]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update documentation for SSL_set1_sigalgs()
[thirdparty/openssl.git] / ssl / statem / statem_clnt.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
c80149d9 4 * Copyright 2005 Nokia. All rights reserved.
8c74b5e5 5 *
846e33c7
RS		 6 * Licensed under the OpenSSL license (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
8c74b5e5 10 */
846e33c7 11
d02b48c6 12#include <stdio.h>
fc24f0bf 13#include <time.h>
8ba708e5 14#include "../ssl_locl.h"
61ae935a 15#include "statem_locl.h"
ec577822
BM		 16#include <openssl/buffer.h>
17#include <openssl/rand.h>
18#include <openssl/objects.h>
19#include <openssl/evp.h>
dbad1690 20#include <openssl/md5.h>
3c27208f 21#include <openssl/dh.h>
d095b68d 22#include <openssl/bn.h>
3c27208f 23#include <openssl/engine.h>
f9b3bff6 24
597c51bc 25static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
e46f2334
MC		 26static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
27
7ab09630 28static ossl_inline int cert_req_allowed(SSL *s);
a455d0f6 29static int key_exchange_expected(SSL *s);
d45ba43d 30static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
ae2f7b37 31 WPACKET *pkt);
ea262260 32
61ae935a
MC		 33/*
34 * Is a CertificateRequest message allowed at the moment or not?
35 *
36 * Return values are:
37 * 1: Yes
38 * 0: No
39 */
7ab09630 40static ossl_inline int cert_req_allowed(SSL *s)
61ae935a
MC		 41{
42 /* TLS does not like anon-DH with client cert */
b7fa1f98 43 if ((s->version > SSL3_VERSION
a230b26e
EK		 44 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
45 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
61ae935a
MC		 46 return 0;
47
48 return 1;
49}
50
51/*
a455d0f6 52 * Should we expect the ServerKeyExchange message or not?
61ae935a
MC		 53 *
54 * Return values are:
55 * 1: Yes
56 * 0: No
57 */
a455d0f6 58static int key_exchange_expected(SSL *s)
61ae935a
MC		 59{
60 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
61
62 /*
63 * Can't skip server key exchange if this is an ephemeral
a455d0f6 64 * ciphersuite or for SRP
61ae935a 65 */
a455d0f6
MC		 66 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
67 | SSL_kSRP)) {
68 return 1;
61ae935a
MC		 69 }
70
a455d0f6 71 return 0;
61ae935a
MC		 72}
73
0f1e51ea
MC		 74/*
75 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
76 * handshake state transitions when a TLS1.3 client is reading messages from the
77 * server. The message type that the server has sent is provided in |mt|. The
78 * current state is in |s->statem.hand_state|.
79 *
94ed2c67
MC		 80 * Return values are 1 for success (transition allowed) and 0 on error
81 * (transition not allowed)
0f1e51ea
MC		 82 */
83static int ossl_statem_client13_read_transition(SSL *s, int mt)
84{
85 OSSL_STATEM *st = &s->statem;
86
87 /*
88 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
89 * yet negotiated TLSv1.3 at that point so that is handled by
90 * ossl_statem_client_read_transition()
91 */
92
93 switch (st->hand_state) {
94 default:
95 break;
96
3847d426
MC		 97 case TLS_ST_CW_CLNT_HELLO:
98 /*
99 * This must a ClientHello following a HelloRetryRequest, so the only
100 * thing we can get now is a ServerHello.
101 */
102 if (mt == SSL3_MT_SERVER_HELLO) {
103 st->hand_state = TLS_ST_CR_SRVR_HELLO;
104 return 1;
105 }
106 break;
107
0f1e51ea 108 case TLS_ST_CR_SRVR_HELLO:
e46f2334
MC		 109 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
110 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
111 return 1;
112 }
113 break;
114
115 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
0f1e51ea 116 if (s->hit) {
92760c21
MC		 117 if (mt == SSL3_MT_FINISHED) {
118 st->hand_state = TLS_ST_CR_FINISHED;
0f1e51ea
MC		 119 return 1;
120 }
121 } else {
92760c21
MC		 122 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
123 st->hand_state = TLS_ST_CR_CERT_REQ;
124 return 1;
f5ca0b04
MC		 125 }
126 if (mt == SSL3_MT_CERTIFICATE) {
0f1e51ea
MC		 127 st->hand_state = TLS_ST_CR_CERT;
128 return 1;
129 }
130 }
131 break;
132
92760c21
MC		 133 case TLS_ST_CR_CERT_REQ:
134 if (mt == SSL3_MT_CERTIFICATE) {
135 st->hand_state = TLS_ST_CR_CERT;
136 return 1;
137 }
138 break;
139
0f1e51ea 140 case TLS_ST_CR_CERT:
2c5dfdc3
MC		 141 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
142 st->hand_state = TLS_ST_CR_CERT_VRFY;
143 return 1;
144 }
145 break;
146
147 case TLS_ST_CR_CERT_VRFY:
0f1e51ea
MC		 148 if (mt == SSL3_MT_FINISHED) {
149 st->hand_state = TLS_ST_CR_FINISHED;
150 return 1;
151 }
152 break;
cc2455bf
MC		 153
154 case TLS_ST_OK:
155 if (mt == SSL3_MT_NEWSESSION_TICKET) {
156 st->hand_state = TLS_ST_CR_SESSION_TICKET;
157 return 1;
158 }
e1c3de44
MC		 159 if (mt == SSL3_MT_KEY_UPDATE) {
160 st->hand_state = TLS_ST_CR_KEY_UPDATE;
161 return 1;
162 }
cc2455bf 163 break;
0f1e51ea
MC		 164 }
165
0f1e51ea 166 /* No valid transition found */
0f1e51ea
MC		 167 return 0;
168}
169
61ae935a 170/*
8481f583
MC		 171 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
172 * handshake state transitions when the client is reading messages from the
173 * server. The message type that the server has sent is provided in |mt|. The
174 * current state is in |s->statem.hand_state|.
61ae935a 175 *
94ed2c67
MC		 176 * Return values are 1 for success (transition allowed) and 0 on error
177 * (transition not allowed)
61ae935a 178 */
8481f583 179int ossl_statem_client_read_transition(SSL *s, int mt)
61ae935a 180{
d6f1a6e9 181 OSSL_STATEM *st = &s->statem;
a455d0f6 182 int ske_expected;
61ae935a 183
0f1e51ea 184 /*
3847d426
MC		 185 * Note that after writing the first ClientHello we don't know what version
186 * we are going to negotiate yet, so we don't take this branch until later.
0f1e51ea 187 */
f5ca0b04 188 if (SSL_IS_TLS13(s)) {
5abeaf35
MC		 189 if (!ossl_statem_client13_read_transition(s, mt))
190 goto err;
191 return 1;
192 }
0f1e51ea 193
a230b26e 194 switch (st->hand_state) {
f3b3d7f0
RS		 195 default:
196 break;
197
61ae935a
MC		 198 case TLS_ST_CW_CLNT_HELLO:
199 if (mt == SSL3_MT_SERVER_HELLO) {
200 st->hand_state = TLS_ST_CR_SRVR_HELLO;
201 return 1;
202 }
203
204 if (SSL_IS_DTLS(s)) {
205 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
206 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
207 return 1;
208 }
209 }
210 break;
211
d7f8783f 212 case TLS_ST_EARLY_DATA:
4004ce5f
MC		 213 /*
214 * We've not actually selected TLSv1.3 yet, but we have sent early
215 * data. The only thing allowed now is a ServerHello or a
216 * HelloRetryRequest.
217 */
218 if (mt == SSL3_MT_SERVER_HELLO) {
219 st->hand_state = TLS_ST_CR_SRVR_HELLO;
220 return 1;
221 }
4004ce5f
MC		 222 break;
223
61ae935a
MC		 224 case TLS_ST_CR_SRVR_HELLO:
225 if (s->hit) {
aff8c126 226 if (s->ext.ticket_expected) {
61ae935a
MC		 227 if (mt == SSL3_MT_NEWSESSION_TICKET) {
228 st->hand_state = TLS_ST_CR_SESSION_TICKET;
229 return 1;
230 }
231 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
232 st->hand_state = TLS_ST_CR_CHANGE;
233 return 1;
234 }
235 } else {
236 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
237 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
238 return 1;
ad3819c2 239 } else if (s->version >= TLS1_VERSION
aff8c126
RS		 240 && s->ext.session_secret_cb != NULL
241 && s->session->ext.tick != NULL
a230b26e 242 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
ad3819c2
MC		 243 /*
244 * Normally, we can tell if the server is resuming the session
245 * from the session ID. EAP-FAST (RFC 4851), however, relies on
246 * the next server message after the ServerHello to determine if
247 * the server is resuming.
248 */
249 s->hit = 1;
250 st->hand_state = TLS_ST_CR_CHANGE;
251 return 1;
61ae935a 252 } else if (!(s->s3->tmp.new_cipher->algorithm_auth
a230b26e 253 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
61ae935a
MC		 254 if (mt == SSL3_MT_CERTIFICATE) {
255 st->hand_state = TLS_ST_CR_CERT;
256 return 1;
257 }
258 } else {
a455d0f6 259 ske_expected = key_exchange_expected(s);
a455d0f6
MC		 260 /* SKE is optional for some PSK ciphersuites */
261 if (ske_expected
a230b26e
EK		 262 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
263 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
a455d0f6
MC		 264 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
265 st->hand_state = TLS_ST_CR_KEY_EXCH;
266 return 1;
267 }
268 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
a230b26e
EK		 269 && cert_req_allowed(s)) {
270 st->hand_state = TLS_ST_CR_CERT_REQ;
271 return 1;
a455d0f6 272 } else if (mt == SSL3_MT_SERVER_DONE) {
a230b26e
EK		 273 st->hand_state = TLS_ST_CR_SRVR_DONE;
274 return 1;
61ae935a
MC		 275 }
276 }
277 }
278 break;
279
280 case TLS_ST_CR_CERT:
bb1aaab4
MC		 281 /*
282 * The CertificateStatus message is optional even if
aff8c126 283 * |ext.status_expected| is set
bb1aaab4 284 */
aff8c126 285 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
bb1aaab4
MC		 286 st->hand_state = TLS_ST_CR_CERT_STATUS;
287 return 1;
a455d0f6
MC		 288 }
289 /* Fall through */
290
291 case TLS_ST_CR_CERT_STATUS:
292 ske_expected = key_exchange_expected(s);
a455d0f6 293 /* SKE is optional for some PSK ciphersuites */
a230b26e
EK		 294 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
295 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
61ae935a
MC		 296 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
297 st->hand_state = TLS_ST_CR_KEY_EXCH;
298 return 1;
61ae935a 299 }
672f3337 300 goto err;
61ae935a 301 }
a455d0f6 302 /* Fall through */
61ae935a 303
a455d0f6
MC		 304 case TLS_ST_CR_KEY_EXCH:
305 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
306 if (cert_req_allowed(s)) {
61ae935a
MC		 307 st->hand_state = TLS_ST_CR_CERT_REQ;
308 return 1;
61ae935a 309 }
672f3337 310 goto err;
61ae935a 311 }
a455d0f6 312 /* Fall through */
61ae935a
MC		 313
314 case TLS_ST_CR_CERT_REQ:
315 if (mt == SSL3_MT_SERVER_DONE) {
316 st->hand_state = TLS_ST_CR_SRVR_DONE;
317 return 1;
318 }
319 break;
320
321 case TLS_ST_CW_FINISHED:
aff8c126 322 if (s->ext.ticket_expected) {
c45d6b2b
DB		 323 if (mt == SSL3_MT_NEWSESSION_TICKET) {
324 st->hand_state = TLS_ST_CR_SESSION_TICKET;
325 return 1;
326 }
61ae935a
MC		 327 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
328 st->hand_state = TLS_ST_CR_CHANGE;
329 return 1;
330 }
331 break;
332
333 case TLS_ST_CR_SESSION_TICKET:
334 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
335 st->hand_state = TLS_ST_CR_CHANGE;
336 return 1;
337 }
338 break;
339
340 case TLS_ST_CR_CHANGE:
341 if (mt == SSL3_MT_FINISHED) {
342 st->hand_state = TLS_ST_CR_FINISHED;
343 return 1;
344 }
345 break;
c7f47786
MC		 346
347 case TLS_ST_OK:
4004ce5f 348 if (mt == SSL3_MT_HELLO_REQUEST) {
c7f47786
MC		 349 st->hand_state = TLS_ST_CR_HELLO_REQ;
350 return 1;
351 }
352 break;
61ae935a
MC		 353 }
354
672f3337 355 err:
61ae935a 356 /* No valid transition found */
f63a17d6
MC		 357 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
358 SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION,
359 SSL_R_UNEXPECTED_MESSAGE);
61ae935a
MC		 360 return 0;
361}
362
363/*
0f1e51ea
MC		 364 * ossl_statem_client13_write_transition() works out what handshake state to
365 * move to next when the TLSv1.3 client is writing messages to be sent to the
366 * server.
