2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
13 * Portions of the attached software ("Contribution") are developed by
14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
16 * The Contribution is licensed pursuant to the OpenSSL open source
17 * license provided above.
19 * ECC cipher suite support in OpenSSL originally written by
20 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
23 /* ====================================================================
24 * Copyright 2005 Nokia. All rights reserved.
26 * The portions of the attached software ("Contribution") is developed by
27 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
30 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
31 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
32 * support (see RFC 4279) to OpenSSL.
34 * No patent licenses or other rights except those expressly stated in
35 * the OpenSSL open source license shall be deemed granted or received
36 * expressly, by implication, estoppel, or otherwise.
38 * No assurances are provided by Nokia that the Contribution does not
39 * infringe the patent or other intellectual property rights of any third
40 * party or that the license provides you with all the necessary rights
41 * to make use of the Contribution.
43 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
44 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
45 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
46 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
51 #include "../ssl_locl.h"
52 #include "statem_locl.h"
53 #include <openssl/buffer.h>
54 #include <openssl/rand.h>
55 #include <openssl/objects.h>
56 #include <openssl/evp.h>
57 #include <openssl/md5.h>
58 #include <openssl/dh.h>
59 #include <openssl/bn.h>
60 #include <openssl/engine.h>
62 static ossl_inline
int cert_req_allowed(SSL
*s
);
63 static int key_exchange_expected(SSL
*s
);
64 static int ca_dn_cmp(const X509_NAME
*const *a
, const X509_NAME
*const *b
);
65 static int ssl_cipher_list_to_bytes(SSL
*s
, STACK_OF(SSL_CIPHER
) *sk
,
69 * Is a CertificateRequest message allowed at the moment or not?
75 static ossl_inline
int cert_req_allowed(SSL
*s
)
77 /* TLS does not like anon-DH with client cert */
78 if ((s
->version
> SSL3_VERSION
79 && (s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aNULL
))
80 || (s
->s3
->tmp
.new_cipher
->algorithm_auth
& (SSL_aSRP
| SSL_aPSK
)))
87 * Should we expect the ServerKeyExchange message or not?
93 static int key_exchange_expected(SSL
*s
)
95 long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
98 * Can't skip server key exchange if this is an ephemeral
99 * ciphersuite or for SRP
101 if (alg_k
& (SSL_kDHE
| SSL_kECDHE
| SSL_kDHEPSK
| SSL_kECDHEPSK
110 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
111 * handshake state transitions when the client is reading messages from the
112 * server. The message type that the server has sent is provided in |mt|. The
113 * current state is in |s->statem.hand_state|.
116 * 1: Success (transition allowed)
117 * 0: Error (transition not allowed)
119 int ossl_statem_client_read_transition(SSL
*s
, int mt
)
121 OSSL_STATEM
*st
= &s
->statem
;
124 switch (st
->hand_state
) {
125 case TLS_ST_CW_CLNT_HELLO
:
126 if (mt
== SSL3_MT_SERVER_HELLO
) {
127 st
->hand_state
= TLS_ST_CR_SRVR_HELLO
;
131 if (SSL_IS_DTLS(s
)) {
132 if (mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
133 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
139 case TLS_ST_CR_SRVR_HELLO
:
141 if (s
->tlsext_ticket_expected
) {
142 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
143 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
146 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
147 st
->hand_state
= TLS_ST_CR_CHANGE
;
151 if (SSL_IS_DTLS(s
) && mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
152 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
154 } else if (s
->version
>= TLS1_VERSION
155 && s
->tls_session_secret_cb
!= NULL
156 && s
->session
->tlsext_tick
!= NULL
157 && mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
159 * Normally, we can tell if the server is resuming the session
160 * from the session ID. EAP-FAST (RFC 4851), however, relies on
161 * the next server message after the ServerHello to determine if
162 * the server is resuming.
165 st
->hand_state
= TLS_ST_CR_CHANGE
;
167 } else if (!(s
->s3
->tmp
.new_cipher
->algorithm_auth
168 & (SSL_aNULL
| SSL_aSRP
| SSL_aPSK
))) {
169 if (mt
== SSL3_MT_CERTIFICATE
) {
170 st
->hand_state
= TLS_ST_CR_CERT
;
174 ske_expected
= key_exchange_expected(s
);
175 /* SKE is optional for some PSK ciphersuites */
177 || ((s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_PSK
)
178 && mt
== SSL3_MT_SERVER_KEY_EXCHANGE
)) {
179 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
180 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
183 } else if (mt
== SSL3_MT_CERTIFICATE_REQUEST
184 && cert_req_allowed(s
)) {
185 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
187 } else if (mt
== SSL3_MT_SERVER_DONE
) {
188 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
197 * The CertificateStatus message is optional even if
198 * |tlsext_status_expected| is set
200 if (s
->tlsext_status_expected
&& mt
== SSL3_MT_CERTIFICATE_STATUS
) {
201 st
->hand_state
= TLS_ST_CR_CERT_STATUS
;
206 case TLS_ST_CR_CERT_STATUS
:
207 ske_expected
= key_exchange_expected(s
);
208 /* SKE is optional for some PSK ciphersuites */
209 if (ske_expected
|| ((s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_PSK
)
210 && mt
== SSL3_MT_SERVER_KEY_EXCHANGE
)) {
211 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
212 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
219 case TLS_ST_CR_KEY_EXCH
:
220 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
) {
221 if (cert_req_allowed(s
)) {
222 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
229 case TLS_ST_CR_CERT_REQ
:
230 if (mt
== SSL3_MT_SERVER_DONE
) {
231 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
236 case TLS_ST_CW_FINISHED
:
237 if (s
->tlsext_ticket_expected
) {
238 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
239 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
242 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
243 st
->hand_state
= TLS_ST_CR_CHANGE
;
248 case TLS_ST_CR_SESSION_TICKET
:
249 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
250 st
->hand_state
= TLS_ST_CR_CHANGE
;
255 case TLS_ST_CR_CHANGE
:
256 if (mt
== SSL3_MT_FINISHED
) {
257 st
->hand_state
= TLS_ST_CR_FINISHED
;
267 /* No valid transition found */
268 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL3_AD_UNEXPECTED_MESSAGE
);
269 SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION
, SSL_R_UNEXPECTED_MESSAGE
);
274 * client_write_transition() works out what handshake state to move to next
275 * when the client is writing messages to be sent to the server.
277 WRITE_TRAN
ossl_statem_client_write_transition(SSL
*s
)
279 OSSL_STATEM
*st
= &s
->statem
;
281 switch (st
->hand_state
) {
283 /* Renegotiation - fall through */
285 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
286 return WRITE_TRAN_CONTINUE
;
288 case TLS_ST_CW_CLNT_HELLO
:
290 * No transition at the end of writing because we don't know what
293 return WRITE_TRAN_FINISHED
;
295 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
296 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
297 return WRITE_TRAN_CONTINUE
;
299 case TLS_ST_CR_SRVR_DONE
:
300 if (s
->s3
->tmp
.cert_req
)
301 st
->hand_state
= TLS_ST_CW_CERT
;
303 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
304 return WRITE_TRAN_CONTINUE
;
307 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
308 return WRITE_TRAN_CONTINUE
;
310 case TLS_ST_CW_KEY_EXCH
:
312 * For TLS, cert_req is set to 2, so a cert chain of nothing is
313 * sent, but no verify packet is sent
316 * XXX: For now, we do not support client authentication in ECDH
317 * cipher suites with ECDH (rather than ECDSA) certificates. We
318 * need to skip the certificate verify message when client's
319 * ECDH public key is sent inside the client certificate.
321 if (s
->s3
->tmp
.cert_req
== 1) {
322 st
->hand_state
= TLS_ST_CW_CERT_VRFY
;
324 st
->hand_state
= TLS_ST_CW_CHANGE
;
326 if (s
->s3
->flags
& TLS1_FLAGS_SKIP_CERT_VERIFY
) {
327 st
->hand_state
= TLS_ST_CW_CHANGE
;
329 return WRITE_TRAN_CONTINUE
;
331 case TLS_ST_CW_CERT_VRFY
:
332 st
->hand_state
= TLS_ST_CW_CHANGE
;
333 return WRITE_TRAN_CONTINUE
;
335 case TLS_ST_CW_CHANGE
:
336 #if defined(OPENSSL_NO_NEXTPROTONEG)
337 st
->hand_state
= TLS_ST_CW_FINISHED
;
339 if (!SSL_IS_DTLS(s
) && s
->s3
->next_proto_neg_seen
)
340 st
->hand_state
= TLS_ST_CW_NEXT_PROTO
;
342 st
->hand_state
= TLS_ST_CW_FINISHED
;
344 return WRITE_TRAN_CONTINUE
;
346 #if !defined(OPENSSL_NO_NEXTPROTONEG)
347 case TLS_ST_CW_NEXT_PROTO
:
348 st
->hand_state
= TLS_ST_CW_FINISHED
;
349 return WRITE_TRAN_CONTINUE
;
352 case TLS_ST_CW_FINISHED
:
354 st
->hand_state
= TLS_ST_OK
;
355 ossl_statem_set_in_init(s
, 0);
356 return WRITE_TRAN_CONTINUE
;
358 return WRITE_TRAN_FINISHED
;
361 case TLS_ST_CR_FINISHED
:
363 st
->hand_state
= TLS_ST_CW_CHANGE
;
364 return WRITE_TRAN_CONTINUE
;
366 st
->hand_state
= TLS_ST_OK
;
367 ossl_statem_set_in_init(s
, 0);
368 return WRITE_TRAN_CONTINUE
;
372 /* Shouldn't happen */
373 return WRITE_TRAN_ERROR
;
378 * Perform any pre work that needs to be done prior to sending a message from
379 * the client to the server.
381 WORK_STATE
ossl_statem_client_pre_work(SSL
*s
, WORK_STATE wst
)
383 OSSL_STATEM
*st
= &s
->statem
;
385 switch (st
->hand_state
) {
386 case TLS_ST_CW_CLNT_HELLO
:
388 if (SSL_IS_DTLS(s
)) {
389 /* every DTLS ClientHello resets Finished MAC */
390 if (!ssl3_init_finished_mac(s
)) {
391 ossl_statem_set_error(s
);
397 case TLS_ST_CW_CHANGE
:
398 if (SSL_IS_DTLS(s
)) {
401 * We're into the last flight so we don't retransmit these
402 * messages unless we need to.
406 #ifndef OPENSSL_NO_SCTP
407 if (BIO_dgram_is_sctp(SSL_get_wbio(s
)))
408 return dtls_wait_for_dry(s
);
411 return WORK_FINISHED_CONTINUE
;
414 return tls_finish_handshake(s
, wst
);
417 /* No pre work to be done */
421 return WORK_FINISHED_CONTINUE
;
425 * Perform any work that needs to be done after sending a message from the
426 * client to the server.
428 WORK_STATE
ossl_statem_client_post_work(SSL
*s
, WORK_STATE wst
)
430 OSSL_STATEM
*st
= &s
->statem
;
434 switch (st
->hand_state
) {
435 case TLS_ST_CW_CLNT_HELLO
:
436 if (wst
== WORK_MORE_A
&& statem_flush(s
) != 1)
439 if (SSL_IS_DTLS(s
)) {
440 /* Treat the next message as the first packet */
445 case TLS_ST_CW_KEY_EXCH
:
446 if (tls_client_key_exchange_post_work(s
) == 0)
450 case TLS_ST_CW_CHANGE
:
451 s
->session
->cipher
= s
->s3
->tmp
.new_cipher
;
452 #ifdef OPENSSL_NO_COMP
453 s
->session
->compress_meth
= 0;
455 if (s
->s3
->tmp
.new_compression
== NULL
)
456 s
->session
->compress_meth
= 0;
458 s
->session
->compress_meth
= s
->s3
->tmp
.new_compression
->id
;
460 if (!s
->method
->ssl3_enc
->setup_key_block(s
))
463 if (!s
->method
->ssl3_enc
->change_cipher_state(s
,
464 SSL3_CHANGE_CIPHER_CLIENT_WRITE
))
467 if (SSL_IS_DTLS(s
)) {
468 #ifndef OPENSSL_NO_SCTP
471 * Change to new shared key of SCTP-Auth, will be ignored if
474 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
479 dtls1_reset_seq_numbers(s
, SSL3_CC_WRITE
);
483 case TLS_ST_CW_FINISHED
:
484 #ifndef OPENSSL_NO_SCTP
485 if (wst
== WORK_MORE_A
&& SSL_IS_DTLS(s
) && s
->hit
== 0) {
487 * Change to new shared key of SCTP-Auth, will be ignored if
490 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
494 if (statem_flush(s
) != 1)
499 /* No post work to be done */
503 return WORK_FINISHED_CONTINUE
;
507 * Construct a message to be sent from the client to the server.
