;
2272 if (!peer_cert) {
2273 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2274 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2275 goto err;
2276 }
2277
2278 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
2279 if (pkey_ctx == NULL) {
2280 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2281 ERR_R_MALLOC_FAILURE);
2282 goto err;
2283 }
2284 /*
2285 * If we have send a certificate, and certificate key
2286 * parameters match those of server certificate, use
2287 * certificate key for key exchange
2288 */
2289
2290 /* Otherwise, generate ephemeral key pair */
2291
2292 if (pkey_ctx == NULL
2293 || EVP_PKEY_encrypt_init(pkey_ctx) <= 0
2294 /* Generate session key */
2295 || RAND_bytes(pms, pmslen) <= 0) {
2296 EVP_PKEY_CTX_free(pkey_ctx);
2297 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2298 ERR_R_INTERNAL_ERROR);
2299 goto err;
2300 };
2301 /*
2302 * If we have client certificate, use its secret as peer key
2303 */
2304 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2305 if (EVP_PKEY_derive_set_peer
2306 (pkey_ctx, s->cert->key->privatekey) <= 0) {
2307 /*
2308 * If there was an error - just ignore it. Ephemeral key
2309 * * would be used
2310 */
2311 ERR_clear_error();
2312 }
2313 }
2314 /*
2315 * Compute shared IV and store it in algorithm-specific context
2316 * data
2317 */
2318 ukm_hash = EVP_MD_CTX_new();
2319 if (EVP_DigestInit(ukm_hash,
2320 EVP_get_digestbynid(dgst_nid)) <= 0
2321 || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
2322 SSL3_RANDOM_SIZE) <= 0
2323 || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
2324 SSL3_RANDOM_SIZE) <= 0
2325 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
2326 EVP_MD_CTX_free(ukm_hash);
2327 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2328 ERR_R_INTERNAL_ERROR);
2329 goto err;
2330 }
2331 EVP_MD_CTX_free(ukm_hash);
2332 if (EVP_PKEY_CTX_ctrl
2333 (pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8,
2334 shared_ukm) < 0) {
2335 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2336 SSL_R_LIBRARY_BUG);
2337 goto err;
2338 }
2339 /* Make GOST keytransport blob message */
2340 /*
2341 * Encapsulate it into sequence
2342 */
2343 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2344 msglen = 255;
2345 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
2346 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2347 SSL_R_LIBRARY_BUG);
2348 goto err;
2349 }
2350 if (msglen >= 0x80) {
2351 *(p++) = 0x81;
2352 *(p++) = msglen & 0xff;
2353 n = msglen + 3;
2354 } else {
2355 *(p++) = msglen & 0xff;
2356 n = msglen + 2;
2357 }
2358 memcpy(p, tmp, msglen);
2359 /* Check if pubkey from client certificate was used */
2360 if (EVP_PKEY_CTX_ctrl
2361 (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2362 /* Set flag "skip certificate verify" */
2363 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2364 }
2365 EVP_PKEY_CTX_free(pkey_ctx);
2366
2367 }
2368 #endif
2369 #ifndef OPENSSL_NO_SRP
2370 else if (alg_k & SSL_kSRP) {
2371 if (s->srp_ctx.A != NULL) {
2372 /* send off the data */
2373 n = BN_num_bytes(s->srp_ctx.A);
2374 s2n(n, p);
2375 BN_bn2bin(s->srp_ctx.A, p);
2376 n += 2;
2377 } else {
2378 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2379 ERR_R_INTERNAL_ERROR);
2380 goto err;
2381 }
2382 OPENSSL_free(s->session->srp_username);
2383 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2384 if (s->session->srp_username == NULL) {
2385 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
2386 ERR_R_MALLOC_FAILURE);
2387 goto err;
2388 }
2389 }
2390 #endif
2391 else {
2392 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2393 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2394 goto err;
2395 }
2396
2397 #ifndef OPENSSL_NO_PSK
2398 n += pskhdrlen;
2399 #endif
2400
2401 if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
2402 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2403 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2404 goto err;
2405 }
2406
2407 if (pms != NULL) {
2408 s->s3->tmp.pms = pms;
2409 s->s3->tmp.pmslen = pmslen;
2410 }
2411
2412 return 1;
2413 memerr:
2414 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2415 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2416 err:
2417 OPENSSL_clear_free(pms, pmslen);
2418 s->s3->tmp.pms = NULL;
2419 #ifndef OPENSSL_NO_RSA
2420 EVP_PKEY_CTX_free(pctx);
2421 #endif
