]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Introduce a new early_data state in the state machine
[thirdparty/openssl.git] / ssl / statem / statem_clnt.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
8c74b5e5 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8c74b5e5 8 */
846e33c7 9
ea262260
BM		 10/* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
12 *
0f113f3e 13 * Portions of the attached software ("Contribution") are developed by
ea262260
BM		 14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
15 *
16 * The Contribution is licensed pursuant to the OpenSSL open source
17 * license provided above.
18 *
ea262260
BM		 19 * ECC cipher suite support in OpenSSL originally written by
20 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
21 *
22 */
ddac1974
NL		 23/* ====================================================================
24 * Copyright 2005 Nokia. All rights reserved.
25 *
26 * The portions of the attached software ("Contribution") is developed by
27 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
28 * license.
29 *
30 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
31 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
32 * support (see RFC 4279) to OpenSSL.
33 *
34 * No patent licenses or other rights except those expressly stated in
35 * the OpenSSL open source license shall be deemed granted or received
36 * expressly, by implication, estoppel, or otherwise.
37 *
38 * No assurances are provided by Nokia that the Contribution does not
39 * infringe the patent or other intellectual property rights of any third
40 * party or that the license provides you with all the necessary rights
41 * to make use of the Contribution.
42 *
43 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
44 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
45 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
46 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
47 * OTHERWISE.
48 */
d02b48c6
RE		 49
50#include <stdio.h>
fc24f0bf 51#include <time.h>
8ba708e5 52#include "../ssl_locl.h"
61ae935a 53#include "statem_locl.h"
ec577822
BM		 54#include <openssl/buffer.h>
55#include <openssl/rand.h>
56#include <openssl/objects.h>
57#include <openssl/evp.h>
dbad1690 58#include <openssl/md5.h>
3c27208f 59#include <openssl/dh.h>
d095b68d 60#include <openssl/bn.h>
3c27208f 61#include <openssl/engine.h>
f9b3bff6 62
3847d426 63static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt);
e46f2334
MC		 64static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
65
7ab09630 66static ossl_inline int cert_req_allowed(SSL *s);
a455d0f6 67static int key_exchange_expected(SSL *s);
0f113f3e 68static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
d45ba43d 69static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
ae2f7b37 70 WPACKET *pkt);
ea262260 71
61ae935a
MC		 72/*
73 * Is a CertificateRequest message allowed at the moment or not?
74 *
75 * Return values are:
76 * 1: Yes
77 * 0: No
78 */
7ab09630 79static ossl_inline int cert_req_allowed(SSL *s)
61ae935a
MC		 80{
81 /* TLS does not like anon-DH with client cert */
b7fa1f98 82 if ((s->version > SSL3_VERSION
a230b26e
EK		 83 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
84 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
61ae935a
MC		 85 return 0;
86
87 return 1;
88}
89
90/*
a455d0f6 91 * Should we expect the ServerKeyExchange message or not?
61ae935a
MC		 92 *
93 * Return values are:
94 * 1: Yes
95 * 0: No
96 */
a455d0f6 97static int key_exchange_expected(SSL *s)
61ae935a
MC		 98{
99 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
100
101 /*
102 * Can't skip server key exchange if this is an ephemeral
a455d0f6 103 * ciphersuite or for SRP
61ae935a 104 */
a455d0f6
MC		 105 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
106 | SSL_kSRP)) {
107 return 1;
61ae935a
MC		 108 }
109
a455d0f6 110 return 0;
61ae935a
MC		 111}
112
0f1e51ea
MC		 113/*
114 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
115 * handshake state transitions when a TLS1.3 client is reading messages from the
116 * server. The message type that the server has sent is provided in |mt|. The
117 * current state is in |s->statem.hand_state|.
118 *
94ed2c67
MC		 119 * Return values are 1 for success (transition allowed) and 0 on error
120 * (transition not allowed)
0f1e51ea
MC		 121 */
122static int ossl_statem_client13_read_transition(SSL *s, int mt)
123{
124 OSSL_STATEM *st = &s->statem;
125
126 /*
127 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
128 * yet negotiated TLSv1.3 at that point so that is handled by
129 * ossl_statem_client_read_transition()
130 */
131
132 switch (st->hand_state) {
133 default:
134 break;
135
3847d426
MC		 136 case TLS_ST_CW_CLNT_HELLO:
137 /*
138 * This must a ClientHello following a HelloRetryRequest, so the only
139 * thing we can get now is a ServerHello.
140 */
141 if (mt == SSL3_MT_SERVER_HELLO) {
142 st->hand_state = TLS_ST_CR_SRVR_HELLO;
143 return 1;
144 }
145 break;
146
0f1e51ea 147 case TLS_ST_CR_SRVR_HELLO:
e46f2334
MC		 148 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
149 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
150 return 1;
151 }
152 break;
153
154 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
0f1e51ea 155 if (s->hit) {
92760c21
MC		 156 if (mt == SSL3_MT_FINISHED) {
157 st->hand_state = TLS_ST_CR_FINISHED;
0f1e51ea
MC		 158 return 1;
159 }
160 } else {
92760c21
MC		 161 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
162 st->hand_state = TLS_ST_CR_CERT_REQ;
163 return 1;
f5ca0b04
MC		 164 }
165 if (mt == SSL3_MT_CERTIFICATE) {
0f1e51ea
MC		 166 st->hand_state = TLS_ST_CR_CERT;
167 return 1;
168 }
169 }
170 break;
171
92760c21
MC		 172 case TLS_ST_CR_CERT_REQ:
173 if (mt == SSL3_MT_CERTIFICATE) {
174 st->hand_state = TLS_ST_CR_CERT;
175 return 1;
176 }
177 break;
178
0f1e51ea 179 case TLS_ST_CR_CERT:
2c5dfdc3
MC		 180 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
181 st->hand_state = TLS_ST_CR_CERT_VRFY;
182 return 1;
183 }
184 break;
185
186 case TLS_ST_CR_CERT_VRFY:
0f1e51ea
MC		 187 if (mt == SSL3_MT_FINISHED) {
188 st->hand_state = TLS_ST_CR_FINISHED;
189 return 1;
190 }
191 break;
cc2455bf
MC		 192
193 case TLS_ST_OK:
194 if (mt == SSL3_MT_NEWSESSION_TICKET) {
195 st->hand_state = TLS_ST_CR_SESSION_TICKET;
196 return 1;
197 }
e1c3de44
MC		 198 if (mt == SSL3_MT_KEY_UPDATE) {
199 st->hand_state = TLS_ST_CR_KEY_UPDATE;
200 return 1;
201 }
cc2455bf 202 break;
0f1e51ea
MC		 203 }
204
0f1e51ea 205 /* No valid transition found */
0f1e51ea
MC		 206 return 0;
207}
208
61ae935a 209/*
8481f583
MC		 210 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
211 * handshake state transitions when the client is reading messages from the
212 * server. The message type that the server has sent is provided in |mt|. The
213 * current state is in |s->statem.hand_state|.
61ae935a 214 *
94ed2c67
MC		 215 * Return values are 1 for success (transition allowed) and 0 on error
216 * (transition not allowed)
61ae935a 217 */
8481f583 218int ossl_statem_client_read_transition(SSL *s, int mt)
61ae935a 219{
d6f1a6e9 220 OSSL_STATEM *st = &s->statem;
a455d0f6 221 int ske_expected;
61ae935a 222
0f1e51ea 223 /*
3847d426
MC		 224 * Note that after writing the first ClientHello we don't know what version
225 * we are going to negotiate yet, so we don't take this branch until later.
0f1e51ea 226 */
f5ca0b04 227 if (SSL_IS_TLS13(s)) {
5abeaf35
MC		 228 if (!ossl_statem_client13_read_transition(s, mt))
229 goto err;
230 return 1;
231 }
0f1e51ea 232
a230b26e 233 switch (st->hand_state) {
f3b3d7f0
RS		 234 default:
235 break;
236
61ae935a
MC		 237 case TLS_ST_CW_CLNT_HELLO:
238 if (mt == SSL3_MT_SERVER_HELLO) {
239 st->hand_state = TLS_ST_CR_SRVR_HELLO;
240 return 1;
241 }
242
243 if (SSL_IS_DTLS(s)) {
244 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
245 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
246 return 1;
247 }
3847d426
MC		 248 } else {
249 if (mt == SSL3_MT_HELLO_RETRY_REQUEST) {
250 st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST;
251 return 1;
252 }
61ae935a
MC		 253 }
254 break;
255
4004ce5f
MC		 256 case TLS_ST_CW_EARLY_DATA:
257 /*
258 * We've not actually selected TLSv1.3 yet, but we have sent early
259 * data. The only thing allowed now is a ServerHello or a
260 * HelloRetryRequest.
261 */
262 if (mt == SSL3_MT_SERVER_HELLO) {
263 st->hand_state = TLS_ST_CR_SRVR_HELLO;
264 return 1;
265 }
266 if (mt == SSL3_MT_HELLO_RETRY_REQUEST) {
267 st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST;
268 return 1;
269 }
270 break;
271
61ae935a
MC		 272 case TLS_ST_CR_SRVR_HELLO:
273 if (s->hit) {
aff8c126 274 if (s->ext.ticket_expected) {
61ae935a
MC		 275 if (mt == SSL3_MT_NEWSESSION_TICKET) {
276 st->hand_state = TLS_ST_CR_SESSION_TICKET;
277 return 1;
278 }
279 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
280 st->hand_state = TLS_ST_CR_CHANGE;
281 return 1;
282 }
283 } else {
284 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
285 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
286 return 1;
ad3819c2 287 } else if (s->version >= TLS1_VERSION
aff8c126
RS		 288 && s->ext.session_secret_cb != NULL
289 && s->session->ext.tick != NULL
a230b26e 290 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
ad3819c2
MC		 291 /*
292 * Normally, we can tell if the server is resuming the session
293 * from the session ID. EAP-FAST (RFC 4851), however, relies on
294 * the next server message after the ServerHello to determine if
295 * the server is resuming.
296 */
297 s->hit = 1;
298 st->hand_state = TLS_ST_CR_CHANGE;
299 return 1;
61ae935a 300 } else if (!(s->s3->tmp.new_cipher->algorithm_auth
a230b26e 301 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
61ae935a
MC		 302 if (mt == SSL3_MT_CERTIFICATE) {
303 st->hand_state = TLS_ST_CR_CERT;
304 return 1;
305 }
306 } else {
a455d0f6 307 ske_expected = key_exchange_expected(s);
a455d0f6
MC		 308 /* SKE is optional for some PSK ciphersuites */
309 if (ske_expected
a230b26e
EK		 310 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
311 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
a455d0f6
MC		 312 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
313 st->hand_state = TLS_ST_CR_KEY_EXCH;
314 return 1;
315 }
316 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
a230b26e
EK		 317 && cert_req_allowed(s)) {
318 st->hand_state = TLS_ST_CR_CERT_REQ;
319 return 1;
a455d0f6 320 } else if (mt == SSL3_MT_SERVER_DONE) {
a230b26e
EK		 321 st->hand_state = TLS_ST_CR_SRVR_DONE;
322 return 1;
61ae935a
MC		 323 }
324 }
325 }
326 break;
327
328 case TLS_ST_CR_CERT:
bb1aaab4
MC		 329 /*
330 * The CertificateStatus message is optional even if
aff8c126 331 * |ext.status_expected| is set
bb1aaab4 332 */
aff8c126 333 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
bb1aaab4
MC		 334 st->hand_state = TLS_ST_CR_CERT_STATUS;
335 return 1;
a455d0f6
MC		 336 }
337 /* Fall through */
338
339 case TLS_ST_CR_CERT_STATUS:
340 ske_expected = key_exchange_expected(s);
a455d0f6 341 /* SKE is optional for some PSK ciphersuites */
a230b26e
EK		 342 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
343 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
61ae935a
MC		 344 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
345 st->hand_state = TLS_ST_CR_KEY_EXCH;
346 return 1;
61ae935a 347 }
672f3337 348 goto err;
61ae935a 349 }
a455d0f6 350 /* Fall through */
61ae935a 351
a455d0f6
MC		 352 case TLS_ST_CR_KEY_EXCH:
353 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
354 if (cert_req_allowed(s)) {
61ae935a
MC		 355 st->hand_state = TLS_ST_CR_CERT_REQ;
356 return 1;
61ae935a 357 }
672f3337 358 goto err;
61ae935a 359 }
a455d0f6 360 /* Fall through */
61ae935a
MC		 361
362 case TLS_ST_CR_CERT_REQ:
363 if (mt == SSL3_MT_SERVER_DONE) {
364 st->hand_state = TLS_ST_CR_SRVR_DONE;
365 return 1;
366 }
367 break;
368
369 case TLS_ST_CW_FINISHED:
aff8c126 370 if (s->ext.ticket_expected) {
c45d6b2b
DB		 371 if (mt == SSL3_MT_NEWSESSION_TICKET) {
372 st->hand_state = TLS_ST_CR_SESSION_TICKET;
373 return 1;
374 }
61ae935a
MC		 375 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
376 st->hand_state = TLS_ST_CR_CHANGE;
377 return 1;
378 }
379 break;
380
381 case TLS_ST_CR_SESSION_TICKET:
382 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
383 st->hand_state = TLS_ST_CR_CHANGE;
384 return 1;
385 }
386 break;
387
388 case TLS_ST_CR_CHANGE:
389 if (mt == SSL3_MT_FINISHED) {
390 st->hand_state = TLS_ST_CR_FINISHED;
391 return 1;
392 }
393 break;
c7f47786
MC		 394
395 case TLS_ST_OK:
4004ce5f 396 if (mt == SSL3_MT_HELLO_REQUEST) {
c7f47786
MC		 397 st->hand_state = TLS_ST_CR_HELLO_REQ;
398 return 1;
399 }
400 break;
61ae935a
MC		 401 }
402
672f3337 403 err:
61ae935a 404 /* No valid transition found */
672f3337 405 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
340a2828 406 SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
61ae935a
MC		 407 return 0;
408}
409
410/*
0f1e51ea
MC		 411 * ossl_statem_client13_write_transition() works out what handshake state to
412 * move to next when the TLSv1.3 client is writing messages to be sent to the
413 * server.
0f1e51ea
MC		 414 */
415static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
416{
417 OSSL_STATEM *st = &s->statem;
418
419 /*
3847d426
MC		 420 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
421 * TLSv1.3 yet at that point. They are handled by
422 * ossl_statem_client_write_transition().
0f1e51ea
MC		 423 */
424 switch (st->hand_state) {
425 default:
426 /* Shouldn't happen */
427 return WRITE_TRAN_ERROR;
428
3847d426
MC		 429 case TLS_ST_CW_CLNT_HELLO:
430 /* We only hit this in the case of HelloRetryRequest */
431 return WRITE_TRAN_FINISHED;
432
433 case TLS_ST_CR_HELLO_RETRY_REQUEST:
434 st->hand_state = TLS_ST_CW_CLNT_HELLO;
435 return WRITE_TRAN_CONTINUE;
436
92760c21 437 case TLS_ST_CR_FINISHED:
94ed2c67 438 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
92760c21 439 : TLS_ST_CW_FINISHED;
0f1e51ea
MC		 440 return WRITE_TRAN_CONTINUE;
441
442 case TLS_ST_CW_CERT:
443 /* If a non-empty Certificate we also send CertificateVerify */
94ed2c67 444 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
92760c21 445 : TLS_ST_CW_FINISHED;
0f1e51ea
MC		 446 return WRITE_TRAN_CONTINUE;
447
448 case TLS_ST_CW_CERT_VRFY:
0f1e51ea
MC		 449 st->hand_state = TLS_ST_CW_FINISHED;
450 return WRITE_TRAN_CONTINUE;
451
e1c3de44 452 case TLS_ST_CR_KEY_UPDATE:
5bf47933
MC		 453 if (s->key_update != SSL_KEY_UPDATE_NONE) {
454 st->hand_state = TLS_ST_CW_KEY_UPDATE;
455 return WRITE_TRAN_CONTINUE;
456 }
457 /* Fall through */
458
9412b3ad 459 case TLS_ST_CW_KEY_UPDATE:
cc2455bf 460 case TLS_ST_CR_SESSION_TICKET:
0f1e51ea 461 case TLS_ST_CW_FINISHED:
94ed2c67 462 st->hand_state = TLS_ST_OK;
94ed2c67 463 return WRITE_TRAN_CONTINUE;
cc2455bf
MC		 464
465 case TLS_ST_OK:
9412b3ad
MC		 466 if (s->key_update != SSL_KEY_UPDATE_NONE) {
467 st->hand_state = TLS_ST_CW_KEY_UPDATE;
468 return WRITE_TRAN_CONTINUE;
469 }
470
471 /* Try to read from the server instead */
cc2455bf 472 return WRITE_TRAN_FINISHED;
0f1e51ea
MC		 473 }
474}
475
476/*
477 * ossl_statem_client_write_transition() works out what handshake state to
478 * move to next when the client is writing messages to be sent to the server.
