]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Collapse ssl3_state_st (s3) into ssl_st
[thirdparty/openssl.git] / ssl / statem / statem_srvr.c
1 /*
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <stdio.h>
13 #include "../ssl_locl.h"
14 #include "statem_locl.h"
15 #include "internal/constant_time_locl.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/rand.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/hmac.h>
22 #include <openssl/x509.h>
23 #include <openssl/dh.h>
24 #include <openssl/bn.h>
25 #include <openssl/md5.h>
26 #include <openssl/trace.h>
27
28 #define TICKET_NONCE_SIZE 8
29
30 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
31
32 /*
33 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
34 * handshake state transitions when a TLSv1.3 server is reading messages from
35 * the client. The message type that the client has sent is provided in |mt|.
36 * The current state is in |s->statem.hand_state|.
37 *
38 * Return values are 1 for success (transition allowed) and 0 on error
39 * (transition not allowed)
40 */
41 static int ossl_statem_server13_read_transition(SSL *s, int mt)
42 {
43 OSSL_STATEM *st = &s->statem;
44
45 /*
46 * Note: There is no case for TLS_ST_BEFORE because at that stage we have
47 * not negotiated TLSv1.3 yet, so that case is handled by
48 * ossl_statem_server_read_transition()
49 */
50 switch (st->hand_state) {
51 default:
52 break;
53
54 case TLS_ST_EARLY_DATA:
55 if (s->hello_retry_request == SSL_HRR_PENDING) {
56 if (mt == SSL3_MT_CLIENT_HELLO) {
57 st->hand_state = TLS_ST_SR_CLNT_HELLO;
58 return 1;
59 }
60 break;
61 } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
62 if (mt == SSL3_MT_END_OF_EARLY_DATA) {
63 st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
64 return 1;
65 }
66 break;
67 }
68 /* Fall through */
69
70 case TLS_ST_SR_END_OF_EARLY_DATA:
71 case TLS_ST_SW_FINISHED:
72 if (s->s3.tmp.cert_request) {
73 if (mt == SSL3_MT_CERTIFICATE) {
74 st->hand_state = TLS_ST_SR_CERT;
75 return 1;
76 }
77 } else {
78 if (mt == SSL3_MT_FINISHED) {
79 st->hand_state = TLS_ST_SR_FINISHED;
80 return 1;
81 }
82 }
83 break;
84
85 case TLS_ST_SR_CERT:
86 if (s->session->peer == NULL) {
87 if (mt == SSL3_MT_FINISHED) {
88 st->hand_state = TLS_ST_SR_FINISHED;
89 return 1;
90 }
91 } else {
92 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
93 st->hand_state = TLS_ST_SR_CERT_VRFY;
94 return 1;
95 }
96 }
97 break;
98
99 case TLS_ST_SR_CERT_VRFY:
100 if (mt == SSL3_MT_FINISHED) {
101 st->hand_state = TLS_ST_SR_FINISHED;
102 return 1;
103 }
104 break;
105
106 case TLS_ST_OK:
107 /*
108 * Its never ok to start processing handshake messages in the middle of
109 * early data (i.e. before we've received the end of early data alert)
110 */
111 if (s->early_data_state == SSL_EARLY_DATA_READING)
112 break;
113
114 if (mt == SSL3_MT_CERTIFICATE
115 && s->post_handshake_auth == SSL_PHA_REQUESTED) {
116 st->hand_state = TLS_ST_SR_CERT;
117 return 1;
118 }
119
120 if (mt == SSL3_MT_KEY_UPDATE) {
121 st->hand_state = TLS_ST_SR_KEY_UPDATE;
122 return 1;
123 }
124 break;
125 }
126
127 /* No valid transition found */
128 return 0;
129 }
130
131 /*
132 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
133 * handshake state transitions when the server is reading messages from the
134 * client. The message type that the client has sent is provided in |mt|. The
135 * current state is in |s->statem.hand_state|.
136 *
137 * Return values are 1 for success (transition allowed) and 0 on error
138 * (transition not allowed)
139 */
140 int ossl_statem_server_read_transition(SSL *s, int mt)
141 {
142 OSSL_STATEM *st = &s->statem;
143
144 if (SSL_IS_TLS13(s)) {
145 if (!ossl_statem_server13_read_transition(s, mt))
146 goto err;
147 return 1;
148 }
149
150 switch (st->hand_state) {
151 default:
152 break;
153
154 case TLS_ST_BEFORE:
155 case TLS_ST_OK:
156 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
157 if (mt == SSL3_MT_CLIENT_HELLO) {
158 st->hand_state = TLS_ST_SR_CLNT_HELLO;
159 return 1;
160 }
161 break;
162
163 case TLS_ST_SW_SRVR_DONE:
164 /*
165 * If we get a CKE message after a ServerDone then either
166 * 1) We didn't request a Certificate
167 * OR
168 * 2) If we did request one then
169 * a) We allow no Certificate to be returned
170 * AND
171 * b) We are running SSL3 (in TLS1.0+ the client must return a 0
172 * list if we requested a certificate)
173 */
174 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
175 if (s->s3.tmp.cert_request) {
176 if (s->version == SSL3_VERSION) {
177 if ((s->verify_mode & SSL_VERIFY_PEER)
178 && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
179 /*
180 * This isn't an unexpected message as such - we're just
181 * not going to accept it because we require a client
182 * cert.
183 */
184 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
185 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
186 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
187 return 0;
188 }
189 st->hand_state = TLS_ST_SR_KEY_EXCH;
190 return 1;
191 }
192 } else {
193 st->hand_state = TLS_ST_SR_KEY_EXCH;
194 return 1;
195 }
196 } else if (s->s3.tmp.cert_request) {
197 if (mt == SSL3_MT_CERTIFICATE) {
198 st->hand_state = TLS_ST_SR_CERT;
199 return 1;
200 }
201 }
202 break;
203
204 case TLS_ST_SR_CERT:
205 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
206 st->hand_state = TLS_ST_SR_KEY_EXCH;
207 return 1;
208 }
209 break;
210
211 case TLS_ST_SR_KEY_EXCH:
212 /*
213 * We should only process a CertificateVerify message if we have
214 * received a Certificate from the client. If so then |s->session->peer|
215 * will be non NULL. In some instances a CertificateVerify message is
216 * not required even if the peer has sent a Certificate (e.g. such as in
217 * the case of static DH). In that case |st->no_cert_verify| should be
218 * set.
219 */
220 if (s->session->peer == NULL || st->no_cert_verify) {
221 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
222 /*
223 * For the ECDH ciphersuites when the client sends its ECDH
224 * pub key in a certificate, the CertificateVerify message is
225 * not sent. Also for GOST ciphersuites when the client uses
226 * its key from the certificate for key exchange.
227 */
228 st->hand_state = TLS_ST_SR_CHANGE;
229 return 1;
230 }
231 } else {
232 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
233 st->hand_state = TLS_ST_SR_CERT_VRFY;
234 return 1;
235 }
236 }
237 break;
238
239 case TLS_ST_SR_CERT_VRFY:
240 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
241 st->hand_state = TLS_ST_SR_CHANGE;
242 return 1;
243 }
244 break;
245
246 case TLS_ST_SR_CHANGE:
247 #ifndef OPENSSL_NO_NEXTPROTONEG
248 if (s->s3.npn_seen) {
249 if (mt == SSL3_MT_NEXT_PROTO) {
250 st->hand_state = TLS_ST_SR_NEXT_PROTO;
251 return 1;
252 }
253 } else {
254 #endif
255 if (mt == SSL3_MT_FINISHED) {
256 st->hand_state = TLS_ST_SR_FINISHED;
257 return 1;
258 }
259 #ifndef OPENSSL_NO_NEXTPROTONEG
260 }
261 #endif
262 break;
263
264 #ifndef OPENSSL_NO_NEXTPROTONEG
265 case TLS_ST_SR_NEXT_PROTO:
266 if (mt == SSL3_MT_FINISHED) {
267 st->hand_state = TLS_ST_SR_FINISHED;
268 return 1;
269 }
270 break;
271 #endif
272
273 case TLS_ST_SW_FINISHED:
274 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
275 st->hand_state = TLS_ST_SR_CHANGE;
276 return 1;
277 }
278 break;
279 }
280
281 err:
282 /* No valid transition found */
283 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
284 BIO *rbio;
285
286 /*
287 * CCS messages don't have a message sequence number so this is probably
288 * because of an out-of-order CCS. We'll just drop it.
289 */
290 s->init_num = 0;
291 s->rwstate = SSL_READING;
292 rbio = SSL_get_rbio(s);
293 BIO_clear_retry_flags(rbio);
294 BIO_set_retry_read(rbio);
295 return 0;
296 }
297 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
298 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
299 SSL_R_UNEXPECTED_MESSAGE);
300 return 0;
301 }
302
303 /*
304 * Should we send a ServerKeyExchange message?
305 *
306 * Valid return values are:
307 * 1: Yes
308 * 0: No
309 */
310 static int send_server_key_exchange(SSL *s)
311 {
312 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
313
314 /*
315 * only send a ServerKeyExchange if DH or fortezza but we have a
316 * sign only certificate PSK: may send PSK identity hints For
317 * ECC ciphersuites, we send a serverKeyExchange message only if
318 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
319 * the server certificate contains the server's public key for
320 * key exchange.
321 */
322 if (alg_k & (SSL_kDHE | SSL_kECDHE)
323 /*
324 * PSK: send ServerKeyExchange if PSK identity hint if
325 * provided
326 */
327 #ifndef OPENSSL_NO_PSK
328 /* Only send SKE if we have identity hint for plain PSK */
329 || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
330 && s->cert->psk_identity_hint)
331 /* For other PSK always send SKE */
332 || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
333 #endif
334 #ifndef OPENSSL_NO_SRP
335 /* SRP: send ServerKeyExchange */
336 || (alg_k & SSL_kSRP)
337 #endif
338 ) {
339 return 1;
340 }
341
342 return 0;
343 }
344
345 /*
346 * Should we send a CertificateRequest message?
347 *
348 * Valid return values are:
349 * 1: Yes
350 * 0: No
351 */
352 int send_certificate_request(SSL *s)
353 {
354 if (
355 /* don't request cert unless asked for it: */
356 s->verify_mode & SSL_VERIFY_PEER
357 /*
358 * don't request if post-handshake-only unless doing
359 * post-handshake in TLSv1.3:
360 */
361 && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
362 || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
363 /*
364 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
365 * a second time:
366 */
367 && (s->certreqs_sent < 1 ||
368 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
369 /*
370 * never request cert in anonymous ciphersuites (see
371 * section "Certificate request" in SSL 3 drafts and in
372 * RFC 2246):
373 */
374 && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
375 /*
376 * ... except when the application insists on
377 * verification (against the specs, but statem_clnt.c accepts
378 * this for SSL 3)
379 */
380 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
381 /* don't request certificate for SRP auth */
382 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
383 /*
384 * With normal PSK Certificates and Certificate Requests
385 * are omitted
386 */
387 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
388 return 1;
389 }
390
391 return 0;
392 }
393
394 /*
395 * ossl_statem_server13_write_transition() works out what handshake state to
396 * move to next when a TLSv1.3 server is writing messages to be sent to the
397 * client.
398 */
399 static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
400 {
401 OSSL_STATEM *st = &s->statem;
402
403 /*
404 * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
405 * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
406 */
407
408 switch (st->hand_state) {
409 default:
410 /* Shouldn't happen */
411 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
412 SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
413 ERR_R_INTERNAL_ERROR);
414 return WRITE_TRAN_ERROR;
415
416 case TLS_ST_OK:
417 if (s->key_update != SSL_KEY_UPDATE_NONE) {
418 st->hand_state = TLS_ST_SW_KEY_UPDATE;
419 return WRITE_TRAN_CONTINUE;
420 }
421 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
422 st->hand_state = TLS_ST_SW_CERT_REQ;
423 return WRITE_TRAN_CONTINUE;
424 }
425 /* Try to read from the client instead */
426 return WRITE_TRAN_FINISHED;
427
428 case TLS_ST_SR_CLNT_HELLO:
429 st->hand_state = TLS_ST_SW_SRVR_HELLO;
430 return WRITE_TRAN_CONTINUE;
431
432 case TLS_ST_SW_SRVR_HELLO:
433 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
434 && s->hello_retry_request != SSL_HRR_COMPLETE)
435 st->hand_state = TLS_ST_SW_CHANGE;
436 else if (s->hello_retry_request == SSL_HRR_PENDING)
437 st->hand_state = TLS_ST_EARLY_DATA;
438 else
439 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
440 return WRITE_TRAN_CONTINUE;
441
442 case TLS_ST_SW_CHANGE:
443 if (s->hello_retry_request == SSL_HRR_PENDING)
444 st->hand_state = TLS_ST_EARLY_DATA;
445 else
446 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
447 return WRITE_TRAN_CONTINUE;
448
449 case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
450 if (s->hit)
451 st->hand_state = TLS_ST_SW_FINISHED;
452 else if (send_certificate_request(s))
453 st->hand_state = TLS_ST_SW_CERT_REQ;
454 else
455 st->hand_state = TLS_ST_SW_CERT;
456
457 return WRITE_TRAN_CONTINUE;
458
459 case TLS_ST_SW_CERT_REQ:
460 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
461 s->post_handshake_auth = SSL_PHA_REQUESTED;
462 st->hand_state = TLS_ST_OK;
463 } else {
464 st->hand_state = TLS_ST_SW_CERT;
465 }
466 return WRITE_TRAN_CONTINUE;
467
468 case TLS_ST_SW_CERT:
469 st->hand_state = TLS_ST_SW_CERT_VRFY;
470 return WRITE_TRAN_CONTINUE;
471
472 case TLS_ST_SW_CERT_VRFY:
473 st->hand_state = TLS_ST_SW_FINISHED;
474 return WRITE_TRAN_CONTINUE;
475
476 case TLS_ST_SW_FINISHED:
477 st->hand_state = TLS_ST_EARLY_DATA;
478 return WRITE_TRAN_CONTINUE;
479
480 case TLS_ST_EARLY_DATA:
481 return WRITE_TRAN_FINISHED;
482
483 case TLS_ST_SR_FINISHED:
484 /*
485 * Technically we have finished the handshake at this point, but we're
486 * going to remain "in_init" for now and write out any session tickets
487 * immediately.
488 */
489 if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
490 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
491 } else if (!s->ext.ticket_expected) {
492 /*
493 * If we're not going to renew the ticket then we just finish the
494 * handshake at this point.
495 */
496 st->hand_state = TLS_ST_OK;
497 return WRITE_TRAN_CONTINUE;
498 }
499 if (s->num_tickets > s->sent_tickets)
500 st->hand_state = TLS_ST_SW_SESSION_TICKET;
501 else
502 st->hand_state = TLS_ST_OK;
503 return WRITE_TRAN_CONTINUE;
504
505 case TLS_ST_SR_KEY_UPDATE:
506 if (s->key_update != SSL_KEY_UPDATE_NONE) {
507 st->hand_state = TLS_ST_SW_KEY_UPDATE;
508 return WRITE_TRAN_CONTINUE;
509 }
510 /* Fall through */
511
512 case TLS_ST_SW_KEY_UPDATE:
513 st->hand_state = TLS_ST_OK;
514 return WRITE_TRAN_CONTINUE;
515
516 case TLS_ST_SW_SESSION_TICKET:
517 /* In a resumption we only ever send a maximum of one new ticket.
518 * Following an initial handshake we send the number of tickets we have
519 * been configured for.
520 */
521 if (s->hit || s->num_tickets <= s->sent_tickets) {
522 /* We've written enough tickets out. */
523 st->hand_state = TLS_ST_OK;
524 }
525 return WRITE_TRAN_CONTINUE;
526 }
527 }
528
529 /*
530 * ossl_statem_server_write_transition() works out what handshake state to move
531 * to next when the server is writing messages to be sent to the client.