2422 #ifndef OPENSSL_NO_EC
2423 OPENSSL_free(encodedPoint);
2424 #endif
2425 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
2426 EVP_PKEY_free(ckey);
2427 #endif
2428 #ifndef OPENSSL_NO_PSK
2429 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
2430 s->s3->tmp.psk = NULL;
2431 #endif
2432 ossl_statem_set_error(s);
2433 return 0;
2434 }
2435
2436 int tls_client_key_exchange_post_work(SSL *s)
2437 {
2438 unsigned char *pms = NULL;
2439 size_t pmslen = 0;
2440
2441 pms = s->s3->tmp.pms;
2442 pmslen = s->s3->tmp.pmslen;
2443
2444 #ifndef OPENSSL_NO_SRP
2445 /* Check for SRP */
2446 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2447 if (!srp_generate_client_master_secret(s)) {
2448 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
2449 ERR_R_INTERNAL_ERROR);
2450 goto err;
2451 }
2452 return 1;
2453 }
2454 #endif
2455
2456 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
2457 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2458 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
2459 goto err;
2460 }
2461 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
2462 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2463 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR);
2464 /* ssl_generate_master_secret frees the pms even on error */
2465 pms = NULL;
2466 pmslen = 0;
2467 goto err;
2468 }
2469 pms = NULL;
2470 pmslen = 0;
2471
2472 #ifndef OPENSSL_NO_SCTP
2473 if (SSL_IS_DTLS(s)) {
2474 unsigned char sctpauthkey[64];
2475 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
2476
2477 /*
2478 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
2479 * used.
2480 */
2481 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
2482 sizeof(DTLS1_SCTP_AUTH_LABEL));
2483
2484 if (SSL_export_keying_material(s, sctpauthkey,
2485 sizeof(sctpauthkey), labelbuffer,
2486 sizeof(labelbuffer), NULL, 0, 0) <= 0)
2487 goto err;
2488
2489 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
2490 sizeof(sctpauthkey), sctpauthkey);
2491 }
2492 #endif
2493
2494 return 1;
2495 err:
2496 OPENSSL_clear_free(pms, pmslen);
2497 s->s3->tmp.pms = NULL;
2498 return 0;
2499 }
2500
2501 int tls_construct_client_verify(SSL *s)
2502 {
2503 unsigned char *p;
2504 EVP_PKEY *pkey;
2505 const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
2506 EVP_MD_CTX *mctx;
2507 unsigned u = 0;
2508 unsigned long n = 0;
2509 long hdatalen = 0;
2510 void *hdata;
2511
2512 mctx = EVP_MD_CTX_new();
2513 if (mctx == NULL) {
2514 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
2515 goto err;
2516 }
2517
2518 p = ssl_handshake_start(s);
2519 pkey = s->cert->key->privatekey;
2520
2521 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2522 if (hdatalen <= 0) {
2523 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
2524 goto err;
2525 }
2526 if (SSL_USE_SIGALGS(s)) {
2527 if (!tls12_get_sigandhash(p, pkey, md)) {
2528 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
2529 goto err;
2530 }
2531 p += 2;
2532 n = 2;
2533 }
2534 #ifdef SSL_DEBUG
2535 fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
2536 #endif
2537 if (!EVP_SignInit_ex(mctx, md, NULL)
2538 || !EVP_SignUpdate(mctx, hdata, hdatalen)
2539 || (s->version == SSL3_VERSION
2540 && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2541 s->session->master_key_length,
2542 s->session->master_key))
2543 || !EVP_SignFinal(mctx, p + 2, &u, pkey)) {
2544 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
2545 goto err;
2546 }
2547 #ifndef OPENSSL_NO_GOST
2548 {
2549 int pktype = EVP_PKEY_id(pkey);
2550 if (pktype == NID_id_GostR3410_2001
2551 || pktype == NID_id_GostR3410_2012_256
2552 || pktype == NID_id_GostR3410_2012_512)
2553 BUF_reverse(p + 2, NULL, u);
2554 }
2555 #endif
2556
2557 s2n(u, p);
2558 n += u + 2;
2559 /* Digest cached records and discard handshake buffer */
2560 if (!ssl3_digest_cached_records(s, 0))
2561 goto err;
2562 if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
2563 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
2564 goto err;
2565 }
2566
2567 EVP_MD_CTX_free(mctx);
2568 return 1;
2569 err:
2570 EVP_MD_CTX_free(mctx);
2571 return 0;
2572 }
2573
2574 /*
2575 * Check a certificate can be used for client authentication. Currently check
2576 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
2577 * certificates can be used and optionally checks suitability for Suite B.