61ae935a 479 */
8481f583 480WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
61ae935a 481{
d6f1a6e9 482 OSSL_STATEM *st = &s->statem;
61ae935a 483
0f1e51ea
MC		 484 /*
485 * Note that immediately before/after a ClientHello we don't know what
486 * version we are going to negotiate yet, so we don't take this branch until
487 * later
488 */
f5ca0b04 489 if (SSL_IS_TLS13(s))
0f1e51ea
MC		 490 return ossl_statem_client13_write_transition(s);
491
a230b26e 492 switch (st->hand_state) {
f3b3d7f0
RS		 493 default:
494 /* Shouldn't happen */
495 return WRITE_TRAN_ERROR;
496
a230b26e 497 case TLS_ST_OK:
c7f47786
MC		 498 if (!s->renegotiate) {
499 /*
500 * We haven't requested a renegotiation ourselves so we must have
501 * received a message from the server. Better read it.
502 */
503 return WRITE_TRAN_FINISHED;
504 }
a230b26e
EK		 505 /* Renegotiation - fall through */
506 case TLS_ST_BEFORE:
507 st->hand_state = TLS_ST_CW_CLNT_HELLO;
508 return WRITE_TRAN_CONTINUE;
61ae935a 509
a230b26e 510 case TLS_ST_CW_CLNT_HELLO:
49e7fe12
MC		 511 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
512 /*
513 * We are assuming this is a TLSv1.3 connection, although we haven't
514 * actually selected a version yet.
515 */
4004ce5f 516 st->hand_state = TLS_ST_CW_EARLY_DATA;
49e7fe12
MC		 517 return WRITE_TRAN_CONTINUE;
518 }
a230b26e
EK		 519 /*
520 * No transition at the end of writing because we don't know what
521 * we will be sent
522 */
523 return WRITE_TRAN_FINISHED;
61ae935a 524
4004ce5f
MC		 525 case TLS_ST_CW_EARLY_DATA:
526 return WRITE_TRAN_FINISHED;
527
a230b26e
EK		 528 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
529 st->hand_state = TLS_ST_CW_CLNT_HELLO;
530 return WRITE_TRAN_CONTINUE;
61ae935a 531
a230b26e
EK		 532 case TLS_ST_CR_SRVR_DONE:
533 if (s->s3->tmp.cert_req)
534 st->hand_state = TLS_ST_CW_CERT;
535 else
61ae935a 536 st->hand_state = TLS_ST_CW_KEY_EXCH;
a230b26e 537 return WRITE_TRAN_CONTINUE;
61ae935a 538
a230b26e
EK		 539 case TLS_ST_CW_CERT:
540 st->hand_state = TLS_ST_CW_KEY_EXCH;
541 return WRITE_TRAN_CONTINUE;
61ae935a 542
a230b26e
EK		 543 case TLS_ST_CW_KEY_EXCH:
544 /*
545 * For TLS, cert_req is set to 2, so a cert chain of nothing is
546 * sent, but no verify packet is sent
547 */
548 /*
549 * XXX: For now, we do not support client authentication in ECDH
550 * cipher suites with ECDH (rather than ECDSA) certificates. We
551 * need to skip the certificate verify message when client's
552 * ECDH public key is sent inside the client certificate.
553 */
554 if (s->s3->tmp.cert_req == 1) {
555 st->hand_state = TLS_ST_CW_CERT_VRFY;
556 } else {
61ae935a 557 st->hand_state = TLS_ST_CW_CHANGE;
a230b26e
EK		 558 }
559 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
560 st->hand_state = TLS_ST_CW_CHANGE;
561 }
562 return WRITE_TRAN_CONTINUE;
61ae935a 563
a230b26e
EK		 564 case TLS_ST_CW_CERT_VRFY:
565 st->hand_state = TLS_ST_CW_CHANGE;
566 return WRITE_TRAN_CONTINUE;
567
568 case TLS_ST_CW_CHANGE:
61ae935a 569#if defined(OPENSSL_NO_NEXTPROTONEG)
4004ce5f
MC		 570 st->
571 hand_state = TLS_ST_CW_FINISHED;
61ae935a 572#else
aff8c126 573 if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
a230b26e
EK		 574 st->hand_state = TLS_ST_CW_NEXT_PROTO;
575 else
576 st->hand_state = TLS_ST_CW_FINISHED;
61ae935a 577#endif
a230b26e 578 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 579
580#if !defined(OPENSSL_NO_NEXTPROTONEG)
a230b26e
EK		 581 case TLS_ST_CW_NEXT_PROTO:
582 st->hand_state = TLS_ST_CW_FINISHED;
583 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 584#endif
585
a230b26e
EK		 586 case TLS_ST_CW_FINISHED:
587 if (s->hit) {
588 st->hand_state = TLS_ST_OK;
a230b26e
EK		 589 return WRITE_TRAN_CONTINUE;
590 } else {
591 return WRITE_TRAN_FINISHED;
592 }
61ae935a 593
a230b26e
EK		 594 case TLS_ST_CR_FINISHED:
595 if (s->hit) {
596 st->hand_state = TLS_ST_CW_CHANGE;
597 return WRITE_TRAN_CONTINUE;
598 } else {
599 st->hand_state = TLS_ST_OK;
a230b26e
EK		 600 return WRITE_TRAN_CONTINUE;
601 }
c7f47786
MC		 602
603 case TLS_ST_CR_HELLO_REQ:
604 /*
605 * If we can renegotiate now then do so, otherwise wait for a more
606 * convenient time.
607 */
608 if (ssl3_renegotiate_check(s, 1)) {
609 if (!tls_setup_handshake(s)) {
610 ossl_statem_set_error(s);
611 return WRITE_TRAN_ERROR;
612 }
613 st->hand_state = TLS_ST_CW_CLNT_HELLO;
614 return WRITE_TRAN_CONTINUE;
615 }
616 st->hand_state = TLS_ST_OK;
c7f47786 617 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 618 }
619}
620
621/*
622 * Perform any pre work that needs to be done prior to sending a message from
623 * the client to the server.
624 */
8481f583 625WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
61ae935a 626{
d6f1a6e9 627 OSSL_STATEM *st = &s->statem;
61ae935a 628
a230b26e 629 switch (st->hand_state) {
f3b3d7f0
RS		 630 default:
631 /* No pre work to be done */
632 break;
633
61ae935a
MC		 634 case TLS_ST_CW_CLNT_HELLO:
635 s->shutdown = 0;
636 if (SSL_IS_DTLS(s)) {
637 /* every DTLS ClientHello resets Finished MAC */
2c4a056f
MC		 638 if (!ssl3_init_finished_mac(s)) {
639 ossl_statem_set_error(s);
640 return WORK_ERROR;
641 }
61ae935a
MC		 642 }
643 break;
644
61ae935a
MC		 645 case TLS_ST_CW_CHANGE:
646 if (SSL_IS_DTLS(s)) {
647 if (s->hit) {
648 /*
649 * We're into the last flight so we don't retransmit these
650 * messages unless we need to.
651 */
652 st->use_timer = 0;
653 }
654#ifndef OPENSSL_NO_SCTP
655 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
656 return dtls_wait_for_dry(s);
657#endif
658 }
f3b3d7f0 659 break;
61ae935a 660
4004ce5f 661 case TLS_ST_CW_EARLY_DATA:
61ae935a 662 case TLS_ST_OK:
30f05b19 663 return tls_finish_handshake(s, wst, 1);
61ae935a
MC		 664 }
665
666 return WORK_FINISHED_CONTINUE;
667}
668
669/*
670 * Perform any work that needs to be done after sending a message from the
671 * client to the server.
672 */
8481f583 673WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
61ae935a 674{
d6f1a6e9 675 OSSL_STATEM *st = &s->statem;
61ae935a
MC		 676
677 s->init_num = 0;
678
a230b26e 679 switch (st->hand_state) {
f3b3d7f0
RS		 680 default:
681 /* No post work to be done */
682 break;
683
61ae935a 684 case TLS_ST_CW_CLNT_HELLO:
46417569 685 if (wst == WORK_MORE_A && statem_flush(s) != 1)
61ae935a 686 return WORK_MORE_A;
46417569 687
61ae935a
MC		 688 if (SSL_IS_DTLS(s)) {
689 /* Treat the next message as the first packet */
690 s->first_packet = 1;
691 }
6cb42265
MC		 692
693 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
694 && s->max_early_data > 0) {
695 /*
696 * We haven't selected TLSv1.3 yet so we don't call the change
697 * cipher state function associated with the SSL_METHOD. Instead
698 * we call tls13_change_cipher_state() directly.
699 */
700 if (!tls13_change_cipher_state(s,
701 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
1ea4d09a 702 return WORK_ERROR;
6cb42265 703 }
61ae935a
MC		 704 break;
705
706 case TLS_ST_CW_KEY_EXCH:
707 if (tls_client_key_exchange_post_work(s) == 0)
708 return WORK_ERROR;
709 break;
710
711 case TLS_ST_CW_CHANGE:
712 s->session->cipher = s->s3->tmp.new_cipher;
713#ifdef OPENSSL_NO_COMP
714 s->session->compress_meth = 0;
715#else
716 if (s->s3->tmp.new_compression == NULL)
717 s->session->compress_meth = 0;
718 else
719 s->session->compress_meth = s->s3->tmp.new_compression->id;
720#endif
721 if (!s->method->ssl3_enc->setup_key_block(s))
722 return WORK_ERROR;
723
724 if (!s->method->ssl3_enc->change_cipher_state(s,
725 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
726 return WORK_ERROR;
727
728 if (SSL_IS_DTLS(s)) {
729#ifndef OPENSSL_NO_SCTP
730 if (s->hit) {
731 /*
732 * Change to new shared key of SCTP-Auth, will be ignored if
733 * no SCTP used.
734 */
735 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
736 0, NULL);
737 }
738#endif
739
740 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
741 }
742 break;
743
744 case TLS_ST_CW_FINISHED:
745#ifndef OPENSSL_NO_SCTP
746 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
747 /*
748 * Change to new shared key of SCTP-Auth, will be ignored if
749 * no SCTP used.
750 */
751 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
752 0, NULL);
753 }
754#endif
755 if (statem_flush(s) != 1)
756 return WORK_MORE_B;
92760c21
MC		 757
758 if (SSL_IS_TLS13(s)) {
759 if (!s->method->ssl3_enc->change_cipher_state(s,
760 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
761 return WORK_ERROR;
762 }
61ae935a 763 break;
9412b3ad
MC		 764
765 case TLS_ST_CW_KEY_UPDATE:
766 if (statem_flush(s) != 1)
767 return WORK_MORE_A;
57389a32
MC		 768 if (!tls13_update_key(s, 1))
769 return WORK_ERROR;
9412b3ad 770 break;
61ae935a
MC		 771 }
772
773 return WORK_FINISHED_CONTINUE;
774}
775
776/*
6392fb8e
MC		 777 * Get the message construction function and message type for sending from the
778 * client
61ae935a
MC		 779 *
780 * Valid return values are:
781 * 1: Success
782 * 0: Error
783 */
6392fb8e 784int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
a15c953f 785 confunc_f *confunc, int *mt)
61ae935a 786{
d6f1a6e9 787 OSSL_STATEM *st = &s->statem;
61ae935a 788
4a01c59f
MC		 789 switch (st->hand_state) {
790 default:
791 /* Shouldn't happen */
792 return 0;
793
794 case TLS_ST_CW_CHANGE:
5923ad4b 795 if (SSL_IS_DTLS(s))
6392fb8e 796 *confunc = dtls_construct_change_cipher_spec;
4a01c59f 797 else
6392fb8e
MC		 798 *confunc = tls_construct_change_cipher_spec;
799 *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
4a01c59f
MC		 800 break;
801
802 case TLS_ST_CW_CLNT_HELLO:
6392fb8e
MC		 803 *confunc = tls_construct_client_hello;
804 *mt = SSL3_MT_CLIENT_HELLO;
4a01c59f
MC		 805 break;
806
807 case TLS_ST_CW_CERT:
6392fb8e
MC		 808 *confunc = tls_construct_client_certificate;
809 *mt = SSL3_MT_CERTIFICATE;
4a01c59f
MC		 810 break;
811
812 case TLS_ST_CW_KEY_EXCH:
6392fb8e
MC		 813 *confunc = tls_construct_client_key_exchange;
814 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
4a01c59f
MC		 815 break;
816
817 case TLS_ST_CW_CERT_VRFY:
d8bc1399 818 *confunc = tls_construct_cert_verify;
6392fb8e 819 *mt = SSL3_MT_CERTIFICATE_VERIFY;
4a01c59f 820 break;
61ae935a
MC		 821
822#if !defined(OPENSSL_NO_NEXTPROTONEG)
4a01c59f 823 case TLS_ST_CW_NEXT_PROTO:
6392fb8e
MC		 824 *confunc = tls_construct_next_proto;
825 *mt = SSL3_MT_NEXT_PROTO;
4a01c59f 826 break;
61ae935a 827#endif
4a01c59f 828 case TLS_ST_CW_FINISHED:
6392fb8e
MC		 829 *confunc = tls_construct_finished;
830 *mt = SSL3_MT_FINISHED;
4a01c59f 831 break;
9412b3ad
MC		 832
833 case TLS_ST_CW_KEY_UPDATE:
834 *confunc = tls_construct_key_update;
835 *mt = SSL3_MT_KEY_UPDATE;
836 break;
4a01c59f 837 }
5923ad4b 838
5923ad4b 839 return 1;
61ae935a
MC		 840}
841
842/*
843 * Returns the maximum allowed length for the current message that we are
844 * reading. Excludes the message header.
845 */
eda75751 846size_t ossl_statem_client_max_message_size(SSL *s)
61ae935a 847{
d6f1a6e9 848 OSSL_STATEM *st = &s->statem;
61ae935a 849
a230b26e 850 switch (st->hand_state) {
f3b3d7f0
RS		 851 default:
852 /* Shouldn't happen */
853 return 0;
854
a230b26e
EK		 855 case TLS_ST_CR_SRVR_HELLO:
856 return SERVER_HELLO_MAX_LENGTH;
61ae935a 857
a230b26e
EK		 858 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
859 return HELLO_VERIFY_REQUEST_MAX_LENGTH;
61ae935a 860
3847d426
MC		 861 case TLS_ST_CR_HELLO_RETRY_REQUEST:
862 return HELLO_RETRY_REQUEST_MAX_LENGTH;
863
a230b26e
EK		 864 case TLS_ST_CR_CERT:
865 return s->max_cert_list;
61ae935a 866
2c5dfdc3
MC		 867 case TLS_ST_CR_CERT_VRFY:
868 return SSL3_RT_MAX_PLAIN_LENGTH;
869
a230b26e
EK		 870 case TLS_ST_CR_CERT_STATUS:
871 return SSL3_RT_MAX_PLAIN_LENGTH;
61ae935a 872
a230b26e
EK		 873 case TLS_ST_CR_KEY_EXCH:
874 return SERVER_KEY_EXCH_MAX_LENGTH;
61ae935a 875
a230b26e
EK		 876 case TLS_ST_CR_CERT_REQ:
877 /*
878 * Set to s->max_cert_list for compatibility with previous releases. In
879 * practice these messages can get quite long if servers are configured
880 * to provide a long list of acceptable CAs
881 */
882 return s->max_cert_list;
61ae935a 883
a230b26e
EK		 884 case TLS_ST_CR_SRVR_DONE:
885 return SERVER_HELLO_DONE_MAX_LENGTH;
61ae935a 886
a230b26e
EK		 887 case TLS_ST_CR_CHANGE:
888 if (s->version == DTLS1_BAD_VER)
889 return 3;
890 return CCS_MAX_LENGTH;
61ae935a 891
a230b26e
EK		 892 case TLS_ST_CR_SESSION_TICKET:
893 return SSL3_RT_MAX_PLAIN_LENGTH;
61ae935a 894
a230b26e
EK		 895 case TLS_ST_CR_FINISHED:
896 return FINISHED_MAX_LENGTH;
e46f2334
MC		 897
898 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
899 return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
e1c3de44
MC		 900
901 case TLS_ST_CR_KEY_UPDATE:
902 return KEY_UPDATE_MAX_LENGTH;
61ae935a 903 }
61ae935a
MC		 904}
905
906/*
907 * Process a message that the client has been received from the server.