532 */
533 WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
534 {
535 OSSL_STATEM *st = &s->statem;
536
537 /*
538 * Note that before the ClientHello we don't know what version we are going
539 * to negotiate yet, so we don't take this branch until later
540 */
541
542 if (SSL_IS_TLS13(s))
543 return ossl_statem_server13_write_transition(s);
544
545 switch (st->hand_state) {
546 default:
547 /* Shouldn't happen */
548 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
549 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
550 ERR_R_INTERNAL_ERROR);
551 return WRITE_TRAN_ERROR;
552
553 case TLS_ST_OK:
554 if (st->request_state == TLS_ST_SW_HELLO_REQ) {
555 /* We must be trying to renegotiate */
556 st->hand_state = TLS_ST_SW_HELLO_REQ;
557 st->request_state = TLS_ST_BEFORE;
558 return WRITE_TRAN_CONTINUE;
559 }
560 /* Must be an incoming ClientHello */
561 if (!tls_setup_handshake(s)) {
562 /* SSLfatal() already called */
563 return WRITE_TRAN_ERROR;
564 }
565 /* Fall through */
566
567 case TLS_ST_BEFORE:
568 /* Just go straight to trying to read from the client */
569 return WRITE_TRAN_FINISHED;
570
571 case TLS_ST_SW_HELLO_REQ:
572 st->hand_state = TLS_ST_OK;
573 return WRITE_TRAN_CONTINUE;
574
575 case TLS_ST_SR_CLNT_HELLO:
576 if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
577 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
578 st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
579 } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
580 /* We must have rejected the renegotiation */
581 st->hand_state = TLS_ST_OK;
582 return WRITE_TRAN_CONTINUE;
583 } else {
584 st->hand_state = TLS_ST_SW_SRVR_HELLO;
585 }
586 return WRITE_TRAN_CONTINUE;
587
588 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
589 return WRITE_TRAN_FINISHED;
590
591 case TLS_ST_SW_SRVR_HELLO:
592 if (s->hit) {
593 if (s->ext.ticket_expected)
594 st->hand_state = TLS_ST_SW_SESSION_TICKET;
595 else
596 st->hand_state = TLS_ST_SW_CHANGE;
597 } else {
598 /* Check if it is anon DH or anon ECDH, */
599 /* normal PSK or SRP */
600 if (!(s->s3.tmp.new_cipher->algorithm_auth &
601 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
602 st->hand_state = TLS_ST_SW_CERT;
603 } else if (send_server_key_exchange(s)) {
604 st->hand_state = TLS_ST_SW_KEY_EXCH;
605 } else if (send_certificate_request(s)) {
606 st->hand_state = TLS_ST_SW_CERT_REQ;
607 } else {
608 st->hand_state = TLS_ST_SW_SRVR_DONE;
609 }
610 }
611 return WRITE_TRAN_CONTINUE;
612
613 case TLS_ST_SW_CERT:
614 if (s->ext.status_expected) {
615 st->hand_state = TLS_ST_SW_CERT_STATUS;
616 return WRITE_TRAN_CONTINUE;
617 }
618 /* Fall through */
619
620 case TLS_ST_SW_CERT_STATUS:
621 if (send_server_key_exchange(s)) {
622 st->hand_state = TLS_ST_SW_KEY_EXCH;
623 return WRITE_TRAN_CONTINUE;
624 }
625 /* Fall through */
626
627 case TLS_ST_SW_KEY_EXCH:
628 if (send_certificate_request(s)) {
629 st->hand_state = TLS_ST_SW_CERT_REQ;
630 return WRITE_TRAN_CONTINUE;
631 }
632 /* Fall through */
633
634 case TLS_ST_SW_CERT_REQ:
635 st->hand_state = TLS_ST_SW_SRVR_DONE;
636 return WRITE_TRAN_CONTINUE;
637
638 case TLS_ST_SW_SRVR_DONE:
639 return WRITE_TRAN_FINISHED;
640
641 case TLS_ST_SR_FINISHED:
642 if (s->hit) {
643 st->hand_state = TLS_ST_OK;
644 return WRITE_TRAN_CONTINUE;
645 } else if (s->ext.ticket_expected) {
646 st->hand_state = TLS_ST_SW_SESSION_TICKET;
647 } else {
648 st->hand_state = TLS_ST_SW_CHANGE;
649 }
650 return WRITE_TRAN_CONTINUE;
651
652 case TLS_ST_SW_SESSION_TICKET:
653 st->hand_state = TLS_ST_SW_CHANGE;
654 return WRITE_TRAN_CONTINUE;
655
656 case TLS_ST_SW_CHANGE:
657 st->hand_state = TLS_ST_SW_FINISHED;
658 return WRITE_TRAN_CONTINUE;
659
660 case TLS_ST_SW_FINISHED:
661 if (s->hit) {
662 return WRITE_TRAN_FINISHED;
663 }
664 st->hand_state = TLS_ST_OK;
665 return WRITE_TRAN_CONTINUE;
666 }
667 }
668
669 /*
670 * Perform any pre work that needs to be done prior to sending a message from
671 * the server to the client.
672 */
673 WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
674 {
675 OSSL_STATEM *st = &s->statem;
676
677 switch (st->hand_state) {
678 default:
679 /* No pre work to be done */
680 break;
681
682 case TLS_ST_SW_HELLO_REQ:
683 s->shutdown = 0;
684 if (SSL_IS_DTLS(s))
685 dtls1_clear_sent_buffer(s);
686 break;
687
688 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
689 s->shutdown = 0;
690 if (SSL_IS_DTLS(s)) {
691 dtls1_clear_sent_buffer(s);
692 /* We don't buffer this message so don't use the timer */
693 st->use_timer = 0;
694 }
695 break;
696
697 case TLS_ST_SW_SRVR_HELLO:
698 if (SSL_IS_DTLS(s)) {
699 /*
700 * Messages we write from now on should be buffered and
701 * retransmitted if necessary, so we need to use the timer now
702 */
703 st->use_timer = 1;
704 }
705 break;
706
707 case TLS_ST_SW_SRVR_DONE:
708 #ifndef OPENSSL_NO_SCTP
709 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
710 /* Calls SSLfatal() as required */
711 return dtls_wait_for_dry(s);
712 }
713 #endif
714 return WORK_FINISHED_CONTINUE;
715
716 case TLS_ST_SW_SESSION_TICKET:
717 if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
718 /*
719 * Actually this is the end of the handshake, but we're going
720 * straight into writing the session ticket out. So we finish off
721 * the handshake, but keep the various buffers active.
722 *
723 * Calls SSLfatal as required.
724 */
725 return tls_finish_handshake(s, wst, 0, 0);
726 } if (SSL_IS_DTLS(s)) {
727 /*
728 * We're into the last flight. We don't retransmit the last flight
729 * unless we need to, so we don't use the timer
730 */
731 st->use_timer = 0;
732 }
733 break;
734
735 case TLS_ST_SW_CHANGE:
736 if (SSL_IS_TLS13(s))
737 break;
738 s->session->cipher = s->s3.tmp.new_cipher;
739 if (!s->method->ssl3_enc->setup_key_block(s)) {
740 /* SSLfatal() already called */
741 return WORK_ERROR;
742 }
743 if (SSL_IS_DTLS(s)) {
744 /*
745 * We're into the last flight. We don't retransmit the last flight
746 * unless we need to, so we don't use the timer. This might have
747 * already been set to 0 if we sent a NewSessionTicket message,
748 * but we'll set it again here in case we didn't.
749 */
750 st->use_timer = 0;
751 }
752 return WORK_FINISHED_CONTINUE;
753
754 case TLS_ST_EARLY_DATA:
755 if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
756 && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
757 return WORK_FINISHED_CONTINUE;
758 /* Fall through */
759
760 case TLS_ST_OK:
761 /* Calls SSLfatal() as required */
762 return tls_finish_handshake(s, wst, 1, 1);
763 }
764
765 return WORK_FINISHED_CONTINUE;
766 }
767
768 static ossl_inline int conn_is_closed(void)
769 {
770 switch (get_last_sys_error()) {
771 #if defined(EPIPE)
772 case EPIPE:
773 return 1;
774 #endif
775 #if defined(ECONNRESET)
776 case ECONNRESET:
777 return 1;
778 #endif
779 #if defined(WSAECONNRESET)
780 case WSAECONNRESET:
781 return 1;
782 #endif
783 default:
784 return 0;
785 }
786 }
787
788 /*
789 * Perform any work that needs to be done after sending a message from the
790 * server to the client.
791 */
792 WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
793 {
794 OSSL_STATEM *st = &s->statem;
795
796 s->init_num = 0;
797
798 switch (st->hand_state) {
799 default:
800 /* No post work to be done */
801 break;
802
803 case TLS_ST_SW_HELLO_REQ:
804 if (statem_flush(s) != 1)
805 return WORK_MORE_A;
806 if (!ssl3_init_finished_mac(s)) {
807 /* SSLfatal() already called */
808 return WORK_ERROR;
809 }
810 break;
811
812 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
813 if (statem_flush(s) != 1)
814 return WORK_MORE_A;
815 /* HelloVerifyRequest resets Finished MAC */
816 if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
817 /* SSLfatal() already called */
818 return WORK_ERROR;
819 }
820 /*
821 * The next message should be another ClientHello which we need to
822 * treat like it was the first packet
823 */
824 s->first_packet = 1;
825 break;
826
827 case TLS_ST_SW_SRVR_HELLO:
828 if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
829 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
830 && statem_flush(s) != 1)
831 return WORK_MORE_A;
832 break;
833 }
834 #ifndef OPENSSL_NO_SCTP
835 if (SSL_IS_DTLS(s) && s->hit) {
836 unsigned char sctpauthkey[64];
837 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
838 size_t labellen;
839
840 /*
841 * Add new shared key for SCTP-Auth, will be ignored if no
842 * SCTP used.
843 */
844 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
845 sizeof(DTLS1_SCTP_AUTH_LABEL));
846
847 /* Don't include the terminating zero. */
848 labellen = sizeof(labelbuffer) - 1;
849 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
850 labellen += 1;
851
852 if (SSL_export_keying_material(s, sctpauthkey,
853 sizeof(sctpauthkey), labelbuffer,
854 labellen, NULL, 0,
855 0) <= 0) {
856 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
857 SSL_F_OSSL_STATEM_SERVER_POST_WORK,
858 ERR_R_INTERNAL_ERROR);
859 return WORK_ERROR;
860 }
861
862 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
863 sizeof(sctpauthkey), sctpauthkey);
864 }
865 #endif
866 if (!SSL_IS_TLS13(s)
867 || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
868 && s->hello_retry_request != SSL_HRR_COMPLETE))
869 break;
870 /* Fall through */
871
872 case TLS_ST_SW_CHANGE:
873 if (s->hello_retry_request == SSL_HRR_PENDING) {
874 if (!statem_flush(s))
875 return WORK_MORE_A;
876 break;
877 }
878
879 if (SSL_IS_TLS13(s)) {
880 if (!s->method->ssl3_enc->setup_key_block(s)
881 || !s->method->ssl3_enc->change_cipher_state(s,
882 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
883 /* SSLfatal() already called */
884 return WORK_ERROR;
885 }
886
887 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
888 && !s->method->ssl3_enc->change_cipher_state(s,
889 SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
890 /* SSLfatal() already called */
891 return WORK_ERROR;
892 }
893 /*
894 * We don't yet know whether the next record we are going to receive
895 * is an unencrypted alert, an encrypted alert, or an encrypted
896 * handshake message. We temporarily tolerate unencrypted alerts.
897 */
898 s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS;
899 break;
900 }
901
902 #ifndef OPENSSL_NO_SCTP
903 if (SSL_IS_DTLS(s) && !s->hit) {
904 /*
905 * Change to new shared key of SCTP-Auth, will be ignored if
906 * no SCTP used.
907 */
908 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
909 0, NULL);
910 }
911 #endif
912 if (!s->method->ssl3_enc->change_cipher_state(s,
913 SSL3_CHANGE_CIPHER_SERVER_WRITE))
914 {
915 /* SSLfatal() already called */
916 return WORK_ERROR;
917 }
918
919 if (SSL_IS_DTLS(s))
920 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
921 break;
922
923 case TLS_ST_SW_SRVR_DONE:
924 if (statem_flush(s) != 1)
925 return WORK_MORE_A;
926 break;
927
928 case TLS_ST_SW_FINISHED:
929 if (statem_flush(s) != 1)
930 return WORK_MORE_A;
931 #ifndef OPENSSL_NO_SCTP
932 if (SSL_IS_DTLS(s) && s->hit) {
933 /*
934 * Change to new shared key of SCTP-Auth, will be ignored if
935 * no SCTP used.
936 */
937 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
938 0, NULL);
939 }
940 #endif
941 if (SSL_IS_TLS13(s)) {
942 if (!s->method->ssl3_enc->generate_master_secret(s,
943 s->master_secret, s->handshake_secret, 0,
944 &s->session->master_key_length)
945 || !s->method->ssl3_enc->change_cipher_state(s,
946 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
947 /* SSLfatal() already called */
948 return WORK_ERROR;
949 }
950 break;
951
952 case TLS_ST_SW_CERT_REQ:
953 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
954 if (statem_flush(s) != 1)
955 return WORK_MORE_A;
956 }
957 break;
958
959 case TLS_ST_SW_KEY_UPDATE:
960 if (statem_flush(s) != 1)
961 return WORK_MORE_A;
962 if (!tls13_update_key(s, 1)) {
963 /* SSLfatal() already called */
964 return WORK_ERROR;
965 }
966 break;
967
968 case TLS_ST_SW_SESSION_TICKET:
969 clear_sys_error();
970 if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
971 if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
972 && conn_is_closed()) {
973 /*
974 * We ignore connection closed errors in TLSv1.3 when sending a
975 * NewSessionTicket and behave as if we were successful. This is
976 * so that we are still able to read data sent to us by a client
977 * that closes soon after the end of the handshake without
978 * waiting to read our post-handshake NewSessionTickets.
979 */
980 s->rwstate = SSL_NOTHING;
981 break;
982 }
983
984 return WORK_MORE_A;
985 }
986 break;
987 }
988
989 return WORK_FINISHED_CONTINUE;
990 }
991
992 /*
993 * Get the message construction function and message type for sending from the
994 * server
995 *
996 * Valid return values are:
997 * 1: Success
998 * 0: Error
999 */
1000 int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
1001 confunc_f *confunc, int *mt)
1002 {
1003 OSSL_STATEM *st = &s->statem;
1004
1005 switch (st->hand_state) {
1006 default:
1007 /* Shouldn't happen */
1008 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1009 SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
1010 SSL_R_BAD_HANDSHAKE_STATE);
1011 return 0;
1012
1013 case TLS_ST_SW_CHANGE:
1014 if (SSL_IS_DTLS(s))
1015 *confunc = dtls_construct_change_cipher_spec;
1016 else
1017 *confunc = tls_construct_change_cipher_spec;
1018 *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1019 break;
1020
1021 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
1022 *confunc = dtls_construct_hello_verify_request;
1023 *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
1024 break;
1025
1026 case TLS_ST_SW_HELLO_REQ:
1027 /* No construction function needed */
1028 *confunc = NULL;
1029 *mt = SSL3_MT_HELLO_REQUEST;
1030 break;
1031
1032 case TLS_ST_SW_SRVR_HELLO:
1033 *confunc = tls_construct_server_hello;
1034 *mt = SSL3_MT_SERVER_HELLO;
1035 break;
1036
1037 case TLS_ST_SW_CERT:
1038 *confunc = tls_construct_server_certificate;
1039 *mt = SSL3_MT_CERTIFICATE;
1040 break;
1041
1042 case TLS_ST_SW_CERT_VRFY:
1043 *confunc = tls_construct_cert_verify;
1044 *mt = SSL3_MT_CERTIFICATE_VERIFY;
1045 break;
1046
1047
1048 case TLS_ST_SW_KEY_EXCH:
1049 *confunc = tls_construct_server_key_exchange;
1050 *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
1051 break;
1052
1053 case TLS_ST_SW_CERT_REQ:
1054 *confunc = tls_construct_certificate_request;
1055 *mt = SSL3_MT_CERTIFICATE_REQUEST;
1056 break;
1057
1058 case TLS_ST_SW_SRVR_DONE:
1059 *confunc = tls_construct_server_done;
1060 *mt = SSL3_MT_SERVER_DONE;
1061 break;
1062
1063 case TLS_ST_SW_SESSION_TICKET:
1064 *confunc = tls_construct_new_session_ticket;
1065 *mt = SSL3_MT_NEWSESSION_TICKET;
1066 break;
1067
1068 case TLS_ST_SW_CERT_STATUS:
1069 *confunc = tls_construct_cert_status;
1070 *mt = SSL3_MT_CERTIFICATE_STATUS;
1071 break;
1072
1073 case TLS_ST_SW_FINISHED:
1074 *confunc = tls_construct_finished;
1075 *mt = SSL3_MT_FINISHED;
1076 break;
1077
1078 case TLS_ST_EARLY_DATA:
1079 *confunc = NULL;
1080 *mt = SSL3_MT_DUMMY;
1081 break;
1082
1083 case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
1084 *confunc = tls_construct_encrypted_extensions;
1085 *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
1086 break;
1087
1088 case TLS_ST_SW_KEY_UPDATE:
1089 *confunc = tls_construct_key_update;
1090 *mt = SSL3_MT_KEY_UPDATE;
1091 break;
1092 }
1093
1094 return 1;
1095 }
1096
1097 /*
1098 * Maximum size (excluding the Handshake header) of a ClientHello message,
1099 * calculated as follows:
1100 *
1101 * 2 + # client_version
1102 * 32 + # only valid length for random
1103 * 1 + # length of session_id
1104 * 32 + # maximum size for session_id
1105 * 2 + # length of cipher suites
1106 * 2^16-2 + # maximum length of cipher suites array
1107 * 1 + # length of compression_methods
1108 * 2^8-1 + # maximum length of compression methods
1109 * 2 + # length of extensions
1110 * 2^16-1 # maximum length of extensions
1111 */
1112 #define CLIENT_HELLO_MAX_LENGTH 131396
1113
1114 #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
1115 #define NEXT_PROTO_MAX_LENGTH 514
1116
1117 /*
1118 * Returns the maximum allowed length for the current message that we are
1119 * reading. Excludes the message header.