0f1e51ea
MC		 367 */
368static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
369{
370 OSSL_STATEM *st = &s->statem;
371
372 /*
3847d426
MC		 373 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
374 * TLSv1.3 yet at that point. They are handled by
375 * ossl_statem_client_write_transition().
0f1e51ea
MC		 376 */
377 switch (st->hand_state) {
378 default:
379 /* Shouldn't happen */
a2c2e000
MC		 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
381 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION,
382 ERR_R_INTERNAL_ERROR);
0f1e51ea
MC		 383 return WRITE_TRAN_ERROR;
384
92760c21 385 case TLS_ST_CR_FINISHED:
ef6c191b
MC		 386 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
387 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
d7f8783f 388 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
4d02f870 389 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
fc7129dc 390 && s->hello_retry_request == SSL_HRR_NONE)
4d02f870 391 st->hand_state = TLS_ST_CW_CHANGE;
564547e4
MC		 392 else
393 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
394 : TLS_ST_CW_FINISHED;
395 return WRITE_TRAN_CONTINUE;
396
d7f8783f 397 case TLS_ST_PENDING_EARLY_DATA_END:
ef6c191b
MC		 398 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
399 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
400 return WRITE_TRAN_CONTINUE;
401 }
402 /* Fall through */
403
404 case TLS_ST_CW_END_OF_EARLY_DATA:
4d02f870 405 case TLS_ST_CW_CHANGE:
94ed2c67 406 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
92760c21 407 : TLS_ST_CW_FINISHED;
0f1e51ea
MC		 408 return WRITE_TRAN_CONTINUE;
409
410 case TLS_ST_CW_CERT:
411 /* If a non-empty Certificate we also send CertificateVerify */
94ed2c67 412 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
92760c21 413 : TLS_ST_CW_FINISHED;
0f1e51ea
MC		 414 return WRITE_TRAN_CONTINUE;
415
416 case TLS_ST_CW_CERT_VRFY:
0f1e51ea
MC		 417 st->hand_state = TLS_ST_CW_FINISHED;
418 return WRITE_TRAN_CONTINUE;
419
e1c3de44 420 case TLS_ST_CR_KEY_UPDATE:
5bf47933
MC		 421 if (s->key_update != SSL_KEY_UPDATE_NONE) {
422 st->hand_state = TLS_ST_CW_KEY_UPDATE;
423 return WRITE_TRAN_CONTINUE;
424 }
425 /* Fall through */
426
9412b3ad 427 case TLS_ST_CW_KEY_UPDATE:
cc2455bf 428 case TLS_ST_CR_SESSION_TICKET:
0f1e51ea 429 case TLS_ST_CW_FINISHED:
94ed2c67 430 st->hand_state = TLS_ST_OK;
94ed2c67 431 return WRITE_TRAN_CONTINUE;
cc2455bf
MC		 432
433 case TLS_ST_OK:
9412b3ad
MC		 434 if (s->key_update != SSL_KEY_UPDATE_NONE) {
435 st->hand_state = TLS_ST_CW_KEY_UPDATE;
436 return WRITE_TRAN_CONTINUE;
437 }
438
439 /* Try to read from the server instead */
cc2455bf 440 return WRITE_TRAN_FINISHED;
0f1e51ea
MC		 441 }
442}
443
444/*
445 * ossl_statem_client_write_transition() works out what handshake state to
446 * move to next when the client is writing messages to be sent to the server.
61ae935a 447 */
8481f583 448WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
61ae935a 449{
d6f1a6e9 450 OSSL_STATEM *st = &s->statem;
61ae935a 451
0f1e51ea
MC		 452 /*
453 * Note that immediately before/after a ClientHello we don't know what
454 * version we are going to negotiate yet, so we don't take this branch until
455 * later
456 */
f5ca0b04 457 if (SSL_IS_TLS13(s))
0f1e51ea
MC		 458 return ossl_statem_client13_write_transition(s);
459
a230b26e 460 switch (st->hand_state) {
f3b3d7f0
RS		 461 default:
462 /* Shouldn't happen */
a2c2e000
MC		 463 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
464 SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION,
465 ERR_R_INTERNAL_ERROR);
f3b3d7f0
RS		 466 return WRITE_TRAN_ERROR;
467
a230b26e 468 case TLS_ST_OK:
c7f47786
MC		 469 if (!s->renegotiate) {
470 /*
471 * We haven't requested a renegotiation ourselves so we must have
472 * received a message from the server. Better read it.
473 */
474 return WRITE_TRAN_FINISHED;
475 }
018fcbec
BE		 476 /* Renegotiation */
477 /* fall thru */
a230b26e
EK		 478 case TLS_ST_BEFORE:
479 st->hand_state = TLS_ST_CW_CLNT_HELLO;
480 return WRITE_TRAN_CONTINUE;
61ae935a 481
a230b26e 482 case TLS_ST_CW_CLNT_HELLO:
49e7fe12
MC		 483 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
484 /*
485 * We are assuming this is a TLSv1.3 connection, although we haven't
486 * actually selected a version yet.
487 */
066904cc
MC		 488 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
489 st->hand_state = TLS_ST_CW_CHANGE;
490 else
491 st->hand_state = TLS_ST_EARLY_DATA;
49e7fe12
MC		 492 return WRITE_TRAN_CONTINUE;
493 }
a230b26e
EK		 494 /*
495 * No transition at the end of writing because we don't know what
496 * we will be sent
497 */
498 return WRITE_TRAN_FINISHED;
61ae935a 499
597c51bc 500 case TLS_ST_CR_SRVR_HELLO:
318d3c0e
MC		 501 /*
502 * We only get here in TLSv1.3. We just received an HRR, so issue a
503 * CCS unless middlebox compat mode is off, or we already issued one
504 * because we did early data.
505 */
506 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
507 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
508 st->hand_state = TLS_ST_CW_CHANGE;
509 else
510 st->hand_state = TLS_ST_CW_CLNT_HELLO;
a2b97bdf
MC		 511 return WRITE_TRAN_CONTINUE;
512
d7f8783f 513 case TLS_ST_EARLY_DATA:
4004ce5f
MC		 514 return WRITE_TRAN_FINISHED;
515
a230b26e
EK		 516 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
517 st->hand_state = TLS_ST_CW_CLNT_HELLO;
518 return WRITE_TRAN_CONTINUE;
61ae935a 519
a230b26e
EK		 520 case TLS_ST_CR_SRVR_DONE:
521 if (s->s3->tmp.cert_req)
522 st->hand_state = TLS_ST_CW_CERT;
523 else
61ae935a 524 st->hand_state = TLS_ST_CW_KEY_EXCH;
a230b26e 525 return WRITE_TRAN_CONTINUE;
61ae935a 526
a230b26e
EK		 527 case TLS_ST_CW_CERT:
528 st->hand_state = TLS_ST_CW_KEY_EXCH;
529 return WRITE_TRAN_CONTINUE;
61ae935a 530
a230b26e
EK		 531 case TLS_ST_CW_KEY_EXCH:
532 /*
533 * For TLS, cert_req is set to 2, so a cert chain of nothing is
534 * sent, but no verify packet is sent
535 */
536 /*
537 * XXX: For now, we do not support client authentication in ECDH
538 * cipher suites with ECDH (rather than ECDSA) certificates. We
539 * need to skip the certificate verify message when client's
540 * ECDH public key is sent inside the client certificate.
541 */
542 if (s->s3->tmp.cert_req == 1) {
543 st->hand_state = TLS_ST_CW_CERT_VRFY;
544 } else {
61ae935a 545 st->hand_state = TLS_ST_CW_CHANGE;
a230b26e
EK		 546 }
547 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
548 st->hand_state = TLS_ST_CW_CHANGE;
549 }
550 return WRITE_TRAN_CONTINUE;
61ae935a 551
a230b26e
EK		 552 case TLS_ST_CW_CERT_VRFY:
553 st->hand_state = TLS_ST_CW_CHANGE;
554 return WRITE_TRAN_CONTINUE;
555
556 case TLS_ST_CW_CHANGE:
318d3c0e
MC		 557 if (s->hello_retry_request == SSL_HRR_PENDING) {
558 st->hand_state = TLS_ST_CW_CLNT_HELLO;
559 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
066904cc
MC		 560 st->hand_state = TLS_ST_EARLY_DATA;
561 } else {
61ae935a 562#if defined(OPENSSL_NO_NEXTPROTONEG)
a230b26e 563 st->hand_state = TLS_ST_CW_FINISHED;
066904cc
MC		 564#else
565 if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
566 st->hand_state = TLS_ST_CW_NEXT_PROTO;
567 else
568 st->hand_state = TLS_ST_CW_FINISHED;
61ae935a 569#endif
066904cc 570 }
a230b26e 571 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 572
573#if !defined(OPENSSL_NO_NEXTPROTONEG)
a230b26e
EK		 574 case TLS_ST_CW_NEXT_PROTO:
575 st->hand_state = TLS_ST_CW_FINISHED;
576 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 577#endif
578
a230b26e
EK		 579 case TLS_ST_CW_FINISHED:
580 if (s->hit) {
581 st->hand_state = TLS_ST_OK;
a230b26e
EK		 582 return WRITE_TRAN_CONTINUE;
583 } else {
584 return WRITE_TRAN_FINISHED;
585 }
61ae935a 586
a230b26e
EK		 587 case TLS_ST_CR_FINISHED:
588 if (s->hit) {
589 st->hand_state = TLS_ST_CW_CHANGE;
590 return WRITE_TRAN_CONTINUE;
591 } else {
592 st->hand_state = TLS_ST_OK;
a230b26e
EK		 593 return WRITE_TRAN_CONTINUE;
594 }
c7f47786
MC		 595
596 case TLS_ST_CR_HELLO_REQ:
597 /*
598 * If we can renegotiate now then do so, otherwise wait for a more
599 * convenient time.