908 */
8481f583 909MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
61ae935a 910{
d6f1a6e9 911 OSSL_STATEM *st = &s->statem;
61ae935a 912
a230b26e 913 switch (st->hand_state) {
f3b3d7f0
RS		 914 default:
915 /* Shouldn't happen */
916 return MSG_PROCESS_ERROR;
917
a230b26e
EK		 918 case TLS_ST_CR_SRVR_HELLO:
919 return tls_process_server_hello(s, pkt);
61ae935a 920
a230b26e
EK		 921 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
922 return dtls_process_hello_verify(s, pkt);
61ae935a 923
3847d426
MC		 924 case TLS_ST_CR_HELLO_RETRY_REQUEST:
925 return tls_process_hello_retry_request(s, pkt);
926
a230b26e
EK		 927 case TLS_ST_CR_CERT:
928 return tls_process_server_certificate(s, pkt);
61ae935a 929
2c5dfdc3
MC		 930 case TLS_ST_CR_CERT_VRFY:
931 return tls_process_cert_verify(s, pkt);
932
a230b26e
EK		 933 case TLS_ST_CR_CERT_STATUS:
934 return tls_process_cert_status(s, pkt);
61ae935a 935
a230b26e
EK		 936 case TLS_ST_CR_KEY_EXCH:
937 return tls_process_key_exchange(s, pkt);
61ae935a 938
a230b26e
EK		 939 case TLS_ST_CR_CERT_REQ:
940 return tls_process_certificate_request(s, pkt);
61ae935a 941
a230b26e
EK		 942 case TLS_ST_CR_SRVR_DONE:
943 return tls_process_server_done(s, pkt);
61ae935a 944
a230b26e
EK		 945 case TLS_ST_CR_CHANGE:
946 return tls_process_change_cipher_spec(s, pkt);
61ae935a 947
a230b26e
EK		 948 case TLS_ST_CR_SESSION_TICKET:
949 return tls_process_new_session_ticket(s, pkt);
61ae935a 950
a230b26e
EK		 951 case TLS_ST_CR_FINISHED:
952 return tls_process_finished(s, pkt);
e46f2334 953
c7f47786
MC		 954 case TLS_ST_CR_HELLO_REQ:
955 return tls_process_hello_req(s, pkt);
956
e46f2334
MC		 957 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
958 return tls_process_encrypted_extensions(s, pkt);
e1c3de44
MC		 959
960 case TLS_ST_CR_KEY_UPDATE:
961 return tls_process_key_update(s, pkt);
61ae935a 962 }
61ae935a
MC		 963}
964
965/*
966 * Perform any further processing required following the receipt of a message
967 * from the server
968 */
8481f583 969WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
61ae935a 970{
d6f1a6e9 971 OSSL_STATEM *st = &s->statem;
61ae935a 972
a230b26e 973 switch (st->hand_state) {
f3b3d7f0
RS		 974 default:
975 /* Shouldn't happen */
976 return WORK_ERROR;
977
05c4f1d5
MC		 978 case TLS_ST_CR_CERT_REQ:
979 return tls_prepare_client_certificate(s, wst);
980
61ae935a
MC		 981#ifndef OPENSSL_NO_SCTP
982 case TLS_ST_CR_SRVR_DONE:
983 /* We only get here if we are using SCTP and we are renegotiating */
984 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
985 s->s3->in_read_app_data = 2;
986 s->rwstate = SSL_READING;
987 BIO_clear_retry_flags(SSL_get_rbio(s));
988 BIO_set_retry_read(SSL_get_rbio(s));
fe3a3291 989 ossl_statem_set_sctp_read_sock(s, 1);
61ae935a
MC		 990 return WORK_MORE_A;
991 }
fe3a3291 992 ossl_statem_set_sctp_read_sock(s, 0);
61ae935a
MC		 993 return WORK_FINISHED_STOP;
994#endif
61ae935a 995 }
61ae935a
MC		 996}
997
7cea05dc 998int tls_construct_client_hello(SSL *s, WPACKET *pkt)
0f113f3e 999{
2c7b4dbc 1000 unsigned char *p;
ec60ccc1
MC		 1001 size_t sess_id_len;
1002 int i, protverr;
2c7b4dbc 1003 int al = SSL_AD_HANDSHAKE_FAILURE;
09b6c2ef 1004#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1005 SSL_COMP *comp;
1006#endif
b9908bf9 1007 SSL_SESSION *sess = s->session;
0f113f3e 1008
7cea05dc 1009 if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
2c7b4dbc
MC		 1010 /* Should not happen */
1011 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1012 return 0;
2c7b4dbc 1013 }
0f113f3e 1014
b9908bf9 1015 /* Work out what SSL/TLS/DTLS version to use */
4fa52141
VD		 1016 protverr = ssl_set_client_hello_version(s);
1017 if (protverr != 0) {
1018 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr);
7cea05dc 1019 return 0;
4fa52141 1020 }
0f113f3e 1021
a230b26e 1022 if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
0f113f3e 1023 /*
b9908bf9
MC		 1024 * In the case of EAP-FAST, we can have a pre-shared
1025 * "ticket" without a session ID.
0f113f3e 1026 */
aff8c126 1027 (!sess->session_id_length && !sess->ext.tick) ||
b9908bf9
MC		 1028 (sess->not_resumable)) {
1029 if (!ssl_get_new_session(s, 0))
7cea05dc 1030 return 0;
b9908bf9
MC		 1031 }
1032 /* else use the pre-loaded session */
0f113f3e 1033
b9908bf9 1034 p = s->s3->client_random;
0f113f3e 1035
b9908bf9
MC		 1036 /*
1037 * for DTLS if client_random is initialized, reuse it, we are
1038 * required to use same upon reply to HelloVerify
1039 */
1040 if (SSL_IS_DTLS(s)) {
1041 size_t idx;
1042 i = 1;
1043 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
1044 if (p[idx]) {
1045 i = 0;
1046 break;
0f113f3e 1047 }
0f113f3e 1048 }
b9908bf9
MC		 1049 } else
1050 i = 1;
0f113f3e 1051
a230b26e 1052 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
7cea05dc 1053 return 0;
b9908bf9 1054
b9908bf9
MC		 1055 /*-
1056 * version indicates the negotiated version: for example from
1057 * an SSLv2/v3 compatible client hello). The client_version
1058 * field is the maximum version we permit and it is also
1059 * used in RSA encrypted premaster secrets. Some servers can
1060 * choke if we initially report a higher version then
1061 * renegotiate to a lower one in the premaster secret. This
1062 * didn't happen with TLS 1.0 as most servers supported it
1063 * but it can with TLS 1.1 or later if the server only supports
1064 * 1.0.
1065 *
1066 * Possible scenario with previous logic:
1067 * 1. Client hello indicates TLS 1.2
1068 * 2. Server hello says TLS 1.0
1069 * 3. RSA encrypted premaster secret uses 1.2.
8483a003 1070 * 4. Handshake proceeds using TLS 1.0.
b9908bf9
MC		 1071 * 5. Server sends hello request to renegotiate.
1072 * 6. Client hello indicates TLS v1.0 as we now
1073 * know that is maximum server supports.
1074 * 7. Server chokes on RSA encrypted premaster secret
1075 * containing version 1.0.
1076 *
1077 * For interoperability it should be OK to always use the
1078 * maximum version we support in client hello and then rely
1079 * on the checking of version to ensure the servers isn't
1080 * being inconsistent: for example initially negotiating with
1081 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1082 * client_version in client hello and not resetting it to
1083 * the negotiated version.
cd998837
MC		 1084 *
1085 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
16bce0e0 1086 * supported_versions extension for the real supported versions.
b9908bf9 1087 */
7acb8b64 1088 if (!WPACKET_put_bytes_u16(pkt, s->client_version)
7cea05dc 1089 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
2c7b4dbc 1090 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1091 return 0;
2c7b4dbc 1092 }
b9908bf9
MC		 1093
1094 /* Session ID */
f05bcf0f 1095 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION)
ec60ccc1 1096 sess_id_len = 0;
b9908bf9 1097 else
ec60ccc1
MC		 1098 sess_id_len = s->session->session_id_length;
1099 if (sess_id_len > sizeof(s->session->session_id)
7cea05dc 1100 || !WPACKET_start_sub_packet_u8(pkt)
ec60ccc1
MC		 1101 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id,
1102 sess_id_len))
7cea05dc 1103 || !WPACKET_close(pkt)) {
2c7b4dbc 1104 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1105 return 0;
b9908bf9 1106 }
0f113f3e 1107
b9908bf9
MC		 1108 /* cookie stuff for DTLS */
1109 if (SSL_IS_DTLS(s)) {
2c7b4dbc 1110 if (s->d1->cookie_len > sizeof(s->d1->cookie)
7cea05dc 1111 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
b2b3024e 1112 s->d1->cookie_len)) {
b9908bf9 1113 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1114 return 0;
0f113f3e 1115 }
b9908bf9
MC		 1116 }
1117
1118 /* Ciphers supported */
7cea05dc 1119 if (!WPACKET_start_sub_packet_u16(pkt)) {
2c7b4dbc 1120 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1121 return 0;
2c7b4dbc
MC		 1122 }
1123 /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
7cea05dc
MC		 1124 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt))
1125 return 0;
1126 if (!WPACKET_close(pkt)) {
2c7b4dbc 1127 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1128 return 0;
b9908bf9 1129 }
0f113f3e 1130
b9908bf9 1131 /* COMPRESSION */
7cea05dc 1132 if (!WPACKET_start_sub_packet_u8(pkt)) {
2c7b4dbc 1133 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1134 return 0;
2c7b4dbc
MC		 1135 }
1136#ifndef OPENSSL_NO_COMP
c19602b5
MC		 1137 if (ssl_allow_compression(s)
1138 && s->ctx->comp_methods
1139 && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
2c7b4dbc
MC		 1140 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
1141 for (i = 0; i < compnum; i++) {
1142 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
7cea05dc 1143 if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
2c7b4dbc 1144 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1145 return 0;
2c7b4dbc
MC		 1146 }
1147 }
b9908bf9 1148 }
09b6c2ef 1149#endif
2c7b4dbc 1150 /* Add the NULL method */
7cea05dc 1151 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
2c7b4dbc 1152 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1153 return 0;
2c7b4dbc 1154 }
761772d7 1155
b9908bf9 1156 /* TLS extensions */
30aeba43 1157 if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) {
b9908bf9
MC		 1158 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1159 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1160 return 0;
b9908bf9 1161 }
0f113f3e 1162
b9908bf9 1163 return 1;
0f113f3e 1164}
d02b48c6 1165
be3583fa 1166MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
8ba708e5
MC		 1167{
1168 int al;
cb150cbc 1169 size_t cookie_len;
8ba708e5
MC		 1170 PACKET cookiepkt;
1171
1172 if (!PACKET_forward(pkt, 2)
a230b26e 1173 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
8ba708e5
MC		 1174 al = SSL_AD_DECODE_ERROR;
1175 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
1176 goto f_err;
1177 }
1178
1179 cookie_len = PACKET_remaining(&cookiepkt);
1180 if (cookie_len > sizeof(s->d1->cookie)) {
1181 al = SSL_AD_ILLEGAL_PARAMETER;
1182 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG);
1183 goto f_err;
1184 }
1185
1186 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1187 al = SSL_AD_DECODE_ERROR;
1188 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
1189 goto f_err;
1190 }
1191 s->d1->cookie_len = cookie_len;
1192
1193 return MSG_PROCESS_FINISHED_READING;
1194 f_err:
1195 ssl3_send_alert(s, SSL3_AL_FATAL, al);
fe3a3291 1196 ossl_statem_set_error(s);
8ba708e5
MC		 1197 return MSG_PROCESS_ERROR;
1198}
1199
be3583fa 1200MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
b9908bf9
MC		 1201{
1202 STACK_OF(SSL_CIPHER) *sk;
1203 const SSL_CIPHER *c;
332eb390 1204 PACKET session_id, extpkt;
b9908bf9 1205 size_t session_id_len;
b6981744 1206 const unsigned char *cipherchars;
b9908bf9
MC		 1207 int i, al = SSL_AD_INTERNAL_ERROR;
1208 unsigned int compression;
4fa52141 1209 unsigned int sversion;
3434f40b 1210 unsigned int context;
4fa52141 1211 int protverr;
332eb390 1212 RAW_EXTENSION *extensions = NULL;
b9908bf9
MC		 1213#ifndef OPENSSL_NO_COMP
1214 SSL_COMP *comp;
1215#endif
1216
4fa52141
VD		 1217 if (!PACKET_get_net_2(pkt, &sversion)) {
1218 al = SSL_AD_DECODE_ERROR;
1219 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1220 goto f_err;
1221 }
50932c4a 1222
4ff65f77 1223 /* We do this immediately so we know what format the ServerHello is in */
4fa52141
VD		 1224 protverr = ssl_choose_client_version(s, sversion);
1225 if (protverr != 0) {
1226 al = SSL_AD_PROTOCOL_VERSION;
1227 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr);
1228 goto f_err;
0f113f3e 1229 }
0f113f3e
MC		 1230
1231 /* load the server hello data */
1232 /* load the server random */
73999b62 1233 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
50932c4a 1234 al = SSL_AD_DECODE_ERROR;
b9908bf9 1235 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
50932c4a
MC		 1236 goto f_err;
1237 }
0f113f3e 1238
fc5ce51d 1239 /* Get the session-id. */
71728dd8
MC		 1240 if (!SSL_IS_TLS13(s)) {
1241 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1242 al = SSL_AD_DECODE_ERROR;
1243 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1244 goto f_err;
1245 }
1246 session_id_len = PACKET_remaining(&session_id);
1247 if (session_id_len > sizeof s->session->session_id
1248 || session_id_len > SSL3_SESSION_ID_SIZE) {
1249 al = SSL_AD_ILLEGAL_PARAMETER;
1250 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1251 SSL_R_SSL3_SESSION_ID_TOO_LONG);
1252 goto f_err;
1253 }
1254 } else {
625b0d51 1255 PACKET_null_init(&session_id);
71728dd8 1256 session_id_len = 0;
0f113f3e 1257 }
e481f9b9 1258
73999b62 1259 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
f0659bdb 1260 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
fc5ce51d
EK		 1261 al = SSL_AD_DECODE_ERROR;
1262 goto f_err;
1263 }
1264
4ff65f77
MC		 1265 if (!SSL_IS_TLS13(s)) {
1266 if (!PACKET_get_1(pkt, &compression)) {
1267 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1268 al = SSL_AD_DECODE_ERROR;
1269 goto f_err;
1270 }
1271 } else {
1272 compression = 0;
1273 }
1274
1275 /* TLS extensions */
1276 if (PACKET_remaining(pkt) == 0) {
1277 PACKET_null_init(&extpkt);
1278 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
1279 al = SSL_AD_DECODE_ERROR;
1280 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH);
1281 goto f_err;
1282 }
1283
1284 context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
1285 : EXT_TLS1_2_SERVER_HELLO;
fc5ece2e 1286 if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL))
4ff65f77
MC		 1287 goto f_err;
1288
1289 s->hit = 0;
1290
1291 if (SSL_IS_TLS13(s)) {
1292 /* This will set s->hit if we are resuming */
1293 if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1294 EXT_TLS1_3_SERVER_HELLO,
1295 extensions, NULL, 0, &al))
1296 goto f_err;
1297 } else {
8c1a5343 1298 /*
4ff65f77
MC		 1299 * Check if we can resume the session based on external pre-shared
1300 * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1301 * Resumption based on server-side state works with session IDs.
1302 * Resumption based on pre-shared Protected Access Credentials (PACs)
1303 * works by overriding the SessionTicket extension at the application
1304 * layer, and does not send a session ID. (We do not know whether
1305 * EAP-FAST servers would honour the session ID.) Therefore, the session
1306 * ID alone is not a reliable indicator of session resumption, so we
1307 * first check if we can resume, and later peek at the next handshake
1308 * message to see if the server wants to resume.
8c1a5343 1309 */
4ff65f77
MC		 1310 if (s->version >= TLS1_VERSION
1311 && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
1312 const SSL_CIPHER *pref_cipher = NULL;
1313 /*
1314 * s->session->master_key_length is a size_t, but this is an int for
1315 * backwards compat reasons
1316 */
1317 int master_key_length;
1318 master_key_length = sizeof(s->session->master_key);
1319 if (s->ext.session_secret_cb(s, s->session->master_key,
1320 &master_key_length,
1321 NULL, &pref_cipher,
1322 s->ext.session_secret_cb_arg)
1323 && master_key_length > 0) {
1324 s->session->master_key_length = master_key_length;
1325 s->session->cipher = pref_cipher ?