1120 */
1121 size_t ossl_statem_server_max_message_size(SSL *s)
1122 {
1123 OSSL_STATEM *st = &s->statem;
1124
1125 switch (st->hand_state) {
1126 default:
1127 /* Shouldn't happen */
1128 return 0;
1129
1130 case TLS_ST_SR_CLNT_HELLO:
1131 return CLIENT_HELLO_MAX_LENGTH;
1132
1133 case TLS_ST_SR_END_OF_EARLY_DATA:
1134 return END_OF_EARLY_DATA_MAX_LENGTH;
1135
1136 case TLS_ST_SR_CERT:
1137 return s->max_cert_list;
1138
1139 case TLS_ST_SR_KEY_EXCH:
1140 return CLIENT_KEY_EXCH_MAX_LENGTH;
1141
1142 case TLS_ST_SR_CERT_VRFY:
1143 return SSL3_RT_MAX_PLAIN_LENGTH;
1144
1145 #ifndef OPENSSL_NO_NEXTPROTONEG
1146 case TLS_ST_SR_NEXT_PROTO:
1147 return NEXT_PROTO_MAX_LENGTH;
1148 #endif
1149
1150 case TLS_ST_SR_CHANGE:
1151 return CCS_MAX_LENGTH;
1152
1153 case TLS_ST_SR_FINISHED:
1154 return FINISHED_MAX_LENGTH;
1155
1156 case TLS_ST_SR_KEY_UPDATE:
1157 return KEY_UPDATE_MAX_LENGTH;
1158 }
1159 }
1160
1161 /*
1162 * Process a message that the server has received from the client.
1163 */
1164 MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
1165 {
1166 OSSL_STATEM *st = &s->statem;
1167
1168 switch (st->hand_state) {
1169 default:
1170 /* Shouldn't happen */
1171 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1172 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
1173 ERR_R_INTERNAL_ERROR);
1174 return MSG_PROCESS_ERROR;
1175
1176 case TLS_ST_SR_CLNT_HELLO:
1177 return tls_process_client_hello(s, pkt);
1178
1179 case TLS_ST_SR_END_OF_EARLY_DATA:
1180 return tls_process_end_of_early_data(s, pkt);
1181
1182 case TLS_ST_SR_CERT:
1183 return tls_process_client_certificate(s, pkt);
1184
1185 case TLS_ST_SR_KEY_EXCH:
1186 return tls_process_client_key_exchange(s, pkt);
1187
1188 case TLS_ST_SR_CERT_VRFY:
1189 return tls_process_cert_verify(s, pkt);
1190
1191 #ifndef OPENSSL_NO_NEXTPROTONEG
1192 case TLS_ST_SR_NEXT_PROTO:
1193 return tls_process_next_proto(s, pkt);
1194 #endif
1195
1196 case TLS_ST_SR_CHANGE:
1197 return tls_process_change_cipher_spec(s, pkt);
1198
1199 case TLS_ST_SR_FINISHED:
1200 return tls_process_finished(s, pkt);
1201
1202 case TLS_ST_SR_KEY_UPDATE:
1203 return tls_process_key_update(s, pkt);
1204
1205 }
1206 }
1207
1208 /*
1209 * Perform any further processing required following the receipt of a message
1210 * from the client
1211 */
1212 WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
1213 {
1214 OSSL_STATEM *st = &s->statem;
1215
1216 switch (st->hand_state) {
1217 default:
1218 /* Shouldn't happen */
1219 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1220 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
1221 ERR_R_INTERNAL_ERROR);
1222 return WORK_ERROR;
1223
1224 case TLS_ST_SR_CLNT_HELLO:
1225 return tls_post_process_client_hello(s, wst);
1226
1227 case TLS_ST_SR_KEY_EXCH:
1228 return tls_post_process_client_key_exchange(s, wst);
1229 }
1230 }
1231
1232 #ifndef OPENSSL_NO_SRP
1233 /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
1234 static int ssl_check_srp_ext_ClientHello(SSL *s)
1235 {
1236 int ret;
1237 int al = SSL_AD_UNRECOGNIZED_NAME;
1238
1239 if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
1240 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
1241 if (s->srp_ctx.login == NULL) {
1242 /*
1243 * RFC 5054 says SHOULD reject, we do so if There is no srp
1244 * login name
1245 */
1246 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
1247 SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
1248 SSL_R_PSK_IDENTITY_NOT_FOUND);
1249 return -1;
1250 } else {
1251 ret = SSL_srp_server_param_with_username(s, &al);
1252 if (ret < 0)
1253 return 0;
1254 if (ret == SSL3_AL_FATAL) {
1255 SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
1256 al == SSL_AD_UNKNOWN_PSK_IDENTITY
1257 ? SSL_R_PSK_IDENTITY_NOT_FOUND
1258 : SSL_R_CLIENTHELLO_TLSEXT);
1259 return -1;
1260 }
1261 }
1262 }
1263 return 1;
1264 }
1265 #endif
1266
1267 int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
1268 size_t cookie_len)
1269 {
1270 /* Always use DTLS 1.0 version: see RFC 6347 */
1271 if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
1272 || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
1273 return 0;
1274
1275 return 1;
1276 }
1277
1278 int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
1279 {
1280 unsigned int cookie_leni;
1281 if (s->ctx->app_gen_cookie_cb == NULL ||
1282 s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
1283 &cookie_leni) == 0 ||
1284 cookie_leni > 255) {
1285 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
1286 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1287 return 0;
1288 }
1289 s->d1->cookie_len = cookie_leni;
1290
1291 if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
1292 s->d1->cookie_len)) {
1293 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
1294 ERR_R_INTERNAL_ERROR);
1295 return 0;
1296 }
1297
1298 return 1;
1299 }
1300
1301 #ifndef OPENSSL_NO_EC
1302 /*-
1303 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1304 * SecureTransport using the TLS extension block in |hello|.
1305 * Safari, since 10.6, sends exactly these extensions, in this order:
1306 * SNI,
1307 * elliptic_curves
1308 * ec_point_formats
1309 * signature_algorithms (for TLSv1.2 only)
1310 *
1311 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1312 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1313 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1314 * 10.8..10.8.3 (which don't work).
1315 */
1316 static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
1317 {
1318 static const unsigned char kSafariExtensionsBlock[] = {
1319 0x00, 0x0a, /* elliptic_curves extension */
1320 0x00, 0x08, /* 8 bytes */
1321 0x00, 0x06, /* 6 bytes of curve ids */
1322 0x00, 0x17, /* P-256 */
1323 0x00, 0x18, /* P-384 */
1324 0x00, 0x19, /* P-521 */
1325
1326 0x00, 0x0b, /* ec_point_formats */
1327 0x00, 0x02, /* 2 bytes */
1328 0x01, /* 1 point format */
1329 0x00, /* uncompressed */
1330 /* The following is only present in TLS 1.2 */
1331 0x00, 0x0d, /* signature_algorithms */
1332 0x00, 0x0c, /* 12 bytes */
1333 0x00, 0x0a, /* 10 bytes */
1334 0x05, 0x01, /* SHA-384/RSA */
1335 0x04, 0x01, /* SHA-256/RSA */
1336 0x02, 0x01, /* SHA-1/RSA */
1337 0x04, 0x03, /* SHA-256/ECDSA */
1338 0x02, 0x03, /* SHA-1/ECDSA */
1339 };
1340 /* Length of the common prefix (first two extensions). */
1341 static const size_t kSafariCommonExtensionsLength = 18;
1342 unsigned int type;
1343 PACKET sni, tmppkt;
1344 size_t ext_len;
1345
1346 tmppkt = hello->extensions;
1347
1348 if (!PACKET_forward(&tmppkt, 2)
1349 || !PACKET_get_net_2(&tmppkt, &type)
1350 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1351 return;
1352 }
1353
1354 if (type != TLSEXT_TYPE_server_name)
1355 return;
1356
1357 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1358 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1359
1360 s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1361 ext_len);
1362 }
1363 #endif /* !OPENSSL_NO_EC */
1364
1365 MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
1366 {
1367 /* |cookie| will only be initialized for DTLS. */
1368 PACKET session_id, compression, extensions, cookie;
1369 static const unsigned char null_compression = 0;
1370 CLIENTHELLO_MSG *clienthello = NULL;
1371
1372 /* Check if this is actually an unexpected renegotiation ClientHello */
1373 if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
1374 if (!ossl_assert(!SSL_IS_TLS13(s))) {
1375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1376 ERR_R_INTERNAL_ERROR);
1377 goto err;
1378 }
1379 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
1380 || (!s->s3.send_connection_binding
1381 && (s->options
1382 & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
1383 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
1384 return MSG_PROCESS_FINISHED_READING;
1385 }
1386 s->renegotiate = 1;
1387 s->new_session = 1;
1388 }
1389
1390 clienthello = OPENSSL_zalloc(sizeof(*clienthello));
1391 if (clienthello == NULL) {
1392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1393 ERR_R_INTERNAL_ERROR);
1394 goto err;
1395 }
1396
1397 /*
1398 * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1399 */
1400 clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
1401 PACKET_null_init(&cookie);
1402
1403 if (clienthello->isv2) {
1404 unsigned int mt;
1405
1406 if (!SSL_IS_FIRST_HANDSHAKE(s)
1407 || s->hello_retry_request != SSL_HRR_NONE) {
1408 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1409 SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
1410 goto err;
1411 }
1412
1413 /*-
1414 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
1415 * header is sent directly on the wire, not wrapped as a TLS
1416 * record. Our record layer just processes the message length and passes
1417 * the rest right through. Its format is:
1418 * Byte Content
1419 * 0-1 msg_length - decoded by the record layer
1420 * 2 msg_type - s->init_msg points here
1421 * 3-4 version
1422 * 5-6 cipher_spec_length
1423 * 7-8 session_id_length
1424 * 9-10 challenge_length
1425 * ... ...
1426 */
1427
1428 if (!PACKET_get_1(pkt, &mt)
1429 || mt != SSL2_MT_CLIENT_HELLO) {
1430 /*
1431 * Should never happen. We should have tested this in the record
1432 * layer in order to have determined that this is a SSLv2 record
1433 * in the first place
1434 */
1435 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1436 ERR_R_INTERNAL_ERROR);
1437 goto err;
1438 }
1439 }
1440
1441 if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
1442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1443 SSL_R_LENGTH_TOO_SHORT);
1444 goto err;
1445 }
1446
1447 /* Parse the message and load client random. */
1448 if (clienthello->isv2) {
1449 /*
1450 * Handle an SSLv2 backwards compatible ClientHello
1451 * Note, this is only for SSLv3+ using the backward compatible format.
1452 * Real SSLv2 is not supported, and is rejected below.
1453 */
1454 unsigned int ciphersuite_len, session_id_len, challenge_len;
1455 PACKET challenge;
1456
1457 if (!PACKET_get_net_2(pkt, &ciphersuite_len)
1458 || !PACKET_get_net_2(pkt, &session_id_len)
1459 || !PACKET_get_net_2(pkt, &challenge_len)) {
1460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1461 SSL_R_RECORD_LENGTH_MISMATCH);
1462 goto err;
1463 }
1464
1465 if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
1466 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1467 SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1468 goto err;
1469 }
1470
1471 if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
1472 ciphersuite_len)
1473 || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
1474 || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1475 /* No extensions. */
1476 || PACKET_remaining(pkt) != 0) {
1477 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1478 SSL_R_RECORD_LENGTH_MISMATCH);
1479 goto err;
1480 }
1481 clienthello->session_id_len = session_id_len;
1482
1483 /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
1484 * here rather than sizeof(clienthello->random) because that is the limit
1485 * for SSLv3 and it is fixed. It won't change even if
1486 * sizeof(clienthello->random) does.
1487 */
1488 challenge_len = challenge_len > SSL3_RANDOM_SIZE
1489 ? SSL3_RANDOM_SIZE : challenge_len;
1490 memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
1491 if (!PACKET_copy_bytes(&challenge,
1492 clienthello->random + SSL3_RANDOM_SIZE -
1493 challenge_len, challenge_len)
1494 /* Advertise only null compression. */
1495 || !PACKET_buf_init(&compression, &null_compression, 1)) {
1496 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1497 ERR_R_INTERNAL_ERROR);
1498 goto err;
1499 }
1500
1501 PACKET_null_init(&clienthello->extensions);
1502 } else {
1503 /* Regular ClientHello. */
1504 if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
1505 || !PACKET_get_length_prefixed_1(pkt, &session_id)
1506 || !PACKET_copy_all(&session_id, clienthello->session_id,
1507 SSL_MAX_SSL_SESSION_ID_LENGTH,
1508 &clienthello->session_id_len)) {
1509 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1510 SSL_R_LENGTH_MISMATCH);
1511 goto err;
1512 }
1513
1514 if (SSL_IS_DTLS(s)) {
1515 if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1516 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1517 SSL_R_LENGTH_MISMATCH);
1518 goto err;
1519 }
1520 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
1521 DTLS1_COOKIE_LENGTH,
1522 &clienthello->dtls_cookie_len)) {
1523 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1524 SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1525 goto err;
1526 }
1527 /*
1528 * If we require cookies and this ClientHello doesn't contain one,
1529 * just return since we do not want to allocate any memory yet.
1530 * So check cookie length...