509 * Valid return values are:
513 int ossl_statem_client_construct_message(SSL
*s
)
515 OSSL_STATEM
*st
= &s
->statem
;
517 switch (st
->hand_state
) {
518 case TLS_ST_CW_CLNT_HELLO
:
519 return tls_construct_client_hello(s
);
522 return tls_construct_client_certificate(s
);
524 case TLS_ST_CW_KEY_EXCH
:
525 return tls_construct_client_key_exchange(s
);
527 case TLS_ST_CW_CERT_VRFY
:
528 return tls_construct_client_verify(s
);
530 case TLS_ST_CW_CHANGE
:
532 return dtls_construct_change_cipher_spec(s
);
534 return tls_construct_change_cipher_spec(s
);
536 #if !defined(OPENSSL_NO_NEXTPROTONEG)
537 case TLS_ST_CW_NEXT_PROTO
:
538 return tls_construct_next_proto(s
);
540 case TLS_ST_CW_FINISHED
:
541 return tls_construct_finished(s
,
543 ssl3_enc
->client_finished_label
,
545 ssl3_enc
->client_finished_label_len
);
548 /* Shouldn't happen */
556 * Returns the maximum allowed length for the current message that we are
557 * reading. Excludes the message header.
559 unsigned long ossl_statem_client_max_message_size(SSL
*s
)
561 OSSL_STATEM
*st
= &s
->statem
;
563 switch (st
->hand_state
) {
564 case TLS_ST_CR_SRVR_HELLO
:
565 return SERVER_HELLO_MAX_LENGTH
;
567 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
568 return HELLO_VERIFY_REQUEST_MAX_LENGTH
;
571 return s
->max_cert_list
;
573 case TLS_ST_CR_CERT_STATUS
:
574 return SSL3_RT_MAX_PLAIN_LENGTH
;
576 case TLS_ST_CR_KEY_EXCH
:
577 return SERVER_KEY_EXCH_MAX_LENGTH
;
579 case TLS_ST_CR_CERT_REQ
:
581 * Set to s->max_cert_list for compatibility with previous releases. In
582 * practice these messages can get quite long if servers are configured
583 * to provide a long list of acceptable CAs
585 return s
->max_cert_list
;
587 case TLS_ST_CR_SRVR_DONE
:
588 return SERVER_HELLO_DONE_MAX_LENGTH
;
590 case TLS_ST_CR_CHANGE
:
591 if (s
->version
== DTLS1_BAD_VER
)
593 return CCS_MAX_LENGTH
;
595 case TLS_ST_CR_SESSION_TICKET
:
596 return SSL3_RT_MAX_PLAIN_LENGTH
;
598 case TLS_ST_CR_FINISHED
:
599 return FINISHED_MAX_LENGTH
;
602 /* Shouldn't happen */
610 * Process a message that the client has been received from the server.
612 MSG_PROCESS_RETURN
ossl_statem_client_process_message(SSL
*s
, PACKET
*pkt
)
614 OSSL_STATEM
*st
= &s
->statem
;
616 switch (st
->hand_state
) {
617 case TLS_ST_CR_SRVR_HELLO
:
618 return tls_process_server_hello(s
, pkt
);
620 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
621 return dtls_process_hello_verify(s
, pkt
);
624 return tls_process_server_certificate(s
, pkt
);
626 case TLS_ST_CR_CERT_STATUS
:
627 return tls_process_cert_status(s
, pkt
);
629 case TLS_ST_CR_KEY_EXCH
:
630 return tls_process_key_exchange(s
, pkt
);
632 case TLS_ST_CR_CERT_REQ
:
633 return tls_process_certificate_request(s
, pkt
);
635 case TLS_ST_CR_SRVR_DONE
:
636 return tls_process_server_done(s
, pkt
);
638 case TLS_ST_CR_CHANGE
:
639 return tls_process_change_cipher_spec(s
, pkt
);
641 case TLS_ST_CR_SESSION_TICKET
:
642 return tls_process_new_session_ticket(s
, pkt
);
644 case TLS_ST_CR_FINISHED
:
645 return tls_process_finished(s
, pkt
);
648 /* Shouldn't happen */
652 return MSG_PROCESS_ERROR
;
656 * Perform any further processing required following the receipt of a message
659 WORK_STATE
ossl_statem_client_post_process_message(SSL
*s
, WORK_STATE wst
)
661 OSSL_STATEM
*st
= &s
->statem
;
663 switch (st
->hand_state
) {
664 case TLS_ST_CR_CERT_REQ
:
665 return tls_prepare_client_certificate(s
, wst
);
667 #ifndef OPENSSL_NO_SCTP
668 case TLS_ST_CR_SRVR_DONE
:
669 /* We only get here if we are using SCTP and we are renegotiating */
670 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
671 s
->s3
->in_read_app_data
= 2;
672 s
->rwstate
= SSL_READING
;
673 BIO_clear_retry_flags(SSL_get_rbio(s
));
674 BIO_set_retry_read(SSL_get_rbio(s
));
675 ossl_statem_set_sctp_read_sock(s
, 1);
678 ossl_statem_set_sctp_read_sock(s
, 0);
679 return WORK_FINISHED_STOP
;
686 /* Shouldn't happen */
690 int tls_construct_client_hello(SSL
*s
)
695 int al
= SSL_AD_HANDSHAKE_FAILURE
;
696 #ifndef OPENSSL_NO_COMP
699 SSL_SESSION
*sess
= s
->session
;
702 if (!WPACKET_init(&pkt
, s
->init_buf
)
703 || !WPACKET_set_max_size(&pkt
, SSL3_RT_MAX_PLAIN_LENGTH
)) {
704 /* Should not happen */
705 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
709 /* Work out what SSL/TLS/DTLS version to use */
710 protverr
= ssl_set_client_hello_version(s
);
712 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, protverr
);
716 if ((sess
== NULL
) || !ssl_version_supported(s
, sess
->ssl_version
) ||
718 * In the case of EAP-FAST, we can have a pre-shared
719 * "ticket" without a session ID.
721 (!sess
->session_id_length
&& !sess
->tlsext_tick
) ||
722 (sess
->not_resumable
)) {
723 if (!ssl_get_new_session(s
, 0))
726 /* else use the pre-loaded session */
728 p
= s
->s3
->client_random
;
731 * for DTLS if client_random is initialized, reuse it, we are
732 * required to use same upon reply to HelloVerify
734 if (SSL_IS_DTLS(s
)) {
737 for (idx
= 0; idx
< sizeof(s
->s3
->client_random
); idx
++) {
746 if (i
&& ssl_fill_hello_random(s
, 0, p
, sizeof(s
->s3
->client_random
)) <= 0)
749 if (!ssl_set_handshake_header2(s
, &pkt
, SSL3_MT_CLIENT_HELLO
)) {
750 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
751 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
756 * version indicates the negotiated version: for example from
757 * an SSLv2/v3 compatible client hello). The client_version
758 * field is the maximum version we permit and it is also
759 * used in RSA encrypted premaster secrets. Some servers can
760 * choke if we initially report a higher version then
761 * renegotiate to a lower one in the premaster secret. This
762 * didn't happen with TLS 1.0 as most servers supported it
763 * but it can with TLS 1.1 or later if the server only supports
766 * Possible scenario with previous logic:
767 * 1. Client hello indicates TLS 1.2
768 * 2. Server hello says TLS 1.0
769 * 3. RSA encrypted premaster secret uses 1.2.
770 * 4. Handshake proceeds using TLS 1.0.
771 * 5. Server sends hello request to renegotiate.
772 * 6. Client hello indicates TLS v1.0 as we now
773 * know that is maximum server supports.
774 * 7. Server chokes on RSA encrypted premaster secret
775 * containing version 1.0.
777 * For interoperability it should be OK to always use the
778 * maximum version we support in client hello and then rely
779 * on the checking of version to ensure the servers isn't
780 * being inconsistent: for example initially negotiating with
781 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
782 * client_version in client hello and not resetting it to
783 * the negotiated version.
785 if (!WPACKET_put_bytes(&pkt
, s
->client_version
, 2)
786 || !WPACKET_memcpy(&pkt
, s
->s3
->client_random
, SSL3_RANDOM_SIZE
)) {
787 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
795 i
= s
->session
->session_id_length
;
796 if (i
> (int)sizeof(s
->session
->session_id
)
797 || !WPACKET_start_sub_packet_u8(&pkt
)
798 || (i
!= 0 && !WPACKET_memcpy(&pkt
, s
->session
->session_id
, i
))
799 || !WPACKET_close(&pkt
)) {
800 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
804 /* cookie stuff for DTLS */
805 if (SSL_IS_DTLS(s
)) {
806 if (s
->d1
->cookie_len
> sizeof(s
->d1
->cookie
)
807 || !WPACKET_sub_memcpy_u8(&pkt
, s
->d1
->cookie
,
808 s
->d1
->cookie_len
)) {
809 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
814 /* Ciphers supported */
815 if (!WPACKET_start_sub_packet_u16(&pkt
)) {
816 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
819 /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
820 if (!ssl_cipher_list_to_bytes(s
, SSL_get_ciphers(s
), &pkt
))
822 if (!WPACKET_close(&pkt
)) {
823 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
828 if (!WPACKET_start_sub_packet_u8(&pkt
)) {
829 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
832 #ifndef OPENSSL_NO_COMP
833 if (ssl_allow_compression(s
) && s
->ctx
->comp_methods
) {
834 int compnum
= sk_SSL_COMP_num(s
->ctx
->comp_methods
);
835 for (i
= 0; i
< compnum
; i
++) {
836 comp
= sk_SSL_COMP_value(s
->ctx
->comp_methods
, i
);
837 if (!WPACKET_put_bytes(&pkt
, comp
->id
, 1)) {
838 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
844 /* Add the NULL method */
845 if (!WPACKET_put_bytes(&pkt
, 0, 1) || !WPACKET_close(&pkt
)) {
846 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
851 if (ssl_prepare_clienthello_tlsext(s
) <= 0) {
852 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, SSL_R_CLIENTHELLO_TLSEXT
);
855 if (!WPACKET_start_sub_packet_u16(&pkt
)
857 * If extensions are of zero length then we don't even add the
858 * extensions length bytes
860 || !WPACKET_set_flags(&pkt
, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH
)
861 || !ssl_add_clienthello_tlsext(s
, &pkt
, &al
)
862 || !WPACKET_close(&pkt
)) {
863 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
864 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
868 if (!ssl_close_construct_packet(s
, &pkt
)) {
869 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
870 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
876 ossl_statem_set_error(s
);
877 WPACKET_cleanup(&pkt
);
881 MSG_PROCESS_RETURN
dtls_process_hello_verify(SSL
*s
, PACKET
*pkt
)
884 unsigned int cookie_len
;
887 if (!PACKET_forward(pkt
, 2)
888 || !PACKET_get_length_prefixed_1(pkt
, &cookiepkt
)) {
889 al
= SSL_AD_DECODE_ERROR
;
890 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY
, SSL_R_LENGTH_MISMATCH
);
894 cookie_len
= PACKET_remaining(&cookiepkt
);
895 if (cookie_len
> sizeof(s
->d1
->cookie
)) {
896 al
= SSL_AD_ILLEGAL_PARAMETER
;
897 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY
, SSL_R_LENGTH_TOO_LONG
);
901 if (!PACKET_copy_bytes(&cookiepkt
, s
->d1
->cookie
, cookie_len
)) {
902 al
= SSL_AD_DECODE_ERROR
;
903 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY
, SSL_R_LENGTH_MISMATCH
);
906 s
->d1
->cookie_len
= cookie_len
;
908 return MSG_PROCESS_FINISHED_READING
;
910 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
911 ossl_statem_set_error(s
);
912 return MSG_PROCESS_ERROR
;
915 MSG_PROCESS_RETURN
tls_process_server_hello(SSL
*s
, PACKET
*pkt
)
917 STACK_OF(SSL_CIPHER
) *sk
;
920 size_t session_id_len
;
921 const unsigned char *cipherchars
;
922 int i
, al
= SSL_AD_INTERNAL_ERROR
;
923 unsigned int compression
;
924 unsigned int sversion
;
926 #ifndef OPENSSL_NO_COMP
930 if (!PACKET_get_net_2(pkt
, &sversion
)) {
931 al
= SSL_AD_DECODE_ERROR
;
932 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_LENGTH_MISMATCH
);
936 protverr
= ssl_choose_client_version(s
, sversion
);
938 al
= SSL_AD_PROTOCOL_VERSION
;
939 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, protverr
);
943 /* load the server hello data */
944 /* load the server random */
945 if (!PACKET_copy_bytes(pkt
, s
->s3
->server_random
, SSL3_RANDOM_SIZE
)) {
946 al
= SSL_AD_DECODE_ERROR
;
947 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_LENGTH_MISMATCH
);
953 /* Get the session-id. */
954 if (!PACKET_get_length_prefixed_1(pkt
, &session_id
)) {
955 al
= SSL_AD_DECODE_ERROR
;
956 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_LENGTH_MISMATCH
);
959 session_id_len
= PACKET_remaining(&session_id
);
960 if (session_id_len
> sizeof s
->session
->session_id
961 || session_id_len
> SSL3_SESSION_ID_SIZE
) {
962 al
= SSL_AD_ILLEGAL_PARAMETER
;
963 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_SSL3_SESSION_ID_TOO_LONG
);
967 if (!PACKET_get_bytes(pkt
, &cipherchars
, TLS_CIPHER_LEN
)) {
968 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_LENGTH_MISMATCH
);
969 al
= SSL_AD_DECODE_ERROR
;
974 * Check if we can resume the session based on external pre-shared secret.