2578 */
2579 static int ssl3_check_client_certificate(SSL *s)
2580 {
2581 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2582 return 0;
2583 /* If no suitable signature algorithm can't use certificate */
2584 if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
2585 return 0;
2586 /*
2587 * If strict mode check suitability of chain before using it. This also
2588 * adjusts suite B digest if necessary.
2589 */
2590 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2591 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2592 return 0;
2593 return 1;
2594 }
2595
2596 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
2597 {
2598 X509 *x509 = NULL;
2599 EVP_PKEY *pkey = NULL;
2600 int i;
2601
2602 if (wst == WORK_MORE_A) {
2603 /* Let cert callback update client certificates if required */
2604 if (s->cert->cert_cb) {
2605 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2606 if (i < 0) {
2607 s->rwstate = SSL_X509_LOOKUP;
2608 return WORK_MORE_A;
2609 }
2610 if (i == 0) {
2611 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2612 ossl_statem_set_error(s);
2613 return 0;
2614 }
2615 s->rwstate = SSL_NOTHING;
2616 }
2617 if (ssl3_check_client_certificate(s))
2618 return WORK_FINISHED_CONTINUE;
2619
2620 /* Fall through to WORK_MORE_B */
2621 wst = WORK_MORE_B;
2622 }
2623
2624 /* We need to get a client cert */
2625 if (wst == WORK_MORE_B) {
2626 /*
2627 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
2628 * return(-1); We then get retied later
2629 */
2630 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2631 if (i < 0) {
2632 s->rwstate = SSL_X509_LOOKUP;
2633 return WORK_MORE_B;
2634 }
2635 s->rwstate = SSL_NOTHING;
2636 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
2637 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
2638 i = 0;
2639 } else if (i == 1) {
2640 i = 0;
2641 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
2642 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2643 }
2644
2645 X509_free(x509);
2646 EVP_PKEY_free(pkey);
2647 if (i && !ssl3_check_client_certificate(s))
2648 i = 0;
2649 if (i == 0) {
2650 if (s->version == SSL3_VERSION) {
2651 s->s3->tmp.cert_req = 0;
2652 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
2653 return WORK_FINISHED_CONTINUE;
2654 } else {
2655 s->s3->tmp.cert_req = 2;
2656 if (!ssl3_digest_cached_records(s, 0)) {
2657 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2658 ossl_statem_set_error(s);
2659 return 0;
2660 }
2661 }
2662 }
2663
2664 return WORK_FINISHED_CONTINUE;
2665 }
2666
2667 /* Shouldn't ever get here */
2668 return WORK_ERROR;
2669 }
2670
2671 int tls_construct_client_certificate(SSL *s)
2672 {
2673 if (!ssl3_output_cert_chain(s,
2674 (s->s3->tmp.cert_req ==
2675 2) ? NULL : s->cert->key)) {
2676 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
2677 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2678 ossl_statem_set_error(s);
2679 return 0;
2680 }
2681
2682 return 1;
2683 }
2684
2685 #define has_bits(i,m) (((i)&(m)) == (m))
2686
2687 int ssl3_check_cert_and_algorithm(SSL *s)
2688 {
2689 int i;
2690 #ifndef OPENSSL_NO_EC
2691 int idx;
2692 #endif
2693 long alg_k, alg_a;
2694 EVP_PKEY *pkey = NULL;
2695 int al = SSL_AD_HANDSHAKE_FAILURE;
2696
2697 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2698 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2699
2700 /* we don't have a certificate */
2701 if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
2702 return (1);
2703
2704 /* This is the passed certificate */
2705
2706 #ifndef OPENSSL_NO_EC
2707 idx = s->session->peer_type;
2708 if (idx == SSL_PKEY_ECC) {
2709 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
2710 /* check failed */
2711 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