1531 */
1532 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1533 if (clienthello->dtls_cookie_len == 0) {
1534 OPENSSL_free(clienthello);
1535 return MSG_PROCESS_FINISHED_READING;
1536 }
1537 }
1538 }
1539
1540 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
1541 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1542 SSL_R_LENGTH_MISMATCH);
1543 goto err;
1544 }
1545
1546 if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
1547 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1548 SSL_R_LENGTH_MISMATCH);
1549 goto err;
1550 }
1551
1552 /* Could be empty. */
1553 if (PACKET_remaining(pkt) == 0) {
1554 PACKET_null_init(&clienthello->extensions);
1555 } else {
1556 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
1557 || PACKET_remaining(pkt) != 0) {
1558 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1559 SSL_R_LENGTH_MISMATCH);
1560 goto err;
1561 }
1562 }
1563 }
1564
1565 if (!PACKET_copy_all(&compression, clienthello->compressions,
1566 MAX_COMPRESSIONS_SIZE,
1567 &clienthello->compressions_len)) {
1568 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
1569 ERR_R_INTERNAL_ERROR);
1570 goto err;
1571 }
1572
1573 /* Preserve the raw extensions PACKET for later use */
1574 extensions = clienthello->extensions;
1575 if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
1576 &clienthello->pre_proc_exts,
1577 &clienthello->pre_proc_exts_len, 1)) {
1578 /* SSLfatal already been called */
1579 goto err;
1580 }
1581 s->clienthello = clienthello;
1582
1583 return MSG_PROCESS_CONTINUE_PROCESSING;
1584
1585 err:
1586 if (clienthello != NULL)
1587 OPENSSL_free(clienthello->pre_proc_exts);
1588 OPENSSL_free(clienthello);
1589
1590 return MSG_PROCESS_ERROR;
1591 }
1592
1593 static int tls_early_post_process_client_hello(SSL *s)
1594 {
1595 unsigned int j;
1596 int i, al = SSL_AD_INTERNAL_ERROR;
1597 int protverr;
1598 size_t loop;
1599 unsigned long id;
1600 #ifndef OPENSSL_NO_COMP
1601 SSL_COMP *comp = NULL;
1602 #endif
1603 const SSL_CIPHER *c;
1604 STACK_OF(SSL_CIPHER) *ciphers = NULL;
1605 STACK_OF(SSL_CIPHER) *scsvs = NULL;
1606 CLIENTHELLO_MSG *clienthello = s->clienthello;
1607 DOWNGRADE dgrd = DOWNGRADE_NONE;
1608
1609 /* Finished parsing the ClientHello, now we can start processing it */
1610 /* Give the ClientHello callback a crack at things */
1611 if (s->ctx->client_hello_cb != NULL) {
1612 /* A failure in the ClientHello callback terminates the connection. */
1613 switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
1614 case SSL_CLIENT_HELLO_SUCCESS:
1615 break;
1616 case SSL_CLIENT_HELLO_RETRY:
1617 s->rwstate = SSL_CLIENT_HELLO_CB;
1618 return -1;
1619 case SSL_CLIENT_HELLO_ERROR:
1620 default:
1621 SSLfatal(s, al,
1622 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1623 SSL_R_CALLBACK_FAILED);
1624 goto err;
1625 }
1626 }
1627
1628 /* Set up the client_random */
1629 memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
1630
1631 /* Choose the version */
1632
1633 if (clienthello->isv2) {
1634 if (clienthello->legacy_version == SSL2_VERSION
1635 || (clienthello->legacy_version & 0xff00)
1636 != (SSL3_VERSION_MAJOR << 8)) {
1637 /*
1638 * This is real SSLv2 or something completely unknown. We don't
1639 * support it.
1640 */
1641 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1642 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1643 SSL_R_UNKNOWN_PROTOCOL);
1644 goto err;
1645 }
1646 /* SSLv3/TLS */
1647 s->client_version = clienthello->legacy_version;
1648 }
1649 /*
1650 * Do SSL/TLS version negotiation if applicable. For DTLS we just check
1651 * versions are potentially compatible. Version negotiation comes later.
1652 */
1653 if (!SSL_IS_DTLS(s)) {
1654 protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1655 } else if (s->method->version != DTLS_ANY_VERSION &&
1656 DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1657 protverr = SSL_R_VERSION_TOO_LOW;
1658 } else {
1659 protverr = 0;
1660 }
1661
1662 if (protverr) {
1663 if (SSL_IS_FIRST_HANDSHAKE(s)) {
1664 /* like ssl3_get_record, send alert using remote version number */
1665 s->version = s->client_version = clienthello->legacy_version;
1666 }
1667 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1668 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
1669 goto err;
1670 }
1671
1672 /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
1673 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1674 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1675 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1676 SSL_R_NOT_ON_RECORD_BOUNDARY);
1677 goto err;
1678 }
1679
1680 if (SSL_IS_DTLS(s)) {
1681 /* Empty cookie was already handled above by returning early. */
1682 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1683 if (s->ctx->app_verify_cookie_cb != NULL) {
1684 if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
1685 clienthello->dtls_cookie_len) == 0) {
1686 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1687 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1688 SSL_R_COOKIE_MISMATCH);
1689 goto err;
1690 /* else cookie verification succeeded */
1691 }
1692 /* default verification */
1693 } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
1694 || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1695 s->d1->cookie_len) != 0) {
1696 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1697 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1698 SSL_R_COOKIE_MISMATCH);
1699 goto err;
1700 }
1701 s->d1->cookie_verified = 1;
1702 }
1703 if (s->method->version == DTLS_ANY_VERSION) {
1704 protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1705 if (protverr != 0) {
1706 s->version = s->client_version;
1707 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1708 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
1709 goto err;
1710 }
1711 }
1712 }
1713
1714 s->hit = 0;
1715
1716 if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
1717 clienthello->isv2) ||
1718 !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
1719 clienthello->isv2, 1)) {
1720 /* SSLfatal() already called */
1721 goto err;
1722 }
1723
1724 s->s3.send_connection_binding = 0;
1725 /* Check what signalling cipher-suite values were received. */
1726 if (scsvs != NULL) {
1727 for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
1728 c = sk_SSL_CIPHER_value(scsvs, i);
1729 if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
1730 if (s->renegotiate) {
1731 /* SCSV is fatal if renegotiating */
1732 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1733 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1734 SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1735 goto err;
1736 }
1737 s->s3.send_connection_binding = 1;
1738 } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
1739 !ssl_check_version_downgrade(s)) {
1740 /*
1741 * This SCSV indicates that the client previously tried
1742 * a higher version. We should fail if the current version
1743 * is an unexpected downgrade, as that indicates that the first
1744 * connection may have been tampered with in order to trigger
1745 * an insecure downgrade.
1746 */
1747 SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
1748 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1749 SSL_R_INAPPROPRIATE_FALLBACK);
1750 goto err;
1751 }
1752 }
1753 }
1754
1755 /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1756 if (SSL_IS_TLS13(s)) {
1757 const SSL_CIPHER *cipher =
1758 ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
1759
1760 if (cipher == NULL) {
1761 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1762 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1763 SSL_R_NO_SHARED_CIPHER);
1764 goto err;
1765 }
1766 if (s->hello_retry_request == SSL_HRR_PENDING
1767 && (s->s3.tmp.new_cipher == NULL
1768 || s->s3.tmp.new_cipher->id != cipher->id)) {
1769 /*
1770 * A previous HRR picked a different ciphersuite to the one we
1771 * just selected. Something must have changed.
1772 */
1773 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1774 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1775 SSL_R_BAD_CIPHER);
1776 goto err;
1777 }
1778 s->s3.tmp.new_cipher = cipher;
1779 }
1780
1781 /* We need to do this before getting the session */
1782 if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
1783 SSL_EXT_CLIENT_HELLO,
1784 clienthello->pre_proc_exts, NULL, 0)) {
1785 /* SSLfatal() already called */
1786 goto err;
1787 }
1788
1789 /*
1790 * We don't allow resumption in a backwards compatible ClientHello.
1791 * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
1792 *
1793 * Versions before 0.9.7 always allow clients to resume sessions in
1794 * renegotiation. 0.9.7 and later allow this by default, but optionally
1795 * ignore resumption requests with flag
1796 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
1797 * than a change to default behavior so that applications relying on
1798 * this for security won't even compile against older library versions).
1799 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
1800 * request renegotiation but not a new session (s->new_session remains
1801 * unset): for servers, this essentially just means that the
1802 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1803 * ignored.
1804 */
1805 if (clienthello->isv2 ||
1806 (s->new_session &&
1807 (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1808 if (!ssl_get_new_session(s, 1)) {
1809 /* SSLfatal() already called */
1810 goto err;
1811 }
1812 } else {
1813 i = ssl_get_prev_session(s, clienthello);
1814 if (i == 1) {
1815 /* previous session */
1816 s->hit = 1;
1817 } else if (i == -1) {
1818 /* SSLfatal() already called */
1819 goto err;
1820 } else {
1821 /* i == 0 */
1822 if (!ssl_get_new_session(s, 1)) {
1823 /* SSLfatal() already called */
1824 goto err;
1825 }
1826 }
1827 }
1828
1829 if (SSL_IS_TLS13(s)) {
1830 memcpy(s->tmp_session_id, s->clienthello->session_id,
1831 s->clienthello->session_id_len);
1832 s->tmp_session_id_len = s->clienthello->session_id_len;
1833 }
1834
1835 /*
1836 * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
1837 * ciphersuite compatibility with the session as part of resumption.
1838 */
1839 if (!SSL_IS_TLS13(s) && s->hit) {
1840 j = 0;
1841 id = s->session->cipher->id;
1842
1843 OSSL_TRACE_BEGIN(TLS_CIPHER) {
1844 BIO_printf(trc_out, "client sent %d ciphers\n",
1845 sk_SSL_CIPHER_num(ciphers));
1846 }
1847 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1848 c = sk_SSL_CIPHER_value(ciphers, i);
1849 if (trc_out != NULL)
1850 BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
1851 sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1852 if (c->id == id) {
1853 j = 1;
1854 break;
1855 }
1856 }
1857 if (j == 0) {
1858 /*
1859 * we need to have the cipher in the cipher list if we are asked
1860 * to reuse it
1861 */
1862 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1863 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1864 SSL_R_REQUIRED_CIPHER_MISSING);
1865 OSSL_TRACE_CANCEL(TLS_CIPHER);
1866 goto err;
1867 }
1868 OSSL_TRACE_END(TLS_CIPHER);
1869 }
1870
1871 for (loop = 0; loop < clienthello->compressions_len; loop++) {
1872 if (clienthello->compressions[loop] == 0)
1873 break;
1874 }
1875
1876 if (loop >= clienthello->compressions_len) {
1877 /* no compress */
1878 SSLfatal(s, SSL_AD_DECODE_ERROR,
1879 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1880 SSL_R_NO_COMPRESSION_SPECIFIED);
1881 goto err;
1882 }
1883
1884 #ifndef OPENSSL_NO_EC
1885 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1886 ssl_check_for_safari(s, clienthello);
1887 #endif /* !OPENSSL_NO_EC */
1888
1889 /* TLS extensions */
1890 if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
1891 clienthello->pre_proc_exts, NULL, 0, 1)) {
1892 /* SSLfatal() already called */
1893 goto err;
1894 }
1895
1896 /*
1897 * Check if we want to use external pre-shared secret for this handshake
1898 * for not reused session only. We need to generate server_random before
1899 * calling tls_session_secret_cb in order to allow SessionTicket
1900 * processing to use it in key derivation.
1901 */
1902 {
1903 unsigned char *pos;
1904 pos = s->s3.server_random;
1905 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
1906 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1907 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1908 ERR_R_INTERNAL_ERROR);
1909 goto err;
1910 }
1911 }
1912
1913 if (!s->hit
1914 && s->version >= TLS1_VERSION
1915 && !SSL_IS_TLS13(s)
1916 && !SSL_IS_DTLS(s)
1917 && s->ext.session_secret_cb) {
1918 const SSL_CIPHER *pref_cipher = NULL;
1919 /*
1920 * s->session->master_key_length is a size_t, but this is an int for
1921 * backwards compat reasons
1922 */
1923 int master_key_length;
1924
1925 master_key_length = sizeof(s->session->master_key);
1926 if (s->ext.session_secret_cb(s, s->session->master_key,
1927 &master_key_length, ciphers,
1928 &pref_cipher,
1929 s->ext.session_secret_cb_arg)
1930 && master_key_length > 0) {
1931 s->session->master_key_length = master_key_length;
1932 s->hit = 1;
1933 s->session->ciphers = ciphers;
1934 s->session->verify_result = X509_V_OK;
1935
1936 ciphers = NULL;
1937
1938 /* check if some cipher was preferred by call back */
1939 if (pref_cipher == NULL)
1940 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
1941 SSL_get_ciphers(s));
1942 if (pref_cipher == NULL) {
1943 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1944 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1945 SSL_R_NO_SHARED_CIPHER);
1946 goto err;
1947 }
1948
1949 s->session->cipher = pref_cipher;
1950 sk_SSL_CIPHER_free(s->cipher_list);
1951 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1952 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1953 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1954 }
1955 }
1956
1957 /*
1958 * Worst case, we will use the NULL compression, but if we have other
1959 * options, we will now look for them. We have complen-1 compression
1960 * algorithms from the client, starting at q.
1961 */
1962 s->s3.tmp.new_compression = NULL;
1963 if (SSL_IS_TLS13(s)) {
1964 /*
1965 * We already checked above that the NULL compression method appears in
1966 * the list. Now we check there aren't any others (which is illegal in
1967 * a TLSv1.3 ClientHello.
1968 */
1969 if (clienthello->compressions_len != 1) {
1970 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1971 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1972 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1973 goto err;
1974 }
1975 }
1976 #ifndef OPENSSL_NO_COMP
1977 /* This only happens if we have a cache hit */
1978 else if (s->session->compress_meth != 0) {
1979 int m, comp_id = s->session->compress_meth;
1980 unsigned int k;
1981 /* Perform sanity checks on resumed compression algorithm */
1982 /* Can't disable compression */
1983 if (!ssl_allow_compression(s)) {
1984 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1985 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1986 SSL_R_INCONSISTENT_COMPRESSION);
1987 goto err;
1988 }
1989 /* Look for resumed compression method */
1990 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1991 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1992 if (comp_id == comp->id) {
1993 s->s3.tmp.new_compression = comp;
1994 break;
1995 }
1996 }
1997 if (s->s3.tmp.new_compression == NULL) {
1998 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1999 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
2000 SSL_R_INVALID_COMPRESSION_ALGORITHM);
2001 goto err;
2002 }
2003 /* Look for resumed method in compression list */
2004 for (k = 0; k < clienthello->compressions_len; k++) {
2005 if (clienthello->compressions[k] == comp_id)
2006 break;
2007 }
2008 if (k >= clienthello->compressions_len) {
2009 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2010 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
2011 SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
2012 goto err;
2013 }
2014 } else if (s->hit) {
2015 comp = NULL;
2016 } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
2017 /* See if we have a match */
2018 int m, nn, v, done = 0;
2019 unsigned int o;
2020
2021 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
2022 for (m = 0; m < nn; m++) {
2023 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
2024 v = comp->id;
2025 for (o = 0; o < clienthello->compressions_len; o++) {
2026 if (v == clienthello->compressions[o]) {
2027 done = 1;
2028 break;
2029 }
2030 }
2031 if (done)
2032 break;
2033 }
2034 if (done)
2035 s->s3.tmp.new_compression = comp;
2036 else
2037 comp = NULL;
2038 }
2039 #else
2040 /*
2041 * If compression is disabled we'd better not try to resume a session
2042 * using compression.
2043 */
2044 if (s->session->compress_meth != 0) {
2045 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2046 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
2047 SSL_R_INCONSISTENT_COMPRESSION);
2048 goto err;
2049 }
2050 #endif
2051
2052 /*
2053 * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
2054 */
2055
2056 if (!s->hit || SSL_IS_TLS13(s)) {
2057 sk_SSL_CIPHER_free(s->session->ciphers);
2058 s->session->ciphers = ciphers;
2059 if (ciphers == NULL) {
2060 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2061 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
2062 ERR_R_INTERNAL_ERROR);
2063 goto err;
2064 }
2065 ciphers = NULL;
2066 }
2067
2068 if (!s->hit) {
2069 #ifdef OPENSSL_NO_COMP
2070 s->session->compress_meth = 0;
2071 #else
2072 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
2073 #endif
2074 }
2075
2076 sk_SSL_CIPHER_free(ciphers);
2077 sk_SSL_CIPHER_free(scsvs);
2078 OPENSSL_free(clienthello->pre_proc_exts);
2079 OPENSSL_free(s->clienthello);
2080 s->clienthello = NULL;
2081 return 1;
2082 err:
2083 sk_SSL_CIPHER_free(ciphers);
2084 sk_SSL_CIPHER_free(scsvs);
2085 OPENSSL_free(clienthello->pre_proc_exts);
2086 OPENSSL_free(s->clienthello);
2087 s->clienthello = NULL;
2088
2089 return 0;
2090 }
2091
2092 /*
2093 * Call the status request callback if needed. Upon success, returns 1.