975 * EAP-FAST (RFC 4851) supports two types of session resumption.
976 * Resumption based on server-side state works with session IDs.
977 * Resumption based on pre-shared Protected Access Credentials (PACs)
978 * works by overriding the SessionTicket extension at the application
979 * layer, and does not send a session ID. (We do not know whether EAP-FAST
980 * servers would honour the session ID.) Therefore, the session ID alone
981 * is not a reliable indicator of session resumption, so we first check if
982 * we can resume, and later peek at the next handshake message to see if the
983 * server wants to resume.
985 if (s
->version
>= TLS1_VERSION
&& s
->tls_session_secret_cb
&&
986 s
->session
->tlsext_tick
) {
987 const SSL_CIPHER
*pref_cipher
= NULL
;
988 s
->session
->master_key_length
= sizeof(s
->session
->master_key
);
989 if (s
->tls_session_secret_cb(s
, s
->session
->master_key
,
990 &s
->session
->master_key_length
,
992 s
->tls_session_secret_cb_arg
)) {
993 s
->session
->cipher
= pref_cipher
?
994 pref_cipher
: ssl_get_cipher_by_char(s
, cipherchars
);
996 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, ERR_R_INTERNAL_ERROR
);
997 al
= SSL_AD_INTERNAL_ERROR
;
1002 if (session_id_len
!= 0 && session_id_len
== s
->session
->session_id_length
1003 && memcmp(PACKET_data(&session_id
), s
->session
->session_id
,
1004 session_id_len
) == 0) {
1005 if (s
->sid_ctx_length
!= s
->session
->sid_ctx_length
1006 || memcmp(s
->session
->sid_ctx
, s
->sid_ctx
, s
->sid_ctx_length
)) {
1007 /* actually a client application bug */
1008 al
= SSL_AD_ILLEGAL_PARAMETER
;
1009 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1010 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
);
1016 * If we were trying for session-id reuse but the server
1017 * didn't echo the ID, make a new SSL_SESSION.
1018 * In the case of EAP-FAST and PAC, we do not send a session ID,
1019 * so the PAC-based session secret is always preserved. It'll be
1020 * overwritten if the server refuses resumption.
1022 if (s
->session
->session_id_length
> 0) {
1023 s
->ctx
->stats
.sess_miss
++;
1024 if (!ssl_get_new_session(s
, 0)) {
1029 s
->session
->ssl_version
= s
->version
;
1030 s
->session
->session_id_length
= session_id_len
;
1031 /* session_id_len could be 0 */
1032 memcpy(s
->session
->session_id
, PACKET_data(&session_id
),
1036 /* Session version and negotiated protocol version should match */
1037 if (s
->version
!= s
->session
->ssl_version
) {
1038 al
= SSL_AD_PROTOCOL_VERSION
;
1040 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1041 SSL_R_SSL_SESSION_VERSION_MISMATCH
);
1045 c
= ssl_get_cipher_by_char(s
, cipherchars
);
1047 /* unknown cipher */
1048 al
= SSL_AD_ILLEGAL_PARAMETER
;
1049 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_UNKNOWN_CIPHER_RETURNED
);
1053 * Now that we know the version, update the check to see if it's an allowed
1056 s
->s3
->tmp
.min_ver
= s
->version
;
1057 s
->s3
->tmp
.max_ver
= s
->version
;
1059 * If it is a disabled cipher we either didn't send it in client hello,
1060 * or it's not allowed for the selected protocol. So we return an error.
1062 if (ssl_cipher_disabled(s
, c
, SSL_SECOP_CIPHER_CHECK
)) {
1063 al
= SSL_AD_ILLEGAL_PARAMETER
;
1064 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_WRONG_CIPHER_RETURNED
);
1068 sk
= ssl_get_ciphers_by_id(s
);
1069 i
= sk_SSL_CIPHER_find(sk
, c
);
1071 /* we did not say we would use this cipher */
1072 al
= SSL_AD_ILLEGAL_PARAMETER
;
1073 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_WRONG_CIPHER_RETURNED
);
1078 * Depending on the session caching (internal/external), the cipher
1079 * and/or cipher_id values may not be set. Make sure that cipher_id is
1080 * set and use it for comparison.
1082 if (s
->session
->cipher
)
1083 s
->session
->cipher_id
= s
->session
->cipher
->id
;
1084 if (s
->hit
&& (s
->session
->cipher_id
!= c
->id
)) {
1085 al
= SSL_AD_ILLEGAL_PARAMETER
;
1086 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1087 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
);
1090 s
->s3
->tmp
.new_cipher
= c
;
1091 /* lets get the compression algorithm */
1093 if (!PACKET_get_1(pkt
, &compression
)) {
1094 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_LENGTH_MISMATCH
);
1095 al
= SSL_AD_DECODE_ERROR
;
1098 #ifdef OPENSSL_NO_COMP
1099 if (compression
!= 0) {
1100 al
= SSL_AD_ILLEGAL_PARAMETER
;
1101 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1102 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
1106 * If compression is disabled we'd better not try to resume a session
1107 * using compression.
1109 if (s
->session
->compress_meth
!= 0) {
1110 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_INCONSISTENT_COMPRESSION
);
1114 if (s
->hit
&& compression
!= s
->session
->compress_meth
) {
1115 al
= SSL_AD_ILLEGAL_PARAMETER
;
1116 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1117 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED
);
1120 if (compression
== 0)
1122 else if (!ssl_allow_compression(s
)) {
1123 al
= SSL_AD_ILLEGAL_PARAMETER
;
1124 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_COMPRESSION_DISABLED
);
1127 comp
= ssl3_comp_find(s
->ctx
->comp_methods
, compression
);
1130 if (compression
!= 0 && comp
== NULL
) {
1131 al
= SSL_AD_ILLEGAL_PARAMETER
;
1132 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
,
1133 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
1136 s
->s3
->tmp
.new_compression
= comp
;
1140 /* TLS extensions */
1141 if (!ssl_parse_serverhello_tlsext(s
, pkt
)) {
1142 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_PARSE_TLSEXT
);
1146 if (PACKET_remaining(pkt
) != 0) {
1147 /* wrong packet length */
1148 al
= SSL_AD_DECODE_ERROR
;
1149 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO
, SSL_R_BAD_PACKET_LENGTH
);
1152 #ifndef OPENSSL_NO_SCTP
1153 if (SSL_IS_DTLS(s
) && s
->hit
) {
1154 unsigned char sctpauthkey
[64];
1155 char labelbuffer
[sizeof(DTLS1_SCTP_AUTH_LABEL
)];
1158 * Add new shared key for SCTP-Auth, will be ignored if
1161 memcpy(labelbuffer
, DTLS1_SCTP_AUTH_LABEL
,
1162 sizeof(DTLS1_SCTP_AUTH_LABEL
));
1164 if (SSL_export_keying_material(s
, sctpauthkey
,
1165 sizeof(sctpauthkey
),
1167 sizeof(labelbuffer
), NULL
, 0, 0) <= 0)
1170 BIO_ctrl(SSL_get_wbio(s
),
1171 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY
,
1172 sizeof(sctpauthkey
), sctpauthkey
);
1176 return MSG_PROCESS_CONTINUE_READING
;
1178 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1180 ossl_statem_set_error(s
);
1181 return MSG_PROCESS_ERROR
;
1184 MSG_PROCESS_RETURN
tls_process_server_certificate(SSL
*s
, PACKET
*pkt
)
1186 int al
, i
, ret
= MSG_PROCESS_ERROR
, exp_idx
;
1187 unsigned long cert_list_len
, cert_len
;
1189 const unsigned char *certstart
, *certbytes
;
1190 STACK_OF(X509
) *sk
= NULL
;
1191 EVP_PKEY
*pkey
= NULL
;
1193 if ((sk
= sk_X509_new_null()) == NULL
) {
1194 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
, ERR_R_MALLOC_FAILURE
);
1198 if (!PACKET_get_net_3(pkt
, &cert_list_len
)
1199 || PACKET_remaining(pkt
) != cert_list_len
) {
1200 al
= SSL_AD_DECODE_ERROR
;
1201 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
, SSL_R_LENGTH_MISMATCH
);
1204 while (PACKET_remaining(pkt
)) {
1205 if (!PACKET_get_net_3(pkt
, &cert_len
)
1206 || !PACKET_get_bytes(pkt
, &certbytes
, cert_len
)) {
1207 al
= SSL_AD_DECODE_ERROR
;
1208 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1209 SSL_R_CERT_LENGTH_MISMATCH
);
1213 certstart
= certbytes
;
1214 x
= d2i_X509(NULL
, (const unsigned char **)&certbytes
, cert_len
);
1216 al
= SSL_AD_BAD_CERTIFICATE
;
1217 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
, ERR_R_ASN1_LIB
);
1220 if (certbytes
!= (certstart
+ cert_len
)) {
1221 al
= SSL_AD_DECODE_ERROR
;
1222 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1223 SSL_R_CERT_LENGTH_MISMATCH
);
1226 if (!sk_X509_push(sk
, x
)) {
1227 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
, ERR_R_MALLOC_FAILURE
);
1233 i
= ssl_verify_cert_chain(s
, sk
);
1234 if ((s
->verify_mode
& SSL_VERIFY_PEER
) && i
<= 0) {
1235 al
= ssl_verify_alarm_type(s
->verify_result
);
1236 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1237 SSL_R_CERTIFICATE_VERIFY_FAILED
);
1240 ERR_clear_error(); /* but we keep s->verify_result */
1242 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
, i
);
1243 al
= SSL_AD_HANDSHAKE_FAILURE
;
1247 s
->session
->peer_chain
= sk
;
1249 * Inconsistency alert: cert_chain does include the peer's certificate,
1250 * which we don't include in statem_srvr.c
1252 x
= sk_X509_value(sk
, 0);
1255 * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
1258 pkey
= X509_get0_pubkey(x
);
1260 if (pkey
== NULL
|| EVP_PKEY_missing_parameters(pkey
)) {
1263 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1264 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
);
1268 i
= ssl_cert_type(x
, pkey
);
1272 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1273 SSL_R_UNKNOWN_CERTIFICATE_TYPE
);
1277 exp_idx
= ssl_cipher_get_cert_index(s
->s3
->tmp
.new_cipher
);
1278 if (exp_idx
>= 0 && i
!= exp_idx
1279 && (exp_idx
!= SSL_PKEY_GOST_EC
||
1280 (i
!= SSL_PKEY_GOST12_512
&& i
!= SSL_PKEY_GOST12_256
1281 && i
!= SSL_PKEY_GOST01
))) {
1283 al
= SSL_AD_ILLEGAL_PARAMETER
;
1284 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE
,
1285 SSL_R_WRONG_CERTIFICATE_TYPE
);
1288 s
->session
->peer_type
= i
;
1290 X509_free(s
->session
->peer
);
1292 s
->session
->peer
= x
;
1293 s
->session
->verify_result
= s