60d685d1 1326 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
4ff65f77
MC		 1327 } else {
1328 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1329 al = SSL_AD_INTERNAL_ERROR;
1330 goto f_err;
1331 }
0f113f3e 1332 }
4ff65f77
MC		 1333
1334 if (session_id_len != 0
1335 && session_id_len == s->session->session_id_length
1336 && memcmp(PACKET_data(&session_id), s->session->session_id,
1337 session_id_len) == 0)
1338 s->hit = 1;
50932c4a
MC		 1339 }
1340
4ff65f77 1341 if (s->hit) {
0f113f3e 1342 if (s->sid_ctx_length != s->session->sid_ctx_length
4ff65f77 1343 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
0f113f3e
MC		 1344 /* actually a client application bug */
1345 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1346 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
0f113f3e
MC		 1347 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1348 goto f_err;
1349 }
6e3d0153 1350 } else {
0f113f3e 1351 /*
6e3d0153 1352 * If we were trying for session-id reuse but the server
4ff65f77 1353 * didn't resume, make a new SSL_SESSION.
6e3d0153
EK		 1354 * In the case of EAP-FAST and PAC, we do not send a session ID,
1355 * so the PAC-based session secret is always preserved. It'll be
1356 * overwritten if the server refuses resumption.
0f113f3e 1357 */
4ff65f77
MC		 1358 if (s->session->session_id_length > 0
1359 || (SSL_IS_TLS13(s)
1360 && s->session->ext.tick_identity
1361 != TLSEXT_PSK_BAD_IDENTITY)) {
4f6eaa59 1362 s->ctx->stats.sess_miss++;
0f113f3e
MC		 1363 if (!ssl_get_new_session(s, 0)) {
1364 goto f_err;
1365 }
1366 }
50932c4a 1367
ccae4a15 1368 s->session->ssl_version = s->version;
fc5ce51d
EK		 1369 s->session->session_id_length = session_id_len;
1370 /* session_id_len could be 0 */
a19fc66a
KR		 1371 if (session_id_len > 0)
1372 memcpy(s->session->session_id, PACKET_data(&session_id),
1373 session_id_len);
0f113f3e 1374 }
fc5ce51d 1375
ccae4a15
FI		 1376 /* Session version and negotiated protocol version should match */
1377 if (s->version != s->session->ssl_version) {
1378 al = SSL_AD_PROTOCOL_VERSION;
1379
1380 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1381 SSL_R_SSL_SESSION_VERSION_MISMATCH);
1382 goto f_err;
1383 }
1384
60d685d1 1385 c = ssl_get_cipher_by_char(s, cipherchars, 0);
0f113f3e
MC		 1386 if (c == NULL) {
1387 /* unknown cipher */
1388 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1389 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
0f113f3e
MC		 1390 goto f_err;
1391 }
0f113f3e 1392 /*
3eb2aff4
KR		 1393 * Now that we know the version, update the check to see if it's an allowed
1394 * version.
1395 */
1396 s->s3->tmp.min_ver = s->version;
1397 s->s3->tmp.max_ver = s->version;
1398 /*
1399 * If it is a disabled cipher we either didn't send it in client hello,
1400 * or it's not allowed for the selected protocol. So we return an error.
0f113f3e
MC		 1401 */
1402 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
1403 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1404 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
0f113f3e
MC		 1405 goto f_err;
1406 }
0f113f3e
MC		 1407
1408 sk = ssl_get_ciphers_by_id(s);
1409 i = sk_SSL_CIPHER_find(sk, c);
1410 if (i < 0) {
1411 /* we did not say we would use this cipher */
1412 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1413 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
0f113f3e
MC		 1414 goto f_err;
1415 }
1416
1417 /*
1418 * Depending on the session caching (internal/external), the cipher
1419 * and/or cipher_id values may not be set. Make sure that cipher_id is
1420 * set and use it for comparison.
1421 */
1422 if (s->session->cipher)
1423 s->session->cipher_id = s->session->cipher->id;
1424 if (s->hit && (s->session->cipher_id != c->id)) {
9e9858d1 1425 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1426 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
9e9858d1
RS		 1427 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1428 goto f_err;
0f113f3e
MC		 1429 }
1430 s->s3->tmp.new_cipher = c;
71728dd8 1431
09b6c2ef 1432#ifdef OPENSSL_NO_COMP
fc5ce51d 1433 if (compression != 0) {
0f113f3e 1434 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1435 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
0f113f3e
MC		 1436 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1437 goto f_err;
1438 }
1439 /*
1440 * If compression is disabled we'd better not try to resume a session
1441 * using compression.
1442 */
1443 if (s->session->compress_meth != 0) {
b9908bf9 1444 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
0f113f3e
MC		 1445 goto f_err;
1446 }
09b6c2ef 1447#else
fc5ce51d 1448 if (s->hit && compression != s->session->compress_meth) {
0f113f3e 1449 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1450 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
0f113f3e
MC		 1451 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1452 goto f_err;
1453 }
fc5ce51d 1454 if (compression == 0)
0f113f3e
MC		 1455 comp = NULL;
1456 else if (!ssl_allow_compression(s)) {
1457 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1458 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
0f113f3e 1459 goto f_err;
fc5ce51d
EK		 1460 } else {
1461 comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1462 }
0f113f3e 1463
fc5ce51d 1464 if (compression != 0 && comp == NULL) {
0f113f3e 1465 al = SSL_AD_ILLEGAL_PARAMETER;
b9908bf9 1466 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
0f113f3e
MC		 1467 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1468 goto f_err;
1469 } else {
1470 s->s3->tmp.new_compression = comp;
1471 }
09b6c2ef 1472#endif
761772d7 1473
4ff65f77 1474 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, &al))
332eb390
MC		 1475 goto f_err;
1476
8723588e
MC		 1477#ifndef OPENSSL_NO_SCTP
1478 if (SSL_IS_DTLS(s) && s->hit) {
1479 unsigned char sctpauthkey[64];
1480 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1481
1482 /*
1483 * Add new shared key for SCTP-Auth, will be ignored if
1484 * no SCTP used.
1485 */
141eb8c6
MC		 1486 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1487 sizeof(DTLS1_SCTP_AUTH_LABEL));
8723588e
MC		 1488
1489 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e
EK		 1490 sizeof(sctpauthkey),
1491 labelbuffer,
1492 sizeof(labelbuffer), NULL, 0, 0) <= 0)
c0aa6b81 1493 goto f_err;
8723588e
MC		 1494
1495 BIO_ctrl(SSL_get_wbio(s),
1496 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1497 sizeof(sctpauthkey), sctpauthkey);
1498 }
1499#endif
1500
92760c21
MC		 1501 /*
1502 * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1503 * we're done with this message
1504 */
1505 if (SSL_IS_TLS13(s)
1506 && (!s->method->ssl3_enc->setup_key_block(s)
1507 || !s->method->ssl3_enc->change_cipher_state(s,
1508 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)
1509 || !s->method->ssl3_enc->change_cipher_state(s,
1510 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
1511 al = SSL_AD_INTERNAL_ERROR;
1512 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER);
1513 goto f_err;
1514 }
1515
1b0286a3 1516 OPENSSL_free(extensions);
b9908bf9 1517 return MSG_PROCESS_CONTINUE_READING;
0f113f3e
MC		 1518 f_err:
1519 ssl3_send_alert(s, SSL3_AL_FATAL, al);
fe3a3291 1520 ossl_statem_set_error(s);
1b0286a3 1521 OPENSSL_free(extensions);
b9908bf9 1522 return MSG_PROCESS_ERROR;
0f113f3e 1523}
d02b48c6 1524
3847d426
MC		 1525static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
1526{
1527 unsigned int sversion;
2248dbeb 1528 int errorcode;
3847d426
MC		 1529 RAW_EXTENSION *extensions = NULL;
1530 int al;
1531 PACKET extpkt;
1532
1533 if (!PACKET_get_net_2(pkt, &sversion)) {
1534 al = SSL_AD_DECODE_ERROR;
1535 SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH);
1536 goto f_err;
1537 }
1538
1539 s->hello_retry_request = 1;
1540
1541 /* This will fail if it doesn't choose TLSv1.3+ */
2248dbeb
MC		 1542 errorcode = ssl_choose_client_version(s, sversion);
1543 if (errorcode != 0) {
3847d426 1544 al = SSL_AD_PROTOCOL_VERSION;
2248dbeb 1545 SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, errorcode);
3847d426
MC		 1546 goto f_err;
1547 }
1548
1549 if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
1550 al = SSL_AD_DECODE_ERROR;
1551 SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_BAD_LENGTH);
1552 goto f_err;
1553 }
1554
1555 if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
fc5ece2e 1556 &extensions, &al, NULL)
3847d426
MC		 1557 || !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST,
1558 extensions, NULL, 0, &al))
1559 goto f_err;
1560
1561 OPENSSL_free(extensions);
1562
1563 return MSG_PROCESS_FINISHED_READING;
1564 f_err:
1565 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1566 ossl_statem_set_error(s);
1567 OPENSSL_free(extensions);
1568 return MSG_PROCESS_ERROR;
1569}
1570
be3583fa 1571MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
b9908bf9
MC		 1572{
1573 int al, i, ret = MSG_PROCESS_ERROR, exp_idx;
1574 unsigned long cert_list_len, cert_len;
1575 X509 *x = NULL;
b6981744 1576 const unsigned char *certstart, *certbytes;
b9908bf9
MC		 1577 STACK_OF(X509) *sk = NULL;
1578 EVP_PKEY *pkey = NULL;
d805a57b 1579 size_t chainidx;
e96e0f8e 1580 unsigned int context = 0;
0f113f3e
MC		 1581
1582 if ((sk = sk_X509_new_null()) == NULL) {
b9908bf9 1583 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
cc273a93 1584 goto err;
0f113f3e
MC		 1585 }
1586
e96e0f8e
MC		 1587 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1588 || context != 0
1589 || !PACKET_get_net_3(pkt, &cert_list_len)
1590 || PACKET_remaining(pkt) != cert_list_len) {
0f113f3e 1591 al = SSL_AD_DECODE_ERROR;
b9908bf9 1592 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
0f113f3e
MC		 1593 goto f_err;
1594 }
d805a57b 1595 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
73999b62 1596 if (!PACKET_get_net_3(pkt, &cert_len)
a230b26e 1597 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
0f113f3e 1598 al = SSL_AD_DECODE_ERROR;
b9908bf9 1599 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
0f113f3e
MC		 1600 SSL_R_CERT_LENGTH_MISMATCH);
1601 goto f_err;
1602 }
1603
df758a85
MC		 1604 certstart = certbytes;
1605 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
0f113f3e
MC		 1606 if (x == NULL) {
1607 al = SSL_AD_BAD_CERTIFICATE;
b9908bf9 1608 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
0f113f3e
MC		 1609 goto f_err;
1610 }
df758a85 1611 if (certbytes != (certstart + cert_len)) {
0f113f3e 1612 al = SSL_AD_DECODE_ERROR;
b9908bf9 1613 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
0f113f3e
MC		 1614 SSL_R_CERT_LENGTH_MISMATCH);
1615 goto f_err;
1616 }
e96e0f8e
MC		 1617
1618 if (SSL_IS_TLS13(s)) {
1619 RAW_EXTENSION *rawexts = NULL;
1620 PACKET extensions;
1621
1622 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1623 al = SSL_AD_DECODE_ERROR;
1624 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
1625 goto f_err;
1626 }
1627 if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
fc5ece2e 1628 &rawexts, &al, NULL)
e96e0f8e 1629 || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
5ee289ea
MC		 1630 rawexts, x, chainidx, &al)) {
1631 OPENSSL_free(rawexts);
e96e0f8e 1632 goto f_err;
5ee289ea
MC		 1633 }
1634 OPENSSL_free(rawexts);
e96e0f8e
MC		 1635 }
1636
0f113f3e 1637 if (!sk_X509_push(sk, x)) {
b9908bf9 1638 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
cc273a93 1639 goto err;
0f113f3e
MC		 1640 }
1641 x = NULL;
0f113f3e
MC		 1642 }
1643
1644 i = ssl_verify_cert_chain(s, sk);
c8e2f98c
MC		 1645 /*
1646 * The documented interface is that SSL_VERIFY_PEER should be set in order
1647 * for client side verification of the server certificate to take place.
1648 * However, historically the code has only checked that *any* flag is set
1649 * to cause server verification to take place. Use of the other flags makes
1650 * no sense in client mode. An attempt to clean up the semantics was
1651 * reverted because at least one application *only* set
1652 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1653 * server verification to take place, after the clean up it silently did
1654 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1655 * sent to them because they are void functions. Therefore, we now use the
1656 * (less clean) historic behaviour of performing validation if any flag is
1657 * set. The *documented* interface remains the same.
1658 */
1659 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
0f113f3e 1660 al = ssl_verify_alarm_type(s->verify_result);
b9908bf9 1661 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
0f113f3e
MC		 1662 SSL_R_CERTIFICATE_VERIFY_FAILED);
1663 goto f_err;
1664 }
1665 ERR_clear_error(); /* but we keep s->verify_result */
1666 if (i > 1) {
b9908bf9 1667 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
0f113f3e
MC		 1668 al = SSL_AD_HANDSHAKE_FAILURE;
1669 goto f_err;
1670 }
1671
c34b0f99 1672 s->session->peer_chain = sk;
0f113f3e
MC		 1673 /*
1674 * Inconsistency alert: cert_chain does include the peer's certificate,
d4d78943 1675 * which we don't include in statem_srvr.c
0f113f3e
MC		 1676 */
1677 x = sk_X509_value(sk, 0);
1678 sk = NULL;
1679 /*
1680 * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
1681 */
1682
8382fd3a 1683 pkey = X509_get0_pubkey(x);
0f113f3e 1684
55a9a16f 1685 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
0f113f3e
MC		 1686 x = NULL;
1687 al = SSL3_AL_FATAL;
b9908bf9 1688 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
0f113f3e
MC		 1689 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1690 goto f_err;
1691 }
1692
1693 i = ssl_cert_type(x, pkey);
55a9a16f 1694 if (i < 0) {
0f113f3e
MC		 1695 x = NULL;
1696 al = SSL3_AL_FATAL;
b9908bf9 1697 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
0f113f3e
MC		 1698 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1699 goto f_err;
1700 }
05b8486e
DSH		 1701 /*
1702 * Check certificate type is consistent with ciphersuite. For TLS 1.3
1703 * skip check since TLS 1.3 ciphersuites can be used with any certificate
1704 * type.
1705 */
1706 if (!SSL_IS_TLS13(s)) {
1707 exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1708 if (exp_idx >= 0 && i != exp_idx
1709 && (exp_idx != SSL_PKEY_GOST_EC ||
1710 (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
1711 && i != SSL_PKEY_GOST01))) {
1712 x = NULL;
1713 al = SSL_AD_ILLEGAL_PARAMETER;
1714 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1715 SSL_R_WRONG_CERTIFICATE_TYPE);
1716 goto f_err;
1717 }
0f113f3e 1718 }
a273c6ee 1719 s->session->peer_type = i;
55a9a16f
MC		 1720
1721 X509_free(s->session->peer);
05f0fb9f 1722 X509_up_ref(x);
55a9a16f 1723 s->session->peer = x;
0f113f3e 1724 s->session->verify_result = s->verify_result;
0f113f3e 1725 x = NULL;
2c5dfdc3
MC		 1726
1727 /* Save the current hash state for when we receive the CertificateVerify */
1728 if (SSL_IS_TLS13(s)
1729 && !ssl_handshake_hash(s, s->cert_verify_hash,
1730 sizeof(s->cert_verify_hash),
1731 &s->cert_verify_hash_len)) {
1732 al = SSL_AD_INTERNAL_ERROR;
1733 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1734 goto f_err;
1735 }
1736
b9908bf9 1737 ret = MSG_PROCESS_CONTINUE_READING;
66696478
RS		 1738 goto done;
1739
0f113f3e 1740 f_err:
66696478 1741 ssl3_send_alert(s, SSL3_AL_FATAL, al);
cc273a93 1742 err:
fe3a3291 1743 ossl_statem_set_error(s);
66696478 1744 done:
0f113f3e
MC		 1745 X509_free(x);
1746 sk_X509_pop_free(sk, X509_free);
b9908bf9 1747 return ret;
0f113f3e 1748}
d02b48c6 1749
7dc1c647 1750static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al)
02a74590
MC		 1751{
1752#ifndef OPENSSL_NO_PSK
7dc1c647 1753 PACKET psk_identity_hint;
02a74590 1754
7dc1c647
MC		 1755 /* PSK ciphersuites are preceded by an identity hint */
1756
1757 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1758 *al = SSL_AD_DECODE_ERROR;
4fa88861 1759 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
7dc1c647
MC		 1760 return 0;
1761 }
1762
1763 /*
1764 * Store PSK identity hint for later use, hint is used in
1765 * tls_construct_client_key_exchange. Assume that the maximum length of
1766 * a PSK identity hint can be as long as the maximum length of a PSK
1767 * identity.