2094 * Upon failure, returns 0.
2095 */
2096 static int tls_handle_status_request(SSL *s)
2097 {
2098 s->ext.status_expected = 0;
2099
2100 /*
2101 * If status request then ask callback what to do. Note: this must be
2102 * called after servername callbacks in case the certificate has changed,
2103 * and must be called after the cipher has been chosen because this may
2104 * influence which certificate is sent
2105 */
2106 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
2107 && s->ctx->ext.status_cb != NULL) {
2108 int ret;
2109
2110 /* If no certificate can't return certificate status */
2111 if (s->s3.tmp.cert != NULL) {
2112 /*
2113 * Set current certificate to one we will use so SSL_get_certificate
2114 * et al can pick it up.
2115 */
2116 s->cert->key = s->s3.tmp.cert;
2117 ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2118 switch (ret) {
2119 /* We don't want to send a status request response */
2120 case SSL_TLSEXT_ERR_NOACK:
2121 s->ext.status_expected = 0;
2122 break;
2123 /* status request response should be sent */
2124 case SSL_TLSEXT_ERR_OK:
2125 if (s->ext.ocsp.resp)
2126 s->ext.status_expected = 1;
2127 break;
2128 /* something bad happened */
2129 case SSL_TLSEXT_ERR_ALERT_FATAL:
2130 default:
2131 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2132 SSL_F_TLS_HANDLE_STATUS_REQUEST,
2133 SSL_R_CLIENTHELLO_TLSEXT);
2134 return 0;
2135 }
2136 }
2137 }
2138
2139 return 1;
2140 }
2141
2142 /*
2143 * Call the alpn_select callback if needed. Upon success, returns 1.
2144 * Upon failure, returns 0.
2145 */
2146 int tls_handle_alpn(SSL *s)
2147 {
2148 const unsigned char *selected = NULL;
2149 unsigned char selected_len = 0;
2150
2151 if (s->ctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
2152 int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
2153 s->s3.alpn_proposed,
2154 (unsigned int)s->s3.alpn_proposed_len,
2155 s->ctx->ext.alpn_select_cb_arg);
2156
2157 if (r == SSL_TLSEXT_ERR_OK) {
2158 OPENSSL_free(s->s3.alpn_selected);
2159 s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
2160 if (s->s3.alpn_selected == NULL) {
2161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
2162 ERR_R_INTERNAL_ERROR);
2163 return 0;
2164 }
2165 s->s3.alpn_selected_len = selected_len;
2166 #ifndef OPENSSL_NO_NEXTPROTONEG
2167 /* ALPN takes precedence over NPN. */
2168 s->s3.npn_seen = 0;
2169 #endif
2170
2171 /* Check ALPN is consistent with session */
2172 if (s->session->ext.alpn_selected == NULL
2173 || selected_len != s->session->ext.alpn_selected_len
2174 || memcmp(selected, s->session->ext.alpn_selected,
2175 selected_len) != 0) {
2176 /* Not consistent so can't be used for early_data */
2177 s->ext.early_data_ok = 0;
2178
2179 if (!s->hit) {
2180 /*
2181 * This is a new session and so alpn_selected should have
2182 * been initialised to NULL. We should update it with the
2183 * selected ALPN.
2184 */
2185 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
2186 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2187 SSL_F_TLS_HANDLE_ALPN,
2188 ERR_R_INTERNAL_ERROR);
2189 return 0;
2190 }
2191 s->session->ext.alpn_selected = OPENSSL_memdup(selected,
2192 selected_len);
2193 if (s->session->ext.alpn_selected == NULL) {
2194 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2195 SSL_F_TLS_HANDLE_ALPN,
2196 ERR_R_INTERNAL_ERROR);
2197 return 0;
2198 }
2199 s->session->ext.alpn_selected_len = selected_len;
2200 }
2201 }
2202
2203 return 1;
2204 } else if (r != SSL_TLSEXT_ERR_NOACK) {
2205 SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
2206 SSL_R_NO_APPLICATION_PROTOCOL);
2207 return 0;
2208 }
2209 /*
2210 * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
2211 * present.
2212 */
2213 }
2214
2215 /* Check ALPN is consistent with session */
2216 if (s->session->ext.alpn_selected != NULL) {
2217 /* Not consistent so can't be used for early_data */
2218 s->ext.early_data_ok = 0;
2219 }
2220
2221 return 1;
2222 }
2223
2224 WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
2225 {
2226 const SSL_CIPHER *cipher;
2227
2228 if (wst == WORK_MORE_A) {
2229 int rv = tls_early_post_process_client_hello(s);
2230 if (rv == 0) {
2231 /* SSLfatal() was already called */
2232 goto err;
2233 }
2234 if (rv < 0)
2235 return WORK_MORE_A;
2236 wst = WORK_MORE_B;
2237 }
2238 if (wst == WORK_MORE_B) {
2239 if (!s->hit || SSL_IS_TLS13(s)) {
2240 /* Let cert callback update server certificates if required */
2241 if (!s->hit) {
2242 if (s->cert->cert_cb != NULL) {
2243 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2244 if (rv == 0) {
2245 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2246 SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
2247 SSL_R_CERT_CB_ERROR);
2248 goto err;
2249 }
2250 if (rv < 0) {
2251 s->rwstate = SSL_X509_LOOKUP;
2252 return WORK_MORE_B;
2253 }
2254 s->rwstate = SSL_NOTHING;
2255 }
2256 if (!tls1_set_server_sigalgs(s)) {
2257 /* SSLfatal already called */
2258 goto err;
2259 }
2260 }
2261
2262 /* In TLSv1.3 we selected the ciphersuite before resumption */
2263 if (!SSL_IS_TLS13(s)) {
2264 cipher =
2265 ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
2266
2267 if (cipher == NULL) {
2268 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2269 SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
2270 SSL_R_NO_SHARED_CIPHER);
2271 goto err;
2272 }
2273 s->s3.tmp.new_cipher = cipher;
2274 }
2275 if (!s->hit) {
2276 if (!tls_choose_sigalg(s, 1)) {
2277 /* SSLfatal already called */
2278 goto err;
2279 }
2280 /* check whether we should disable session resumption */
2281 if (s->not_resumable_session_cb != NULL)
2282 s->session->not_resumable =
2283 s->not_resumable_session_cb(s,
2284 ((s->s3.tmp.new_cipher->algorithm_mkey
2285 & (SSL_kDHE | SSL_kECDHE)) != 0));
2286 if (s->session->not_resumable)
2287 /* do not send a session ticket */
2288 s->ext.ticket_expected = 0;
2289 }
2290 } else {
2291 /* Session-id reuse */
2292 s->s3.tmp.new_cipher = s->session->cipher;
2293 }
2294
2295 /*-
2296 * we now have the following setup.
2297 * client_random
2298 * cipher_list - our preferred list of ciphers
2299 * ciphers - the clients preferred list of ciphers
2300 * compression - basically ignored right now
2301 * ssl version is set - sslv3
2302 * s->session - The ssl session has been setup.
2303 * s->hit - session reuse flag
2304 * s->s3.tmp.new_cipher - the new cipher to use.
2305 */
2306
2307 /*
2308 * Call status_request callback if needed. Has to be done after the
2309 * certificate callbacks etc above.
2310 */
2311 if (!tls_handle_status_request(s)) {
2312 /* SSLfatal() already called */
2313 goto err;
2314 }
2315 /*
2316 * Call alpn_select callback if needed. Has to be done after SNI and
2317 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
2318 * we already did this because cipher negotiation happens earlier, and
2319 * we must handle ALPN before we decide whether to accept early_data.
2320 */
2321 if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
2322 /* SSLfatal() already called */
2323 goto err;
2324 }
2325
2326 wst = WORK_MORE_C;
2327 }
2328 #ifndef OPENSSL_NO_SRP
2329 if (wst == WORK_MORE_C) {
2330 int ret;
2331 if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
2332 /*
2333 * callback indicates further work to be done
2334 */
2335 s->rwstate = SSL_X509_LOOKUP;
2336 return WORK_MORE_C;
2337 }
2338 if (ret < 0) {
2339 /* SSLfatal() already called */
2340 goto err;
2341 }
2342 }
2343 #endif
2344
2345 return WORK_FINISHED_STOP;
2346 err:
2347 return WORK_ERROR;
2348 }
2349
2350 int tls_construct_server_hello(SSL *s, WPACKET *pkt)
2351 {
2352 int compm;
2353 size_t sl, len;
2354 int version;
2355 unsigned char *session_id;
2356 int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
2357
2358 version = usetls13 ? TLS1_2_VERSION : s->version;
2359 if (!WPACKET_put_bytes_u16(pkt, version)
2360 /*
2361 * Random stuff. Filling of the server_random takes place in
2362 * tls_process_client_hello()
2363 */
2364 || !WPACKET_memcpy(pkt,
2365 s->hello_retry_request == SSL_HRR_PENDING
2366 ? hrrrandom : s->s3.server_random,
2367 SSL3_RANDOM_SIZE)) {
2368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
2369 ERR_R_INTERNAL_ERROR);
2370 return 0;
2371 }
2372
2373 /*-
2374 * There are several cases for the session ID to send
2375 * back in the server hello:
2376 * - For session reuse from the session cache,
2377 * we send back the old session ID.
2378 * - If stateless session reuse (using a session ticket)
2379 * is successful, we send back the client's "session ID"
2380 * (which doesn't actually identify the session).
2381 * - If it is a new session, we send back the new
2382 * session ID.
2383 * - However, if we want the new session to be single-use,
2384 * we send back a 0-length session ID.
2385 * - In TLSv1.3 we echo back the session id sent to us by the client
2386 * regardless
2387 * s->hit is non-zero in either case of session reuse,
2388 * so the following won't overwrite an ID that we're supposed
2389 * to send back.
2390 */
2391 if (s->session->not_resumable ||
2392 (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
2393 && !s->hit))
2394 s->session->session_id_length = 0;
2395
2396 if (usetls13) {
2397 sl = s->tmp_session_id_len;
2398 session_id = s->tmp_session_id;
2399 } else {
2400 sl = s->session->session_id_length;
2401 session_id = s->session->session_id;
2402 }
2403
2404 if (sl > sizeof(s->session->session_id)) {
2405 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
2406 ERR_R_INTERNAL_ERROR);
2407 return 0;
2408 }
2409
2410 /* set up the compression method */
2411 #ifdef OPENSSL_NO_COMP
2412 compm = 0;
2413 #else
2414 if (usetls13 || s->s3.tmp.new_compression == NULL)
2415 compm = 0;
2416 else
2417 compm = s->s3.tmp.new_compression->id;
2418 #endif
2419
2420 if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
2421 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &len)
2422 || !WPACKET_put_bytes_u8(pkt, compm)) {
2423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
2424 ERR_R_INTERNAL_ERROR);
2425 return 0;
2426 }
2427
2428 if (!tls_construct_extensions(s, pkt,
2429 s->hello_retry_request == SSL_HRR_PENDING
2430 ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
2431 : (SSL_IS_TLS13(s)
2432 ? SSL_EXT_TLS1_3_SERVER_HELLO
2433 : SSL_EXT_TLS1_2_SERVER_HELLO),
2434 NULL, 0)) {
2435 /* SSLfatal() already called */
2436 return 0;
2437 }
2438
2439 if (s->hello_retry_request == SSL_HRR_PENDING) {
2440 /* Ditch the session. We'll create a new one next time around */
2441 SSL_SESSION_free(s->session);
2442 s->session = NULL;
2443 s->hit = 0;
2444
2445 /*
2446 * Re-initialise the Transcript Hash. We're going to prepopulate it with
2447 * a synthetic message_hash in place of ClientHello1.