600 */
601 if (ssl3_renegotiate_check(s, 1)) {
602 if (!tls_setup_handshake(s)) {
f63a17d6 603 /* SSLfatal() already called */
c7f47786
MC		 604 return WRITE_TRAN_ERROR;
605 }
606 st->hand_state = TLS_ST_CW_CLNT_HELLO;
607 return WRITE_TRAN_CONTINUE;
608 }
609 st->hand_state = TLS_ST_OK;
c7f47786 610 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 611 }
612}
613
614/*
615 * Perform any pre work that needs to be done prior to sending a message from
616 * the client to the server.
617 */
8481f583 618WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
61ae935a 619{
d6f1a6e9 620 OSSL_STATEM *st = &s->statem;
61ae935a 621
a230b26e 622 switch (st->hand_state) {
f3b3d7f0
RS		 623 default:
624 /* No pre work to be done */
625 break;
626
61ae935a
MC		 627 case TLS_ST_CW_CLNT_HELLO:
628 s->shutdown = 0;
629 if (SSL_IS_DTLS(s)) {
630 /* every DTLS ClientHello resets Finished MAC */
2c4a056f 631 if (!ssl3_init_finished_mac(s)) {
f63a17d6 632 /* SSLfatal() already called */
2c4a056f
MC		 633 return WORK_ERROR;
634 }
61ae935a
MC		 635 }
636 break;
637
61ae935a
MC		 638 case TLS_ST_CW_CHANGE:
639 if (SSL_IS_DTLS(s)) {
640 if (s->hit) {
641 /*
642 * We're into the last flight so we don't retransmit these
643 * messages unless we need to.
644 */
645 st->use_timer = 0;
646 }
647#ifndef OPENSSL_NO_SCTP
a2c2e000
MC		 648 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
649 /* Calls SSLfatal() as required */
61ae935a 650 return dtls_wait_for_dry(s);
a2c2e000 651 }
61ae935a
MC		 652#endif
653 }
f3b3d7f0 654 break;
61ae935a 655
d7f8783f 656 case TLS_ST_PENDING_EARLY_DATA_END:
ef6c191b
MC		 657 /*
658 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
659 * attempt to write early data before calling SSL_read() then we press
660 * on with the handshake. Otherwise we pause here.
661 */
662 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
663 || s->early_data_state == SSL_EARLY_DATA_NONE)
664 return WORK_FINISHED_CONTINUE;
665 /* Fall through */
666
667 case TLS_ST_EARLY_DATA:
2a8db717
MC		 668 return tls_finish_handshake(s, wst, 0, 1);
669
61ae935a 670 case TLS_ST_OK:
a2c2e000 671 /* Calls SSLfatal() as required */
2a8db717 672 return tls_finish_handshake(s, wst, 1, 1);
61ae935a
MC		 673 }
674
675 return WORK_FINISHED_CONTINUE;
676}
677
678/*
679 * Perform any work that needs to be done after sending a message from the
680 * client to the server.
681 */
8481f583 682WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
61ae935a 683{
d6f1a6e9 684 OSSL_STATEM *st = &s->statem;
61ae935a
MC		 685
686 s->init_num = 0;
687
a230b26e 688 switch (st->hand_state) {
f3b3d7f0
RS		 689 default:
690 /* No post work to be done */
691 break;
692
61ae935a 693 case TLS_ST_CW_CLNT_HELLO:
6cb42265 694 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
5cc807da 695 && s->max_early_data > 0) {
6cb42265
MC		 696 /*
697 * We haven't selected TLSv1.3 yet so we don't call the change
698 * cipher state function associated with the SSL_METHOD. Instead
699 * we call tls13_change_cipher_state() directly.
700 */
5cc807da 701 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
5cc807da
MC		 702 if (!tls13_change_cipher_state(s,
703 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
704 /* SSLfatal() already called */
705 return WORK_ERROR;
706 }
a2c2e000 707 }
5cc807da
MC		 708 /* else we're in compat mode so we delay flushing until after CCS */
709 } else if (!statem_flush(s)) {
710 return WORK_MORE_A;
711 }
712
713 if (SSL_IS_DTLS(s)) {
714 /* Treat the next message as the first packet */
715 s->first_packet = 1;
6cb42265 716 }
61ae935a
MC		 717 break;
718
ef6c191b
MC		 719 case TLS_ST_CW_END_OF_EARLY_DATA:
720 /*
721 * We set the enc_write_ctx back to NULL because we may end up writing
722 * in cleartext again if we get a HelloRetryRequest from the server.
723 */
724 EVP_CIPHER_CTX_free(s->enc_write_ctx);
725 s->enc_write_ctx = NULL;
726 break;
727
61ae935a 728 case TLS_ST_CW_KEY_EXCH:
a2c2e000
MC		 729 if (tls_client_key_exchange_post_work(s) == 0) {
730 /* SSLfatal() already called */
61ae935a 731 return WORK_ERROR;
a2c2e000 732 }
61ae935a
MC		 733 break;
734
735 case TLS_ST_CW_CHANGE:
318d3c0e 736 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING)
4d02f870 737 break;
066904cc
MC		 738 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
739 && s->max_early_data > 0) {
740 /*
741 * We haven't selected TLSv1.3 yet so we don't call the change
742 * cipher state function associated with the SSL_METHOD. Instead
743 * we call tls13_change_cipher_state() directly.
744 */
745 if (!tls13_change_cipher_state(s,
746 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
747 return WORK_ERROR;
748 break;
749 }
61ae935a
MC		 750 s->session->cipher = s->s3->tmp.new_cipher;
751#ifdef OPENSSL_NO_COMP
752 s->session->compress_meth = 0;
753#else
754 if (s->s3->tmp.new_compression == NULL)
755 s->session->compress_meth = 0;
756 else
757 s->session->compress_meth = s->s3->tmp.new_compression->id;
758#endif
a2c2e000
MC		 759 if (!s->method->ssl3_enc->setup_key_block(s)) {
760 /* SSLfatal() already called */
61ae935a 761 return WORK_ERROR;
a2c2e000 762 }
61ae935a
MC		 763
764 if (!s->method->ssl3_enc->change_cipher_state(s,
a2c2e000
MC		 765 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
766 /* SSLfatal() already called */
61ae935a 767 return WORK_ERROR;
a2c2e000 768 }
61ae935a
MC		 769
770 if (SSL_IS_DTLS(s)) {
771#ifndef OPENSSL_NO_SCTP
772 if (s->hit) {
773 /*
774 * Change to new shared key of SCTP-Auth, will be ignored if
775 * no SCTP used.
776 */
777 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
778 0, NULL);
779 }
780#endif
781
782 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
783 }
784 break;
785
786 case TLS_ST_CW_FINISHED:
787#ifndef OPENSSL_NO_SCTP
788 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
789 /*
790 * Change to new shared key of SCTP-Auth, will be ignored if
791 * no SCTP used.
792 */
793 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
794 0, NULL);
795 }
796#endif
797 if (statem_flush(s) != 1)
798 return WORK_MORE_B;
92760c21
MC		 799
800 if (SSL_IS_TLS13(s)) {
801 if (!s->method->ssl3_enc->change_cipher_state(s,
a2c2e000
MC		 802 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
803 /* SSLfatal() already called */
804 return WORK_ERROR;
805 }
92760c21 806 }
61ae935a 807 break;
9412b3ad
MC		 808
809 case TLS_ST_CW_KEY_UPDATE:
810 if (statem_flush(s) != 1)
811 return WORK_MORE_A;
a2c2e000
MC		 812 if (!tls13_update_key(s, 1)) {
813 /* SSLfatal() already called */
57389a32 814 return WORK_ERROR;
a2c2e000 815 }
9412b3ad 816 break;
61ae935a
MC		 817 }
818
819 return WORK_FINISHED_CONTINUE;
820}
821
822/*
6392fb8e
MC		 823 * Get the message construction function and message type for sending from the
824 * client
61ae935a
MC		 825 *
826 * Valid return values are:
827 * 1: Success
828 * 0: Error
829 */
6392fb8e 830int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
a15c953f 831 confunc_f *confunc, int *mt)
61ae935a 832{
d6f1a6e9 833 OSSL_STATEM *st = &s->statem;
61ae935a 834
4a01c59f
MC		 835 switch (st->hand_state) {
836 default:
837 /* Shouldn't happen */
f63a17d6
MC		 838 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
839 SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
840 SSL_R_BAD_HANDSHAKE_STATE);
4a01c59f
MC		 841 return 0;
842
843 case TLS_ST_CW_CHANGE:
5923ad4b 844 if (SSL_IS_DTLS(s))
6392fb8e 845 *confunc = dtls_construct_change_cipher_spec;
4a01c59f 846 else
6392fb8e
MC		 847 *confunc = tls_construct_change_cipher_spec;
848 *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
4a01c59f
MC		 849 break;
850
851 case TLS_ST_CW_CLNT_HELLO:
6392fb8e
MC		 852 *confunc = tls_construct_client_hello;
853 *mt = SSL3_MT_CLIENT_HELLO;
4a01c59f
MC		 854 break;
855
ef6c191b
MC		 856 case TLS_ST_CW_END_OF_EARLY_DATA:
857 *confunc = tls_construct_end_of_early_data;
858 *mt = SSL3_MT_END_OF_EARLY_DATA;
859 break;
860
861 case TLS_ST_PENDING_EARLY_DATA_END:
862 *confunc = NULL;
863 *mt = SSL3_MT_DUMMY;
864 break;
865
4a01c59f 866 case TLS_ST_CW_CERT:
6392fb8e
MC		 867 *confunc = tls_construct_client_certificate;
868 *mt = SSL3_MT_CERTIFICATE;
4a01c59f
MC		 869 break;
870
871 case TLS_ST_CW_KEY_EXCH:
6392fb8e
MC		 872 *confunc = tls_construct_client_key_exchange;
873 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
4a01c59f
MC		 874 break;
875
876 case TLS_ST_CW_CERT_VRFY:
d8bc1399 877 *confunc = tls_construct_cert_verify;
6392fb8e 878 *mt = SSL3_MT_CERTIFICATE_VERIFY;
4a01c59f 879 break;
61ae935a
MC		 880
881#if !defined(OPENSSL_NO_NEXTPROTONEG)
4a01c59f 882 case TLS_ST_CW_NEXT_PROTO:
6392fb8e
MC		 883 *confunc = tls_construct_next_proto;
884 *mt = SSL3_MT_NEXT_PROTO;
4a01c59f 885 break;
61ae935a 886#endif
4a01c59f 887 case TLS_ST_CW_FINISHED:
6392fb8e
MC		 888 *confunc = tls_construct_finished;
889 *mt = SSL3_MT_FINISHED;
4a01c59f 890 break;
9412b3ad
MC		 891
892 case TLS_ST_CW_KEY_UPDATE:
893 *confunc = tls_construct_key_update;
894 *mt = SSL3_MT_KEY_UPDATE;
895 break;
4a01c59f 896 }
5923ad4b 897
5923ad4b 898 return 1;
61ae935a
MC		 899}
900
901/*
902 * Returns the maximum allowed length for the current message that we are
903 * reading. Excludes the message header.