1768 */
1769 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
1770 *al = SSL_AD_HANDSHAKE_FAILURE;
4fa88861 1771 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
7dc1c647
MC		 1772 return 0;
1773 }
02a74590 1774
7dc1c647
MC		 1775 if (PACKET_remaining(&psk_identity_hint) == 0) {
1776 OPENSSL_free(s->session->psk_identity_hint);
1777 s->session->psk_identity_hint = NULL;
1778 } else if (!PACKET_strndup(&psk_identity_hint,
a230b26e 1779 &s->session->psk_identity_hint)) {
7dc1c647
MC		 1780 *al = SSL_AD_INTERNAL_ERROR;
1781 return 0;
1782 }
1783
1784 return 1;
1785#else
4fa88861 1786 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
7dc1c647
MC		 1787 *al = SSL_AD_INTERNAL_ERROR;
1788 return 0;
02a74590
MC		 1789#endif
1790}
1791
25c6c10c
MC		 1792static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1793{
1794#ifndef OPENSSL_NO_SRP
1795 PACKET prime, generator, salt, server_pub;
1796
1797 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1798 || !PACKET_get_length_prefixed_2(pkt, &generator)
1799 || !PACKET_get_length_prefixed_1(pkt, &salt)
1800 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1801 *al = SSL_AD_DECODE_ERROR;
4fa88861 1802 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_LENGTH_MISMATCH);
25c6c10c
MC		 1803 return 0;
1804 }
1805
348240c6 1806 /* TODO(size_t): Convert BN_bin2bn() calls */
25c6c10c
MC		 1807 if ((s->srp_ctx.N =
1808 BN_bin2bn(PACKET_data(&prime),
348240c6 1809 (int)PACKET_remaining(&prime), NULL)) == NULL
25c6c10c
MC		 1810 || (s->srp_ctx.g =
1811 BN_bin2bn(PACKET_data(&generator),
348240c6 1812 (int)PACKET_remaining(&generator), NULL)) == NULL
25c6c10c
MC		 1813 || (s->srp_ctx.s =
1814 BN_bin2bn(PACKET_data(&salt),
348240c6 1815 (int)PACKET_remaining(&salt), NULL)) == NULL
25c6c10c
MC		 1816 || (s->srp_ctx.B =
1817 BN_bin2bn(PACKET_data(&server_pub),
348240c6 1818 (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
25c6c10c 1819 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1820 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB);
25c6c10c
MC		 1821 return 0;
1822 }
1823
1824 if (!srp_verify_server_param(s, al)) {
1825 *al = SSL_AD_DECODE_ERROR;
4fa88861 1826 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
25c6c10c
MC		 1827 return 0;
1828 }
1829
1830 /* We must check if there is a certificate */
a230b26e 1831 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
25c6c10c
MC		 1832 *pkey = X509_get0_pubkey(s->session->peer);
1833
1834 return 1;
1835#else
4fa88861 1836 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_INTERNAL_ERROR);
25c6c10c
MC		 1837 *al = SSL_AD_INTERNAL_ERROR;
1838 return 0;
1839#endif
1840}
1841
e01a610d
MC		 1842static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1843{
1844#ifndef OPENSSL_NO_DH
1845 PACKET prime, generator, pub_key;
1846 EVP_PKEY *peer_tmp = NULL;
1847
1848 DH *dh = NULL;
1849 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
1850
26505153
RL		 1851 int check_bits = 0;
1852
e01a610d
MC		 1853 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1854 || !PACKET_get_length_prefixed_2(pkt, &generator)
1855 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
1856 *al = SSL_AD_DECODE_ERROR;
4fa88861 1857 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_LENGTH_MISMATCH);
e01a610d
MC		 1858 return 0;
1859 }
1860
1861 peer_tmp = EVP_PKEY_new();
1862 dh = DH_new();
1863
1864 if (peer_tmp == NULL || dh == NULL) {
1865 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1866 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_MALLOC_FAILURE);
e01a610d
MC		 1867 goto err;
1868 }
1869
348240c6
MC		 1870 /* TODO(size_t): Convert these calls */
1871 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
1872 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
1873 NULL);
1874 bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
1875 (int)PACKET_remaining(&pub_key), NULL);
e01a610d
MC		 1876 if (p == NULL || g == NULL || bnpub_key == NULL) {
1877 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1878 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
e01a610d
MC		 1879 goto err;
1880 }
1881
26505153
RL		 1882 /* test non-zero pupkey */
1883 if (BN_is_zero(bnpub_key)) {
e01a610d 1884 *al = SSL_AD_DECODE_ERROR;
4fa88861 1885 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
e01a610d
MC		 1886 goto err;
1887 }
1888
1889 if (!DH_set0_pqg(dh, p, NULL, g)) {
1890 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1891 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
e01a610d
MC		 1892 goto err;
1893 }
1894 p = g = NULL;
1895
26505153
RL		 1896 if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
1897 *al = SSL_AD_DECODE_ERROR;
1898 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
1899 goto err;
1900 }
1901
e01a610d
MC		 1902 if (!DH_set0_key(dh, bnpub_key, NULL)) {
1903 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1904 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
e01a610d
MC		 1905 goto err;
1906 }
1907 bnpub_key = NULL;
1908
1909 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
1910 *al = SSL_AD_HANDSHAKE_FAILURE;
4fa88861 1911 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_DH_KEY_TOO_SMALL);
e01a610d
MC		 1912 goto err;
1913 }
1914
1915 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
1916 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1917 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB);
e01a610d
MC		 1918 goto err;
1919 }
1920
1921 s->s3->peer_tmp = peer_tmp;
1922
1923 /*
1924 * FIXME: This makes assumptions about which ciphersuites come with
1925 * public keys. We should have a less ad-hoc way of doing this
1926 */
a230b26e 1927 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
e01a610d
MC		 1928 *pkey = X509_get0_pubkey(s->session->peer);
1929 /* else anonymous DH, so no certificate or pkey. */
1930
1931 return 1;
1932
1933 err:
1934 BN_free(p);
1935 BN_free(g);
1936 BN_free(bnpub_key);
1937 DH_free(dh);
1938 EVP_PKEY_free(peer_tmp);
1939
1940 return 0;
1941#else
4fa88861 1942 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_INTERNAL_ERROR);
e01a610d
MC		 1943 *al = SSL_AD_INTERNAL_ERROR;
1944 return 0;
1945#endif
1946}
1947
ff74aeb1
MC		 1948static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1949{
1950#ifndef OPENSSL_NO_EC
1951 PACKET encoded_pt;
1952 const unsigned char *ecparams;
1953 int curve_nid;
ec24630a 1954 unsigned int curve_flags;
ff74aeb1
MC		 1955 EVP_PKEY_CTX *pctx = NULL;
1956
1957 /*
1958 * Extract elliptic curve parameters and the server's ephemeral ECDH
1959 * public key. For now we only support named (not generic) curves and
1960 * ECParameters in this case is just three bytes.
1961 */
1962 if (!PACKET_get_bytes(pkt, &ecparams, 3)) {
1963 *al = SSL_AD_DECODE_ERROR;
4fa88861 1964 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_TOO_SHORT);
ff74aeb1
MC		 1965 return 0;
1966 }
1967 /*
1968 * Check curve is one of our preferences, if not server has sent an
1969 * invalid curve. ECParameters is 3 bytes.
1970 */
1971 if (!tls1_check_curve(s, ecparams, 3)) {
1972 *al = SSL_AD_DECODE_ERROR;
4fa88861 1973 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE);
ff74aeb1
MC		 1974 return 0;
1975 }
1976
ec24630a
DSH		 1977 curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2), &curve_flags);
1978
a230b26e 1979 if (curve_nid == 0) {
ff74aeb1 1980 *al = SSL_AD_INTERNAL_ERROR;
4fa88861 1981 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE,
ff74aeb1
MC		 1982 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1983 return 0;
1984 }
1985
ec24630a
DSH		 1986 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
1987 EVP_PKEY *key = EVP_PKEY_new();
1988
1989 if (key == NULL || !EVP_PKEY_set_type(key, curve_nid)) {
1990 *al = SSL_AD_INTERNAL_ERROR;
1991 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
1992 EVP_PKEY_free(key);
1993 return 0;
1994 }
1995 s->s3->peer_tmp = key;
1996 } else {
1997 /* Set up EVP_PKEY with named curve as parameters */
1998 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1999 if (pctx == NULL
2000 || EVP_PKEY_paramgen_init(pctx) <= 0
2001 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, curve_nid) <= 0
2002 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
2003 *al = SSL_AD_INTERNAL_ERROR;
2004 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
2005 EVP_PKEY_CTX_free(pctx);
2006 return 0;
2007 }
ff74aeb1 2008 EVP_PKEY_CTX_free(pctx);
ec24630a 2009 pctx = NULL;
ff74aeb1 2010 }
ff74aeb1
MC		 2011
2012 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2013 *al = SSL_AD_DECODE_ERROR;
4fa88861 2014 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_MISMATCH);
ff74aeb1
MC		 2015 return 0;
2016 }
2017
ec24630a
DSH		 2018 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
2019 PACKET_data(&encoded_pt),
2020 PACKET_remaining(&encoded_pt))) {
ff74aeb1 2021 *al = SSL_AD_DECODE_ERROR;
4fa88861 2022 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_BAD_ECPOINT);
ff74aeb1
MC		 2023 return 0;
2024 }
2025
2026 /*
2027 * The ECC/TLS specification does not mention the use of DSA to sign
2028 * ECParameters in the server key exchange message. We do support RSA
2029 * and ECDSA.
2030 */
2031 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA)
2032 *pkey = X509_get0_pubkey(s->session->peer);
2033 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA)
2034 *pkey = X509_get0_pubkey(s->session->peer);
2035 /* else anonymous ECDH, so no certificate or pkey. */
2036
2037 return 1;
2038#else
4fa88861 2039 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_INTERNAL_ERROR);
ff74aeb1
MC		 2040 *al = SSL_AD_INTERNAL_ERROR;
2041 return 0;
2042#endif
2043}
2044
be3583fa 2045MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
b9908bf9 2046{
5554facb 2047 int al = -1;
e1e588ac 2048 long alg_k;
b9908bf9 2049 EVP_PKEY *pkey = NULL;
fe3066ee
MC		 2050 EVP_MD_CTX *md_ctx = NULL;
2051 EVP_PKEY_CTX *pctx = NULL;
73999b62 2052 PACKET save_param_start, signature;
b9908bf9 2053
b9908bf9
MC		 2054 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2055
73999b62 2056 save_param_start = *pkt;
8d92c1f8 2057
3260adf1 2058#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
61dd9f7a
DSH		 2059 EVP_PKEY_free(s->s3->peer_tmp);
2060 s->s3->peer_tmp = NULL;
3260adf1 2061#endif
d02b48c6 2062
7689082b 2063 if (alg_k & SSL_PSK) {
7dc1c647
MC		 2064 if (!tls_process_ske_psk_preamble(s, pkt, &al))
2065 goto err;
7689082b
DSH		 2066 }
2067
2068 /* Nothing else to do for plain PSK or RSAPSK */
2069 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
25c6c10c
MC		 2070 } else if (alg_k & SSL_kSRP) {
2071 if (!tls_process_ske_srp(s, pkt, &pkey, &al))
0f113f3e 2072 goto err;
e01a610d
MC		 2073 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2074 if (!tls_process_ske_dhe(s, pkt, &pkey, &al))
2075 goto err;
ff74aeb1
MC		 2076 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2077 if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al))
2078 goto err;
0f113f3e
MC		 2079 } else if (alg_k) {
2080 al = SSL_AD_UNEXPECTED_MESSAGE;
b9908bf9 2081 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
e1e588ac 2082 goto err;
0f113f3e 2083 }
0f113f3e 2084
0f113f3e
MC		 2085 /* if it was signed, check the signature */
2086 if (pkey != NULL) {
32942870 2087 PACKET params;
be8dba2c
MC		 2088 int maxsig;
2089 const EVP_MD *md = NULL;
e1e588ac 2090
32942870
EK		 2091 /*
2092 * |pkt| now points to the beginning of the signature, so the difference
2093 * equals the length of the parameters.