->verify_result
;
1296 ret
= MSG_PROCESS_CONTINUE_READING
;
1300 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1302 ossl_statem_set_error(s
);
1305 sk_X509_pop_free(sk
, X509_free
);
1309 static int tls_process_ske_psk_preamble(SSL
*s
, PACKET
*pkt
, int *al
)
1311 #ifndef OPENSSL_NO_PSK
1312 PACKET psk_identity_hint
;
1314 /* PSK ciphersuites are preceded by an identity hint */
1316 if (!PACKET_get_length_prefixed_2(pkt
, &psk_identity_hint
)) {
1317 *al
= SSL_AD_DECODE_ERROR
;
1318 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE
, SSL_R_LENGTH_MISMATCH
);
1323 * Store PSK identity hint for later use, hint is used in
1324 * tls_construct_client_key_exchange. Assume that the maximum length of
1325 * a PSK identity hint can be as long as the maximum length of a PSK
1328 if (PACKET_remaining(&psk_identity_hint
) > PSK_MAX_IDENTITY_LEN
) {
1329 *al
= SSL_AD_HANDSHAKE_FAILURE
;
1330 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE
, SSL_R_DATA_LENGTH_TOO_LONG
);
1334 if (PACKET_remaining(&psk_identity_hint
) == 0) {
1335 OPENSSL_free(s
->session
->psk_identity_hint
);
1336 s
->session
->psk_identity_hint
= NULL
;
1337 } else if (!PACKET_strndup(&psk_identity_hint
,
1338 &s
->session
->psk_identity_hint
)) {
1339 *al
= SSL_AD_INTERNAL_ERROR
;
1345 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE
, ERR_R_INTERNAL_ERROR
);
1346 *al
= SSL_AD_INTERNAL_ERROR
;
1351 static int tls_process_ske_srp(SSL
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
, int *al
)
1353 #ifndef OPENSSL_NO_SRP
1354 PACKET prime
, generator
, salt
, server_pub
;
1356 if (!PACKET_get_length_prefixed_2(pkt
, &prime
)
1357 || !PACKET_get_length_prefixed_2(pkt
, &generator
)
1358 || !PACKET_get_length_prefixed_1(pkt
, &salt
)
1359 || !PACKET_get_length_prefixed_2(pkt
, &server_pub
)) {
1360 *al
= SSL_AD_DECODE_ERROR
;
1361 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP
, SSL_R_LENGTH_MISMATCH
);
1366 BN_bin2bn(PACKET_data(&prime
),
1367 PACKET_remaining(&prime
), NULL
)) == NULL
1369 BN_bin2bn(PACKET_data(&generator
),
1370 PACKET_remaining(&generator
), NULL
)) == NULL
1372 BN_bin2bn(PACKET_data(&salt
),
1373 PACKET_remaining(&salt
), NULL
)) == NULL
1375 BN_bin2bn(PACKET_data(&server_pub
),
1376 PACKET_remaining(&server_pub
), NULL
)) == NULL
) {
1377 *al
= SSL_AD_INTERNAL_ERROR
;
1378 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP
, ERR_R_BN_LIB
);
1382 if (!srp_verify_server_param(s
, al
)) {
1383 *al
= SSL_AD_DECODE_ERROR
;
1384 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP
, SSL_R_BAD_SRP_PARAMETERS
);
1388 /* We must check if there is a certificate */
1389 if (s
->s3
->tmp
.new_cipher
->algorithm_auth
& (SSL_aRSA
| SSL_aDSS
))
1390 *pkey
= X509_get0_pubkey(s
->session
->peer
);
1394 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP
, ERR_R_INTERNAL_ERROR
);
1395 *al
= SSL_AD_INTERNAL_ERROR
;
1400 static int tls_process_ske_dhe(SSL
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
, int *al
)
1402 #ifndef OPENSSL_NO_DH
1403 PACKET prime
, generator
, pub_key
;
1404 EVP_PKEY
*peer_tmp
= NULL
;
1407 BIGNUM
*p
= NULL
, *g
= NULL
, *bnpub_key
= NULL
;
1409 if (!PACKET_get_length_prefixed_2(pkt
, &prime
)
1410 || !PACKET_get_length_prefixed_2(pkt
, &generator
)
1411 || !PACKET_get_length_prefixed_2(pkt
, &pub_key
)) {
1412 *al
= SSL_AD_DECODE_ERROR
;
1413 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, SSL_R_LENGTH_MISMATCH
);
1417 peer_tmp
= EVP_PKEY_new();
1420 if (peer_tmp
== NULL
|| dh
== NULL
) {
1421 *al
= SSL_AD_INTERNAL_ERROR
;
1422 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_MALLOC_FAILURE
);
1426 p
= BN_bin2bn(PACKET_data(&prime
), PACKET_remaining(&prime
), NULL
);
1427 g
= BN_bin2bn(PACKET_data(&generator
), PACKET_remaining(&generator
), NULL
);
1428 bnpub_key
= BN_bin2bn(PACKET_data(&pub_key
), PACKET_remaining(&pub_key
),
1430 if (p
== NULL
|| g
== NULL
|| bnpub_key
== NULL
) {
1431 *al
= SSL_AD_INTERNAL_ERROR
;
1432 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_BN_LIB
);
1436 if (BN_is_zero(p
) || BN_is_zero(g
) || BN_is_zero(bnpub_key
)) {
1437 *al
= SSL_AD_DECODE_ERROR
;
1438 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, SSL_R_BAD_DH_VALUE
);
1442 if (!DH_set0_pqg(dh
, p
, NULL
, g
)) {
1443 *al
= SSL_AD_INTERNAL_ERROR
;
1444 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_BN_LIB
);
1449 if (!DH_set0_key(dh
, bnpub_key
, NULL
)) {
1450 *al
= SSL_AD_INTERNAL_ERROR
;
1451 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_BN_LIB
);
1456 if (!ssl_security(s
, SSL_SECOP_TMP_DH
, DH_security_bits(dh
), 0, dh
)) {
1457 *al
= SSL_AD_HANDSHAKE_FAILURE
;
1458 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, SSL_R_DH_KEY_TOO_SMALL
);
1462 if (EVP_PKEY_assign_DH(peer_tmp
, dh
) == 0) {
1463 *al
= SSL_AD_INTERNAL_ERROR
;
1464 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_EVP_LIB
);
1468 s
->s3
->peer_tmp
= peer_tmp
;
1471 * FIXME: This makes assumptions about which ciphersuites come with
1472 * public keys. We should have a less ad-hoc way of doing this
1474 if (s
->s3
->tmp
.new_cipher
->algorithm_auth
& (SSL_aRSA
| SSL_aDSS
))
1475 *pkey
= X509_get0_pubkey(s
->session
->peer
);
1476 /* else anonymous DH, so no certificate or pkey. */
1485 EVP_PKEY_free(peer_tmp
);
1489 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE
, ERR_R_INTERNAL_ERROR
);
1490 *al
= SSL_AD_INTERNAL_ERROR
;
1495 static int tls_process_ske_ecdhe(SSL
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
, int *al
)
1497 #ifndef OPENSSL_NO_EC
1499 const unsigned char *ecparams
;
1501 unsigned int curve_flags
;
1502 EVP_PKEY_CTX
*pctx
= NULL
;
1505 * Extract elliptic curve parameters and the server's ephemeral ECDH
1506 * public key. For now we only support named (not generic) curves and
1507 * ECParameters in this case is just three bytes.
1509 if (!PACKET_get_bytes(pkt
, &ecparams
, 3)) {
1510 *al
= SSL_AD_DECODE_ERROR
;
1511 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, SSL_R_LENGTH_TOO_SHORT
);
1515 * Check curve is one of our preferences, if not server has sent an
1516 * invalid curve. ECParameters is 3 bytes.
1518 if (!tls1_check_curve(s
, ecparams
, 3)) {
1519 *al
= SSL_AD_DECODE_ERROR
;
1520 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, SSL_R_WRONG_CURVE
);
1524 curve_nid
= tls1_ec_curve_id2nid(*(ecparams
+ 2), &curve_flags
);
1526 if (curve_nid
== 0) {
1527 *al
= SSL_AD_INTERNAL_ERROR
;
1528 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
,
1529 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
);
1533 if ((curve_flags
& TLS_CURVE_TYPE
) == TLS_CURVE_CUSTOM
) {
1534 EVP_PKEY
*key
= EVP_PKEY_new();
1536 if (key
== NULL
|| !EVP_PKEY_set_type(key
, curve_nid
)) {
1537 *al
= SSL_AD_INTERNAL_ERROR
;
1538 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, ERR_R_EVP_LIB
);
1542 s
->s3
->peer_tmp
= key
;
1544 /* Set up EVP_PKEY with named curve as parameters */
1545 pctx
= EVP_PKEY_CTX_new_id(EVP_PKEY_EC
, NULL
);
1547 || EVP_PKEY_paramgen_init(pctx
) <= 0
1548 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx
, curve_nid
) <= 0
1549 || EVP_PKEY_paramgen(pctx
, &s
->s3
->peer_tmp
) <= 0) {
1550 *al
= SSL_AD_INTERNAL_ERROR
;
1551 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, ERR_R_EVP_LIB
);
1552 EVP_PKEY_CTX_free(pctx
);
1555 EVP_PKEY_CTX_free(pctx
);
1559 if (!PACKET_get_length_prefixed_1(pkt
, &encoded_pt
)) {
1560 *al
= SSL_AD_DECODE_ERROR
;
1561 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, SSL_R_LENGTH_MISMATCH
);
1565 if (!EVP_PKEY_set1_tls_encodedpoint(s
->s3
->peer_tmp
,
1566 PACKET_data(&encoded_pt
),
1567 PACKET_remaining(&encoded_pt
))) {
1568 *al
= SSL_AD_DECODE_ERROR
;
1569 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, SSL_R_BAD_ECPOINT
);
1574 * The ECC/TLS specification does not mention the use of DSA to sign
1575 * ECParameters in the server key exchange message. We do support RSA
1578 if (s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aECDSA
)
1579 *pkey
= X509_get0_pubkey(s
->session
->peer
);
1580 else if (s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aRSA
)
1581 *pkey
= X509_get0_pubkey(s
->session
->peer
);
1582 /* else anonymous ECDH, so no certificate or pkey. */
1586 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE
, ERR_R_INTERNAL_ERROR
);
1587 *al
= SSL_AD_INTERNAL_ERROR
;
1592 MSG_PROCESS_RETURN
tls_process_key_exchange(SSL
*s
, PACKET
*pkt
)
1596 EVP_PKEY
*pkey
= NULL
;
1597 PACKET save_param_start
, signature
;
1599 alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
1601 save_param_start
= *pkt
;
1603 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1604 EVP_PKEY_free(s
->s3
->peer_tmp
);
1605 s
->s3
->peer_tmp
= NULL
;
1608 if (alg_k
& SSL_PSK
) {
1609 if (!tls_process_ske_psk_preamble(s
, pkt
, &al
))
1613 /* Nothing else to do for plain PSK or RSAPSK */
1614 if (alg_k
& (SSL_kPSK
| SSL_kRSAPSK
)) {
1615 } else if (alg_k
& SSL_kSRP
) {
1616 if (!tls_process_ske_srp(s
, pkt
, &pkey
, &al
))
1618 } else if (alg_k
& (SSL_kDHE
| SSL_kDHEPSK
)) {
1619 if (!tls_process_ske_dhe(s
, pkt
, &pkey
, &al
))
1621 } else if (alg_k
& (SSL_kECDHE
| SSL_kECDHEPSK
)) {
1622 if (!tls_process_ske_ecdhe(s
, pkt
, &pkey
, &al
))
1625 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1626 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, SSL_R_UNEXPECTED_MESSAGE
);
1630 /* if it was signed, check the signature */
1634 const EVP_MD
*md
= NULL
;
1638 * |pkt| now points to the beginning of the signature, so the difference
1639 * equals the length of the parameters.