904 */
eda75751 905size_t ossl_statem_client_max_message_size(SSL *s)
61ae935a 906{
d6f1a6e9 907 OSSL_STATEM *st = &s->statem;
61ae935a 908
a230b26e 909 switch (st->hand_state) {
f3b3d7f0
RS		 910 default:
911 /* Shouldn't happen */
912 return 0;
913
a230b26e
EK		 914 case TLS_ST_CR_SRVR_HELLO:
915 return SERVER_HELLO_MAX_LENGTH;
61ae935a 916
a230b26e
EK		 917 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
918 return HELLO_VERIFY_REQUEST_MAX_LENGTH;
61ae935a 919
a230b26e
EK		 920 case TLS_ST_CR_CERT:
921 return s->max_cert_list;
61ae935a 922
2c5dfdc3
MC		 923 case TLS_ST_CR_CERT_VRFY:
924 return SSL3_RT_MAX_PLAIN_LENGTH;
925
a230b26e
EK		 926 case TLS_ST_CR_CERT_STATUS:
927 return SSL3_RT_MAX_PLAIN_LENGTH;
61ae935a 928
a230b26e
EK		 929 case TLS_ST_CR_KEY_EXCH:
930 return SERVER_KEY_EXCH_MAX_LENGTH;
61ae935a 931
a230b26e
EK		 932 case TLS_ST_CR_CERT_REQ:
933 /*
934 * Set to s->max_cert_list for compatibility with previous releases. In
935 * practice these messages can get quite long if servers are configured
936 * to provide a long list of acceptable CAs
937 */
938 return s->max_cert_list;
61ae935a 939
a230b26e
EK		 940 case TLS_ST_CR_SRVR_DONE:
941 return SERVER_HELLO_DONE_MAX_LENGTH;
61ae935a 942
a230b26e
EK		 943 case TLS_ST_CR_CHANGE:
944 if (s->version == DTLS1_BAD_VER)
945 return 3;
946 return CCS_MAX_LENGTH;
61ae935a 947
a230b26e
EK		 948 case TLS_ST_CR_SESSION_TICKET:
949 return SSL3_RT_MAX_PLAIN_LENGTH;
61ae935a 950
a230b26e
EK		 951 case TLS_ST_CR_FINISHED:
952 return FINISHED_MAX_LENGTH;
e46f2334
MC		 953
954 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
955 return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
e1c3de44
MC		 956
957 case TLS_ST_CR_KEY_UPDATE:
958 return KEY_UPDATE_MAX_LENGTH;
61ae935a 959 }
61ae935a
MC		 960}
961
962/*
963 * Process a message that the client has been received from the server.
964 */
8481f583 965MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
61ae935a 966{
d6f1a6e9 967 OSSL_STATEM *st = &s->statem;
61ae935a 968
a230b26e 969 switch (st->hand_state) {
f3b3d7f0
RS		 970 default:
971 /* Shouldn't happen */
a2c2e000
MC		 972 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
973 SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE,
974 ERR_R_INTERNAL_ERROR);
f3b3d7f0
RS		 975 return MSG_PROCESS_ERROR;
976
a230b26e
EK		 977 case TLS_ST_CR_SRVR_HELLO:
978 return tls_process_server_hello(s, pkt);
61ae935a 979
a230b26e
EK		 980 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
981 return dtls_process_hello_verify(s, pkt);
61ae935a 982
a230b26e
EK		 983 case TLS_ST_CR_CERT:
984 return tls_process_server_certificate(s, pkt);
61ae935a 985
2c5dfdc3
MC		 986 case TLS_ST_CR_CERT_VRFY:
987 return tls_process_cert_verify(s, pkt);
988
a230b26e
EK		 989 case TLS_ST_CR_CERT_STATUS:
990 return tls_process_cert_status(s, pkt);
61ae935a 991
a230b26e
EK		 992 case TLS_ST_CR_KEY_EXCH:
993 return tls_process_key_exchange(s, pkt);
61ae935a 994
a230b26e
EK		 995 case TLS_ST_CR_CERT_REQ:
996 return tls_process_certificate_request(s, pkt);
61ae935a 997
a230b26e
EK		 998 case TLS_ST_CR_SRVR_DONE:
999 return tls_process_server_done(s, pkt);
61ae935a 1000
a230b26e
EK		 1001 case TLS_ST_CR_CHANGE:
1002 return tls_process_change_cipher_spec(s, pkt);
61ae935a 1003
a230b26e
EK		 1004 case TLS_ST_CR_SESSION_TICKET:
1005 return tls_process_new_session_ticket(s, pkt);
61ae935a 1006
a230b26e
EK		 1007 case TLS_ST_CR_FINISHED:
1008 return tls_process_finished(s, pkt);
e46f2334 1009
c7f47786
MC		 1010 case TLS_ST_CR_HELLO_REQ:
1011 return tls_process_hello_req(s, pkt);
1012
e46f2334
MC		 1013 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1014 return tls_process_encrypted_extensions(s, pkt);
e1c3de44
MC		 1015
1016 case TLS_ST_CR_KEY_UPDATE:
1017 return tls_process_key_update(s, pkt);
61ae935a 1018 }
61ae935a
MC		 1019}
1020
1021/*
1022 * Perform any further processing required following the receipt of a message
1023 * from the server
1024 */
8481f583 1025WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
61ae935a 1026{
d6f1a6e9 1027 OSSL_STATEM *st = &s->statem;
61ae935a 1028
a230b26e 1029 switch (st->hand_state) {
f3b3d7f0
RS		 1030 default:
1031 /* Shouldn't happen */
a2c2e000
MC		 1032 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1033 SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE,
1034 ERR_R_INTERNAL_ERROR);
f3b3d7f0
RS		 1035 return WORK_ERROR;
1036
05c4f1d5
MC		 1037 case TLS_ST_CR_CERT_REQ:
1038 return tls_prepare_client_certificate(s, wst);
61ae935a 1039 }
61ae935a
MC		 1040}
1041
7cea05dc 1042int tls_construct_client_hello(SSL *s, WPACKET *pkt)
0f113f3e 1043{
2c7b4dbc 1044 unsigned char *p;
ec60ccc1
MC		 1045 size_t sess_id_len;
1046 int i, protverr;
09b6c2ef 1047#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1048 SSL_COMP *comp;
1049#endif
b9908bf9 1050 SSL_SESSION *sess = s->session;
a5816a5a 1051 unsigned char *session_id;
0f113f3e 1052
7cea05dc 1053 if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
2c7b4dbc 1054 /* Should not happen */
f63a17d6
MC		 1055 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1056 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
7cea05dc 1057 return 0;
2c7b4dbc 1058 }
0f113f3e 1059
b9908bf9 1060 /* Work out what SSL/TLS/DTLS version to use */
4fa52141
VD		 1061 protverr = ssl_set_client_hello_version(s);
1062 if (protverr != 0) {
f63a17d6
MC		 1063 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1064 protverr);
7cea05dc 1065 return 0;
4fa52141 1066 }
0f113f3e 1067
e586eac8
MC		 1068 if (sess == NULL
1069 || !ssl_version_supported(s, sess->ssl_version)
1070 || !SSL_SESSION_is_resumable(sess)) {
fc7129dc
MC		 1071 if (s->hello_retry_request == SSL_HRR_NONE
1072 && !ssl_get_new_session(s, 0)) {
f63a17d6 1073 /* SSLfatal() already called */
7cea05dc 1074 return 0;
f63a17d6 1075 }
b9908bf9
MC		 1076 }
1077 /* else use the pre-loaded session */
0f113f3e 1078
b9908bf9 1079 p = s->s3->client_random;
0f113f3e 1080
b9908bf9
MC		 1081 /*
1082 * for DTLS if client_random is initialized, reuse it, we are
1083 * required to use same upon reply to HelloVerify
1084 */
1085 if (SSL_IS_DTLS(s)) {
1086 size_t idx;
1087 i = 1;
1088 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
1089 if (p[idx]) {
1090 i = 0;
1091 break;
0f113f3e 1092 }
0f113f3e 1093 }
751b26b1 1094 } else {
fc7129dc 1095 i = (s->hello_retry_request == SSL_HRR_NONE);
751b26b1 1096 }
0f113f3e 1097
f7f2a01d 1098 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random),
f63a17d6
MC		 1099 DOWNGRADE_NONE) <= 0) {
1100 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1101 ERR_R_INTERNAL_ERROR);
7cea05dc 1102 return 0;
f63a17d6 1103 }
b9908bf9 1104
b9908bf9
MC		 1105 /*-
1106 * version indicates the negotiated version: for example from
1107 * an SSLv2/v3 compatible client hello). The client_version
1108 * field is the maximum version we permit and it is also
1109 * used in RSA encrypted premaster secrets. Some servers can
1110 * choke if we initially report a higher version then
1111 * renegotiate to a lower one in the premaster secret. This
1112 * didn't happen with TLS 1.0 as most servers supported it
1113 * but it can with TLS 1.1 or later if the server only supports
1114 * 1.0.
1115 *
1116 * Possible scenario with previous logic:
1117 * 1. Client hello indicates TLS 1.2
1118 * 2. Server hello says TLS 1.0
1119 * 3. RSA encrypted premaster secret uses 1.2.
8483a003 1120 * 4. Handshake proceeds using TLS 1.0.
b9908bf9
MC		 1121 * 5. Server sends hello request to renegotiate.
1122 * 6. Client hello indicates TLS v1.0 as we now
1123 * know that is maximum server supports.
1124 * 7. Server chokes on RSA encrypted premaster secret
1125 * containing version 1.0.