2094 */
2095 if (!PACKET_get_sub_packet(&save_param_start, &params,
2096 PACKET_remaining(&save_param_start) -
73999b62 2097 PACKET_remaining(pkt))) {
32942870 2098 al = SSL_AD_INTERNAL_ERROR;
f0659bdb 2099 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
e1e588ac 2100 goto err;
32942870
EK		 2101 }
2102
0f113f3e 2103 if (SSL_USE_SIGALGS(s)) {
703bcee0 2104 unsigned int sigalg;
0f113f3e 2105 int rv;
703bcee0
MC		 2106
2107 if (!PACKET_get_net_2(pkt, &sigalg)) {
e1e588ac 2108 al = SSL_AD_DECODE_ERROR;
f0659bdb 2109 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
e1e588ac 2110 goto err;
0f113f3e 2111 }
5554facb 2112 rv = tls12_check_peer_sigalg(s, sigalg, pkey);
e1e588ac
MC		 2113 if (rv == -1) {
2114 al = SSL_AD_INTERNAL_ERROR;
2115 goto err;
2116 } else if (rv == 0) {
2117 al = SSL_AD_DECODE_ERROR;
0f113f3e 2118 goto err;
0f113f3e 2119 }
a2f9200f 2120#ifdef SSL_DEBUG
0f113f3e
MC		 2121 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
2122#endif
f365a3e2
DSH		 2123 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2124 al = SSL_AD_INTERNAL_ERROR;
2125 goto err;
32942870 2126 }
0f113f3e 2127
f365a3e2
DSH		 2128 md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
2129
73999b62
MC		 2130 if (!PACKET_get_length_prefixed_2(pkt, &signature)
2131 || PACKET_remaining(pkt) != 0) {
e1e588ac 2132 al = SSL_AD_DECODE_ERROR;
f0659bdb 2133 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
e1e588ac 2134 goto err;
0f113f3e 2135 }
be8dba2c
MC		 2136 maxsig = EVP_PKEY_size(pkey);
2137 if (maxsig < 0) {
e1e588ac 2138 al = SSL_AD_INTERNAL_ERROR;
b9908bf9 2139 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
e1e588ac 2140 goto err;
8098fc56 2141 }
0f113f3e
MC		 2142
2143 /*
8098fc56 2144 * Check signature length
0f113f3e 2145 */
be8dba2c 2146 if (PACKET_remaining(&signature) > (size_t)maxsig) {
0f113f3e 2147 /* wrong packet length */
e1e588ac 2148 al = SSL_AD_DECODE_ERROR;
a230b26e
EK		 2149 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2150 SSL_R_WRONG_SIGNATURE_LENGTH);
e1e588ac
MC		 2151 goto err;
2152 }
2153
2154 md_ctx = EVP_MD_CTX_new();
2155 if (md_ctx == NULL) {
2156 al = SSL_AD_INTERNAL_ERROR;
2157 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2158 goto err;
0f113f3e 2159 }
e1e588ac 2160
fe3066ee
MC		 2161 if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2162 al = SSL_AD_INTERNAL_ERROR;
2163 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
2164 goto err;
2165 }
5554facb 2166 if (SSL_USE_PSS(s)) {
fe3066ee 2167 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
91410d40 2168 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
968ae5b3 2169 RSA_PSS_SALTLEN_DIGEST) <= 0) {
fe3066ee
MC		 2170 al = SSL_AD_INTERNAL_ERROR;
2171 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
2172 goto err;
2173 }
2174 }
2175 if (EVP_DigestVerifyUpdate(md_ctx, &(s->s3->client_random[0]),
2176 SSL3_RANDOM_SIZE) <= 0
2177 || EVP_DigestVerifyUpdate(md_ctx, &(s->s3->server_random[0]),
2178 SSL3_RANDOM_SIZE) <= 0
2179 || EVP_DigestVerifyUpdate(md_ctx, PACKET_data(&params),
2180 PACKET_remaining(&params)) <= 0) {
192e4bbb
DSH		 2181 al = SSL_AD_INTERNAL_ERROR;
2182 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
e1e588ac 2183 goto err;
192e4bbb 2184 }
fe3066ee
MC		 2185 if (EVP_DigestVerifyFinal(md_ctx, PACKET_data(&signature),
2186 PACKET_remaining(&signature)) <= 0) {
192e4bbb
DSH		 2187 /* bad signature */
2188 al = SSL_AD_DECRYPT_ERROR;
2189 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
e1e588ac 2190 goto err;
0f113f3e 2191 }
e1e588ac 2192 EVP_MD_CTX_free(md_ctx);
fe3066ee 2193 md_ctx = NULL;
0f113f3e 2194 } else {
7689082b 2195 /* aNULL, aSRP or PSK do not need public keys */
e1e588ac 2196 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
a230b26e 2197 && !(alg_k & SSL_PSK)) {
0f113f3e 2198 /* Might be wrong key type, check it */
e1e588ac 2199 if (ssl3_check_cert_and_algorithm(s)) {
0f113f3e 2200 /* Otherwise this shouldn't happen */
e1e588ac 2201 al = SSL_AD_INTERNAL_ERROR;
b9908bf9 2202 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
e1e588ac
MC		 2203 } else {
2204 al = SSL_AD_DECODE_ERROR;
2205 }
0f113f3e
MC		 2206 goto err;
2207 }
2208 /* still data left over */
73999b62 2209 if (PACKET_remaining(pkt) != 0) {
e1e588ac 2210 al = SSL_AD_DECODE_ERROR;
b9908bf9 2211 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
e1e588ac 2212 goto err;
0f113f3e
MC		 2213 }
2214 }
e1e588ac 2215
b9908bf9 2216 return MSG_PROCESS_CONTINUE_READING;
0f113f3e 2217 err:
7dc1c647
MC		 2218 if (al != -1)
2219 ssl3_send_alert(s, SSL3_AL_FATAL, al);
fe3a3291 2220 ossl_statem_set_error(s);
fe3066ee 2221 EVP_MD_CTX_free(md_ctx);
b9908bf9 2222 return MSG_PROCESS_ERROR;
0f113f3e 2223}
d02b48c6 2224
be3583fa 2225MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
b9908bf9
MC		 2226{
2227 int ret = MSG_PROCESS_ERROR;
03f44b97 2228 unsigned int i, name_len;
b9908bf9 2229 X509_NAME *xn = NULL;
b6981744 2230 const unsigned char *namestart, *namebytes;
b9908bf9 2231 STACK_OF(X509_NAME) *ca_sk = NULL;
03f44b97 2232 PACKET cadns;
0f113f3e
MC		 2233
2234 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
b9908bf9 2235 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 2236 goto err;
2237 }
2238
03f44b97
DSH		 2239 if (SSL_IS_TLS13(s)) {
2240 PACKET reqctx;
2241
2242 /* Free and zero certificate types: it is not present in TLS 1.3 */
2243 OPENSSL_free(s->s3->tmp.ctype);
2244 s->s3->tmp.ctype = NULL;
2245 s->s3->tmp.ctype_len = 0;
2246 /* TODO(TLS1.3) need to process request context, for now ignore */
2247 if (!PACKET_get_length_prefixed_1(pkt, &reqctx)) {
2248 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2249 SSL_R_LENGTH_MISMATCH);
2250 goto err;
2251 }
2252 } else {
2253 PACKET ctypes;
75c13e78 2254
03f44b97
DSH		 2255 /* get the certificate types */
2256 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2257 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2258 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2259 SSL_R_LENGTH_MISMATCH);
0f113f3e 2260 goto err;
03f44b97
DSH		 2261 }
2262
2263 if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) {
2264 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2265 goto err;
2266 }
0f113f3e 2267 }
ac112332 2268
0f113f3e 2269 if (SSL_USE_SIGALGS(s)) {
703bcee0
MC		 2270 PACKET sigalgs;
2271
2272 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
0f113f3e 2273 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9
MC		 2274 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2275 SSL_R_LENGTH_MISMATCH);
0f113f3e
MC		 2276 goto err;
2277 }
ac112332 2278
9195ddcd
DSH		 2279 /* Clear certificate validity flags */
2280 for (i = 0; i < SSL_PKEY_NUM; i++)
6383d316 2281 s->s3->tmp.valid_flags[i] = 0;
703bcee0 2282 if (!tls1_save_sigalgs(s, &sigalgs)) {
0f113f3e 2283 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9 2284 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
0f113f3e
MC		 2285 SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2286 goto err;
2287 }
2288 if (!tls1_process_sigalgs(s)) {
2289 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
b9908bf9 2290 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 2291 goto err;
2292 }
0f113f3e
MC		 2293 }
2294
2295 /* get the CA RDNs */
03f44b97 2296 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
0f113f3e 2297 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9 2298 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
0f113f3e
MC		 2299 goto err;
2300 }
2301
03f44b97
DSH		 2302 while (PACKET_remaining(&cadns)) {
2303 if (!PACKET_get_net_2(&cadns, &name_len)
2304 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
0f113f3e 2305 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9
MC		 2306 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2307 SSL_R_LENGTH_MISMATCH);
0f113f3e
MC		 2308 goto err;
2309 }
2310
ac112332 2311 namestart = namebytes;
0f113f3e 2312
ac112332
MC		 2313 if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes,
2314 name_len)) == NULL) {
3c33c6f6 2315 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9 2316 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
3c33c6f6 2317 goto err;
0f113f3e
MC		 2318 }
2319
ac112332 2320 if (namebytes != (namestart + name_len)) {
0f113f3e 2321 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
b9908bf9 2322 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
0f113f3e
MC		 2323 SSL_R_CA_DN_LENGTH_MISMATCH);
2324 goto err;
2325 }
2326 if (!sk_X509_NAME_push(ca_sk, xn)) {
b9908bf9 2327 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 2328 goto err;
2329 }
6afef8b1 2330 xn = NULL;
0f113f3e 2331 }
03f44b97
DSH		 2332 /* TODO(TLS1.3) need to parse and process extensions, for now ignore */
2333 if (SSL_IS_TLS13(s)) {
2334 PACKET reqexts;
2335
2336 if (!PACKET_get_length_prefixed_2(pkt, &reqexts)) {
2337 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2338 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2339 SSL_R_EXT_LENGTH_MISMATCH);
2340 goto err;
2341 }
2342 }
2343
2344 if (PACKET_remaining(pkt) != 0) {
2345 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2346 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
2347 goto err;
2348 }
0f113f3e 2349
0f113f3e
MC		 2350 /* we should setup a certificate to return.... */
2351 s->s3->tmp.cert_req = 1;
222561fe 2352 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
0f113f3e
MC		 2353 s->s3->tmp.ca_names = ca_sk;
2354 ca_sk = NULL;
2355
05c4f1d5 2356 ret = MSG_PROCESS_CONTINUE_PROCESSING;
cc273a93 2357 goto done;
0f113f3e 2358 err:
fe3a3291 2359 ossl_statem_set_error(s);
cc273a93 2360 done:
6afef8b1 2361 X509_NAME_free(xn);
222561fe 2362 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
b9908bf9 2363 return ret;
0f113f3e
MC		 2364}
2365
2366static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
dfeab068 2367{
0f113f3e 2368 return (X509_NAME_cmp(*a, *b));
dfeab068 2369}
dfeab068 2370
be3583fa 2371MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
b9908bf9 2372{
6df55cac 2373 int al = SSL_AD_DECODE_ERROR;
b9908bf9 2374 unsigned int ticklen;
9ac6244b 2375 unsigned long ticket_lifetime_hint, age_add = 0;
ec60ccc1 2376 unsigned int sess_len;
de1df7e9 2377 RAW_EXTENSION *exts = NULL;
b9908bf9 2378
73999b62 2379 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
fc24f0bf 2380 || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add))
a230b26e 2381 || !PACKET_get_net_2(pkt, &ticklen)
de1df7e9 2382 || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
1f5b44e9
MC		 2383 || (SSL_IS_TLS13(s)
2384 && (ticklen == 0 || PACKET_remaining(pkt) < ticklen))) {
f0659bdb 2385 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
e711da71
EK		 2386 goto f_err;
2387 }
2388
de1df7e9
MC		 2389 /*
2390 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2391 * ticket. We already checked this TLSv1.3 case above, so it should never
2392 * be 0 here in that instance
2393 */
e711da71 2394 if (ticklen == 0)
c9de4a20 2395 return MSG_PROCESS_CONTINUE_READING;
e711da71 2396
de1df7e9 2397 /* TODO(TLS1.3): Is this a suitable test for TLS1.3? */
98ece4ee
MC		 2398 if (s->session->session_id_length > 0) {
2399 int i = s->session_ctx->session_cache_mode;
2400 SSL_SESSION *new_sess;
2401 /*
2402 * We reused an existing session, so we need to replace it with a new
2403 * one
2404 */
2405 if (i & SSL_SESS_CACHE_CLIENT) {
2406 /*
e4612d02 2407 * Remove the old session from the cache. We carry on if this fails
98ece4ee 2408 */
e4612d02 2409 SSL_CTX_remove_session(s->session_ctx, s->session);
98ece4ee
MC		 2410 }
2411
2412 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2413 al = SSL_AD_INTERNAL_ERROR;
b9908bf9 2414 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
98ece4ee
MC		 2415 goto f_err;
2416 }
2417
2418 SSL_SESSION_free(s->session);
2419 s->session = new_sess;
2420 }
2421
fc24f0bf
MC		 2422 /*
2423 * Technically the cast to long here is not guaranteed by the C standard -
2424 * but we use it elsewhere, so this should be ok.
2425 */
2426 s->session->time = (long)time(NULL);
2427
aff8c126
RS		 2428 OPENSSL_free(s->session->ext.tick);
2429 s->session->ext.tick = NULL;
2430 s->session->ext.ticklen = 0;
e711da71 2431
aff8c126
RS		 2432 s->session->ext.tick = OPENSSL_malloc(ticklen);
2433 if (s->session->ext.tick == NULL) {
b9908bf9 2434 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 2435 goto err;
2436 }
aff8c126 2437 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
561e12bb 2438 al = SSL_AD_DECODE_ERROR;
b9908bf9 2439 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
561e12bb
MC		 2440 goto f_err;
2441 }
e711da71 2442
aff8c126 2443 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
fc24f0bf 2444 s->session->ext.tick_age_add = age_add;
aff8c126 2445 s->session->ext.ticklen = ticklen;
de1df7e9
MC		 2446
2447 if (SSL_IS_TLS13(s)) {
2448 PACKET extpkt;
2449
2450 if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2451 || !tls_collect_extensions(s, &extpkt,
2452 EXT_TLS1_3_NEW_SESSION_TICKET,
fc5ece2e 2453 &exts, &al, NULL)
de1df7e9
MC		 2454 || !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET,
2455 exts, NULL, 0, &al)) {
2456 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION);
2457 goto f_err;
2458 }
2459 }
2460
0f113f3e
MC		 2461 /*
2462 * There are two ways to detect a resumed ticket session. One is to set
2463 * an appropriate session ID and then the server must return a match in
2464 * ServerHello. This allows the normal client session ID matching to work
2465 * and we know much earlier that the ticket has been accepted. The
2466 * other way is to set zero length session ID when the ticket is
2467 * presented and rely on the handshake to determine session resumption.
2468 * We choose the former approach because this fits in with assumptions
2469 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
2470 * SHA256 is disabled) hash of the ticket.
2471 */
ec60ccc1
MC		 2472 /*
2473 * TODO(size_t): we use sess_len here because EVP_Digest expects an int
2474 * but s->session->session_id_length is a size_t
2475 */
aff8c126 2476 if (!EVP_Digest(s->session->ext.tick, ticklen,
ec60ccc1 2477 s->session->session_id, &sess_len,
d166ed8c
DSH		 2478 EVP_sha256(), NULL)) {
2479 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
2480 goto err;
2481 }
ec60ccc1 2482 s->session->session_id_length = sess_len;
de1df7e9
MC		 2483
2484 /* This is a standalone message in TLSv1.3, so there is no more to read */
2485 if (SSL_IS_TLS13(s)) {
33d93417 2486 OPENSSL_free(exts);
de1df7e9
MC		 2487 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
2488 return MSG_PROCESS_FINISHED_READING;
2489 }
2490
b9908bf9 2491 return MSG_PROCESS_CONTINUE_READING;
0f113f3e
MC		 2492 f_err:
2493 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2494 err:
fe3a3291 2495 ossl_statem_set_error(s);
33d93417 2496 OPENSSL_free(exts);
b9908bf9 2497 return MSG_PROCESS_ERROR;
0f113f3e 2498}
67c8e7f4 2499
f63e4288
MC		 2500/*
2501 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2502 * parse a separate message. Returns 1 on success or 0 on failure. On failure
2503 * |*al| is populated with a suitable alert code.
2504 */
2505int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
b9908bf9 2506{
8b0e934a 2507 size_t resplen;
b9908bf9 2508 unsigned int type;
b9908bf9 2509
73999b62 2510 if (!PACKET_get_1(pkt, &type)
a230b26e 2511 || type != TLSEXT_STATUSTYPE_ocsp) {
f63e4288
MC		 2512 *al = SSL_AD_DECODE_ERROR;
2513 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2514 SSL_R_UNSUPPORTED_STATUS_TYPE);
2515 return 0;
0f113f3e 2516 }
56a26ce3
MC		 2517 if (!PACKET_get_net_3_len(pkt, &resplen)
2518 || PACKET_remaining(pkt) != resplen) {
f63e4288
MC		 2519 *al = SSL_AD_DECODE_ERROR;
2520 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
2521 return 0;
0f113f3e 2522 }
8cbfcc70
RS		 2523 s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2524 if (s->ext.ocsp.resp == NULL) {
f63e4288
MC		 2525 *al = SSL_AD_INTERNAL_ERROR;
2526 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
2527 return 0;
0f113f3e 2528 }
8cbfcc70 2529 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
f63e4288
MC		 2530 *al = SSL_AD_DECODE_ERROR;
2531 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
2532 return 0;
ac63710a 2533 }
8cbfcc70 2534 s->ext.ocsp.resp_len = resplen;
f63e4288
MC		 2535
2536 return 1;
2537}
2faa1b48 2538
f63e4288
MC		 2539
2540MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2541{
2542 int al;
2543
2544 if (!tls_process_cert_status_body(s, pkt, &al)) {
2545 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2546 ossl_statem_set_error(s);
2547 return MSG_PROCESS_ERROR;
2548 }
2549
b9908bf9 2550 return MSG_PROCESS_CONTINUE_READING;
0f113f3e 2551}
d02b48c6 2552
7776a36c
MC		 2553/*
2554 * Perform miscellaneous checks and processing after we have received the
2555 * server's initial flight. In TLS1.3 this is after the Server Finished message.
6530c490
MC		 2556 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2557 * on failure.