1641 if (!PACKET_get_sub_packet(&save_param_start
, ¶ms
,
1642 PACKET_remaining(&save_param_start
) -
1643 PACKET_remaining(pkt
))) {
1644 al
= SSL_AD_INTERNAL_ERROR
;
1645 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
1649 if (SSL_USE_SIGALGS(s
)) {
1650 const unsigned char *sigalgs
;
1652 if (!PACKET_get_bytes(pkt
, &sigalgs
, 2)) {
1653 al
= SSL_AD_DECODE_ERROR
;
1654 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, SSL_R_LENGTH_TOO_SHORT
);
1657 rv
= tls12_check_peer_sigalg(&md
, s
, sigalgs
, pkey
);
1659 al
= SSL_AD_INTERNAL_ERROR
;
1661 } else if (rv
== 0) {
1662 al
= SSL_AD_DECODE_ERROR
;
1666 fprintf(stderr
, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md
));
1668 } else if (EVP_PKEY_id(pkey
) == EVP_PKEY_RSA
) {
1669 md
= EVP_md5_sha1();
1674 if (!PACKET_get_length_prefixed_2(pkt
, &signature
)
1675 || PACKET_remaining(pkt
) != 0) {
1676 al
= SSL_AD_DECODE_ERROR
;
1677 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, SSL_R_LENGTH_MISMATCH
);
1680 maxsig
= EVP_PKEY_size(pkey
);
1682 al
= SSL_AD_INTERNAL_ERROR
;
1683 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
1688 * Check signature length
1690 if (PACKET_remaining(&signature
) > (size_t)maxsig
) {
1691 /* wrong packet length */
1692 al
= SSL_AD_DECODE_ERROR
;
1693 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
,
1694 SSL_R_WRONG_SIGNATURE_LENGTH
);
1698 md_ctx
= EVP_MD_CTX_new();
1699 if (md_ctx
== NULL
) {
1700 al
= SSL_AD_INTERNAL_ERROR
;
1701 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, ERR_R_MALLOC_FAILURE
);
1705 if (EVP_VerifyInit_ex(md_ctx
, md
, NULL
) <= 0
1706 || EVP_VerifyUpdate(md_ctx
, &(s
->s3
->client_random
[0]),
1707 SSL3_RANDOM_SIZE
) <= 0
1708 || EVP_VerifyUpdate(md_ctx
, &(s
->s3
->server_random
[0]),
1709 SSL3_RANDOM_SIZE
) <= 0
1710 || EVP_VerifyUpdate(md_ctx
, PACKET_data(¶ms
),
1711 PACKET_remaining(¶ms
)) <= 0) {
1712 EVP_MD_CTX_free(md_ctx
);
1713 al
= SSL_AD_INTERNAL_ERROR
;
1714 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, ERR_R_EVP_LIB
);
1717 if (EVP_VerifyFinal(md_ctx
, PACKET_data(&signature
),
1718 PACKET_remaining(&signature
), pkey
) <= 0) {
1720 EVP_MD_CTX_free(md_ctx
);
1721 al
= SSL_AD_DECRYPT_ERROR
;
1722 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, SSL_R_BAD_SIGNATURE
);
1725 EVP_MD_CTX_free(md_ctx
);
1727 /* aNULL, aSRP or PSK do not need public keys */
1728 if (!(s
->s3
->tmp
.new_cipher
->algorithm_auth
& (SSL_aNULL
| SSL_aSRP
))
1729 && !(alg_k
& SSL_PSK
)) {
1730 /* Might be wrong key type, check it */
1731 if (ssl3_check_cert_and_algorithm(s
)) {
1732 /* Otherwise this shouldn't happen */
1733 al
= SSL_AD_INTERNAL_ERROR
;
1734 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
1736 al
= SSL_AD_DECODE_ERROR
;
1740 /* still data left over */
1741 if (PACKET_remaining(pkt
) != 0) {
1742 al
= SSL_AD_DECODE_ERROR
;
1743 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE
, SSL_R_EXTRA_DATA_IN_MESSAGE
);
1748 return MSG_PROCESS_CONTINUE_READING
;
1751 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1752 ossl_statem_set_error(s
);
1753 return MSG_PROCESS_ERROR
;
1756 MSG_PROCESS_RETURN
tls_process_certificate_request(SSL
*s
, PACKET
*pkt
)
1758 int ret
= MSG_PROCESS_ERROR
;
1759 unsigned int list_len
, ctype_num
, i
, name_len
;
1760 X509_NAME
*xn
= NULL
;
1761 const unsigned char *data
;
1762 const unsigned char *namestart
, *namebytes
;
1763 STACK_OF(X509_NAME
) *ca_sk
= NULL
;
1765 if ((ca_sk
= sk_X509_NAME_new(ca_dn_cmp
)) == NULL
) {
1766 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, ERR_R_MALLOC_FAILURE
);
1770 /* get the certificate types */
1771 if (!PACKET_get_1(pkt
, &ctype_num
)
1772 || !PACKET_get_bytes(pkt
, &data
, ctype_num
)) {
1773 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1774 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, SSL_R_LENGTH_MISMATCH
);
1777 OPENSSL_free(s
->cert
->ctypes
);
1778 s
->cert
->ctypes
= NULL
;
1779 if (ctype_num
> SSL3_CT_NUMBER
) {
1780 /* If we exceed static buffer copy all to cert structure */
1781 s
->cert
->ctypes
= OPENSSL_malloc(ctype_num
);
1782 if (s
->cert
->ctypes
== NULL
) {
1783 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, ERR_R_MALLOC_FAILURE
);
1786 memcpy(s
->cert
->ctypes
, data
, ctype_num
);
1787 s
->cert
->ctype_num
= (size_t)ctype_num
;
1788 ctype_num
= SSL3_CT_NUMBER
;
1790 for (i
= 0; i
< ctype_num
; i
++)
1791 s
->s3
->tmp
.ctype
[i
] = data
[i
];
1793 if (SSL_USE_SIGALGS(s
)) {
1794 if (!PACKET_get_net_2(pkt
, &list_len
)
1795 || !PACKET_get_bytes(pkt
, &data
, list_len
)) {
1796 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1797 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
,
1798 SSL_R_LENGTH_MISMATCH
);
1802 /* Clear certificate digests and validity flags */
1803 for (i
= 0; i
< SSL_PKEY_NUM
; i
++) {
1804 s
->s3
->tmp
.md
[i
] = NULL
;
1805 s
->s3
->tmp
.valid_flags
[i
] = 0;
1807 if ((list_len
& 1) || !tls1_save_sigalgs(s
, data
, list_len
)) {
1808 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1809 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
,
1810 SSL_R_SIGNATURE_ALGORITHMS_ERROR
);
1813 if (!tls1_process_sigalgs(s
)) {
1814 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
1815 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, ERR_R_MALLOC_FAILURE
);
1819 ssl_set_default_md(s
);
1822 /* get the CA RDNs */
1823 if (!PACKET_get_net_2(pkt
, &list_len
)
1824 || PACKET_remaining(pkt
) != list_len
) {
1825 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1826 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, SSL_R_LENGTH_MISMATCH
);
1830 while (PACKET_remaining(pkt
)) {
1831 if (!PACKET_get_net_2(pkt
, &name_len
)
1832 || !PACKET_get_bytes(pkt
, &namebytes
, name_len
)) {
1833 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1834 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
,
1835 SSL_R_LENGTH_MISMATCH
);
1839 namestart
= namebytes
;
1841 if ((xn
= d2i_X509_NAME(NULL
, (const unsigned char **)&namebytes
,
1842 name_len
)) == NULL
) {
1843 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1844 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, ERR_R_ASN1_LIB
);
1848 if (namebytes
!= (namestart
+ name_len
)) {
1849 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1850 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
,
1851 SSL_R_CA_DN_LENGTH_MISMATCH
);
1854 if (!sk_X509_NAME_push(ca_sk
, xn
)) {
1855 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST
, ERR_R_MALLOC_FAILURE
);
1861 /* we should setup a certificate to return.... */
1862 s
->s3
->tmp
.cert_req
= 1;
1863 s
->s3
->tmp
.ctype_num
= ctype_num
;
1864 sk_X509_NAME_pop_free(s
->s3
->tmp
.ca_names
, X509_NAME_free
);
1865 s
->s3
->tmp
.ca_names
= ca_sk
;
1868 ret
= MSG_PROCESS_CONTINUE_PROCESSING
;
1871 ossl_statem_set_error(s
);
1874 sk_X509_NAME_pop_free(ca_sk
, X509_NAME_free
);
1878 static int ca_dn_cmp(const X509_NAME
*const *a
, const X509_NAME
*const *b
)
1880 return (X509_NAME_cmp(*a
, *b
));
1883 MSG_PROCESS_RETURN
tls_process_new_session_ticket(SSL
*s
, PACKET
*pkt
)
1886 unsigned int ticklen
;
1887 unsigned long ticket_lifetime_hint
;
1889 if (!PACKET_get_net_4(pkt
, &ticket_lifetime_hint
)
1890 || !PACKET_get_net_2(pkt
, &ticklen
)
1891 || PACKET_remaining(pkt
) != ticklen
) {
1892 al
= SSL_AD_DECODE_ERROR
;
1893 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET
, SSL_R_LENGTH_MISMATCH
);
1897 /* Server is allowed to change its mind and send an empty ticket. */
1899 return MSG_PROCESS_CONTINUE_READING
;
1901 if (s
->session
->session_id_length
> 0) {
1902 int i
= s
->session_ctx
->session_cache_mode
;
1903 SSL_SESSION
*new_sess
;
1905 * We reused an existing session, so we need to replace it with a new
1908 if (i
& SSL_SESS_CACHE_CLIENT
) {
1910 * Remove the old session from the cache. We carry on if this fails
1912 SSL_CTX_remove_session(s
->session_ctx
, s
->session
);
1915 if ((new_sess
= ssl_session_dup(s
->session
, 0)) == 0) {
1916 al
= SSL_AD_INTERNAL_ERROR
;
1917 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET
, ERR_R_MALLOC_FAILURE
);
1921 SSL_SESSION_free(s
->session
);
1922 s
->session
= new_sess
;
1925 OPENSSL_free(s
->session
->tlsext_tick
);
1926 s
->session
->tlsext_ticklen
= 0;
1928 s
->session
->tlsext_tick
= OPENSSL_malloc(ticklen
);
1929 if (s
->session
->tlsext_tick
== NULL
) {
1930 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET
, ERR_R_MALLOC_FAILURE
);
1933 if (!PACKET_copy_bytes(pkt
, s
->session
->tlsext_tick
, ticklen
)) {
1934 al
= SSL_AD_DECODE_ERROR
;
1935 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET
, SSL_R_LENGTH_MISMATCH
);
1939 s
->session
->tlsext_tick_lifetime_hint
= ticket_lifetime_hint
;
1940 s
->session
->tlsext_ticklen
= ticklen
;
1942 * There are two ways to detect a resumed ticket session. One is to set
1943 * an appropriate session ID and then the server must return a match in
1944 * ServerHello. This allows the normal client session ID matching to work
1945 * and we know much earlier that the ticket has been accepted. The
1946 * other way is to set zero length session ID when the ticket is
1947 * presented and rely on the handshake to determine session resumption.