1126 *
1127 * For interoperability it should be OK to always use the
1128 * maximum version we support in client hello and then rely
1129 * on the checking of version to ensure the servers isn't
1130 * being inconsistent: for example initially negotiating with
1131 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1132 * client_version in client hello and not resetting it to
1133 * the negotiated version.
cd998837
MC		 1134 *
1135 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
16bce0e0 1136 * supported_versions extension for the real supported versions.
b9908bf9 1137 */
7acb8b64 1138 if (!WPACKET_put_bytes_u16(pkt, s->client_version)
7cea05dc 1139 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
f63a17d6
MC		 1140 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1141 ERR_R_INTERNAL_ERROR);
7cea05dc 1142 return 0;
2c7b4dbc 1143 }
b9908bf9
MC		 1144
1145 /* Session ID */
a5816a5a
MC		 1146 session_id = s->session->session_id;
1147 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
1148 if (s->version == TLS1_3_VERSION
1149 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
1150 sess_id_len = sizeof(s->tmp_session_id);
1151 s->tmp_session_id_len = sess_id_len;
1152 session_id = s->tmp_session_id;
fc7129dc 1153 if (s->hello_retry_request == SSL_HRR_NONE
a5816a5a
MC		 1154 && ssl_randbytes(s, s->tmp_session_id,
1155 sess_id_len) <= 0) {
1156 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1157 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1158 ERR_R_INTERNAL_ERROR);
1159 return 0;
1160 }
1161 } else {
1162 sess_id_len = 0;
1163 }
1164 } else {
ec60ccc1 1165 sess_id_len = s->session->session_id_length;
a5816a5a
MC		 1166 if (s->version == TLS1_3_VERSION) {
1167 s->tmp_session_id_len = sess_id_len;
1168 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1169 }
1170 }
ec60ccc1 1171 if (sess_id_len > sizeof(s->session->session_id)
7cea05dc 1172 || !WPACKET_start_sub_packet_u8(pkt)
a5816a5a 1173 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
ec60ccc1 1174 sess_id_len))
7cea05dc 1175 || !WPACKET_close(pkt)) {
f63a17d6
MC		 1176 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1177 ERR_R_INTERNAL_ERROR);
7cea05dc 1178 return 0;
b9908bf9 1179 }
0f113f3e 1180
b9908bf9
MC		 1181 /* cookie stuff for DTLS */
1182 if (SSL_IS_DTLS(s)) {
2c7b4dbc 1183 if (s->d1->cookie_len > sizeof(s->d1->cookie)
7cea05dc 1184 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
b2b3024e 1185 s->d1->cookie_len)) {
f63a17d6
MC		 1186 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1187 ERR_R_INTERNAL_ERROR);
7cea05dc 1188 return 0;
0f113f3e 1189 }
b9908bf9
MC		 1190 }
1191
1192 /* Ciphers supported */
7cea05dc 1193 if (!WPACKET_start_sub_packet_u16(pkt)) {
f63a17d6
MC		 1194 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1195 ERR_R_INTERNAL_ERROR);
7cea05dc 1196 return 0;
2c7b4dbc 1197 }
635c8f77 1198
f63a17d6
MC		 1199 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
1200 /* SSLfatal() already called */
7cea05dc 1201 return 0;
f63a17d6 1202 }
7cea05dc 1203 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 1204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1205 ERR_R_INTERNAL_ERROR);
7cea05dc 1206 return 0;
b9908bf9 1207 }
0f113f3e 1208
b9908bf9 1209 /* COMPRESSION */
7cea05dc 1210 if (!WPACKET_start_sub_packet_u8(pkt)) {
f63a17d6
MC		 1211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1212 ERR_R_INTERNAL_ERROR);
7cea05dc 1213 return 0;
2c7b4dbc
MC		 1214 }
1215#ifndef OPENSSL_NO_COMP
c19602b5
MC		 1216 if (ssl_allow_compression(s)
1217 && s->ctx->comp_methods
1218 && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
2c7b4dbc
MC		 1219 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
1220 for (i = 0; i < compnum; i++) {
1221 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
7cea05dc 1222 if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
f63a17d6
MC		 1223 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1224 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1225 ERR_R_INTERNAL_ERROR);
7cea05dc 1226 return 0;
2c7b4dbc
MC		 1227 }
1228 }
b9908bf9 1229 }
09b6c2ef 1230#endif
2c7b4dbc 1231 /* Add the NULL method */
7cea05dc 1232 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
f63a17d6
MC		 1233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1234 ERR_R_INTERNAL_ERROR);
7cea05dc 1235 return 0;
2c7b4dbc 1236 }
761772d7 1237
b9908bf9 1238 /* TLS extensions */
f63a17d6
MC		 1239 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
1240 /* SSLfatal() already called */
7cea05dc 1241 return 0;
b9908bf9 1242 }
0f113f3e 1243
b9908bf9 1244 return 1;
0f113f3e 1245}
d02b48c6 1246
be3583fa 1247MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
8ba708e5 1248{
cb150cbc 1249 size_t cookie_len;
8ba708e5
MC		 1250 PACKET cookiepkt;
1251
1252 if (!PACKET_forward(pkt, 2)
a230b26e 1253 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
f63a17d6
MC		 1254 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1255 SSL_R_LENGTH_MISMATCH);
1256 return MSG_PROCESS_ERROR;
8ba708e5
MC		 1257 }
1258
1259 cookie_len = PACKET_remaining(&cookiepkt);
1260 if (cookie_len > sizeof(s->d1->cookie)) {
f63a17d6
MC		 1261 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1262 SSL_R_LENGTH_TOO_LONG);
1263 return MSG_PROCESS_ERROR;
8ba708e5
MC		 1264 }
1265
1266 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
f63a17d6
MC		 1267 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1268 SSL_R_LENGTH_MISMATCH);
1269 return MSG_PROCESS_ERROR;
8ba708e5
MC		 1270 }
1271 s->d1->cookie_len = cookie_len;
1272
1273 return MSG_PROCESS_FINISHED_READING;
8ba708e5
MC		 1274}
1275
11c67eea 1276static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
b9908bf9
MC		 1277{
1278 STACK_OF(SSL_CIPHER) *sk;
1279 const SSL_CIPHER *c;
11c67eea
MC		 1280 int i;
1281
1282 c = ssl_get_cipher_by_char(s, cipherchars, 0);
1283 if (c == NULL) {
1284 /* unknown cipher */
f63a17d6
MC		 1285 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1286 SSL_R_UNKNOWN_CIPHER_RETURNED);
11c67eea
MC		 1287 return 0;
1288 }
1289 /*
1290 * If it is a disabled cipher we either didn't send it in client hello,
1291 * or it's not allowed for the selected protocol. So we return an error.
1292 */
8af91fd9 1293 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
f63a17d6
MC		 1294 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1295 SSL_R_WRONG_CIPHER_RETURNED);
11c67eea
MC		 1296 return 0;
1297 }
1298
1299 sk = ssl_get_ciphers_by_id(s);
1300 i = sk_SSL_CIPHER_find(sk, c);
1301 if (i < 0) {
1302 /* we did not say we would use this cipher */
f63a17d6
MC		 1303 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1304 SSL_R_WRONG_CIPHER_RETURNED);
11c67eea
MC		 1305 return 0;
1306 }
1307
1308 if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL
1309 && s->s3->tmp.new_cipher->id != c->id) {
1310 /* ServerHello selected a different ciphersuite to that in the HRR */
f63a17d6
MC		 1311 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1312 SSL_R_WRONG_CIPHER_RETURNED);
11c67eea
MC		 1313 return 0;
1314 }
1315
1316 /*
1317 * Depending on the session caching (internal/external), the cipher
1318 * and/or cipher_id values may not be set. Make sure that cipher_id is
1319 * set and use it for comparison.
1320 */
1321 if (s->session->cipher != NULL)
1322 s->session->cipher_id = s->session->cipher->id;
1323 if (s->hit && (s->session->cipher_id != c->id)) {
a055a881
MC		 1324 if (SSL_IS_TLS13(s)) {
1325 /*
1326 * In TLSv1.3 it is valid for the server to select a different
1327 * ciphersuite as long as the hash is the same.
1328 */
1329 if (ssl_md(c->algorithm2)
1330 != ssl_md(s->session->cipher->algorithm2)) {
f63a17d6
MC		 1331 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1332 SSL_F_SET_CLIENT_CIPHERSUITE,
1333 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
a055a881
MC		 1334 return 0;
1335 }
1336 } else {
1337 /*
1338 * Prior to TLSv1.3 resuming a session always meant using the same
1339 * ciphersuite.
1340 */
f63a17d6
MC		 1341 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1342 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
a055a881
MC		 1343 return 0;
1344 }
11c67eea
MC		 1345 }
1346 s->s3->tmp.new_cipher = c;
1347
1348 return 1;
1349}
1350
1351MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
1352{
332eb390 1353 PACKET session_id, extpkt;
b9908bf9 1354 size_t session_id_len;
b6981744 1355 const unsigned char *cipherchars;
597c51bc 1356 int hrr = 0;
b9908bf9 1357 unsigned int compression;
4fa52141 1358 unsigned int sversion;
3434f40b 1359 unsigned int context;
29bfd5b7 1360 int discard;
332eb390 1361 RAW_EXTENSION *extensions = NULL;
b9908bf9
MC		 1362#ifndef OPENSSL_NO_COMP
1363 SSL_COMP *comp;
1364#endif
1365
4fa52141 1366 if (!PACKET_get_net_2(pkt, &sversion)) {
f63a17d6
MC		 1367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1368 SSL_R_LENGTH_MISMATCH);
1369 goto err;
4fa52141 1370 }
50932c4a 1371
c3043dcd 1372 /* load the server random */
597c51bc
MC		 1373 if (s->version == TLS1_3_VERSION
1374 && sversion == TLS1_2_VERSION
1375 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
1376 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
fc7129dc
MC		 1377 s->hello_retry_request = SSL_HRR_PENDING;
1378 hrr = 1;
597c51bc
MC		 1379 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
1380 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1381 SSL_R_LENGTH_MISMATCH);
1382 goto err;
1383 }
1384 } else {
1385 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
1386 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1387 SSL_R_LENGTH_MISMATCH);
1388 goto err;
1389 }
c3043dcd
MC		 1390 }
1391
88050dd1
MC		 1392 /* Get the session-id. */
1393 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1394 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1395 SSL_R_LENGTH_MISMATCH);
f63a17d6 1396 goto err;
0f113f3e 1397 }
88050dd1
MC		 1398 session_id_len = PACKET_remaining(&session_id);
1399 if (session_id_len > sizeof(s->session->session_id)
1400 || session_id_len > SSL3_SESSION_ID_SIZE) {
1401 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1402 SSL_R_SSL3_SESSION_ID_TOO_LONG);
f63a17d6 1403 goto err;
524420d8
MC		 1404 }
1405
73999b62 1406 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
f63a17d6
MC		 1407 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1408 SSL_R_LENGTH_MISMATCH);
1409 goto err;
fc5ce51d
EK		 1410 }
1411
88050dd1
MC		 1412 if (!PACKET_get_1(pkt, &compression)) {
1413 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1414 SSL_R_LENGTH_MISMATCH);
1415 goto err;
4ff65f77
MC		 1416 }
1417
1418 /* TLS extensions */
597c51bc 1419 if (PACKET_remaining(pkt) == 0 && !hrr) {
4ff65f77 1420 PACKET_null_init(&extpkt);
26b9172a
MC		 1421 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1422 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1423 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1424 SSL_R_BAD_LENGTH);
1425 goto err;
4ff65f77
MC		 1426 }
1427
597c51bc
MC		 1428 if (!hrr) {
1429 if (!tls_collect_extensions(s, &extpkt,
1430 SSL_EXT_TLS1_2_SERVER_HELLO
1431 | SSL_EXT_TLS1_3_SERVER_HELLO,
1432 &extensions, NULL, 1)) {
1433 /* SSLfatal() already called */
1434 goto err;
1435 }
1436
1437 if (!ssl_choose_client_version(s, sversion, extensions)) {
1438 /* SSLfatal() already called */
1439 goto err;
1440 }
88050dd1
MC		 1441 }
1442
597c51bc
MC		 1443 if (SSL_IS_TLS13(s) || hrr) {
1444 if (compression != 0) {
1445 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1446 SSL_F_TLS_PROCESS_SERVER_HELLO,
1447 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1448 goto err;
1449 }
1450
1451 if (session_id_len != s->tmp_session_id_len
1452 || memcmp(PACKET_data(&session_id), s->tmp_session_id,
1453 session_id_len) != 0) {
1454 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1455 SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID);
1456 goto err;
1457 }
1458 }
1459
1460 if (hrr) {
1461 if (!set_client_ciphersuite(s, cipherchars)) {
1462 /* SSLfatal() already called */
1463 goto err;
1464 }
1465
1466 return tls_process_as_hello_retry_request(s, &extpkt);
88050dd1
MC		 1467 }
1468
1469 /*
1470 * Now we have chosen the version we need to check again that the extensions
1471 * are appropriate for this version.