7776a36c
MC		 2558 */
2559int tls_process_initial_server_flight(SSL *s, int *al)
b9908bf9 2560{
a455d0f6
MC		 2561 /*
2562 * at this point we check that we have the required stuff from
2563 * the server
2564 */
2565 if (!ssl3_check_cert_and_algorithm(s)) {
7776a36c
MC		 2566 *al = SSL_AD_HANDSHAKE_FAILURE;
2567 return 0;
a455d0f6
MC		 2568 }
2569
bb1aaab4 2570 /*
aff8c126
RS		 2571 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2572 * |ext.ocsp.resp_len| values will be set if we actually received a status
bb1aaab4
MC		 2573 * message, or NULL and -1 otherwise
2574 */
aff8c126
RS		 2575 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2576 && s->ctx->ext.status_cb != NULL) {
2577 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2578
bb1aaab4 2579 if (ret == 0) {
7776a36c
MC		 2580 *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2581 SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
bb1aaab4 2582 SSL_R_INVALID_STATUS_RESPONSE);
7776a36c 2583 return 0;
bb1aaab4
MC		 2584 }
2585 if (ret < 0) {
7776a36c
MC		 2586 *al = SSL_AD_INTERNAL_ERROR;
2587 SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
2588 ERR_R_MALLOC_FAILURE);
2589 return 0;
bb1aaab4
MC		 2590 }
2591 }
ed29e82a
RP		 2592#ifndef OPENSSL_NO_CT
2593 if (s->ct_validation_callback != NULL) {
43341433
VD		 2594 /* Note we validate the SCTs whether or not we abort on error */
2595 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
7776a36c
MC		 2596 *al = SSL_AD_HANDSHAKE_FAILURE;
2597 return 0;
ed29e82a
RP		 2598 }
2599 }
2600#endif
2601
7776a36c
MC		 2602 return 1;
2603}
2604
2605MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2606{
2607 int al = SSL_AD_INTERNAL_ERROR;
2608
2609 if (PACKET_remaining(pkt) > 0) {
2610 /* should contain no data */
2611 al = SSL_AD_DECODE_ERROR;
2612 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2613 goto err;
2614 }
2615#ifndef OPENSSL_NO_SRP
2616 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2617 if (SRP_Calc_A_param(s) <= 0) {
2618 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
2619 goto err;
2620 }
2621 }
2622#endif
2623
2624 /*
2625 * Error queue messages are generated directly by this function
2626 */
2627 if (!tls_process_initial_server_flight(s, &al))
2628 goto err;
2629
473483d4
MC		 2630#ifndef OPENSSL_NO_SCTP
2631 /* Only applies to renegotiation */
2632 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
a230b26e 2633 && s->renegotiate != 0)
473483d4
MC		 2634 return MSG_PROCESS_CONTINUE_PROCESSING;
2635 else
2636#endif
2637 return MSG_PROCESS_FINISHED_READING;
7776a36c
MC		 2638
2639 err:
2640 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2641 ossl_statem_set_error(s);
2642 return MSG_PROCESS_ERROR;
0f113f3e 2643}
176f31dd 2644
f1ec23c0 2645static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
0f113f3e 2646{
7689082b 2647#ifndef OPENSSL_NO_PSK
13c0ec4a
MC		 2648 int ret = 0;
2649 /*
2650 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2651 * \0-terminated identity. The last byte is for us for simulating
2652 * strnlen.
2653 */
2654 char identity[PSK_MAX_IDENTITY_LEN + 1];
2655 size_t identitylen = 0;
2656 unsigned char psk[PSK_MAX_PSK_LEN];
2657 unsigned char *tmppsk = NULL;
2658 char *tmpidentity = NULL;
2659 size_t psklen = 0;
2660
2661 if (s->psk_client_callback == NULL) {
05ec6a25 2662 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_CLIENT_CB);
13c0ec4a
MC		 2663 *al = SSL_AD_INTERNAL_ERROR;
2664 goto err;
2665 }
d02b48c6 2666
13c0ec4a 2667 memset(identity, 0, sizeof(identity));
d02b48c6 2668
13c0ec4a
MC		 2669 psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2670 identity, sizeof(identity) - 1,
2671 psk, sizeof(psk));
7689082b 2672
13c0ec4a 2673 if (psklen > PSK_MAX_PSK_LEN) {
05ec6a25 2674 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2675 *al = SSL_AD_HANDSHAKE_FAILURE;
2676 goto err;
2677 } else if (psklen == 0) {
05ec6a25 2678 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
13c0ec4a
MC		 2679 SSL_R_PSK_IDENTITY_NOT_FOUND);
2680 *al = SSL_AD_HANDSHAKE_FAILURE;
2681 goto err;
2682 }
7689082b 2683
13c0ec4a
MC		 2684 identitylen = strlen(identity);
2685 if (identitylen > PSK_MAX_IDENTITY_LEN) {
05ec6a25 2686 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2687 *al = SSL_AD_HANDSHAKE_FAILURE;
2688 goto err;
2689 }
7689082b 2690
13c0ec4a
MC		 2691 tmppsk = OPENSSL_memdup(psk, psklen);
2692 tmpidentity = OPENSSL_strdup(identity);
2693 if (tmppsk == NULL || tmpidentity == NULL) {
05ec6a25 2694 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
13c0ec4a
MC		 2695 *al = SSL_AD_INTERNAL_ERROR;
2696 goto err;
2697 }
7689082b 2698
13c0ec4a
MC		 2699 OPENSSL_free(s->s3->tmp.psk);
2700 s->s3->tmp.psk = tmppsk;
2701 s->s3->tmp.psklen = psklen;
2702 tmppsk = NULL;
2703 OPENSSL_free(s->session->psk_identity);
2704 s->session->psk_identity = tmpidentity;
2705 tmpidentity = NULL;
f1ec23c0 2706
b2b3024e 2707 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) {
f1ec23c0
MC		 2708 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2709 *al = SSL_AD_INTERNAL_ERROR;
2710 goto err;
2711 }
7689082b 2712
13c0ec4a 2713 ret = 1;
0bce0b02 2714
13c0ec4a
MC		 2715 err:
2716 OPENSSL_cleanse(psk, psklen);
2717 OPENSSL_cleanse(identity, sizeof(identity));
2718 OPENSSL_clear_free(tmppsk, psklen);
2719 OPENSSL_clear_free(tmpidentity, identitylen);
d02b48c6 2720
13c0ec4a
MC		 2721 return ret;
2722#else
05ec6a25 2723 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2724 *al = SSL_AD_INTERNAL_ERROR;
2725 return 0;
b9908bf9 2726#endif
13c0ec4a 2727}
b9908bf9 2728
f1ec23c0 2729static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
13c0ec4a 2730{
bc36ee62 2731#ifndef OPENSSL_NO_RSA
f1ec23c0 2732 unsigned char *encdata = NULL;
13c0ec4a
MC		 2733 EVP_PKEY *pkey = NULL;
2734 EVP_PKEY_CTX *pctx = NULL;
2735 size_t enclen;
2736 unsigned char *pms = NULL;
2737 size_t pmslen = 0;
b9908bf9 2738
13c0ec4a
MC		 2739 if (s->session->peer == NULL) {
2740 /*
2741 * We should always have a server certificate with SSL_kRSA.
2742 */
05ec6a25 2743 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2744 return 0;
2745 }
0f113f3e 2746
13c0ec4a
MC		 2747 pkey = X509_get0_pubkey(s->session->peer);
2748 if (EVP_PKEY_get0_RSA(pkey) == NULL) {
05ec6a25 2749 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2750 return 0;
2751 }
0f113f3e 2752
13c0ec4a
MC		 2753 pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2754 pms = OPENSSL_malloc(pmslen);
2755 if (pms == NULL) {
05ec6a25 2756 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE);
13c0ec4a
MC		 2757 *al = SSL_AD_INTERNAL_ERROR;
2758 return 0;
2759 }
0bce0b02 2760
13c0ec4a
MC		 2761 pms[0] = s->client_version >> 8;
2762 pms[1] = s->client_version & 0xff;
348240c6
MC		 2763 /* TODO(size_t): Convert this function */
2764 if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
13c0ec4a
MC		 2765 goto err;
2766 }
0f113f3e 2767
13c0ec4a 2768 /* Fix buf for TLS and beyond */
f1ec23c0
MC		 2769 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
2770 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2771 goto err;
2772 }
13c0ec4a
MC		 2773 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2774 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
2775 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
05ec6a25 2776 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB);
13c0ec4a
MC		 2777 goto err;
2778 }
f1ec23c0
MC		 2779 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2780 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
05ec6a25 2781 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT);
13c0ec4a
MC		 2782 goto err;
2783 }
13c0ec4a
MC		 2784 EVP_PKEY_CTX_free(pctx);
2785 pctx = NULL;
0f113f3e 2786
13c0ec4a 2787 /* Fix buf for TLS and beyond */
f1ec23c0
MC		 2788 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
2789 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2790 goto err;
b9908bf9 2791 }
13c0ec4a
MC		 2792
2793 s->s3->tmp.pms = pms;
2794 s->s3->tmp.pmslen = pmslen;
2795
2faa1b48
CB		 2796 /* Log the premaster secret, if logging is enabled. */
2797 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen))
2798 goto err;
2799
13c0ec4a
MC		 2800 return 1;
2801 err:
2802 OPENSSL_clear_free(pms, pmslen);
2803 EVP_PKEY_CTX_free(pctx);
2804
2805 return 0;
2806#else
05ec6a25 2807 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2808 *al = SSL_AD_INTERNAL_ERROR;
2809 return 0;
f9b3bff6 2810#endif
13c0ec4a
MC		 2811}
2812
f1ec23c0 2813static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, int *al)
a8c1c704
MC		 2814{
2815#ifndef OPENSSL_NO_DH
2816 DH *dh_clnt = NULL;
2817 const BIGNUM *pub_key;
2818 EVP_PKEY *ckey = NULL, *skey = NULL;
f1ec23c0 2819 unsigned char *keybytes = NULL;
a8c1c704
MC		 2820
2821 skey = s->s3->peer_tmp;
f1ec23c0
MC		 2822 if (skey == NULL)
2823 goto err;
2824
0a699a07 2825 ckey = ssl_generate_pkey(skey);
b599ce3b
MC		 2826 if (ckey == NULL)
2827 goto err;
2828
a8c1c704
MC		 2829 dh_clnt = EVP_PKEY_get0_DH(ckey);
2830
0f1e51ea 2831 if (dh_clnt == NULL || ssl_derive(s, ckey, skey, 0) == 0)
f1ec23c0 2832 goto err;
a8c1c704
MC		 2833
2834 /* send off the data */
2835 DH_get0_key(dh_clnt, &pub_key, NULL);
b2b3024e 2836 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), &keybytes))
f1ec23c0
MC		 2837 goto err;
2838
2839 BN_bn2bin(pub_key, keybytes);
a8c1c704
MC		 2840 EVP_PKEY_free(ckey);
2841
2842 return 1;
f1ec23c0
MC		 2843 err:
2844 EVP_PKEY_free(ckey);
2845#endif
05ec6a25 2846 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
a8c1c704
MC		 2847 *al = SSL_AD_INTERNAL_ERROR;
2848 return 0;
a8c1c704
MC		 2849}
2850
f1ec23c0 2851static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al)
67ad5aab
MC		 2852{
2853#ifndef OPENSSL_NO_EC
2854 unsigned char *encodedPoint = NULL;
348240c6 2855 size_t encoded_pt_len = 0;
67ad5aab 2856 EVP_PKEY *ckey = NULL, *skey = NULL;
f1ec23c0 2857 int ret = 0;
67ad5aab
MC		 2858
2859 skey = s->s3->peer_tmp;
ec24630a 2860 if (skey == NULL) {
05ec6a25 2861 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
67ad5aab
MC		 2862 return 0;
2863 }
2864
0a699a07 2865 ckey = ssl_generate_pkey(skey);
b599ce3b
MC		 2866 if (ckey == NULL) {
2867 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE);
2868 goto err;
2869 }
67ad5aab 2870
0f1e51ea 2871 if (ssl_derive(s, ckey, skey, 0) == 0) {
05ec6a25 2872 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);
67ad5aab
MC		 2873 goto err;
2874 }
2875
2876 /* Generate encoding of client key */
ec24630a 2877 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
67ad5aab
MC		 2878
2879 if (encoded_pt_len == 0) {
05ec6a25 2880 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EC_LIB);
67ad5aab
MC		 2881 goto err;
2882 }
2883
b2b3024e 2884 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
f1ec23c0
MC		 2885 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2886 goto err;
2887 }
67ad5aab 2888
f1ec23c0 2889 ret = 1;
67ad5aab 2890 err:
f1ec23c0 2891 OPENSSL_free(encodedPoint);
67ad5aab 2892 EVP_PKEY_free(ckey);
f1ec23c0 2893 return ret;
67ad5aab 2894#else
05ec6a25 2895 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
67ad5aab
MC		 2896 *al = SSL_AD_INTERNAL_ERROR;
2897 return 0;
2898#endif
2899}
2900
f1ec23c0 2901static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
e00e0b3d
MC		 2902{
2903#ifndef OPENSSL_NO_GOST
2904 /* GOST key exchange message creation */
2905 EVP_PKEY_CTX *pkey_ctx = NULL;
2906 X509 *peer_cert;
2907 size_t msglen;
2908 unsigned int md_len;
2909 unsigned char shared_ukm[32], tmp[256];
2910 EVP_MD_CTX *ukm_hash = NULL;
2911 int dgst_nid = NID_id_GostR3411_94;
2912 unsigned char *pms = NULL;
2913 size_t pmslen = 0;
2914
2915 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
2916 dgst_nid = NID_id_GostR3411_2012_256;
2917
2918 /*
2919 * Get server sertificate PKEY and create ctx from it
2920 */
2921 peer_cert = s->session->peer;
2922 if (!peer_cert) {
2923 *al = SSL_AD_HANDSHAKE_FAILURE;
05ec6a25 2924 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST,
e00e0b3d
MC		 2925 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2926 return 0;
2927 }
2928
2929 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
2930 if (pkey_ctx == NULL) {
2931 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2932 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
e00e0b3d
MC		 2933 return 0;
2934 }
2935 /*
2936 * If we have send a certificate, and certificate key
2937 * parameters match those of server certificate, use
2938 * certificate key for key exchange
2939 */
2940
2941 /* Otherwise, generate ephemeral key pair */
2942 pmslen = 32;
2943 pms = OPENSSL_malloc(pmslen);
2944 if (pms == NULL) {
2945 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2946 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
2f3930bc 2947 goto err;
e00e0b3d
MC		 2948 }
2949
2950 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
348240c6
MC		 2951 /* Generate session key
2952 * TODO(size_t): Convert this function
2953 */
2954 || RAND_bytes(pms, (int)pmslen) <= 0) {
e00e0b3d 2955 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2956 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 2957 goto err;
2958 };
e00e0b3d
MC		 2959 /*
2960 * Compute shared IV and store it in algorithm-specific context
2961 * data
2962 */
2963 ukm_hash = EVP_MD_CTX_new();
2964 if (ukm_hash == NULL
a230b26e
EK		 2965 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
2966 || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
2967 SSL3_RANDOM_SIZE) <= 0
2968 || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
2969 SSL3_RANDOM_SIZE) <= 0
2970 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
e00e0b3d 2971 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2972 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 2973 goto err;
2974 }
2975 EVP_MD_CTX_free(ukm_hash);
2976 ukm_hash = NULL;
2977 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2978 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2979 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2980 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
e00e0b3d
MC		 2981 goto err;
2982 }
2983 /* Make GOST keytransport blob message */
2984 /*
2985 * Encapsulate it into sequence
2986 */
e00e0b3d
MC		 2987 msglen = 255;
2988 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
2989 *al = SSL_AD_INTERNAL_ERROR;
05ec6a25 2990 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
e00e0b3d
MC		 2991 goto err;
2992 }
f1ec23c0 2993
08029dfa
MC		 2994 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
2995 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
b2b3024e 2996 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
f1ec23c0
MC		 2997 *al = SSL_AD_INTERNAL_ERROR;
2998 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
2999 goto err;
e00e0b3d 3000 }
f1ec23c0 3001
e00e0b3d
MC		 3002 EVP_PKEY_CTX_free(pkey_ctx);
3003 s->s3->tmp.pms = pms;
3004 s->s3->tmp.pmslen = pmslen;
3005
3006 return 1;
3007 err:
3008 EVP_PKEY_CTX_free(pkey_ctx);
3009 OPENSSL_clear_free(pms, pmslen);
3010 EVP_MD_CTX_free(ukm_hash);
3011 return 0;
3012#else
05ec6a25 3013 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 3014 *al = SSL_AD_INTERNAL_ERROR;
3015 return 0;
3016#endif
3017}
3018
f1ec23c0 3019static int tls_construct_cke_srp(SSL *s, WPACKET *pkt, int *al)
840a2bf8 3020{
8b9546c7 3021#ifndef OPENSSL_NO_SRP
f1ec23c0
MC		 3022 unsigned char *abytes = NULL;
3023
3024 if (s->srp_ctx.A == NULL
b2b3024e
MC		 3025 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
3026 &abytes)) {
05ec6a25 3027 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
840a2bf8
MC		 3028 return 0;
3029 }
f1ec23c0
MC		 3030 BN_bn2bin(s->srp_ctx.A, abytes);
3031
840a2bf8
MC		 3032 OPENSSL_free(s->session->srp_username);
3033 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3034 if (s->session->srp_username == NULL) {
05ec6a25 3035 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_MALLOC_FAILURE);
840a2bf8
MC		 3036 return 0;
3037 }
3038
3039 return 1;
3040#else
05ec6a25 3041 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
840a2bf8
MC		 3042 *al = SSL_AD_INTERNAL_ERROR;
3043 return 0;
3044#endif
3045}
3046
7cea05dc 3047int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
13c0ec4a 3048{
13c0ec4a
MC		 3049 unsigned long alg_k;
3050 int al = -1;
3051
f1ec23c0 3052 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
13c0ec4a 3053
13c0ec4a 3054 if ((alg_k & SSL_PSK)
7cea05dc 3055 && !tls_construct_cke_psk_preamble(s, pkt, &al))
13c0ec4a
MC		 3056 goto err;
3057
f1ec23c0 3058 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
7cea05dc 3059 if (!tls_construct_cke_rsa(s, pkt, &al))
13c0ec4a 3060 goto err;
a8c1c704 3061 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
7cea05dc 3062 if (!tls_construct_cke_dhe(s, pkt, &al))
b9908bf9 3063 goto err;
67ad5aab 3064 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
7cea05dc 3065 if (!tls_construct_cke_ecdhe(s, pkt, &al))
ce0c1f2b 3066 goto err;
e00e0b3d 3067 } else if (alg_k & SSL_kGOST) {
7cea05dc 3068 if (!tls_construct_cke_gost(s, pkt, &al))
a71edf3b 3069 goto err;
840a2bf8 3070 } else if (alg_k & SSL_kSRP) {
7cea05dc 3071 if (!tls_construct_cke_srp(s, pkt, &al))
69f68237 3072 goto err;
4a424545 3073 } else if (!(alg_k & SSL_kPSK)) {
b9908bf9
MC		 3074 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3075 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
3076 goto err;
3077 }
3078
b9908bf9 3079 return 1;
0f113f3e 3080 err:
13c0ec4a
MC		 3081 if (al != -1)
3082 ssl3_send_alert(s, SSL3_AL_FATAL, al);
0bce0b02 3083 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
76106e60 3084 s->s3->tmp.pms = NULL;
7689082b
DSH		 3085#ifndef OPENSSL_NO_PSK
3086 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
3087 s->s3->tmp.psk = NULL;
0f113f3e 3088#endif
b9908bf9
MC		 3089 return 0;
3090}
3091
3092int tls_client_key_exchange_post_work(SSL *s)
3093{
3094 unsigned char *pms = NULL;
3095 size_t pmslen = 0;
3096
6f137370
MC		 3097 pms = s->s3->tmp.pms;
3098 pmslen = s->s3->tmp.pmslen;
3099
b9908bf9
MC		 3100#ifndef OPENSSL_NO_SRP
3101 /* Check for SRP */
3102 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
3103 if (!srp_generate_client_master_secret(s)) {
3104 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
3105 ERR_R_INTERNAL_ERROR);
3106 goto err;
3107 }
3108 return 1;
3109 }
3110#endif
b9908bf9
MC		 3111
3112 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
3113 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3114 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
3115 goto err;
3116 }
3117 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3118 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3119 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR);
6f137370
MC		 3120 /* ssl_generate_master_secret frees the pms even on error */
3121 pms = NULL;
3122 pmslen = 0;
b9908bf9
MC		 3123 goto err;
3124 }
6f137370
MC		 3125 pms = NULL;
3126 pmslen = 0;
473483d4
MC		 3127
3128#ifndef OPENSSL_NO_SCTP
3129 if (SSL_IS_DTLS(s)) {
3130 unsigned char sctpauthkey[64];
3131 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3132
3133 /*
3134 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3135 * used.