1948 * We choose the former approach because this fits in with assumptions
1949 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
1950 * SHA256 is disabled) hash of the ticket.
1952 if (!EVP_Digest(s
->session
->tlsext_tick
, ticklen
,
1953 s
->session
->session_id
, &s
->session
->session_id_length
,
1954 EVP_sha256(), NULL
)) {
1955 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET
, ERR_R_EVP_LIB
);
1958 return MSG_PROCESS_CONTINUE_READING
;
1960 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1962 ossl_statem_set_error(s
);
1963 return MSG_PROCESS_ERROR
;
1966 MSG_PROCESS_RETURN
tls_process_cert_status(SSL
*s
, PACKET
*pkt
)
1969 unsigned long resplen
;
1972 if (!PACKET_get_1(pkt
, &type
)
1973 || type
!= TLSEXT_STATUSTYPE_ocsp
) {
1974 al
= SSL_AD_DECODE_ERROR
;
1975 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS
, SSL_R_UNSUPPORTED_STATUS_TYPE
);
1978 if (!PACKET_get_net_3(pkt
, &resplen
)
1979 || PACKET_remaining(pkt
) != resplen
) {
1980 al
= SSL_AD_DECODE_ERROR
;
1981 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS
, SSL_R_LENGTH_MISMATCH
);
1984 s
->tlsext_ocsp_resp
= OPENSSL_malloc(resplen
);
1985 if (s
->tlsext_ocsp_resp
== NULL
) {
1986 al
= SSL_AD_INTERNAL_ERROR
;
1987 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS
, ERR_R_MALLOC_FAILURE
);
1990 if (!PACKET_copy_bytes(pkt
, s
->tlsext_ocsp_resp
, resplen
)) {
1991 al
= SSL_AD_DECODE_ERROR
;
1992 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS
, SSL_R_LENGTH_MISMATCH
);
1995 s
->tlsext_ocsp_resplen
= resplen
;
1996 return MSG_PROCESS_CONTINUE_READING
;
1998 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1999 ossl_statem_set_error(s
);
2000 return MSG_PROCESS_ERROR
;
2003 MSG_PROCESS_RETURN
tls_process_server_done(SSL
*s
, PACKET
*pkt
)
2005 if (PACKET_remaining(pkt
) > 0) {
2006 /* should contain no data */
2007 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
2008 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE
, SSL_R_LENGTH_MISMATCH
);
2009 ossl_statem_set_error(s
);
2010 return MSG_PROCESS_ERROR
;
2012 #ifndef OPENSSL_NO_SRP
2013 if (s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_kSRP
) {
2014 if (SRP_Calc_A_param(s
) <= 0) {
2015 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE
, SSL_R_SRP_A_CALC
);
2016 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2017 ossl_statem_set_error(s
);
2018 return MSG_PROCESS_ERROR
;
2024 * at this point we check that we have the required stuff from
2027 if (!ssl3_check_cert_and_algorithm(s
)) {
2028 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
2029 ossl_statem_set_error(s
);
2030 return MSG_PROCESS_ERROR
;
2034 * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
2035 * |tlsext_ocsp_resplen| values will be set if we actually received a status
2036 * message, or NULL and -1 otherwise
2038 if (s
->tlsext_status_type
!= -1 && s
->ctx
->tlsext_status_cb
!= NULL
) {
2040 ret
= s
->ctx
->tlsext_status_cb(s
, s
->ctx
->tlsext_status_arg
);
2042 ssl3_send_alert(s
, SSL3_AL_FATAL
,
2043 SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
);
2044 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE
,
2045 SSL_R_INVALID_STATUS_RESPONSE
);
2046 return MSG_PROCESS_ERROR
;
2049 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2050 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE
, ERR_R_MALLOC_FAILURE
);
2051 return MSG_PROCESS_ERROR
;
2054 #ifndef OPENSSL_NO_CT
2055 if (s
->ct_validation_callback
!= NULL
) {
2056 /* Note we validate the SCTs whether or not we abort on error */
2057 if (!ssl_validate_ct(s
) && (s
->verify_mode
& SSL_VERIFY_PEER
)) {
2058 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
2059 return MSG_PROCESS_ERROR
;
2064 #ifndef OPENSSL_NO_SCTP
2065 /* Only applies to renegotiation */
2066 if (SSL_IS_DTLS(s
) && BIO_dgram_is_sctp(SSL_get_wbio(s
))
2067 && s
->renegotiate
!= 0)
2068 return MSG_PROCESS_CONTINUE_PROCESSING
;
2071 return MSG_PROCESS_FINISHED_READING
;
2074 static int tls_construct_cke_psk_preamble(SSL
*s
, WPACKET
*pkt
, int *al
)
2076 #ifndef OPENSSL_NO_PSK
2079 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2080 * \0-terminated identity. The last byte is for us for simulating
2083 char identity
[PSK_MAX_IDENTITY_LEN
+ 1];
2084 size_t identitylen
= 0;
2085 unsigned char psk
[PSK_MAX_PSK_LEN
];
2086 unsigned char *tmppsk
= NULL
;
2087 char *tmpidentity
= NULL
;
2090 if (s
->psk_client_callback
== NULL
) {
2091 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, SSL_R_PSK_NO_CLIENT_CB
);
2092 *al
= SSL_AD_INTERNAL_ERROR
;
2096 memset(identity
, 0, sizeof(identity
));
2098 psklen
= s
->psk_client_callback(s
, s
->session
->psk_identity_hint
,
2099 identity
, sizeof(identity
) - 1,
2102 if (psklen
> PSK_MAX_PSK_LEN
) {
2103 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, ERR_R_INTERNAL_ERROR
);
2104 *al
= SSL_AD_HANDSHAKE_FAILURE
;
2106 } else if (psklen
== 0) {
2107 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
,
2108 SSL_R_PSK_IDENTITY_NOT_FOUND
);
2109 *al
= SSL_AD_HANDSHAKE_FAILURE
;
2113 identitylen
= strlen(identity
);
2114 if (identitylen
> PSK_MAX_IDENTITY_LEN
) {
2115 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, ERR_R_INTERNAL_ERROR
);
2116 *al
= SSL_AD_HANDSHAKE_FAILURE
;
2120 tmppsk
= OPENSSL_memdup(psk
, psklen
);
2121 tmpidentity
= OPENSSL_strdup(identity
);
2122 if (tmppsk
== NULL
|| tmpidentity
== NULL
) {
2123 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, ERR_R_MALLOC_FAILURE
);
2124 *al
= SSL_AD_INTERNAL_ERROR
;
2128 OPENSSL_free(s
->s3
->tmp
.psk
);
2129 s
->s3
->tmp
.psk
= tmppsk
;
2130 s
->s3
->tmp
.psklen
= psklen
;
2132 OPENSSL_free(s
->session
->psk_identity
);
2133 s
->session
->psk_identity
= tmpidentity
;
2136 if (!WPACKET_sub_memcpy_u16(pkt
, identity
, identitylen
)) {
2137 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, ERR_R_INTERNAL_ERROR
);
2138 *al
= SSL_AD_INTERNAL_ERROR
;
2145 OPENSSL_cleanse(psk
, psklen
);
2146 OPENSSL_cleanse(identity
, sizeof(identity
));
2147 OPENSSL_clear_free(tmppsk
, psklen
);
2148 OPENSSL_clear_free(tmpidentity
, identitylen
);
2152 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE
, ERR_R_INTERNAL_ERROR
);
2153 *al
= SSL_AD_INTERNAL_ERROR
;
2158 static int tls_construct_cke_rsa(SSL
*s
, WPACKET
*pkt
, int *al
)
2160 #ifndef OPENSSL_NO_RSA
2161 unsigned char *encdata
= NULL
;
2162 EVP_PKEY
*pkey
= NULL
;
2163 EVP_PKEY_CTX
*pctx
= NULL
;
2165 unsigned char *pms
= NULL
;
2168 if (s
->session
->peer
== NULL
) {
2170 * We should always have a server certificate with SSL_kRSA.