1472 */
fe874d27
MC		 1473 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
1474 : SSL_EXT_TLS1_2_SERVER_HELLO;
88050dd1
MC		 1475 if (!tls_validate_all_contexts(s, context, extensions)) {
1476 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1477 SSL_R_BAD_EXTENSION);
1478 goto err;
1479 }
1480
4ff65f77
MC		 1481 s->hit = 0;
1482
1483 if (SSL_IS_TLS13(s)) {
a5816a5a
MC		 1484 /*
1485 * In TLSv1.3 a ServerHello message signals a key change so the end of
1486 * the message must be on a record boundary.
1487 */
1488 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1489 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1490 SSL_F_TLS_PROCESS_SERVER_HELLO,
1491 SSL_R_NOT_ON_RECORD_BOUNDARY);
1492 goto err;
1493 }
1494
4ff65f77
MC		 1495 /* This will set s->hit if we are resuming */
1496 if (!tls_parse_extension(s, TLSEXT_IDX_psk,
fe874d27 1497 SSL_EXT_TLS1_3_SERVER_HELLO,
88050dd1 1498 extensions, NULL, 0)) {
f63a17d6
MC		 1499 /* SSLfatal() already called */
1500 goto err;
1501 }
4ff65f77 1502 } else {
8c1a5343 1503 /*
4ff65f77
MC		 1504 * Check if we can resume the session based on external pre-shared
1505 * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1506 * Resumption based on server-side state works with session IDs.
1507 * Resumption based on pre-shared Protected Access Credentials (PACs)
1508 * works by overriding the SessionTicket extension at the application
1509 * layer, and does not send a session ID. (We do not know whether
1510 * EAP-FAST servers would honour the session ID.) Therefore, the session
1511 * ID alone is not a reliable indicator of session resumption, so we
1512 * first check if we can resume, and later peek at the next handshake
1513 * message to see if the server wants to resume.
8c1a5343 1514 */
4ff65f77
MC		 1515 if (s->version >= TLS1_VERSION
1516 && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
1517 const SSL_CIPHER *pref_cipher = NULL;
1518 /*
1519 * s->session->master_key_length is a size_t, but this is an int for
1520 * backwards compat reasons
1521 */
1522 int master_key_length;
1523 master_key_length = sizeof(s->session->master_key);
1524 if (s->ext.session_secret_cb(s, s->session->master_key,
1525 &master_key_length,
1526 NULL, &pref_cipher,
1527 s->ext.session_secret_cb_arg)
1528 && master_key_length > 0) {
1529 s->session->master_key_length = master_key_length;
1530 s->session->cipher = pref_cipher ?
60d685d1 1531 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
4ff65f77 1532 } else {
f63a17d6
MC		 1533 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1534 SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1535 goto err;
4ff65f77 1536 }
0f113f3e 1537 }
4ff65f77
MC		 1538
1539 if (session_id_len != 0
1540 && session_id_len == s->session->session_id_length
1541 && memcmp(PACKET_data(&session_id), s->session->session_id,
1542 session_id_len) == 0)
1543 s->hit = 1;
50932c4a
MC		 1544 }
1545
4ff65f77 1546 if (s->hit) {
0f113f3e 1547 if (s->sid_ctx_length != s->session->sid_ctx_length
4ff65f77 1548 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
0f113f3e 1549 /* actually a client application bug */
f63a17d6
MC		 1550 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1551 SSL_F_TLS_PROCESS_SERVER_HELLO,
1552 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1553 goto err;
0f113f3e 1554 }
6e3d0153 1555 } else {
0f113f3e 1556 /*
6e3d0153 1557 * If we were trying for session-id reuse but the server
4ff65f77 1558 * didn't resume, make a new SSL_SESSION.
6e3d0153
EK		 1559 * In the case of EAP-FAST and PAC, we do not send a session ID,
1560 * so the PAC-based session secret is always preserved. It'll be
1561 * overwritten if the server refuses resumption.
0f113f3e 1562 */
4ff65f77
MC		 1563 if (s->session->session_id_length > 0
1564 || (SSL_IS_TLS13(s)
1565 && s->session->ext.tick_identity
1566 != TLSEXT_PSK_BAD_IDENTITY)) {
0e6161bc
BK		 1567 CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard,
1568 s->session_ctx->lock);
0f113f3e 1569 if (!ssl_get_new_session(s, 0)) {
f63a17d6
MC		 1570 /* SSLfatal() already called */
1571 goto err;
0f113f3e
MC		 1572 }
1573 }
50932c4a 1574
ccae4a15 1575 s->session->ssl_version = s->version;
a5816a5a
MC		 1576 /*
1577 * In TLSv1.2 and below we save the session id we were sent so we can
1578 * resume it later. In TLSv1.3 the session id we were sent is just an
1579 * echo of what we originally sent in the ClientHello and should not be
1580 * used for resumption.
1581 */
1582 if (!SSL_IS_TLS13(s)) {
1583 s->session->session_id_length = session_id_len;
1584 /* session_id_len could be 0 */
1585 if (session_id_len > 0)
1586 memcpy(s->session->session_id, PACKET_data(&session_id),
1587 session_id_len);
1588 }
0f113f3e 1589 }
fc5ce51d 1590
ccae4a15
FI		 1591 /* Session version and negotiated protocol version should match */
1592 if (s->version != s->session->ssl_version) {
f63a17d6
MC		 1593 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO,
1594 SSL_R_SSL_SESSION_VERSION_MISMATCH);
1595 goto err;
ccae4a15 1596 }
0f113f3e 1597 /*
3eb2aff4
KR		 1598 * Now that we know the version, update the check to see if it's an allowed
1599 * version.
1600 */
1601 s->s3->tmp.min_ver = s->version;
1602 s->s3->tmp.max_ver = s->version;
0f113f3e 1603
11c67eea 1604 if (!set_client_ciphersuite(s, cipherchars)) {
f63a17d6
MC		 1605 /* SSLfatal() already called */
1606 goto err;
0f113f3e
MC		 1607 }
1608
09b6c2ef 1609#ifdef OPENSSL_NO_COMP
fc5ce51d 1610 if (compression != 0) {
f63a17d6
MC		 1611 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1612 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1613 goto err;
0f113f3e
MC		 1614 }
1615 /*
1616 * If compression is disabled we'd better not try to resume a session
1617 * using compression.
1618 */
1619 if (s->session->compress_meth != 0) {
f63a17d6
MC		 1620 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO,
1621 SSL_R_INCONSISTENT_COMPRESSION);
1622 goto err;
0f113f3e 1623 }
09b6c2ef 1624#else
fc5ce51d 1625 if (s->hit && compression != s->session->compress_meth) {
f63a17d6 1626 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
dd5a4279 1627 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
f63a17d6 1628 goto err;
0f113f3e 1629 }
fc5ce51d 1630 if (compression == 0)
0f113f3e
MC		 1631 comp = NULL;
1632 else if (!ssl_allow_compression(s)) {
f63a17d6
MC		 1633 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1634 SSL_R_COMPRESSION_DISABLED);
1635 goto err;
fc5ce51d
EK		 1636 } else {
1637 comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1638 }
0f113f3e 1639
fc5ce51d 1640 if (compression != 0 && comp == NULL) {
f63a17d6
MC		 1641 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1642 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1643 goto err;
0f113f3e
MC		 1644 } else {
1645 s->s3->tmp.new_compression = comp;
1646 }
09b6c2ef 1647#endif
761772d7 1648
f63a17d6
MC		 1649 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
1650 /* SSLfatal() already called */
1651 goto err;
1652 }
332eb390 1653
8723588e
MC		 1654#ifndef OPENSSL_NO_SCTP
1655 if (SSL_IS_DTLS(s) && s->hit) {
1656 unsigned char sctpauthkey[64];
1657 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1658
1659 /*
1660 * Add new shared key for SCTP-Auth, will be ignored if
1661 * no SCTP used.
1662 */
141eb8c6
MC		 1663 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1664 sizeof(DTLS1_SCTP_AUTH_LABEL));
8723588e
MC		 1665
1666 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e
EK		 1667 sizeof(sctpauthkey),
1668 labelbuffer,
f63a17d6
MC		 1669 sizeof(labelbuffer), NULL, 0, 0) <= 0) {
1670 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1671 ERR_R_INTERNAL_ERROR);
1672 goto err;
1673 }
8723588e
MC		 1674
1675 BIO_ctrl(SSL_get_wbio(s),
1676 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1677 sizeof(sctpauthkey), sctpauthkey);
1678 }
1679#endif
1680
92760c21
MC		 1681 /*
1682 * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1683 * we're done with this message
1684 */
1685 if (SSL_IS_TLS13(s)
1686 && (!s->method->ssl3_enc->setup_key_block(s)
92760c21
MC		 1687 || !s->method->ssl3_enc->change_cipher_state(s,
1688 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
f63a17d6
MC		 1689 /* SSLfatal() already called */
1690 goto err;
92760c21
MC		 1691 }
1692
1b0286a3 1693 OPENSSL_free(extensions);
b9908bf9 1694 return MSG_PROCESS_CONTINUE_READING;
f63a17d6 1695 err:
1b0286a3 1696 OPENSSL_free(extensions);
b9908bf9 1697 return MSG_PROCESS_ERROR;
0f113f3e 1698}
d02b48c6 1699
597c51bc
MC		 1700static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
1701 PACKET *extpkt)
3847d426 1702{
3847d426 1703 RAW_EXTENSION *extensions = NULL;
3847d426 1704
d4504fe5
MC		 1705 /*
1706 * If we were sending early_data then the enc_write_ctx is now invalid and
1707 * should not be used.