2448 */
2449 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
2450 /* SSLfatal() already called */
2451 return 0;
2452 }
2453 } else if (!(s->verify_mode & SSL_VERIFY_PEER)
2454 && !ssl3_digest_cached_records(s, 0)) {
2455 /* SSLfatal() already called */;
2456 return 0;
2457 }
2458
2459 return 1;
2460 }
2461
2462 int tls_construct_server_done(SSL *s, WPACKET *pkt)
2463 {
2464 if (!s->s3.tmp.cert_request) {
2465 if (!ssl3_digest_cached_records(s, 0)) {
2466 /* SSLfatal() already called */
2467 return 0;
2468 }
2469 }
2470 return 1;
2471 }
2472
2473 int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2474 {
2475 #ifndef OPENSSL_NO_DH
2476 EVP_PKEY *pkdh = NULL;
2477 #endif
2478 #ifndef OPENSSL_NO_EC
2479 unsigned char *encodedPoint = NULL;
2480 size_t encodedlen = 0;
2481 int curve_id = 0;
2482 #endif
2483 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
2484 int i;
2485 unsigned long type;
2486 const BIGNUM *r[4];
2487 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2488 EVP_PKEY_CTX *pctx = NULL;
2489 size_t paramlen, paramoffset;
2490
2491 if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2492 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2493 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2494 goto err;
2495 }
2496
2497 if (md_ctx == NULL) {
2498 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2499 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2500 goto err;
2501 }
2502
2503 type = s->s3.tmp.new_cipher->algorithm_mkey;
2504
2505 r[0] = r[1] = r[2] = r[3] = NULL;
2506 #ifndef OPENSSL_NO_PSK
2507 /* Plain PSK or RSAPSK nothing to do */
2508 if (type & (SSL_kPSK | SSL_kRSAPSK)) {
2509 } else
2510 #endif /* !OPENSSL_NO_PSK */
2511 #ifndef OPENSSL_NO_DH
2512 if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2513 CERT *cert = s->cert;
2514
2515 EVP_PKEY *pkdhp = NULL;
2516 DH *dh;
2517
2518 if (s->cert->dh_tmp_auto) {
2519 DH *dhp = ssl_get_auto_dh(s);
2520 pkdh = EVP_PKEY_new();
2521 if (pkdh == NULL || dhp == NULL) {
2522 DH_free(dhp);
2523 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2524 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2525 ERR_R_INTERNAL_ERROR);
2526 goto err;
2527 }
2528 EVP_PKEY_assign_DH(pkdh, dhp);
2529 pkdhp = pkdh;
2530 } else {
2531 pkdhp = cert->dh_tmp;
2532 }
2533 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
2534 DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
2535 pkdh = ssl_dh_to_pkey(dhp);
2536 if (pkdh == NULL) {
2537 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2538 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2539 ERR_R_INTERNAL_ERROR);
2540 goto err;
2541 }
2542 pkdhp = pkdh;
2543 }
2544 if (pkdhp == NULL) {
2545 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2546 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2547 SSL_R_MISSING_TMP_DH_KEY);
2548 goto err;
2549 }
2550 if (!ssl_security(s, SSL_SECOP_TMP_DH,
2551 EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
2552 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2553 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2554 SSL_R_DH_KEY_TOO_SMALL);
2555 goto err;
2556 }
2557 if (s->s3.tmp.pkey != NULL) {
2558 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2559 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2560 ERR_R_INTERNAL_ERROR);
2561 goto err;
2562 }
2563
2564 s->s3.tmp.pkey = ssl_generate_pkey(pkdhp);
2565 if (s->s3.tmp.pkey == NULL) {
2566 /* SSLfatal() already called */
2567 goto err;
2568 }
2569
2570 dh = EVP_PKEY_get0_DH(s->s3.tmp.pkey);
2571 if (dh == NULL) {
2572 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2573 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2574 ERR_R_INTERNAL_ERROR);
2575 goto err;
2576 }
2577
2578 EVP_PKEY_free(pkdh);
2579 pkdh = NULL;
2580
2581 DH_get0_pqg(dh, &r[0], NULL, &r[1]);
2582 DH_get0_key(dh, &r[2], NULL);
2583 } else
2584 #endif
2585 #ifndef OPENSSL_NO_EC
2586 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2587
2588 if (s->s3.tmp.pkey != NULL) {
2589 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2590 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2591 ERR_R_INTERNAL_ERROR);
2592 goto err;
2593 }
2594
2595 /* Get NID of appropriate shared curve */
2596 curve_id = tls1_shared_group(s, -2);
2597 if (curve_id == 0) {
2598 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2599 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2600 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
2601 goto err;
2602 }
2603 s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
2604 /* Generate a new key for this curve */
2605 if (s->s3.tmp.pkey == NULL) {
2606 /* SSLfatal() already called */
2607 goto err;
2608 }
2609
2610 /* Encode the public key. */
2611 encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3.tmp.pkey,
2612 &encodedPoint);
2613 if (encodedlen == 0) {
2614 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2615 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
2616 goto err;
2617 }
2618
2619 /*
2620 * We'll generate the serverKeyExchange message explicitly so we
2621 * can set these to NULLs
2622 */
2623 r[0] = NULL;
2624 r[1] = NULL;
2625 r[2] = NULL;
2626 r[3] = NULL;
2627 } else
2628 #endif /* !OPENSSL_NO_EC */
2629 #ifndef OPENSSL_NO_SRP
2630 if (type & SSL_kSRP) {
2631 if ((s->srp_ctx.N == NULL) ||
2632 (s->srp_ctx.g == NULL) ||
2633 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
2634 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2635 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2636 SSL_R_MISSING_SRP_PARAM);
2637 goto err;
2638 }
2639 r[0] = s->srp_ctx.N;
2640 r[1] = s->srp_ctx.g;
2641 r[2] = s->srp_ctx.s;
2642 r[3] = s->srp_ctx.B;
2643 } else
2644 #endif
2645 {
2646 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2647 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2648 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2649 goto err;
2650 }
2651
2652 if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
2653 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
2654 lu = NULL;
2655 } else if (lu == NULL) {
2656 SSLfatal(s, SSL_AD_DECODE_ERROR,
2657 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2658 goto err;
2659 }
2660
2661 #ifndef OPENSSL_NO_PSK
2662 if (type & SSL_PSK) {
2663 size_t len = (s->cert->psk_identity_hint == NULL)
2664 ? 0 : strlen(s->cert->psk_identity_hint);
2665
2666 /*
2667 * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
2668 * checked this when we set the identity hint - but just in case
2669 */
2670 if (len > PSK_MAX_IDENTITY_LEN
2671 || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2672 len)) {
2673 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2674 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2675 ERR_R_INTERNAL_ERROR);
2676 goto err;
2677 }
2678 }
2679 #endif
2680
2681 for (i = 0; i < 4 && r[i] != NULL; i++) {
2682 unsigned char *binval;
2683 int res;
2684
2685 #ifndef OPENSSL_NO_SRP
2686 if ((i == 2) && (type & SSL_kSRP)) {
2687 res = WPACKET_start_sub_packet_u8(pkt);
2688 } else
2689 #endif
2690 res = WPACKET_start_sub_packet_u16(pkt);
2691
2692 if (!res) {
2693 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2694 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2695 ERR_R_INTERNAL_ERROR);
2696 goto err;
2697 }
2698
2699 #ifndef OPENSSL_NO_DH
2700 /*-
2701 * for interoperability with some versions of the Microsoft TLS
2702 * stack, we need to zero pad the DHE pub key to the same length
2703 * as the prime
2704 */
2705 if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2706 size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
2707
2708 if (len > 0) {
2709 if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2710 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2711 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2712 ERR_R_INTERNAL_ERROR);
2713 goto err;
2714 }
2715 memset(binval, 0, len);
2716 }
2717 }
2718 #endif
2719 if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
2720 || !WPACKET_close(pkt)) {
2721 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2722 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2723 ERR_R_INTERNAL_ERROR);
2724 goto err;
2725 }
2726
2727 BN_bn2bin(r[i], binval);
2728 }
2729
2730 #ifndef OPENSSL_NO_EC
2731 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2732 /*
2733 * We only support named (not generic) curves. In this situation, the
2734 * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
2735 * [1 byte length of encoded point], followed by the actual encoded
2736 * point itself
2737 */
2738 if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
2739 || !WPACKET_put_bytes_u8(pkt, 0)
2740 || !WPACKET_put_bytes_u8(pkt, curve_id)
2741 || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2742 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2743 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2744 ERR_R_INTERNAL_ERROR);
2745 goto err;
2746 }
2747 OPENSSL_free(encodedPoint);
2748 encodedPoint = NULL;
2749 }
2750 #endif
2751
2752 /* not anonymous */
2753 if (lu != NULL) {
2754 EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
2755 const EVP_MD *md;
2756 unsigned char *sigbytes1, *sigbytes2, *tbs;
2757 size_t siglen, tbslen;
2758 int rv;
2759
2760 if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
2761 /* Should never happen */
2762 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2763 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2764 ERR_R_INTERNAL_ERROR);
2765 goto err;
2766 }
2767 /* Get length of the parameters we have written above */
2768 if (!WPACKET_get_length(pkt, &paramlen)) {
2769 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2770 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2771 ERR_R_INTERNAL_ERROR);
2772 goto err;
2773 }
2774 /* send signature algorithm */
2775 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
2776 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2777 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2778 ERR_R_INTERNAL_ERROR);
2779 goto err;
2780 }
2781 /*
2782 * Create the signature. We don't know the actual length of the sig
2783 * until after we've created it, so we reserve enough bytes for it
2784 * up front, and then properly allocate them in the WPACKET
2785 * afterwards.
2786 */
2787 siglen = EVP_PKEY_size(pkey);
2788 if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
2789 || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2790 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2791 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2792 ERR_R_INTERNAL_ERROR);
2793 goto err;
2794 }
2795 if (lu->sig == EVP_PKEY_RSA_PSS) {
2796 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2797 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2798 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2799 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2800 ERR_R_EVP_LIB);
2801 goto err;
2802 }
2803 }
2804 tbslen = construct_key_exchange_tbs(s, &tbs,
2805 s->init_buf->data + paramoffset,
2806 paramlen);
2807 if (tbslen == 0) {
2808 /* SSLfatal() already called */
2809 goto err;
2810 }
2811 rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
2812 OPENSSL_free(tbs);
2813 if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2814 || sigbytes1 != sigbytes2) {
2815 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2816 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2817 ERR_R_INTERNAL_ERROR);
2818 goto err;
2819 }
2820 }
2821
2822 EVP_MD_CTX_free(md_ctx);
2823 return 1;
2824 err:
2825 #ifndef OPENSSL_NO_DH
2826 EVP_PKEY_free(pkdh);
2827 #endif
2828 #ifndef OPENSSL_NO_EC
2829 OPENSSL_free(encodedPoint);
2830 #endif
2831 EVP_MD_CTX_free(md_ctx);
2832 return 0;
2833 }
2834
2835 int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2836 {
2837 if (SSL_IS_TLS13(s)) {
2838 /* Send random context when doing post-handshake auth */
2839 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
2840 OPENSSL_free(s->pha_context);
2841 s->pha_context_len = 32;
2842 if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
2843 || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
2844 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
2845 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2846 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2847 ERR_R_INTERNAL_ERROR);
2848 return 0;
2849 }
2850 /* reset the handshake hash back to just after the ClientFinished */
2851 if (!tls13_restore_handshake_digest_for_pha(s)) {
2852 /* SSLfatal() already called */
2853 return 0;
2854 }
2855 } else {
2856 if (!WPACKET_put_bytes_u8(pkt, 0)) {
2857 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2858 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2859 ERR_R_INTERNAL_ERROR);
2860 return 0;
2861 }
2862 }
2863
2864 if (!tls_construct_extensions(s, pkt,
2865 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
2866 0)) {
2867 /* SSLfatal() already called */
2868 return 0;
2869 }
2870 goto done;
2871 }
2872
2873 /* get the list of acceptable cert types */
2874 if (!WPACKET_start_sub_packet_u8(pkt)
2875 || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
2876 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2877 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2878 return 0;
2879 }
2880
2881 if (SSL_USE_SIGALGS(s)) {
2882 const uint16_t *psigs;
2883 size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2884
2885 if (!WPACKET_start_sub_packet_u16(pkt)
2886 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
2887 || !tls12_copy_sigalgs(s, pkt, psigs, nl)
2888 || !WPACKET_close(pkt)) {
2889 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2890 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2891 ERR_R_INTERNAL_ERROR);
2892 return 0;
2893 }
2894 }
2895
2896 if (!construct_ca_names(s, get_ca_names(s), pkt)) {
2897 /* SSLfatal() already called */
2898 return 0;
2899 }
2900
2901 done:
2902 s->certreqs_sent++;
2903 s->s3.tmp.cert_request = 1;
2904 return 1;
2905 }
2906
2907 static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
2908 {
2909 #ifndef OPENSSL_NO_PSK
2910 unsigned char psk[PSK_MAX_PSK_LEN];
2911 size_t psklen;
2912 PACKET psk_identity;
2913
2914 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2916 SSL_R_LENGTH_MISMATCH);
2917 return 0;
2918 }
2919 if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2920 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2921 SSL_R_DATA_LENGTH_TOO_LONG);
2922 return 0;
2923 }
2924 if (s->psk_server_callback == NULL) {
2925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2926 SSL_R_PSK_NO_SERVER_CB);
2927 return 0;
2928 }
2929
2930 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
2931 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2932 ERR_R_INTERNAL_ERROR);
2933 return 0;
2934 }
2935
2936 psklen = s->psk_server_callback(s, s->session->psk_identity,
2937 psk, sizeof(psk));
2938
2939 if (psklen > PSK_MAX_PSK_LEN) {
2940 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2941 ERR_R_INTERNAL_ERROR);
2942 return 0;
2943 } else if (psklen == 0) {
2944 /*
2945 * PSK related to the given identity not found
2946 */
2947 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
2948 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2949 SSL_R_PSK_IDENTITY_NOT_FOUND);
2950 return 0;
2951 }
2952
2953 OPENSSL_free(s->s3.tmp.psk);
2954 s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
2955 OPENSSL_cleanse(psk, psklen);
2956
2957 if (s->s3.tmp.psk == NULL) {
2958 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2959 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2960 return 0;
2961 }
2962
2963 s->s3.tmp.psklen = psklen;
2964
2965 return 1;
2966 #else
2967 /* Should never happen */
2968 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2969 ERR_R_INTERNAL_ERROR);
2970 return 0;
2971 #endif
2972 }
2973
2974 static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
2975 {
2976 #ifndef OPENSSL_NO_RSA
2977 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
2978 int decrypt_len;
2979 unsigned char decrypt_good, version_good;
2980 size_t j, padding_len;
2981 PACKET enc_premaster;
2982 RSA *rsa = NULL;
2983 unsigned char *rsa_decrypt = NULL;
2984 int ret = 0;
2985
2986 rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2987 if (rsa == NULL) {
2988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
2989 SSL_R_MISSING_RSA_CERTIFICATE);
2990 return 0;
2991 }
2992
2993 /* SSLv3 and pre-standard DTLS omit the length bytes. */
2994 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2995 enc_premaster = *pkt;
2996 } else {
2997 if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
2998 || PACKET_remaining(pkt) != 0) {
2999 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3000 SSL_R_LENGTH_MISMATCH);
3001 return 0;
3002 }
3003 }
3004
3005 /*
3006 * We want to be sure that the plaintext buffer size makes it safe to
3007 * iterate over the entire size of a premaster secret
3008 * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
3009 * their ciphertext cannot accommodate a premaster secret anyway.
3010 */
3011 if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
3012 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3013 RSA_R_KEY_SIZE_TOO_SMALL);
3014 return 0;
3015 }
3016
3017 rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
3018 if (rsa_decrypt == NULL) {
3019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3020 ERR_R_MALLOC_FAILURE);
3021 return 0;
3022 }
3023
3024 /*
3025 * We must not leak whether a decryption failure occurs because of
3026 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
3027 * section 7.4.7.1). The code follows that advice of the TLS RFC and
3028 * generates a random premaster secret for the case that the decrypt
3029 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
3030 */
3031
3032 if (RAND_priv_bytes(rand_premaster_secret,
3033 sizeof(rand_premaster_secret)) <= 0) {
3034 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3035 ERR_R_INTERNAL_ERROR);
3036 goto err;
3037 }
3038
3039 /*
3040 * Decrypt with no padding. PKCS#1 padding will be removed as part of
3041 * the timing-sensitive code below.
3042 */
3043 /* TODO(size_t): Convert this function */
3044 decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
3045 PACKET_data(&enc_premaster),
3046 rsa_decrypt, rsa, RSA_NO_PADDING);
3047 if (decrypt_len < 0) {
3048 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3049 ERR_R_INTERNAL_ERROR);
3050 goto err;
3051 }
3052
3053 /* Check the padding. See RFC 3447, section 7.2.2. */
3054
3055 /*
3056 * The smallest padded premaster is 11 bytes of overhead. Small keys
3057 * are publicly invalid, so this may return immediately. This ensures
3058 * PS is at least 8 bytes.
3059 */
3060 if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
3061 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3062 SSL_R_DECRYPTION_FAILED);
3063 goto err;
3064 }
3065
3066 padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
3067 decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
3068 constant_time_eq_int_8(rsa_decrypt[1], 2);
3069 for (j = 2; j < padding_len - 1; j++) {
3070 decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
3071 }
3072 decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
3073
3074 /*
3075 * If the version in the decrypted pre-master secret is correct then
3076 * version_good will be 0xff, otherwise it'll be zero. The
3077 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
3078 * (http://eprint.iacr.org/2003/052/) exploits the version number
3079 * check as a "bad version oracle". Thus version checks are done in
3080 * constant time and are treated like any other decryption error.
3081 */
3082 version_good =
3083 constant_time_eq_8(rsa_decrypt[padding_len],
3084 (unsigned)(s->client_version >> 8));
3085 version_good &=
3086 constant_time_eq_8(rsa_decrypt[padding_len + 1],
3087 (unsigned)(s->client_version & 0xff));
3088
3089 /*
3090 * The premaster secret must contain the same version number as the
3091 * ClientHello to detect version rollback attacks (strangely, the
3092 * protocol does not offer such protection for DH ciphersuites).
3093 * However, buggy clients exist that send the negotiated protocol
3094 * version instead if the server does not support the requested
3095 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
3096 * clients.
3097 */
3098 if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
3099 unsigned char workaround_good;
3100 workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
3101 (unsigned)(s->version >> 8));
3102 workaround_good &=
3103 constant_time_eq_8(rsa_decrypt[padding_len + 1],
3104 (unsigned)(s->version & 0xff));
3105 version_good |= workaround_good;
3106 }
3107
3108 /*
3109 * Both decryption and version must be good for decrypt_good to
3110 * remain non-zero (0xff).
3111 */
3112 decrypt_good &= version_good;
3113
3114 /*
3115 * Now copy rand_premaster_secret over from p using
3116 * decrypt_good_mask. If decryption failed, then p does not
3117 * contain valid plaintext, however, a check above guarantees
3118 * it is still sufficiently large to read from.