2712 goto f_err;
2713 } else {
2714 return 1;
2715 }
2716 } else if (alg_a & SSL_aECDSA) {
2717 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2718 SSL_R_MISSING_ECDSA_SIGNING_CERT);
2719 goto f_err;
2720 }
2721 #endif
2722 pkey = X509_get0_pubkey(s->session->peer);
2723 i = X509_certificate_type(s->session->peer, pkey);
2724
2725 /* Check that we have a certificate if we require one */
2726 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
2727 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2728 SSL_R_MISSING_RSA_SIGNING_CERT);
2729 goto f_err;
2730 }
2731 #ifndef OPENSSL_NO_DSA
2732 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) {
2733 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2734 SSL_R_MISSING_DSA_SIGNING_CERT);
2735 goto f_err;
2736 }
2737 #endif
2738 #ifndef OPENSSL_NO_RSA
2739 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
2740 !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
2741 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2742 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2743 goto f_err;
2744 }
2745 #endif
2746 #ifndef OPENSSL_NO_DH
2747 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
2748 al = SSL_AD_INTERNAL_ERROR;
2749 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
2750 goto f_err;
2751 }
2752 #endif
2753
2754 return (1);
2755 f_err:
2756 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2757 return (0);
2758 }
2759
2760 #ifndef OPENSSL_NO_NEXTPROTONEG
2761 int tls_construct_next_proto(SSL *s)
2762 {
2763 unsigned int len, padding_len;
2764 unsigned char *d;
2765
2766 len = s->next_proto_negotiated_len;
2767 padding_len = 32 - ((len + 2) % 32);
2768 d = (unsigned char *)s->init_buf->data;
2769 d[4] = len;
2770 memcpy(d + 5, s->next_proto_negotiated, len);
2771 d[5 + len] = padding_len;
2772 memset(d + 6 + len, 0, padding_len);
2773 *(d++) = SSL3_MT_NEXT_PROTO;
2774 l2n3(2 + len + padding_len, d);
2775 s->init_num = 4 + 2 + len + padding_len;
2776 s->init_off = 0;
2777
2778 return 1;
2779 }
2780 #endif
2781
2782 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2783 {
2784 int i = 0;
2785 #ifndef OPENSSL_NO_ENGINE
2786 if (s->ctx->client_cert_engine) {
2787 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
2788 SSL_get_client_CA_list(s),
2789 px509, ppkey, NULL, NULL, NULL);
2790 if (i != 0)
2791 return i;
2792 }
2793 #endif
2794 if (s->ctx->client_cert_cb)
2795 i = s->ctx->client_cert_cb(s, px509, ppkey);
2796 return i;
2797 }
2798
2799 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
2800 unsigned char *p)
2801 {
2802 int i, j = 0;
2803 const SSL_CIPHER *c;
2804 unsigned char *q;
2805 int empty_reneg_info_scsv = !s->renegotiate;
2806 /* Set disabled masks for this session */
2807 ssl_set_client_disabled(s);
2808
2809 if (sk == NULL)
2810 return (0);
2811 q = p;
2812
2813 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
2814 c = sk_SSL_CIPHER_value(sk, i);
2815 /* Skip disabled ciphers */
2816 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
2817 continue;
2818 j = s->method->put_cipher_by_char(c, p);
2819 p += j;
2820 }
2821 /*
2822 * If p == q, no ciphers; caller indicates an error. Otherwise, add
2823 * applicable SCSVs.
2824 */
2825 if (p != q) {
2826 if (empty_reneg_info_scsv) {
2827 static SSL_CIPHER scsv = {
2828 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
2829 };
2830 j = s->method->put_cipher_by_char(&scsv, p);
2831 p += j;
2832 }
2833 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
2834 static SSL_CIPHER scsv = {
2835 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
2836 };
2837 j = s->method->put_cipher_by_char(&scsv, p);
2838 p += j;
2839 }
2840 }
2841
2842 return (p - q);
2843 }
A mirror of the official openssl repository