1708 */
1709 EVP_CIPHER_CTX_free(s->enc_write_ctx);
1710 s->enc_write_ctx = NULL;
1711
597c51bc 1712 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
f63a17d6 1713 &extensions, NULL, 1)
fe874d27 1714 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
f63a17d6
MC		 1715 extensions, NULL, 0, 1)) {
1716 /* SSLfatal() already called */
1717 goto err;
1718 }
3847d426
MC		 1719
1720 OPENSSL_free(extensions);
66d4bf6b
MC		 1721 extensions = NULL;
1722
f5d270ca
BK		 1723 if (s->ext.tls13_cookie_len == 0
1724#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1725 && s->s3->tmp.pkey != NULL
1726#endif
1727 ) {
66d4bf6b
MC		 1728 /*
1729 * We didn't receive a cookie or a new key_share so the next
1730 * ClientHello will not change
1731 */
f63a17d6 1732 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
597c51bc
MC		 1733 SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST,
1734 SSL_R_NO_CHANGE_FOLLOWING_HRR);
f63a17d6 1735 goto err;
66d4bf6b 1736 }
3847d426 1737
11c67eea
MC		 1738 /*
1739 * Re-initialise the Transcript Hash. We're going to prepopulate it with
1740 * a synthetic message_hash in place of ClientHello1.
1741 */
43054d3d 1742 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
f63a17d6
MC		 1743 /* SSLfatal() already called */
1744 goto err;
11c67eea
MC		 1745 }
1746
1747 /*
1748 * Add this message to the Transcript Hash. Normally this is done
1749 * automatically prior to the message processing stage. However due to the
1750 * need to create the synthetic message hash, we defer that step until now
1751 * for HRR messages.
1752 */
1753 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1754 s->init_num + SSL3_HM_HEADER_LENGTH)) {
f63a17d6
MC		 1755 /* SSLfatal() already called */
1756 goto err;
11c67eea
MC		 1757 }
1758
3847d426 1759 return MSG_PROCESS_FINISHED_READING;
f63a17d6 1760 err:
3847d426
MC		 1761 OPENSSL_free(extensions);
1762 return MSG_PROCESS_ERROR;
1763}
1764
be3583fa 1765MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
b9908bf9 1766{
f63a17d6 1767 int i;
eb5fd03b 1768 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
b9908bf9
MC		 1769 unsigned long cert_list_len, cert_len;
1770 X509 *x = NULL;
b6981744 1771 const unsigned char *certstart, *certbytes;
b9908bf9
MC		 1772 STACK_OF(X509) *sk = NULL;
1773 EVP_PKEY *pkey = NULL;
7f6b466b 1774 size_t chainidx, certidx;
e96e0f8e 1775 unsigned int context = 0;
7f6b466b 1776 const SSL_CERT_LOOKUP *clu;
0f113f3e
MC		 1777
1778 if ((sk = sk_X509_new_null()) == NULL) {
f63a17d6
MC		 1779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1780 ERR_R_MALLOC_FAILURE);
cc273a93 1781 goto err;
0f113f3e
MC		 1782 }
1783
e96e0f8e
MC		 1784 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1785 || context != 0
1786 || !PACKET_get_net_3(pkt, &cert_list_len)
1a281aab
MC		 1787 || PACKET_remaining(pkt) != cert_list_len
1788 || PACKET_remaining(pkt) == 0) {
f63a17d6
MC		 1789 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1790 SSL_R_LENGTH_MISMATCH);
1791 goto err;
0f113f3e 1792 }
d805a57b 1793 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
73999b62 1794 if (!PACKET_get_net_3(pkt, &cert_len)
a230b26e 1795 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
f63a17d6
MC		 1796 SSLfatal(s, SSL_AD_DECODE_ERROR,
1797 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1798 SSL_R_CERT_LENGTH_MISMATCH);
1799 goto err;
0f113f3e
MC		 1800 }
1801
df758a85
MC		 1802 certstart = certbytes;
1803 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
0f113f3e 1804 if (x == NULL) {
f63a17d6
MC		 1805 SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
1806 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1807 goto err;
0f113f3e 1808 }
df758a85 1809 if (certbytes != (certstart + cert_len)) {
f63a17d6
MC		 1810 SSLfatal(s, SSL_AD_DECODE_ERROR,
1811 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1812 SSL_R_CERT_LENGTH_MISMATCH);
1813 goto err;
0f113f3e 1814 }
e96e0f8e
MC		 1815
1816 if (SSL_IS_TLS13(s)) {
1817 RAW_EXTENSION *rawexts = NULL;
1818 PACKET extensions;
1819
1820 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
f63a17d6
MC		 1821 SSLfatal(s, SSL_AD_DECODE_ERROR,
1822 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1823 SSL_R_BAD_LENGTH);
1824 goto err;
e96e0f8e 1825 }
fe874d27
MC		 1826 if (!tls_collect_extensions(s, &extensions,
1827 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
f63a17d6 1828 NULL, chainidx == 0)
8e1634ec 1829 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
f63a17d6 1830 rawexts, x, chainidx,
8e1634ec 1831 PACKET_remaining(pkt) == 0)) {
5ee289ea 1832 OPENSSL_free(rawexts);
f63a17d6
MC		 1833 /* SSLfatal already called */
1834 goto err;
5ee289ea
MC		 1835 }
1836 OPENSSL_free(rawexts);
e96e0f8e
MC		 1837 }
1838
0f113f3e 1839 if (!sk_X509_push(sk, x)) {
f63a17d6
MC		 1840 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1841 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1842 ERR_R_MALLOC_FAILURE);
cc273a93 1843 goto err;
0f113f3e
MC		 1844 }
1845 x = NULL;
0f113f3e
MC		 1846 }
1847
1848 i = ssl_verify_cert_chain(s, sk);
c8e2f98c
MC		 1849 /*
1850 * The documented interface is that SSL_VERIFY_PEER should be set in order
1851 * for client side verification of the server certificate to take place.
1852 * However, historically the code has only checked that *any* flag is set
1853 * to cause server verification to take place. Use of the other flags makes
1854 * no sense in client mode. An attempt to clean up the semantics was
1855 * reverted because at least one application *only* set
1856 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1857 * server verification to take place, after the clean up it silently did
1858 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1859 * sent to them because they are void functions. Therefore, we now use the
1860 * (less clean) historic behaviour of performing validation if any flag is
1861 * set. The *documented* interface remains the same.
1862 */
1863 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
f63a17d6
MC		 1864 SSLfatal(s, ssl_verify_alarm_type(s->verify_result),
1865 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1866 SSL_R_CERTIFICATE_VERIFY_FAILED);
1867 goto err;
0f113f3e
MC		 1868 }
1869 ERR_clear_error(); /* but we keep s->verify_result */
1870 if (i > 1) {
f63a17d6
MC		 1871 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1872 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
1873 goto err;
0f113f3e
MC		 1874 }
1875
c34b0f99 1876 s->session->peer_chain = sk;
0f113f3e
MC		 1877 /*
1878 * Inconsistency alert: cert_chain does include the peer's certificate,
d4d78943 1879 * which we don't include in statem_srvr.c
0f113f3e
MC		 1880 */
1881 x = sk_X509_value(sk, 0);
1882 sk = NULL;
0f113f3e 1883
8382fd3a 1884 pkey = X509_get0_pubkey(x);
0f113f3e 1885
55a9a16f 1886 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
0f113f3e 1887 x = NULL;
f63a17d6
MC		 1888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1889 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1890 goto err;
0f113f3e
MC		 1891 }
1892
7f6b466b 1893 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
0f113f3e 1894 x = NULL;
f63a17d6
MC		 1895 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1896 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1897 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1898 goto err;
0f113f3e 1899 }
05b8486e
DSH		 1900 /*
1901 * Check certificate type is consistent with ciphersuite. For TLS 1.3
1902 * skip check since TLS 1.3 ciphersuites can be used with any certificate
1903 * type.
1904 */
1905 if (!SSL_IS_TLS13(s)) {
7f6b466b 1906 if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) {
05b8486e 1907 x = NULL;
f63a17d6
MC		 1908 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1909 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1910 SSL_R_WRONG_CERTIFICATE_TYPE);
1911 goto err;
05b8486e 1912 }
0f113f3e 1913 }
7f6b466b 1914 s->session->peer_type = certidx;
55a9a16f
MC		 1915
1916 X509_free(s->session->peer);
05f0fb9f 1917 X509_up_ref(x);
55a9a16f 1918 s->session->peer = x;
0f113f3e 1919 s->session->verify_result = s->verify_result;
0f113f3e 1920 x = NULL;
2c5dfdc3
MC		 1921
1922 /* Save the current hash state for when we receive the CertificateVerify */
1923 if (SSL_IS_TLS13(s)
1924 && !ssl_handshake_hash(s, s->cert_verify_hash,
1925 sizeof(s->cert_verify_hash),
1926 &s->cert_verify_hash_len)) {
f63a17d6
MC		 1927 /* SSLfatal() already called */;
1928 goto err;
2c5dfdc3
MC		 1929 }
1930
b9908bf9 1931 ret = MSG_PROCESS_CONTINUE_READING;
66696478 1932
cc273a93 1933 err:
0f113f3e
MC		 1934 X509_free(x);
1935 sk_X509_pop_free(sk, X509_free);
b9908bf9 1936 return ret;
0f113f3e 1937}
d02b48c6 1938
a2c2e000 1939static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt)
02a74590
MC		 1940{
1941#ifndef OPENSSL_NO_PSK
7dc1c647 1942 PACKET psk_identity_hint;
02a74590 1943
7dc1c647
MC		 1944 /* PSK ciphersuites are preceded by an identity hint */
1945
1946 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
a2c2e000
MC		 1947 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
1948 SSL_R_LENGTH_MISMATCH);
7dc1c647
MC		 1949 return 0;
1950 }
1951
1952 /*
1953 * Store PSK identity hint for later use, hint is used in
1954 * tls_construct_client_key_exchange. Assume that the maximum length of
1955 * a PSK identity hint can be as long as the maximum length of a PSK
1956 * identity.