3119 */
3120 for (j = 0; j < sizeof(rand_premaster_secret); j++) {
3121 rsa_decrypt[padding_len + j] =
3122 constant_time_select_8(decrypt_good,
3123 rsa_decrypt[padding_len + j],
3124 rand_premaster_secret[j]);
3125 }
3126
3127 if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
3128 sizeof(rand_premaster_secret), 0)) {
3129 /* SSLfatal() already called */
3130 goto err;
3131 }
3132
3133 ret = 1;
3134 err:
3135 OPENSSL_free(rsa_decrypt);
3136 return ret;
3137 #else
3138 /* Should never happen */
3139 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
3140 ERR_R_INTERNAL_ERROR);
3141 return 0;
3142 #endif
3143 }
3144
3145 static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
3146 {
3147 #ifndef OPENSSL_NO_DH
3148 EVP_PKEY *skey = NULL;
3149 DH *cdh;
3150 unsigned int i;
3151 BIGNUM *pub_key;
3152 const unsigned char *data;
3153 EVP_PKEY *ckey = NULL;
3154 int ret = 0;
3155
3156 if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
3157 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3158 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
3159 goto err;
3160 }
3161 skey = s->s3.tmp.pkey;
3162 if (skey == NULL) {
3163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3164 SSL_R_MISSING_TMP_DH_KEY);
3165 goto err;
3166 }
3167
3168 if (PACKET_remaining(pkt) == 0L) {
3169 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3170 SSL_R_MISSING_TMP_DH_KEY);
3171 goto err;
3172 }
3173 if (!PACKET_get_bytes(pkt, &data, i)) {
3174 /* We already checked we have enough data */
3175 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3176 ERR_R_INTERNAL_ERROR);
3177 goto err;
3178 }
3179 ckey = EVP_PKEY_new();
3180 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
3181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3182 SSL_R_BN_LIB);
3183 goto err;
3184 }
3185
3186 cdh = EVP_PKEY_get0_DH(ckey);
3187 pub_key = BN_bin2bn(data, i, NULL);
3188 if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
3189 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3190 ERR_R_INTERNAL_ERROR);
3191 BN_free(pub_key);
3192 goto err;
3193 }
3194
3195 if (ssl_derive(s, skey, ckey, 1) == 0) {
3196 /* SSLfatal() already called */
3197 goto err;
3198 }
3199
3200 ret = 1;
3201 EVP_PKEY_free(s->s3.tmp.pkey);
3202 s->s3.tmp.pkey = NULL;
3203 err:
3204 EVP_PKEY_free(ckey);
3205 return ret;
3206 #else
3207 /* Should never happen */
3208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3209 ERR_R_INTERNAL_ERROR);
3210 return 0;
3211 #endif
3212 }
3213
3214 static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
3215 {
3216 #ifndef OPENSSL_NO_EC
3217 EVP_PKEY *skey = s->s3.tmp.pkey;
3218 EVP_PKEY *ckey = NULL;
3219 int ret = 0;
3220
3221 if (PACKET_remaining(pkt) == 0L) {
3222 /* We don't support ECDH client auth */
3223 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
3224 SSL_R_MISSING_TMP_ECDH_KEY);
3225 goto err;
3226 } else {
3227 unsigned int i;
3228 const unsigned char *data;
3229
3230 /*
3231 * Get client's public key from encoded point in the
3232 * ClientKeyExchange message.
3233 */
3234
3235 /* Get encoded point length */
3236 if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
3237 || PACKET_remaining(pkt) != 0) {
3238 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
3239 SSL_R_LENGTH_MISMATCH);
3240 goto err;
3241 }
3242 if (skey == NULL) {
3243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
3244 SSL_R_MISSING_TMP_ECDH_KEY);
3245 goto err;
3246 }
3247
3248 ckey = EVP_PKEY_new();
3249 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
3250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
3251 ERR_R_EVP_LIB);
3252 goto err;
3253 }
3254 if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
3255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
3256 ERR_R_EC_LIB);
3257 goto err;
3258 }
3259 }
3260
3261 if (ssl_derive(s, skey, ckey, 1) == 0) {
3262 /* SSLfatal() already called */
3263 goto err;
3264 }
3265
3266 ret = 1;
3267 EVP_PKEY_free(s->s3.tmp.pkey);
3268 s->s3.tmp.pkey = NULL;
3269 err:
3270 EVP_PKEY_free(ckey);
3271
3272 return ret;
3273 #else
3274 /* Should never happen */
3275 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
3276 ERR_R_INTERNAL_ERROR);
3277 return 0;
3278 #endif
3279 }
3280
3281 static int tls_process_cke_srp(SSL *s, PACKET *pkt)
3282 {
3283 #ifndef OPENSSL_NO_SRP
3284 unsigned int i;
3285 const unsigned char *data;
3286
3287 if (!PACKET_get_net_2(pkt, &i)
3288 || !PACKET_get_bytes(pkt, &data, i)) {
3289 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
3290 SSL_R_BAD_SRP_A_LENGTH);
3291 return 0;
3292 }
3293 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
3294 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
3295 ERR_R_BN_LIB);
3296 return 0;
3297 }
3298 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
3299 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
3300 SSL_R_BAD_SRP_PARAMETERS);
3301 return 0;
3302 }
3303 OPENSSL_free(s->session->srp_username);
3304 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3305 if (s->session->srp_username == NULL) {
3306 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
3307 ERR_R_MALLOC_FAILURE);
3308 return 0;
3309 }
3310
3311 if (!srp_generate_server_master_secret(s)) {
3312 /* SSLfatal() already called */
3313 return 0;
3314 }
3315
3316 return 1;
3317 #else
3318 /* Should never happen */
3319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
3320 ERR_R_INTERNAL_ERROR);
3321 return 0;
3322 #endif
3323 }
3324
3325 static int tls_process_cke_gost(SSL *s, PACKET *pkt)
3326 {
3327 #ifndef OPENSSL_NO_GOST
3328 EVP_PKEY_CTX *pkey_ctx;
3329 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
3330 unsigned char premaster_secret[32];
3331 const unsigned char *start;
3332 size_t outlen = 32, inlen;
3333 unsigned long alg_a;
3334 unsigned int asn1id, asn1len;
3335 int ret = 0;
3336 PACKET encdata;
3337
3338 /* Get our certificate private key */
3339 alg_a = s->s3.tmp.new_cipher->algorithm_auth;
3340 if (alg_a & SSL_aGOST12) {
3341 /*
3342 * New GOST ciphersuites have SSL_aGOST01 bit too
3343 */
3344 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
3345 if (pk == NULL) {
3346 pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
3347 }
3348 if (pk == NULL) {
3349 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
3350 }
3351 } else if (alg_a & SSL_aGOST01) {
3352 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
3353 }
3354
3355 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
3356 if (pkey_ctx == NULL) {
3357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3358 ERR_R_MALLOC_FAILURE);
3359 return 0;
3360 }
3361 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
3362 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3363 ERR_R_INTERNAL_ERROR);
3364 return 0;
3365 }
3366 /*
3367 * If client certificate is present and is of the same type, maybe
3368 * use it for key exchange. Don't mind errors from
3369 * EVP_PKEY_derive_set_peer, because it is completely valid to use a
3370 * client certificate for authorization only.
3371 */
3372 client_pub_pkey = X509_get0_pubkey(s->session->peer);
3373 if (client_pub_pkey) {
3374 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
3375 ERR_clear_error();
3376 }
3377 /* Decrypt session key */
3378 if (!PACKET_get_1(pkt, &asn1id)
3379 || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
3380 || !PACKET_peek_1(pkt, &asn1len)) {
3381 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3382 SSL_R_DECRYPTION_FAILED);
3383 goto err;
3384 }
3385 if (asn1len == 0x81) {
3386 /*
3387 * Long form length. Should only be one byte of length. Anything else
3388 * isn't supported.
3389 * We did a successful peek before so this shouldn't fail
3390 */
3391 if (!PACKET_forward(pkt, 1)) {
3392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3393 SSL_R_DECRYPTION_FAILED);
3394 goto err;
3395 }
3396 } else if (asn1len >= 0x80) {
3397 /*
3398 * Indefinite length, or more than one long form length bytes. We don't
3399 * support it
3400 */
3401 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3402 SSL_R_DECRYPTION_FAILED);
3403 goto err;
3404 } /* else short form length */
3405
3406 if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
3407 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3408 SSL_R_DECRYPTION_FAILED);
3409 goto err;
3410 }
3411 inlen = PACKET_remaining(&encdata);
3412 start = PACKET_data(&encdata);
3413
3414 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
3415 inlen) <= 0) {
3416 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3417 SSL_R_DECRYPTION_FAILED);
3418 goto err;
3419 }
3420 /* Generate master secret */
3421 if (!ssl_generate_master_secret(s, premaster_secret,
3422 sizeof(premaster_secret), 0)) {
3423 /* SSLfatal() already called */
3424 goto err;
3425 }
3426 /* Check if pubkey from client certificate was used */
3427 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
3428 NULL) > 0)
3429 s->statem.no_cert_verify = 1;
3430
3431 ret = 1;
3432 err:
3433 EVP_PKEY_CTX_free(pkey_ctx);
3434 return ret;
3435 #else
3436 /* Should never happen */
3437 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
3438 ERR_R_INTERNAL_ERROR);
3439 return 0;
3440 #endif
3441 }
3442
3443 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
3444 {
3445 unsigned long alg_k;
3446
3447 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3448
3449 /* For PSK parse and retrieve identity, obtain PSK key */
3450 if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
3451 /* SSLfatal() already called */
3452 goto err;
3453 }
3454
3455 if (alg_k & SSL_kPSK) {
3456 /* Identity extracted earlier: should be nothing left */
3457 if (PACKET_remaining(pkt) != 0) {
3458 SSLfatal(s, SSL_AD_DECODE_ERROR,
3459 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3460 SSL_R_LENGTH_MISMATCH);
3461 goto err;
3462 }
3463 /* PSK handled by ssl_generate_master_secret */
3464 if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
3465 /* SSLfatal() already called */
3466 goto err;
3467 }
3468 } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3469 if (!tls_process_cke_rsa(s, pkt)) {
3470 /* SSLfatal() already called */
3471 goto err;
3472 }
3473 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3474 if (!tls_process_cke_dhe(s, pkt)) {
3475 /* SSLfatal() already called */
3476 goto err;
3477 }
3478 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3479 if (!tls_process_cke_ecdhe(s, pkt)) {
3480 /* SSLfatal() already called */
3481 goto err;
3482 }
3483 } else if (alg_k & SSL_kSRP) {
3484 if (!tls_process_cke_srp(s, pkt)) {
3485 /* SSLfatal() already called */
3486 goto err;
3487 }
3488 } else if (alg_k & SSL_kGOST) {
3489 if (!tls_process_cke_gost(s, pkt)) {
3490 /* SSLfatal() already called */
3491 goto err;
3492 }
3493 } else {
3494 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3495 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3496 SSL_R_UNKNOWN_CIPHER_TYPE);
3497 goto err;
3498 }
3499
3500 return MSG_PROCESS_CONTINUE_PROCESSING;
3501 err:
3502 #ifndef OPENSSL_NO_PSK
3503 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
3504 s->s3.tmp.psk = NULL;
3505 #endif
3506 return MSG_PROCESS_ERROR;
3507 }
3508
3509 WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
3510 {
3511 #ifndef OPENSSL_NO_SCTP
3512 if (wst == WORK_MORE_A) {
3513 if (SSL_IS_DTLS(s)) {
3514 unsigned char sctpauthkey[64];
3515 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3516 size_t labellen;
3517 /*
3518 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3519 * used.
3520 */
3521 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3522 sizeof(DTLS1_SCTP_AUTH_LABEL));
3523
3524 /* Don't include the terminating zero. */
3525 labellen = sizeof(labelbuffer) - 1;
3526 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
3527 labellen += 1;
3528
3529 if (SSL_export_keying_material(s, sctpauthkey,
3530 sizeof(sctpauthkey), labelbuffer,
3531 labellen, NULL, 0,
3532 0) <= 0) {
3533 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3534 SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
3535 ERR_R_INTERNAL_ERROR);
3536 return WORK_ERROR;
3537 }
3538
3539 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3540 sizeof(sctpauthkey), sctpauthkey);
3541 }
3542 }
3543 #endif
3544
3545 if (s->statem.no_cert_verify || !s->session->peer) {
3546 /*
3547 * No certificate verify or no peer certificate so we no longer need
3548 * the handshake_buffer
3549 */
3550 if (!ssl3_digest_cached_records(s, 0)) {
3551 /* SSLfatal() already called */
3552 return WORK_ERROR;
3553 }
3554 return WORK_FINISHED_CONTINUE;
3555 } else {
3556 if (!s->s3.handshake_buffer) {
3557 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3558 SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
3559 ERR_R_INTERNAL_ERROR);
3560 return WORK_ERROR;
3561 }
3562 /*
3563 * For sigalgs freeze the handshake buffer. If we support
3564 * extms we've done this already so this is a no-op
3565 */
3566 if (!ssl3_digest_cached_records(s, 1)) {
3567 /* SSLfatal() already called */
3568 return WORK_ERROR;
3569 }
3570 }
3571
3572 return WORK_FINISHED_CONTINUE;
3573 }
3574
3575 MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
3576 {
3577 int i;
3578 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
3579 X509 *x = NULL;
3580 unsigned long l;
3581 const unsigned char *certstart, *certbytes;
3582 STACK_OF(X509) *sk = NULL;
3583 PACKET spkt, context;
3584 size_t chainidx;
3585 SSL_SESSION *new_sess = NULL;
3586
3587 /*
3588 * To get this far we must have read encrypted data from the client. We no
3589 * longer tolerate unencrypted alerts. This value is ignored if less than
3590 * TLSv1.3
3591 */
3592 s->statem.enc_read_state = ENC_READ_STATE_VALID;
3593
3594 if ((sk = sk_X509_new_null()) == NULL) {
3595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3596 ERR_R_MALLOC_FAILURE);
3597 goto err;
3598 }
3599
3600 if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
3601 || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
3602 || (s->pha_context != NULL &&
3603 !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
3604 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3605 SSL_R_INVALID_CONTEXT);
3606 goto err;
3607 }
3608
3609 if (!PACKET_get_length_prefixed_3(pkt, &spkt)
3610 || PACKET_remaining(pkt) != 0) {
3611 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3612 SSL_R_LENGTH_MISMATCH);
3613 goto err;
3614 }
3615
3616 for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3617 if (!PACKET_get_net_3(&spkt, &l)
3618 || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3619 SSLfatal(s, SSL_AD_DECODE_ERROR,
3620 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3621 SSL_R_CERT_LENGTH_MISMATCH);
3622 goto err;
3623 }
3624
3625 certstart = certbytes;
3626 x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3627 if (x == NULL) {
3628 SSLfatal(s, SSL_AD_DECODE_ERROR,
3629 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3630 goto err;
3631 }
3632 if (certbytes != (certstart + l)) {
3633 SSLfatal(s, SSL_AD_DECODE_ERROR,
3634 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3635 SSL_R_CERT_LENGTH_MISMATCH);
3636 goto err;
3637 }
3638
3639 if (SSL_IS_TLS13(s)) {
3640 RAW_EXTENSION *rawexts = NULL;
3641 PACKET extensions;
3642
3643 if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
3644 SSLfatal(s, SSL_AD_DECODE_ERROR,
3645 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3646 SSL_R_BAD_LENGTH);
3647 goto err;
3648 }
3649 if (!tls_collect_extensions(s, &extensions,
3650 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
3651 NULL, chainidx == 0)
3652 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
3653 rawexts, x, chainidx,
3654 PACKET_remaining(&spkt) == 0)) {
3655 OPENSSL_free(rawexts);
3656 goto err;
3657 }
3658 OPENSSL_free(rawexts);
3659 }
3660
3661 if (!sk_X509_push(sk, x)) {
3662 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3663 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3664 ERR_R_MALLOC_FAILURE);
3665 goto err;
3666 }
3667 x = NULL;
3668 }
3669
3670 if (sk_X509_num(sk) <= 0) {
3671 /* TLS does not mind 0 certs returned */
3672 if (s->version == SSL3_VERSION) {
3673 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3674 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3675 SSL_R_NO_CERTIFICATES_RETURNED);
3676 goto err;
3677 }
3678 /* Fail for TLS only if we required a certificate */
3679 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3680 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3681 SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
3682 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3683 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3684 goto err;
3685 }
3686 /* No client certificate so digest cached records */
3687 if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3688 /* SSLfatal() already called */
3689 goto err;
3690 }
3691 } else {
3692 EVP_PKEY *pkey;
3693 i = ssl_verify_cert_chain(s, sk);
3694 if (i <= 0) {
3695 SSLfatal(s, ssl_x509err2alert(s->verify_result),
3696 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3697 SSL_R_CERTIFICATE_VERIFY_FAILED);
3698 goto err;
3699 }
3700 if (i > 1) {
3701 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3702 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
3703 goto err;
3704 }
3705 pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3706 if (pkey == NULL) {
3707 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3708 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3709 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
3710 goto err;
3711 }
3712 }
3713
3714 /*
3715 * Sessions must be immutable once they go into the session cache. Otherwise
3716 * we can get multi-thread problems. Therefore we don't "update" sessions,
3717 * we replace them with a duplicate. Here, we need to do this every time
3718 * a new certificate is received via post-handshake authentication, as the
3719 * session may have already gone into the session cache.