2172 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_INTERNAL_ERROR
);
2176 pkey
= X509_get0_pubkey(s
->session
->peer
);
2177 if (EVP_PKEY_get0_RSA(pkey
) == NULL
) {
2178 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_INTERNAL_ERROR
);
2182 pmslen
= SSL_MAX_MASTER_KEY_LENGTH
;
2183 pms
= OPENSSL_malloc(pmslen
);
2185 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_MALLOC_FAILURE
);
2186 *al
= SSL_AD_INTERNAL_ERROR
;
2190 pms
[0] = s
->client_version
>> 8;
2191 pms
[1] = s
->client_version
& 0xff;
2192 if (RAND_bytes(pms
+ 2, pmslen
- 2) <= 0) {
2196 /* Fix buf for TLS and beyond */
2197 if (s
->version
> SSL3_VERSION
&& !WPACKET_start_sub_packet_u16(pkt
)) {
2198 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_INTERNAL_ERROR
);
2201 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
2202 if (pctx
== NULL
|| EVP_PKEY_encrypt_init(pctx
) <= 0
2203 || EVP_PKEY_encrypt(pctx
, NULL
, &enclen
, pms
, pmslen
) <= 0) {
2204 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_EVP_LIB
);
2207 if (!WPACKET_allocate_bytes(pkt
, enclen
, &encdata
)
2208 || EVP_PKEY_encrypt(pctx
, encdata
, &enclen
, pms
, pmslen
) <= 0) {
2209 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, SSL_R_BAD_RSA_ENCRYPT
);
2212 EVP_PKEY_CTX_free(pctx
);
2215 if (s
->options
& SSL_OP_PKCS1_CHECK_1
)
2217 if (s
->options
& SSL_OP_PKCS1_CHECK_2
)
2221 /* Fix buf for TLS and beyond */
2222 if (s
->version
> SSL3_VERSION
&& !WPACKET_close(pkt
)) {
2223 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_INTERNAL_ERROR
);
2227 s
->s3
->tmp
.pms
= pms
;
2228 s
->s3
->tmp
.pmslen
= pmslen
;
2232 OPENSSL_clear_free(pms
, pmslen
);
2233 EVP_PKEY_CTX_free(pctx
);
2237 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA
, ERR_R_INTERNAL_ERROR
);
2238 *al
= SSL_AD_INTERNAL_ERROR
;
2243 static int tls_construct_cke_dhe(SSL
*s
, WPACKET
*pkt
, int *al
)
2245 #ifndef OPENSSL_NO_DH
2247 const BIGNUM
*pub_key
;
2248 EVP_PKEY
*ckey
= NULL
, *skey
= NULL
;
2249 unsigned char *keybytes
= NULL
;
2251 skey
= s
->s3
->peer_tmp
;
2255 ckey
= ssl_generate_pkey(skey
);
2256 dh_clnt
= EVP_PKEY_get0_DH(ckey
);
2258 if (dh_clnt
== NULL
|| ssl_derive(s
, ckey
, skey
) == 0)
2261 /* send off the data */
2262 DH_get0_key(dh_clnt
, &pub_key
, NULL
);
2263 if (!WPACKET_sub_allocate_bytes_u16(pkt
, BN_num_bytes(pub_key
), &keybytes
))
2266 BN_bn2bin(pub_key
, keybytes
);
2267 EVP_PKEY_free(ckey
);
2271 EVP_PKEY_free(ckey
);
2273 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE
, ERR_R_INTERNAL_ERROR
);
2274 *al
= SSL_AD_INTERNAL_ERROR
;
2278 static int tls_construct_cke_ecdhe(SSL
*s
, WPACKET
*pkt
, int *al
)
2280 #ifndef OPENSSL_NO_EC
2281 unsigned char *encodedPoint
= NULL
;
2282 int encoded_pt_len
= 0;
2283 EVP_PKEY
*ckey
= NULL
, *skey
= NULL
;
2286 skey
= s
->s3
->peer_tmp
;
2288 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE
, ERR_R_INTERNAL_ERROR
);
2292 ckey
= ssl_generate_pkey(skey
);
2294 if (ssl_derive(s
, ckey
, skey
) == 0) {
2295 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE
, ERR_R_EVP_LIB
);
2299 /* Generate encoding of client key */
2300 encoded_pt_len
= EVP_PKEY_get1_tls_encodedpoint(ckey
, &encodedPoint
);
2302 if (encoded_pt_len
== 0) {
2303 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE
, ERR_R_EC_LIB
);
2307 if (!WPACKET_sub_memcpy_u8(pkt
, encodedPoint
, encoded_pt_len
)) {
2308 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE
, ERR_R_INTERNAL_ERROR
);
2314 OPENSSL_free(encodedPoint
);
2315 EVP_PKEY_free(ckey
);
2318 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE
, ERR_R_INTERNAL_ERROR
);
2319 *al
= SSL_AD_INTERNAL_ERROR
;
2324 static int tls_construct_cke_gost(SSL
*s
, WPACKET
*pkt
, int *al
)
2326 #ifndef OPENSSL_NO_GOST
2327 /* GOST key exchange message creation */
2328 EVP_PKEY_CTX
*pkey_ctx
= NULL
;
2331 unsigned int md_len
;
2332 unsigned char shared_ukm
[32], tmp
[256];
2333 EVP_MD_CTX
*ukm_hash
= NULL
;
2334 int dgst_nid
= NID_id_GostR3411_94
;
2335 unsigned char *pms
= NULL
;
2338 if ((s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aGOST12
) != 0)
2339 dgst_nid
= NID_id_GostR3411_2012_256
;
2342 * Get server sertificate PKEY and create ctx from it
2344 peer_cert
= s
->session
->peer
;
2346 *al
= SSL_AD_HANDSHAKE_FAILURE
;
2347 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
,
2348 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER
);
2352 pkey_ctx
= EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert
), NULL
);
2353 if (pkey_ctx
== NULL
) {
2354 *al
= SSL_AD_INTERNAL_ERROR
;
2355 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_MALLOC_FAILURE
);
2359 * If we have send a certificate, and certificate key
2360 * parameters match those of server certificate, use
2361 * certificate key for key exchange
2364 /* Otherwise, generate ephemeral key pair */
2366 pms
= OPENSSL_malloc(pmslen
);
2368 *al
= SSL_AD_INTERNAL_ERROR
;
2369 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_MALLOC_FAILURE
);
2373 if (EVP_PKEY_encrypt_init(pkey_ctx
) <= 0
2374 /* Generate session key */
2375 || RAND_bytes(pms
, pmslen
) <= 0) {
2376 *al
= SSL_AD_INTERNAL_ERROR
;
2377 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_INTERNAL_ERROR
);
2381 * If we have client certificate, use its secret as peer key
2383 if (s
->s3
->tmp
.cert_req
&& s
->cert
->key
->privatekey
) {
2384 if (EVP_PKEY_derive_set_peer(pkey_ctx
, s
->cert
->key
->privatekey
) <= 0) {
2386 * If there was an error - just ignore it. Ephemeral key
2393 * Compute shared IV and store it in algorithm-specific context
2396 ukm_hash
= EVP_MD_CTX_new();
2397 if (ukm_hash
== NULL
2398 || EVP_DigestInit(ukm_hash
, EVP_get_digestbynid(dgst_nid
)) <= 0
2399 || EVP_DigestUpdate(ukm_hash
, s
->s3
->client_random
,
2400 SSL3_RANDOM_SIZE
) <= 0
2401 || EVP_DigestUpdate(ukm_hash
, s
->s3
->server_random
,
2402 SSL3_RANDOM_SIZE
) <= 0
2403 || EVP_DigestFinal_ex(ukm_hash
, shared_ukm
, &md_len
) <= 0) {
2404 *al
= SSL_AD_INTERNAL_ERROR
;
2405 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_INTERNAL_ERROR
);
2408 EVP_MD_CTX_free(ukm_hash
);
2410 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, EVP_PKEY_OP_ENCRYPT
,
2411 EVP_PKEY_CTRL_SET_IV
, 8, shared_ukm
) < 0) {
2412 *al
= SSL_AD_INTERNAL_ERROR
;
2413 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, SSL_R_LIBRARY_BUG
);
2416 /* Make GOST keytransport blob message */
2418 * Encapsulate it into sequence
2421 if (EVP_PKEY_encrypt(pkey_ctx
, tmp
, &msglen
, pms
, pmslen
) <= 0) {
2422 *al
= SSL_AD_INTERNAL_ERROR
;
2423 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, SSL_R_LIBRARY_BUG
);
2427 if (!WPACKET_put_bytes(pkt
, V_ASN1_SEQUENCE
| V_ASN1_CONSTRUCTED
, 1)
2428 || (msglen
>= 0x80 && !WPACKET_put_bytes(pkt
, 0x81, 1))
2429 || !WPACKET_sub_memcpy_u8(pkt
, tmp
, msglen
)) {
2430 *al
= SSL_AD_INTERNAL_ERROR
;
2431 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_INTERNAL_ERROR
);
2435 /* Check if pubkey from client certificate was used */
2436 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, -1, EVP_PKEY_CTRL_PEER_KEY
, 2,
2438 /* Set flag "skip certificate verify" */
2439 s
->s3
->flags
|= TLS1_FLAGS_SKIP_CERT_VERIFY
;
2441 EVP_PKEY_CTX_free(pkey_ctx
);
2442 s
->s3
->tmp
.pms
= pms
;
2443 s
->s3
->tmp
.pmslen
= pmslen
;
2447 EVP_PKEY_CTX_free(pkey_ctx
);
2448 OPENSSL_clear_free(pms
, pmslen
);
2449 EVP_MD_CTX_free(ukm_hash
);
2452 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST
, ERR_R_INTERNAL_ERROR
);
2453 *al
= SSL_AD_INTERNAL_ERROR
;
2458 static int tls_construct_cke_srp(SSL
*s
, WPACKET
*pkt
, int *al
)
2460 #ifndef OPENSSL_NO_SRP
2461 unsigned char *abytes
= NULL
;
2463 if (s
->srp_ctx
.A
== NULL
2464 || !WPACKET_sub_allocate_bytes_u16(pkt
, BN_num_bytes(s
->srp_ctx
.A
),
2466 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP
, ERR_R_INTERNAL_ERROR
);
2469 BN_bn2bin(s
->srp_ctx
.A
, abytes
);
2471 OPENSSL_free(s
->session
->srp_username
);
2472 s
->session
->srp_username
= OPENSSL_strdup(s
->srp_ctx
.login
);
2473 if (s
->session
->srp_username
== NULL
) {
2474 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP
, ERR_R_MALLOC_FAILURE
);
2480 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP
, ERR_R_INTERNAL_ERROR
);
2481 *al
= SSL_AD_INTERNAL_ERROR
;
2486 int tls_construct_client_key_exchange(SSL
*s
)
2488 unsigned long alg_k
;
2492 if (!WPACKET_init(&pkt
, s
->init_buf
)) {
2493 /* Should not happen */
2494 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
2498 if (!ssl_set_handshake_header2(s
, &pkt
, SSL3_MT_CLIENT_KEY_EXCHANGE
)) {
2499 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
2500 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
2504 alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
2506 if ((alg_k
& SSL_PSK
)
2507 && !tls_construct_cke_psk_preamble(s
, &pkt
, &al
))
2510 if (alg_k
& (SSL_kRSA
| SSL_kRSAPSK
)) {
2511 if (!tls_construct_cke_rsa(s
, &pkt
, &al
))
2513 } else if (alg_k
& (SSL_kDHE
| SSL_kDHEPSK
)) {
2514 if (!tls_construct_cke_dhe(s
, &pkt
, &al
))
2516 } else if (alg_k
& (SSL_kECDHE
| SSL_kECDHEPSK
)) {
2517 if (!tls_construct_cke_ecdhe(s
, &pkt
, &al
))
2519 } else if (alg_k
& SSL_kGOST
) {
2520 if (!tls_construct_cke_gost(s
, &pkt
, &al
))
2522 } else if (alg_k
& SSL_kSRP
) {
2523 if (!tls_construct_cke_srp(s
, &pkt
, &al
))
2526 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
2527 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
2531 if (!ssl_close_construct_packet(s
, &pkt
)) {
2532 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
2533 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
2540 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2541 OPENSSL_clear_free(s
->s3
->tmp
.pms
, s
->s3
->tmp
.pmslen
);
2542 s
->s3
->tmp
.pms
= NULL
;
2543 #ifndef OPENSSL_NO_PSK
2544 OPENSSL_clear_free(s
->s3
->tmp
.psk
, s
->s3
->tmp
.psklen
);
2545 s
->s3
->tmp
.psk
= NULL
;
2547 WPACKET_cleanup(&pkt
);
2548 ossl_statem_set_error(s
);
2552 int tls_client_key_exchange_post_work(SSL
*s
)
2554 unsigned char *pms
= NULL
;
2557 pms
= s
->s3
->tmp
.pms
;
2558 pmslen
= s
->s3
->tmp
.pmslen
;
2560 #ifndef OPENSSL_NO_SRP
2562 if (s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_kSRP
) {
2563 if (!srp_generate_client_master_secret(s
)) {
2564 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK
,
2565 ERR_R_INTERNAL_ERROR
);
2572 if (pms
== NULL
&& !(s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_kPSK
)) {
2573 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2574 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK
, ERR_R_MALLOC_FAILURE
);
2577 if (!ssl_generate_master_secret(s
, pms
, pmslen
, 1)) {
2578 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2579 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK
, ERR_R_INTERNAL_ERROR
);
2580 /* ssl_generate_master_secret frees the pms even on error */
2588 #ifndef OPENSSL_NO_SCTP
2589 if (SSL_IS_DTLS(s
)) {
2590 unsigned char sctpauthkey
[64];
2591 char labelbuffer
[sizeof(DTLS1_SCTP_AUTH_LABEL
)];
2594 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
2597 memcpy(labelbuffer
, DTLS1_SCTP_AUTH_LABEL
,
2598 sizeof(DTLS1_SCTP_AUTH_LABEL
));
2600 if (SSL_export_keying_material(s
, sctpauthkey
,
2601 sizeof(sctpauthkey
), labelbuffer
,
2602 sizeof(labelbuffer
), NULL
, 0, 0) <= 0)
2605 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY
,
2606 sizeof(sctpauthkey
), sctpauthkey
);
2612 OPENSSL_clear_free(pms
, pmslen
);
2613 s
->s3
->tmp
.pms
= NULL
;
2617 int tls_construct_client_verify(SSL
*s
)
2620 const EVP_MD
*md
= s
->s3
->tmp
.md
[s
->cert
->key
- s
->cert
->pkeys
];
2625 unsigned char *sig
= NULL
;
2629 if (!WPACKET_init(&pkt
, s
->init_buf
)) {
2630 /* Should not happen */
2631 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2635 if (!ssl_set_handshake_header2(s
, &pkt
, SSL3_MT_CERTIFICATE_VERIFY
)) {
2636 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2640 mctx
= EVP_MD_CTX_new();
2642 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_MALLOC_FAILURE
);
2645 pkey
= s
->cert
->key
->privatekey
;
2647 hdatalen
= BIO_get_mem_data(s
->s3
->handshake_buffer
, &hdata
);
2648 if (hdatalen
<= 0) {
2649 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2652 if (SSL_USE_SIGALGS(s
)&& !tls12_get_sigandhash(&pkt
, pkey
, md
)) {
2653 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2657 fprintf(stderr
, "Using client alg %s\n", EVP_MD_name(md
));
2659 sig
= OPENSSL_malloc(EVP_PKEY_size(pkey
));
2661 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_MALLOC_FAILURE
);
2664 if (!EVP_SignInit_ex(mctx
, md
, NULL
)
2665 || !EVP_SignUpdate(mctx
, hdata
, hdatalen
)
2666 || (s
->version
== SSL3_VERSION
2667 && !EVP_MD_CTX_ctrl(mctx
, EVP_CTRL_SSL3_MASTER_SECRET
,
2668 s
->session
->master_key_length
,
2669 s
->session
->master_key
))
2670 || !EVP_SignFinal(mctx
, sig
, &u
, pkey
)) {
2671 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_EVP_LIB
);
2674 #ifndef OPENSSL_NO_GOST
2676 int pktype
= EVP_PKEY_id(pkey
);
2677 if (pktype
== NID_id_GostR3410_2001
2678 || pktype
== NID_id_GostR3410_2012_256
2679 || pktype
== NID_id_GostR3410_2012_512
)
2680 BUF_reverse(sig
, NULL
, u
);
2684 if (!WPACKET_sub_memcpy_u16(&pkt
, sig
, u
)) {
2685 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2689 /* Digest cached records and discard handshake buffer */
2690 if (!ssl3_digest_cached_records(s
, 0))
2693 if (!ssl_close_construct_packet(s
, &pkt
)) {
2694 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY
, ERR_R_INTERNAL_ERROR
);
2699 EVP_MD_CTX_free(mctx
);
2702 WPACKET_cleanup(&pkt
);
2704 EVP_MD_CTX_free(mctx
);
2705 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2710 * Check a certificate can be used for client authentication. Currently check
2711 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
2712 * certificates can be used and optionally checks suitability for Suite B.