3136 */
141eb8c6
MC		 3137 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3138 sizeof(DTLS1_SCTP_AUTH_LABEL));
473483d4
MC		 3139
3140 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e
EK		 3141 sizeof(sctpauthkey), labelbuffer,
3142 sizeof(labelbuffer), NULL, 0, 0) <= 0)
473483d4
MC		 3143 goto err;
3144
3145 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3146 sizeof(sctpauthkey), sctpauthkey);
3147 }
3148#endif
3149
b9908bf9
MC		 3150 return 1;
3151 err:
3152 OPENSSL_clear_free(pms, pmslen);
3153 s->s3->tmp.pms = NULL;
3154 return 0;
0f113f3e 3155}
d02b48c6 3156
0f113f3e
MC		 3157/*
3158 * Check a certificate can be used for client authentication. Currently check
3159 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3160 * certificates can be used and optionally checks suitability for Suite B.
0d609395
DSH		 3161 */
3162static int ssl3_check_client_certificate(SSL *s)
0f113f3e 3163{
0f113f3e 3164 /* If no suitable signature algorithm can't use certificate */
ad4dd362 3165 if (!tls_choose_sigalg(s, NULL) || s->s3->tmp.sigalg == NULL)
0f113f3e
MC		 3166 return 0;
3167 /*
3168 * If strict mode check suitability of chain before using it. This also
3169 * adjusts suite B digest if necessary.
3170 */
3171 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3172 !tls1_check_chain(s, NULL, NULL, NULL, -2))
3173 return 0;
0f113f3e
MC		 3174 return 1;
3175}
0d609395 3176
be3583fa 3177WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
0f113f3e
MC		 3178{
3179 X509 *x509 = NULL;
3180 EVP_PKEY *pkey = NULL;
3181 int i;
3182
b9908bf9 3183 if (wst == WORK_MORE_A) {
0f113f3e
MC		 3184 /* Let cert callback update client certificates if required */
3185 if (s->cert->cert_cb) {
3186 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3187 if (i < 0) {
3188 s->rwstate = SSL_X509_LOOKUP;
b9908bf9 3189 return WORK_MORE_A;
0f113f3e
MC		 3190 }
3191 if (i == 0) {
3192 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
fe3a3291 3193 ossl_statem_set_error(s);
0f113f3e
MC		 3194 return 0;
3195 }
3196 s->rwstate = SSL_NOTHING;
3197 }
3198 if (ssl3_check_client_certificate(s))
b9908bf9
MC		 3199 return WORK_FINISHED_CONTINUE;
3200
3201 /* Fall through to WORK_MORE_B */
3202 wst = WORK_MORE_B;
0f113f3e
MC		 3203 }
3204
3205 /* We need to get a client cert */
b9908bf9 3206 if (wst == WORK_MORE_B) {
0f113f3e
MC		 3207 /*
3208 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3209 * return(-1); We then get retied later
3210 */
0f113f3e
MC		 3211 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3212 if (i < 0) {
3213 s->rwstate = SSL_X509_LOOKUP;
b9908bf9 3214 return WORK_MORE_B;
0f113f3e
MC		 3215 }
3216 s->rwstate = SSL_NOTHING;
3217 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
0f113f3e
MC		 3218 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3219 i = 0;
3220 } else if (i == 1) {
3221 i = 0;
b9908bf9 3222 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
0f113f3e
MC		 3223 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3224 }
3225
222561fe 3226 X509_free(x509);
25aaa98a 3227 EVP_PKEY_free(pkey);
0f113f3e
MC		 3228 if (i && !ssl3_check_client_certificate(s))
3229 i = 0;
3230 if (i == 0) {
3231 if (s->version == SSL3_VERSION) {
3232 s->s3->tmp.cert_req = 0;
3233 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
b9908bf9 3234 return WORK_FINISHED_CONTINUE;
0f113f3e
MC		 3235 } else {
3236 s->s3->tmp.cert_req = 2;
124037fd 3237 if (!ssl3_digest_cached_records(s, 0)) {
dab18ab5 3238 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
fe3a3291 3239 ossl_statem_set_error(s);
dab18ab5
DSH		 3240 return 0;
3241 }
0f113f3e
MC		 3242 }
3243 }
3244
b9908bf9 3245 return WORK_FINISHED_CONTINUE;
0f113f3e
MC		 3246 }
3247
b9908bf9
MC		 3248 /* Shouldn't ever get here */
3249 return WORK_ERROR;
3250}
3251
7cea05dc 3252int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
b9908bf9 3253{
0baed5e9 3254 int al = SSL_AD_INTERNAL_ERROR;
e96e0f8e
MC		 3255
3256 /*
3257 * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in
3258 * later
3259 */
3260 if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
3261 || !ssl3_output_cert_chain(s, pkt,
b90506e9 3262 (s->s3->tmp.cert_req == 2) ? NULL
e96e0f8e
MC		 3263 : s->cert->key,
3264 &al)) {
b9908bf9 3265 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
e96e0f8e 3266 ssl3_send_alert(s, SSL3_AL_FATAL, al);
b9908bf9 3267 return 0;
0f113f3e 3268 }
b9908bf9
MC		 3269
3270 return 1;
0f113f3e
MC		 3271}
3272
3273#define has_bits(i,m) (((i)&(m)) == (m))
d02b48c6 3274
36d16f8e 3275int ssl3_check_cert_and_algorithm(SSL *s)
0f113f3e 3276{
60f43e9e
RL		 3277 int i;
3278#ifndef OPENSSL_NO_EC
3279 int idx;
3280#endif
0f113f3e
MC		 3281 long alg_k, alg_a;
3282 EVP_PKEY *pkey = NULL;
26c79d56 3283 int al = SSL_AD_HANDSHAKE_FAILURE;
d02b48c6 3284
0f113f3e
MC		 3285 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3286 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
d02b48c6 3287
0f113f3e 3288 /* we don't have a certificate */
55a9a16f 3289 if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
0f113f3e 3290 return (1);
d02b48c6 3291
0f113f3e 3292 /* This is the passed certificate */
d02b48c6 3293
10bf4fc2 3294#ifndef OPENSSL_NO_EC
60f43e9e 3295 idx = s->session->peer_type;
0f113f3e 3296 if (idx == SSL_PKEY_ECC) {
a273c6ee 3297 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
0f113f3e
MC		 3298 /* check failed */
3299 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3300 goto f_err;
3301 } else {
3302 return 1;
3303 }
3304 } else if (alg_a & SSL_aECDSA) {
3305 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3306 SSL_R_MISSING_ECDSA_SIGNING_CERT);
3307 goto f_err;
0f113f3e
MC		 3308 }
3309#endif
8382fd3a 3310 pkey = X509_get0_pubkey(s->session->peer);
a273c6ee 3311 i = X509_certificate_type(s->session->peer, pkey);
0f113f3e
MC		 3312
3313 /* Check that we have a certificate if we require one */
3314 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
3315 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3316 SSL_R_MISSING_RSA_SIGNING_CERT);
3317 goto f_err;
3318 }
bc36ee62 3319#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 3320 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) {
3321 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3322 SSL_R_MISSING_DSA_SIGNING_CERT);
3323 goto f_err;
3324 }
d02b48c6 3325#endif
bc36ee62 3326#ifndef OPENSSL_NO_RSA
361a1191
KR		 3327 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
3328 !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
3329 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3330 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3331 goto f_err;
0f113f3e 3332 }
79df9d62 3333#endif
bc36ee62 3334#ifndef OPENSSL_NO_DH
fb79abe3 3335 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
26c79d56
KR		 3336 al = SSL_AD_INTERNAL_ERROR;
3337 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
0f113f3e 3338 goto f_err;
0f113f3e 3339 }
d02b48c6
RE		 3340#endif
3341
0f113f3e
MC		 3342 return (1);
3343 f_err:
26c79d56 3344 ssl3_send_alert(s, SSL3_AL_FATAL, al);
0f113f3e
MC		 3345 return (0);
3346}
3347
e481f9b9 3348#ifndef OPENSSL_NO_NEXTPROTONEG
7cea05dc 3349int tls_construct_next_proto(SSL *s, WPACKET *pkt)
b9908bf9 3350{
15e6be6c
MC		 3351 size_t len, padding_len;
3352 unsigned char *padding = NULL;
15e6be6c 3353
aff8c126 3354 len = s->ext.npn_len;
b9908bf9 3355 padding_len = 32 - ((len + 2) % 32);
15e6be6c 3356
aff8c126 3357 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
7cea05dc 3358 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
15e6be6c
MC		 3359 SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
3360 goto err;
3361 }
3362
3363 memset(padding, 0, padding_len);
3364
b9908bf9 3365 return 1;
15e6be6c 3366 err:
15e6be6c
MC		 3367 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3368 return 0;
b9908bf9 3369}
6434abbf 3370#endif
368888bc 3371
c7f47786
MC		 3372MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
3373{
3374 if (PACKET_remaining(pkt) > 0) {
3375 /* should contain no data */
3376 SSLerr(SSL_F_TLS_PROCESS_HELLO_REQ, SSL_R_LENGTH_MISMATCH);
3377 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
3378 ossl_statem_set_error(s);
3379 return MSG_PROCESS_ERROR;
3380 }
3381
3382 /*
1f04f23e
MC		 3383 * This is a historical discrepancy (not in the RFC) maintained for
3384 * compatibility reasons. If a TLS client receives a HelloRequest it will
3385 * attempt an abbreviated handshake. However if a DTLS client receives a
3386 * HelloRequest it will do a full handshake. Either behaviour is reasonable
3387 * but doing one for TLS and another for DTLS is odd.
c7f47786
MC		 3388 */
3389 if (SSL_IS_DTLS(s))
3390 SSL_renegotiate(s);
3391 else
3392 SSL_renegotiate_abbreviated(s);
3393
3394 return MSG_PROCESS_FINISHED_READING;
3395}
3396
e46f2334
MC		 3397static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3398{
3399 int al = SSL_AD_INTERNAL_ERROR;
3400 PACKET extensions;
3434f40b 3401 RAW_EXTENSION *rawexts = NULL;
e46f2334 3402
e46f2334
MC		 3403 if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
3404 al = SSL_AD_DECODE_ERROR;
3405 SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
3406 goto err;
3407 }
3408
e96e0f8e 3409 if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
fc5ece2e 3410 &rawexts, &al, NULL)
e96e0f8e 3411 || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
f97d4c37 3412 rawexts, NULL, 0, &al))
3434f40b
MC		 3413 goto err;
3414
1b0286a3 3415 OPENSSL_free(rawexts);
e46f2334
MC		 3416 return MSG_PROCESS_CONTINUE_READING;
3417
3418 err:
3419 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3420 ossl_statem_set_error(s);
1b0286a3 3421 OPENSSL_free(rawexts);
e46f2334
MC		 3422 return MSG_PROCESS_ERROR;
3423}
3424
368888bc 3425int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
0f113f3e
MC		 3426{
3427 int i = 0;
368888bc 3428#ifndef OPENSSL_NO_ENGINE
0f113f3e
MC		 3429 if (s->ctx->client_cert_engine) {
3430 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3431 SSL_get_client_CA_list(s),
3432 px509, ppkey, NULL, NULL, NULL);
3433 if (i != 0)
3434 return i;
3435 }
3436#endif
3437 if (s->ctx->client_cert_cb)
3438 i = s->ctx->client_cert_cb(s, px509, ppkey);
3439 return i;
3440}
d45ba43d 3441
ae2f7b37 3442int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
d45ba43d 3443{
2c7b4dbc
MC		 3444 int i;
3445 size_t totlen = 0, len, maxlen;
d45ba43d
MC		 3446 int empty_reneg_info_scsv = !s->renegotiate;
3447 /* Set disabled masks for this session */
3448 ssl_set_client_disabled(s);
3449
3450 if (sk == NULL)
3451 return (0);
d45ba43d 3452
2c7b4dbc
MC		 3453#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3454# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3455# error Max cipher length too short
3456# endif
3457 /*
3458 * Some servers hang if client hello > 256 bytes as hack workaround
3459 * chop number of supported ciphers to keep it well below this if we
3460 * use TLS v1.2
3461 */
3462 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3463 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3464 else
3465#endif
3466 /* Maximum length that can be stored in 2 bytes. Length must be even */
3467 maxlen = 0xfffe;
3468
3469 if (empty_reneg_info_scsv)
3470 maxlen -= 2;
3471 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
3472 maxlen -= 2;
3473
3474 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
3475 const SSL_CIPHER *c;
3476
d45ba43d
MC		 3477 c = sk_SSL_CIPHER_value(sk, i);
3478 /* Skip disabled ciphers */
3479 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
3480 continue;
2c7b4dbc
MC		 3481
3482 if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3483 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3484 return 0;
3485 }
3486
3487 totlen += len;
d45ba43d 3488 }
2c7b4dbc
MC		 3489
3490 if (totlen == 0) {
3491 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
3492 return 0;
3493 }
3494
3495 if (totlen != 0) {
d45ba43d
MC		 3496 if (empty_reneg_info_scsv) {
3497 static SSL_CIPHER scsv = {
3498 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3499 };
2c7b4dbc
MC		 3500 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3501 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3502 return 0;
3503 }
d45ba43d
MC		 3504 }
3505 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
3506 static SSL_CIPHER scsv = {
3507 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3508 };
2c7b4dbc
MC		 3509 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3510 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3511 return 0;
3512 }
d45ba43d
MC		 3513 }
3514 }
3515
2c7b4dbc 3516 return 1;
d45ba43d 3517}
A mirror of the official openssl repository