3720 */
3721
3722 if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3723 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
3724 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3725 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3726 ERR_R_MALLOC_FAILURE);
3727 goto err;
3728 }
3729
3730 SSL_SESSION_free(s->session);
3731 s->session = new_sess;
3732 }
3733
3734 X509_free(s->session->peer);
3735 s->session->peer = sk_X509_shift(sk);
3736 s->session->verify_result = s->verify_result;
3737
3738 sk_X509_pop_free(s->session->peer_chain, X509_free);
3739 s->session->peer_chain = sk;
3740
3741 /*
3742 * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
3743 * message
3744 */
3745 if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3746 /* SSLfatal() already called */
3747 goto err;
3748 }
3749
3750 /*
3751 * Inconsistency alert: cert_chain does *not* include the peer's own
3752 * certificate, while we do include it in statem_clnt.c
3753 */
3754 sk = NULL;
3755
3756 /* Save the current hash state for when we receive the CertificateVerify */
3757 if (SSL_IS_TLS13(s)) {
3758 if (!ssl_handshake_hash(s, s->cert_verify_hash,
3759 sizeof(s->cert_verify_hash),
3760 &s->cert_verify_hash_len)) {
3761 /* SSLfatal() already called */
3762 goto err;
3763 }
3764
3765 /* Resend session tickets */
3766 s->sent_tickets = 0;
3767 }
3768
3769 ret = MSG_PROCESS_CONTINUE_READING;
3770
3771 err:
3772 X509_free(x);
3773 sk_X509_pop_free(sk, X509_free);
3774 return ret;
3775 }
3776
3777 int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
3778 {
3779 CERT_PKEY *cpk = s->s3.tmp.cert;
3780
3781 if (cpk == NULL) {
3782 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3783 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3784 return 0;
3785 }
3786
3787 /*
3788 * In TLSv1.3 the certificate chain is always preceded by a 0 length context
3789 * for the server Certificate message
3790 */
3791 if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
3792 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3793 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3794 return 0;
3795 }
3796 if (!ssl3_output_cert_chain(s, pkt, cpk)) {
3797 /* SSLfatal() already called */
3798 return 0;
3799 }
3800
3801 return 1;
3802 }
3803
3804 static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
3805 unsigned char *tick_nonce)
3806 {
3807 /*
3808 * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
3809 * unspecified for resumed session (for simplicity).
3810 * In TLSv1.3 we reset the "time" field above, and always specify the
3811 * timeout.
3812 */
3813 if (!WPACKET_put_bytes_u32(pkt,
3814 (s->hit && !SSL_IS_TLS13(s))
3815 ? 0 : s->session->timeout)) {
3816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
3817 ERR_R_INTERNAL_ERROR);
3818 return 0;
3819 }
3820
3821 if (SSL_IS_TLS13(s)) {
3822 if (!WPACKET_put_bytes_u32(pkt, age_add)
3823 || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
3824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
3825 ERR_R_INTERNAL_ERROR);
3826 return 0;
3827 }
3828 }
3829
3830 /* Start the sub-packet for the actual ticket data */
3831 if (!WPACKET_start_sub_packet_u16(pkt)) {
3832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
3833 ERR_R_INTERNAL_ERROR);
3834 return 0;
3835 }
3836
3837 return 1;
3838 }
3839
3840 static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
3841 unsigned char *tick_nonce)
3842 {
3843 unsigned char *senc = NULL;
3844 EVP_CIPHER_CTX *ctx = NULL;
3845 HMAC_CTX *hctx = NULL;
3846 unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
3847 const unsigned char *const_p;
3848 int len, slen_full, slen, lenfinal;
3849 SSL_SESSION *sess;
3850 unsigned int hlen;
3851 SSL_CTX *tctx = s->session_ctx;
3852 unsigned char iv[EVP_MAX_IV_LENGTH];
3853 unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3854 int iv_len, ok = 0;
3855 size_t macoffset, macendoffset;
3856
3857 /* get session encoding length */
3858 slen_full = i2d_SSL_SESSION(s->session, NULL);
3859 /*
3860 * Some length values are 16 bits, so forget it if session is too
3861 * long
3862 */
3863 if (slen_full == 0 || slen_full > 0xFF00) {
3864 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3865 ERR_R_INTERNAL_ERROR);
3866 goto err;
3867 }
3868 senc = OPENSSL_malloc(slen_full);
3869 if (senc == NULL) {
3870 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3871 SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE);
3872 goto err;
3873 }
3874
3875 ctx = EVP_CIPHER_CTX_new();
3876 hctx = HMAC_CTX_new();
3877 if (ctx == NULL || hctx == NULL) {
3878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3879 ERR_R_MALLOC_FAILURE);
3880 goto err;
3881 }
3882
3883 p = senc;
3884 if (!i2d_SSL_SESSION(s->session, &p)) {
3885 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3886 ERR_R_INTERNAL_ERROR);
3887 goto err;
3888 }
3889
3890 /*
3891 * create a fresh copy (not shared with other threads) to clean up
3892 */
3893 const_p = senc;
3894 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3895 if (sess == NULL) {
3896 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3897 ERR_R_INTERNAL_ERROR);
3898 goto err;
3899 }
3900
3901 slen = i2d_SSL_SESSION(sess, NULL);
3902 if (slen == 0 || slen > slen_full) {
3903 /* shouldn't ever happen */
3904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3905 ERR_R_INTERNAL_ERROR);
3906 SSL_SESSION_free(sess);
3907 goto err;
3908 }
3909 p = senc;
3910 if (!i2d_SSL_SESSION(sess, &p)) {
3911 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3912 ERR_R_INTERNAL_ERROR);
3913 SSL_SESSION_free(sess);
3914 goto err;
3915 }
3916 SSL_SESSION_free(sess);
3917
3918 /*
3919 * Initialize HMAC and cipher contexts. If callback present it does
3920 * all the work otherwise use generated values from parent ctx.
3921 */
3922 if (tctx->ext.ticket_key_cb) {
3923 /* if 0 is returned, write an empty ticket */
3924 int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
3925 hctx, 1);
3926
3927 if (ret == 0) {
3928
3929 /* Put timeout and length */
3930 if (!WPACKET_put_bytes_u32(pkt, 0)
3931 || !WPACKET_put_bytes_u16(pkt, 0)) {
3932 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3933 SSL_F_CONSTRUCT_STATELESS_TICKET,
3934 ERR_R_INTERNAL_ERROR);
3935 goto err;
3936 }
3937 OPENSSL_free(senc);
3938 EVP_CIPHER_CTX_free(ctx);
3939 HMAC_CTX_free(hctx);
3940 return 1;
3941 }
3942 if (ret < 0) {
3943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3944 SSL_R_CALLBACK_FAILED);
3945 goto err;
3946 }
3947 iv_len = EVP_CIPHER_CTX_iv_length(ctx);
3948 } else {
3949 const EVP_CIPHER *cipher = EVP_aes_256_cbc();
3950
3951 iv_len = EVP_CIPHER_iv_length(cipher);
3952 if (RAND_bytes(iv, iv_len) <= 0
3953 || !EVP_EncryptInit_ex(ctx, cipher, NULL,
3954 tctx->ext.secure->tick_aes_key, iv)
3955 || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
3956 sizeof(tctx->ext.secure->tick_hmac_key),
3957 EVP_sha256(), NULL)) {
3958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
3959 ERR_R_INTERNAL_ERROR);
3960 goto err;
3961 }
3962 memcpy(key_name, tctx->ext.tick_key_name,
3963 sizeof(tctx->ext.tick_key_name));
3964 }
3965
3966 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
3967 /* SSLfatal() already called */
3968 goto err;
3969 }
3970
3971 if (!WPACKET_get_total_written(pkt, &macoffset)
3972 /* Output key name */
3973 || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3974 /* output IV */
3975 || !WPACKET_memcpy(pkt, iv, iv_len)
3976 || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3977 &encdata1)
3978 /* Encrypt session data */
3979 || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3980 || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3981 || encdata1 != encdata2
3982 || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3983 || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3984 || encdata1 + len != encdata2
3985 || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3986 || !WPACKET_get_total_written(pkt, &macendoffset)
3987 || !HMAC_Update(hctx,
3988 (unsigned char *)s->init_buf->data + macoffset,
3989 macendoffset - macoffset)
3990 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3991 || !HMAC_Final(hctx, macdata1, &hlen)
3992 || hlen > EVP_MAX_MD_SIZE
3993 || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3994 || macdata1 != macdata2) {
3995 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3996 SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR);
3997 goto err;
3998 }
3999
4000 /* Close the sub-packet created by create_ticket_prequel() */
4001 if (!WPACKET_close(pkt)) {
4002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
4003 ERR_R_INTERNAL_ERROR);
4004 goto err;
4005 }
4006
4007 ok = 1;
4008 err:
4009 OPENSSL_free(senc);
4010 EVP_CIPHER_CTX_free(ctx);
4011 HMAC_CTX_free(hctx);
4012 return ok;
4013 }
4014
4015 static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
4016 unsigned char *tick_nonce)
4017 {
4018 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
4019 /* SSLfatal() already called */
4020 return 0;
4021 }
4022
4023 if (!WPACKET_memcpy(pkt, s->session->session_id,
4024 s->session->session_id_length)
4025 || !WPACKET_close(pkt)) {
4026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET,
4027 ERR_R_INTERNAL_ERROR);
4028 return 0;
4029 }
4030
4031 return 1;
4032 }
4033
4034 int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
4035 {
4036 SSL_CTX *tctx = s->session_ctx;
4037 unsigned char tick_nonce[TICKET_NONCE_SIZE];
4038 union {
4039 unsigned char age_add_c[sizeof(uint32_t)];
4040 uint32_t age_add;
4041 } age_add_u;
4042
4043 age_add_u.age_add = 0;
4044
4045 if (SSL_IS_TLS13(s)) {
4046 size_t i, hashlen;
4047 uint64_t nonce;
4048 static const unsigned char nonce_label[] = "resumption";
4049 const EVP_MD *md = ssl_handshake_md(s);
4050 int hashleni = EVP_MD_size(md);
4051
4052 /* Ensure cast to size_t is safe */
4053 if (!ossl_assert(hashleni >= 0)) {
4054 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
4055 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
4056 ERR_R_INTERNAL_ERROR);
4057 goto err;
4058 }
4059 hashlen = (size_t)hashleni;
4060
4061 /*
4062 * If we already sent one NewSessionTicket, or we resumed then
4063 * s->session may already be in a cache and so we must not modify it.
4064 * Instead we need to take a copy of it and modify that.
4065 */
4066 if (s->sent_tickets != 0 || s->hit) {
4067 SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
4068
4069 if (new_sess == NULL) {
4070 /* SSLfatal already called */
4071 goto err;
4072 }
4073
4074 SSL_SESSION_free(s->session);
4075 s->session = new_sess;
4076 }
4077
4078 if (!ssl_generate_session_id(s, s->session)) {
4079 /* SSLfatal() already called */
4080 goto err;
4081 }
4082 if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
4083 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
4084 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
4085 ERR_R_INTERNAL_ERROR);
4086 goto err;
4087 }
4088 s->session->ext.tick_age_add = age_add_u.age_add;
4089
4090 nonce = s->next_ticket_nonce;
4091 for (i = TICKET_NONCE_SIZE; i > 0; i--) {
4092 tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
4093 nonce >>= 8;
4094 }
4095
4096 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
4097 nonce_label,
4098 sizeof(nonce_label) - 1,
4099 tick_nonce,
4100 TICKET_NONCE_SIZE,
4101 s->session->master_key,
4102 hashlen, 1)) {
4103 /* SSLfatal() already called */
4104 goto err;
4105 }
4106 s->session->master_key_length = hashlen;
4107
4108 s->session->time = (long)time(NULL);
4109 if (s->s3.alpn_selected != NULL) {
4110 OPENSSL_free(s->session->ext.alpn_selected);
4111 s->session->ext.alpn_selected =
4112 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
4113 if (s->session->ext.alpn_selected == NULL) {
4114 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
4115 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
4116 ERR_R_MALLOC_FAILURE);
4117 goto err;
4118 }
4119 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
4120 }
4121 s->session->ext.max_early_data = s->max_early_data;
4122 }
4123
4124 if (tctx->generate_ticket_cb != NULL &&
4125 tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
4126 goto err;
4127
4128 /*
4129 * If we are using anti-replay protection then we behave as if
4130 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
4131 * is no point in using full stateless tickets.
4132 */
4133 if (SSL_IS_TLS13(s)
4134 && ((s->options & SSL_OP_NO_TICKET) != 0
4135 || (s->max_early_data > 0
4136 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
4137 if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
4138 /* SSLfatal() already called */
4139 goto err;
4140 }
4141 } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
4142 tick_nonce)) {
4143 /* SSLfatal() already called */
4144 goto err;
4145 }
4146
4147 if (SSL_IS_TLS13(s)) {
4148 if (!tls_construct_extensions(s, pkt,
4149 SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
4150 NULL, 0)) {
4151 /* SSLfatal() already called */
4152 goto err;
4153 }
4154 /*
4155 * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
4156 * gets reset to 0 if we send more tickets following a post-handshake
4157 * auth, but |next_ticket_nonce| does not.
4158 */
4159 s->sent_tickets++;
4160 s->next_ticket_nonce++;
4161 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
4162 }
4163
4164 return 1;
4165 err:
4166 return 0;
4167 }
4168
4169 /*
4170 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
4171 * create a separate message. Returns 1 on success or 0 on failure.
4172 */
4173 int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
4174 {
4175 if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
4176 || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
4177 s->ext.ocsp.resp_len)) {
4178 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
4179 ERR_R_INTERNAL_ERROR);
4180 return 0;
4181 }
4182
4183 return 1;
4184 }
4185
4186 int tls_construct_cert_status(SSL *s, WPACKET *pkt)
4187 {
4188 if (!tls_construct_cert_status_body(s, pkt)) {
4189 /* SSLfatal() already called */
4190 return 0;
4191 }
4192
4193 return 1;
4194 }
4195
4196 #ifndef OPENSSL_NO_NEXTPROTONEG
4197 /*
4198 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
4199 * It sets the next_proto member in s if found
4200 */
4201 MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
4202 {
4203 PACKET next_proto, padding;
4204 size_t next_proto_len;
4205
4206 /*-
4207 * The payload looks like:
4208 * uint8 proto_len;
4209 * uint8 proto[proto_len];
4210 * uint8 padding_len;
4211 * uint8 padding[padding_len];
4212 */
4213 if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
4214 || !PACKET_get_length_prefixed_1(pkt, &padding)
4215 || PACKET_remaining(pkt) > 0) {
4216 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
4217 SSL_R_LENGTH_MISMATCH);
4218 return MSG_PROCESS_ERROR;
4219 }
4220
4221 if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
4222 s->ext.npn_len = 0;
4223 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
4224 ERR_R_INTERNAL_ERROR);
4225 return MSG_PROCESS_ERROR;
4226 }
4227
4228 s->ext.npn_len = (unsigned char)next_proto_len;
4229
4230 return MSG_PROCESS_CONTINUE_READING;
4231 }
4232 #endif
4233
4234 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
4235 {
4236 if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
4237 NULL, 0)) {
4238 /* SSLfatal() already called */
4239 return 0;
4240 }
4241
4242 return 1;
4243 }
4244
4245 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
4246 {
4247 if (PACKET_remaining(pkt) != 0) {
4248 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
4249 SSL_R_LENGTH_MISMATCH);
4250 return MSG_PROCESS_ERROR;
4251 }
4252
4253 if (s->early_data_state != SSL_EARLY_DATA_READING
4254 && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
4255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
4256 ERR_R_INTERNAL_ERROR);
4257 return MSG_PROCESS_ERROR;
4258 }
4259
4260 /*
4261 * EndOfEarlyData signals a key change so the end of the message must be on
4262 * a record boundary.
4263 */
4264 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
4265 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
4266 SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
4267 SSL_R_NOT_ON_RECORD_BOUNDARY);
4268 return MSG_PROCESS_ERROR;
4269 }
4270
4271 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
4272 if (!s->method->ssl3_enc->change_cipher_state(s,
4273 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
4274 /* SSLfatal() already called */
4275 return MSG_PROCESS_ERROR;
4276 }
4277
4278 return MSG_PROCESS_CONTINUE_READING;
4279 }
A mirror of the official openssl repository