2714 static int ssl3_check_client_certificate(SSL
*s
)
2716 if (!s
->cert
|| !s
->cert
->key
->x509
|| !s
->cert
->key
->privatekey
)
2718 /* If no suitable signature algorithm can't use certificate */
2719 if (SSL_USE_SIGALGS(s
) && !s
->s3
->tmp
.md
[s
->cert
->key
- s
->cert
->pkeys
])
2722 * If strict mode check suitability of chain before using it. This also
2723 * adjusts suite B digest if necessary.
2725 if (s
->cert
->cert_flags
& SSL_CERT_FLAGS_CHECK_TLS_STRICT
&&
2726 !tls1_check_chain(s
, NULL
, NULL
, NULL
, -2))
2731 WORK_STATE
tls_prepare_client_certificate(SSL
*s
, WORK_STATE wst
)
2734 EVP_PKEY
*pkey
= NULL
;
2737 if (wst
== WORK_MORE_A
) {
2738 /* Let cert callback update client certificates if required */
2739 if (s
->cert
->cert_cb
) {
2740 i
= s
->cert
->cert_cb(s
, s
->cert
->cert_cb_arg
);
2742 s
->rwstate
= SSL_X509_LOOKUP
;
2746 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2747 ossl_statem_set_error(s
);
2750 s
->rwstate
= SSL_NOTHING
;
2752 if (ssl3_check_client_certificate(s
))
2753 return WORK_FINISHED_CONTINUE
;
2755 /* Fall through to WORK_MORE_B */
2759 /* We need to get a client cert */
2760 if (wst
== WORK_MORE_B
) {
2762 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
2763 * return(-1); We then get retied later
2765 i
= ssl_do_client_cert_cb(s
, &x509
, &pkey
);
2767 s
->rwstate
= SSL_X509_LOOKUP
;
2770 s
->rwstate
= SSL_NOTHING
;
2771 if ((i
== 1) && (pkey
!= NULL
) && (x509
!= NULL
)) {
2772 if (!SSL_use_certificate(s
, x509
) || !SSL_use_PrivateKey(s
, pkey
))
2774 } else if (i
== 1) {
2776 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE
,
2777 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK
);
2781 EVP_PKEY_free(pkey
);
2782 if (i
&& !ssl3_check_client_certificate(s
))
2785 if (s
->version
== SSL3_VERSION
) {
2786 s
->s3
->tmp
.cert_req
= 0;
2787 ssl3_send_alert(s
, SSL3_AL_WARNING
, SSL_AD_NO_CERTIFICATE
);
2788 return WORK_FINISHED_CONTINUE
;
2790 s
->s3
->tmp
.cert_req
= 2;
2791 if (!ssl3_digest_cached_records(s
, 0)) {
2792 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2793 ossl_statem_set_error(s
);
2799 return WORK_FINISHED_CONTINUE
;
2802 /* Shouldn't ever get here */
2806 int tls_construct_client_certificate(SSL
*s
)
2808 if (!ssl3_output_cert_chain(s
,
2809 (s
->s3
->tmp
.cert_req
==
2810 2) ? NULL
: s
->cert
->key
)) {
2811 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE
, ERR_R_INTERNAL_ERROR
);
2812 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
2813 ossl_statem_set_error(s
);
2820 #define has_bits(i,m) (((i)&(m)) == (m))
2822 int ssl3_check_cert_and_algorithm(SSL
*s
)
2825 #ifndef OPENSSL_NO_EC
2829 EVP_PKEY
*pkey
= NULL
;
2830 int al
= SSL_AD_HANDSHAKE_FAILURE
;
2832 alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
2833 alg_a
= s
->s3
->tmp
.new_cipher
->algorithm_auth
;
2835 /* we don't have a certificate */
2836 if ((alg_a
& SSL_aNULL
) || (alg_k
& SSL_kPSK
))
2839 /* This is the passed certificate */
2841 #ifndef OPENSSL_NO_EC
2842 idx
= s
->session
->peer_type
;
2843 if (idx
== SSL_PKEY_ECC
) {
2844 if (ssl_check_srvr_ecc_cert_and_alg(s
->session
->peer
, s
) == 0) {
2846 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
, SSL_R_BAD_ECC_CERT
);
2851 } else if (alg_a
& SSL_aECDSA
) {
2852 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,
2853 SSL_R_MISSING_ECDSA_SIGNING_CERT
);
2857 pkey
= X509_get0_pubkey(s
->session
->peer
);
2858 i
= X509_certificate_type(s
->session
->peer
, pkey
);
2860 /* Check that we have a certificate if we require one */
2861 if ((alg_a
& SSL_aRSA
) && !has_bits(i
, EVP_PK_RSA
| EVP_PKT_SIGN
)) {
2862 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,
2863 SSL_R_MISSING_RSA_SIGNING_CERT
);
2866 #ifndef OPENSSL_NO_DSA
2867 else if ((alg_a
& SSL_aDSS
) && !has_bits(i
, EVP_PK_DSA
| EVP_PKT_SIGN
)) {
2868 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,
2869 SSL_R_MISSING_DSA_SIGNING_CERT
);
2873 #ifndef OPENSSL_NO_RSA
2874 if (alg_k
& (SSL_kRSA
| SSL_kRSAPSK
) &&
2875 !has_bits(i
, EVP_PK_RSA
| EVP_PKT_ENC
)) {
2876 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,
2877 SSL_R_MISSING_RSA_ENCRYPTING_CERT
);
2881 #ifndef OPENSSL_NO_DH
2882 if ((alg_k
& SSL_kDHE
) && (s
->s3
->peer_tmp
== NULL
)) {
2883 al
= SSL_AD_INTERNAL_ERROR
;
2884 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
, ERR_R_INTERNAL_ERROR
);
2891 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2895 #ifndef OPENSSL_NO_NEXTPROTONEG
2896 int tls_construct_next_proto(SSL
*s
)
2898 unsigned int len
, padding_len
;
2901 len
= s
->next_proto_negotiated_len
;
2902 padding_len
= 32 - ((len
+ 2) % 32);
2903 d
= (unsigned char *)s
->init_buf
->data
;
2905 memcpy(d
+ 5, s
->next_proto_negotiated
, len
);
2906 d
[5 + len
] = padding_len
;
2907 memset(d
+ 6 + len
, 0, padding_len
);
2908 *(d
++) = SSL3_MT_NEXT_PROTO
;
2909 l2n3(2 + len
+ padding_len
, d
);
2910 s
->init_num
= 4 + 2 + len
+ padding_len
;
2917 int ssl_do_client_cert_cb(SSL
*s
, X509
**px509
, EVP_PKEY
**ppkey
)
2920 #ifndef OPENSSL_NO_ENGINE
2921 if (s
->ctx
->client_cert_engine
) {
2922 i
= ENGINE_load_ssl_client_cert(s
->ctx
->client_cert_engine
, s
,
2923 SSL_get_client_CA_list(s
),
2924 px509
, ppkey
, NULL
, NULL
, NULL
);
2929 if (s
->ctx
->client_cert_cb
)
2930 i
= s
->ctx
->client_cert_cb(s
, px509
, ppkey
);
2934 int ssl_cipher_list_to_bytes(SSL
*s
, STACK_OF(SSL_CIPHER
) *sk
, WPACKET
*pkt
)
2937 size_t totlen
= 0, len
, maxlen
;
2938 int empty_reneg_info_scsv
= !s
->renegotiate
;
2939 /* Set disabled masks for this session */
2940 ssl_set_client_disabled(s
);
2945 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
2946 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
2947 # error Max cipher length too short
2950 * Some servers hang if client hello > 256 bytes as hack workaround
2951 * chop number of supported ciphers to keep it well below this if we
2954 if (TLS1_get_version(s
) >= TLS1_2_VERSION
)
2955 maxlen
= OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
& ~1;
2958 /* Maximum length that can be stored in 2 bytes. Length must be even */
2961 if (empty_reneg_info_scsv
)
2963 if (s
->mode
& SSL_MODE_SEND_FALLBACK_SCSV
)
2966 for (i
= 0; i
< sk_SSL_CIPHER_num(sk
) && totlen
< maxlen
; i
++) {
2967 const SSL_CIPHER
*c
;
2969 c
= sk_SSL_CIPHER_value(sk
, i
);
2970 /* Skip disabled ciphers */
2971 if (ssl_cipher_disabled(s
, c
, SSL_SECOP_CIPHER_SUPPORTED
))
2974 if (!s
->method
->put_cipher_by_char(c
, pkt
, &len
)) {
2975 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES
, ERR_R_INTERNAL_ERROR
);
2983 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES
, SSL_R_NO_CIPHERS_AVAILABLE
);
2988 if (empty_reneg_info_scsv
) {
2989 static SSL_CIPHER scsv
= {
2990 0, NULL
, SSL3_CK_SCSV
, 0, 0, 0, 0, 0, 0, 0, 0, 0
2992 if (!s
->method
->put_cipher_by_char(&scsv
, pkt
, &len
)) {
2993 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES
, ERR_R_INTERNAL_ERROR
);
2997 if (s
->mode
& SSL_MODE_SEND_FALLBACK_SCSV
) {
2998 static SSL_CIPHER scsv
= {
2999 0, NULL
, SSL3_CK_FALLBACK_SCSV
, 0, 0, 0, 0, 0, 0, 0, 0, 0
3001 if (!s
->method
->put_cipher_by_char(&scsv
, pkt
, &len
)) {
3002 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES
, ERR_R_INTERNAL_ERROR
);