1957 */
1958 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
a2c2e000
MC		 1959 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1960 SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
1961 SSL_R_DATA_LENGTH_TOO_LONG);
7dc1c647
MC		 1962 return 0;
1963 }
02a74590 1964
7dc1c647
MC		 1965 if (PACKET_remaining(&psk_identity_hint) == 0) {
1966 OPENSSL_free(s->session->psk_identity_hint);
1967 s->session->psk_identity_hint = NULL;
1968 } else if (!PACKET_strndup(&psk_identity_hint,
a230b26e 1969 &s->session->psk_identity_hint)) {
a2c2e000
MC		 1970 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
1971 ERR_R_INTERNAL_ERROR);
7dc1c647
MC		 1972 return 0;
1973 }
1974
1975 return 1;
1976#else
a2c2e000
MC		 1977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
1978 ERR_R_INTERNAL_ERROR);
7dc1c647 1979 return 0;
02a74590
MC		 1980#endif
1981}
1982
a2c2e000 1983static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
25c6c10c
MC		 1984{
1985#ifndef OPENSSL_NO_SRP
1986 PACKET prime, generator, salt, server_pub;
1987
1988 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1989 || !PACKET_get_length_prefixed_2(pkt, &generator)
1990 || !PACKET_get_length_prefixed_1(pkt, &salt)
1991 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
a2c2e000
MC		 1992 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
1993 SSL_R_LENGTH_MISMATCH);
25c6c10c
MC		 1994 return 0;
1995 }
1996
348240c6 1997 /* TODO(size_t): Convert BN_bin2bn() calls */
25c6c10c
MC		 1998 if ((s->srp_ctx.N =
1999 BN_bin2bn(PACKET_data(&prime),
348240c6 2000 (int)PACKET_remaining(&prime), NULL)) == NULL
25c6c10c
MC		 2001 || (s->srp_ctx.g =
2002 BN_bin2bn(PACKET_data(&generator),
348240c6 2003 (int)PACKET_remaining(&generator), NULL)) == NULL
25c6c10c
MC		 2004 || (s->srp_ctx.s =
2005 BN_bin2bn(PACKET_data(&salt),
348240c6 2006 (int)PACKET_remaining(&salt), NULL)) == NULL
25c6c10c
MC		 2007 || (s->srp_ctx.B =
2008 BN_bin2bn(PACKET_data(&server_pub),
348240c6 2009 (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
a2c2e000
MC		 2010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
2011 ERR_R_BN_LIB);
25c6c10c
MC		 2012 return 0;
2013 }
2014
a2c2e000
MC		 2015 if (!srp_verify_server_param(s)) {
2016 /* SSLfatal() already called */
25c6c10c
MC		 2017 return 0;
2018 }
2019
2020 /* We must check if there is a certificate */
a230b26e 2021 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
25c6c10c
MC		 2022 *pkey = X509_get0_pubkey(s->session->peer);
2023
2024 return 1;
2025#else
a2c2e000
MC		 2026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
2027 ERR_R_INTERNAL_ERROR);
25c6c10c
MC		 2028 return 0;
2029#endif
2030}
2031
a2c2e000 2032static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
e01a610d
MC		 2033{
2034#ifndef OPENSSL_NO_DH
2035 PACKET prime, generator, pub_key;
2036 EVP_PKEY *peer_tmp = NULL;
2037
2038 DH *dh = NULL;
2039 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
2040
26505153
RL		 2041 int check_bits = 0;
2042
e01a610d
MC		 2043 if (!PACKET_get_length_prefixed_2(pkt, &prime)
2044 || !PACKET_get_length_prefixed_2(pkt, &generator)
2045 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
a2c2e000
MC		 2046 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2047 SSL_R_LENGTH_MISMATCH);
e01a610d
MC		 2048 return 0;
2049 }
2050
2051 peer_tmp = EVP_PKEY_new();
2052 dh = DH_new();
2053
2054 if (peer_tmp == NULL || dh == NULL) {
a2c2e000
MC		 2055 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2056 ERR_R_MALLOC_FAILURE);
e01a610d
MC		 2057 goto err;
2058 }
2059
348240c6
MC		 2060 /* TODO(size_t): Convert these calls */
2061 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
2062 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2063 NULL);
2064 bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2065 (int)PACKET_remaining(&pub_key), NULL);
e01a610d 2066 if (p == NULL || g == NULL || bnpub_key == NULL) {
a2c2e000
MC		 2067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2068 ERR_R_BN_LIB);
e01a610d
MC		 2069 goto err;
2070 }
2071
69687aa8 2072 /* test non-zero pubkey */
26505153 2073 if (BN_is_zero(bnpub_key)) {
a2c2e000
MC		 2074 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE,
2075 SSL_R_BAD_DH_VALUE);
e01a610d
MC		 2076 goto err;
2077 }
2078
2079 if (!DH_set0_pqg(dh, p, NULL, g)) {
a2c2e000
MC		 2080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2081 ERR_R_BN_LIB);
e01a610d
MC		 2082 goto err;
2083 }
2084 p = g = NULL;
2085
26505153 2086 if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
a2c2e000
MC		 2087 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE,
2088 SSL_R_BAD_DH_VALUE);
26505153
RL		 2089 goto err;
2090 }
2091
e01a610d 2092 if (!DH_set0_key(dh, bnpub_key, NULL)) {
a2c2e000
MC		 2093 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2094 ERR_R_BN_LIB);
e01a610d
MC		 2095 goto err;
2096 }
2097 bnpub_key = NULL;
2098
2099 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
a2c2e000
MC		 2100 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
2101 SSL_R_DH_KEY_TOO_SMALL);
e01a610d
MC		 2102 goto err;
2103 }
2104
2105 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
a2c2e000
MC		 2106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2107 ERR_R_EVP_LIB);
e01a610d
MC		 2108 goto err;
2109 }
2110
2111 s->s3->peer_tmp = peer_tmp;
2112
2113 /*
2114 * FIXME: This makes assumptions about which ciphersuites come with
2115 * public keys. We should have a less ad-hoc way of doing this
2116 */
a230b26e 2117 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
e01a610d
MC		 2118 *pkey = X509_get0_pubkey(s->session->peer);
2119 /* else anonymous DH, so no certificate or pkey. */
2120
2121 return 1;
2122
2123 err:
2124 BN_free(p);
2125 BN_free(g);
2126 BN_free(bnpub_key);
2127 DH_free(dh);
2128 EVP_PKEY_free(peer_tmp);
2129
2130 return 0;
2131#else
a2c2e000
MC		 2132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2133 ERR_R_INTERNAL_ERROR);
e01a610d
MC		 2134 return 0;
2135#endif
2136}
2137
a2c2e000 2138static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
ff74aeb1
MC		 2139{
2140#ifndef OPENSSL_NO_EC
2141 PACKET encoded_pt;
6447e818 2142 unsigned int curve_type, curve_id;
ff74aeb1
MC		 2143
2144 /*
2145 * Extract elliptic curve parameters and the server's ephemeral ECDH
6447e818 2146 * public key. We only support named (not generic) curves and
ff74aeb1
MC		 2147 * ECParameters in this case is just three bytes.
2148 */
6447e818 2149 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
a2c2e000
MC		 2150 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2151 SSL_R_LENGTH_TOO_SHORT);
ff74aeb1
MC		 2152 return 0;
2153 }
2154 /*
6447e818
DSH		 2155 * Check curve is named curve type and one of our preferences, if not
2156 * server has sent an invalid curve.
ff74aeb1 2157 */
6447e818 2158 if (curve_type != NAMED_CURVE_TYPE || !tls1_check_group_id(s, curve_id)) {
a2c2e000
MC		 2159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE,
2160 SSL_R_WRONG_CURVE);
ff74aeb1
MC		 2161 return 0;
2162 }
2163
6447e818 2164 if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) {
a2c2e000
MC		 2165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2166 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
ff74aeb1
MC		 2167 return 0;
2168 }
2169
ff74aeb1 2170 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
a2c2e000
MC		 2171 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2172 SSL_R_LENGTH_MISMATCH);
ff74aeb1
MC		 2173 return 0;
2174 }
2175
ec24630a
DSH		 2176 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
2177 PACKET_data(&encoded_pt),
2178 PACKET_remaining(&encoded_pt))) {
a2c2e000
MC		 2179 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE,
2180 SSL_R_BAD_ECPOINT);
ff74aeb1
MC		 2181 return 0;
2182 }
2183
2184 /*
2185 * The ECC/TLS specification does not mention the use of DSA to sign
2186 * ECParameters in the server key exchange message. We do support RSA
2187 * and ECDSA.
2188 */
2189 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA)
2190 *pkey = X509_get0_pubkey(s->session->peer);
2191 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA)
2192 *pkey = X509_get0_pubkey(s->session->peer);
2193 /* else anonymous ECDH, so no certificate or pkey. */
2194
2195 return 1;
2196#else
a2c2e000
MC		 2197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2198 ERR_R_INTERNAL_ERROR);
ff74aeb1
MC		 2199 return 0;
2200#endif
2201}
2202
be3583fa 2203MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
b9908bf9 2204{
e1e588ac 2205 long alg_k;
b9908bf9 2206 EVP_PKEY *pkey = NULL;
fe3066ee
MC		 2207 EVP_MD_CTX *md_ctx = NULL;
2208 EVP_PKEY_CTX *pctx = NULL;
73999b62 2209 PACKET save_param_start, signature;
b9908bf9 2210
b9908bf9
MC		 2211 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2212
73999b62 2213 save_param_start = *pkt;
8d92c1f8 2214
3260adf1 2215#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
61dd9f7a
DSH		 2216 EVP_PKEY_free(s->s3->peer_tmp);
2217 s->s3->peer_tmp = NULL;
3260adf1 2218#endif
d02b48c6 2219
7689082b 2220 if (alg_k & SSL_PSK) {
a2c2e000
MC		 2221 if (!tls_process_ske_psk_preamble(s, pkt)) {
2222 /* SSLfatal() already called */
7dc1c647 2223 goto err;
a2c2e000 2224 }
7689082b
DSH		 2225 }
2226
2227 /* Nothing else to do for plain PSK or RSAPSK */
2228 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
25c6c10c 2229 } else if (alg_k & SSL_kSRP) {
a2c2e000
MC		 2230 if (!tls_process_ske_srp(s, pkt, &pkey)) {
2231 /* SSLfatal() already called */
0f113f3e 2232 goto err;
a2c2e000 2233 }
e01a610d 2234 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
a2c2e000
MC		 2235 if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2236 /* SSLfatal() already called */
e01a610d 2237 goto err;
a2c2e000 2238 }
ff74aeb1 2239 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
a2c2e000
MC		 2240 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2241 /* SSLfatal() already called */
ff74aeb1 2242 goto err;
a2c2e000 2243 }
0f113f3e 2244 } else if (alg_k) {
a2c2e000
MC		 2245 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2246 SSL_R_UNEXPECTED_MESSAGE);
e1e588ac 2247 goto err;
0f113f3e 2248 }
0f113f3e 2249
0f113f3e
MC		 2250 /* if it was signed, check the signature */
2251 if (pkey != NULL) {
32942870 2252 PACKET params;
be8dba2c
MC		 2253 int maxsig;
2254 const EVP_MD *md = NULL;
72ceb6a6
DSH		 2255 unsigned char *tbs;
2256 size_t tbslen;
2257 int rv;
e1e588ac 2258
32942870
EK		 2259 /*
2260 * |pkt| now points to the beginning of the signature, so the difference
2261 * equals the length of the parameters.
2262 */
2263 if (!PACKET_get_sub_packet(&save_param_start, &params,
2264 PACKET_remaining(&save_param_start) -
73999b62 2265 PACKET_remaining(pkt))) {
a2c2e000
MC		 2266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2267 ERR_R_INTERNAL_ERROR);
e1e588ac 2268 goto err;
32942870
EK		 2269 }
2270
0f113f3e 2271 if (SSL_USE_SIGALGS(s)) {
703bcee0 2272 unsigned int sigalg;
703bcee0
MC		 2273
2274 if (!PACKET_get_net_2(pkt, &sigalg)) {
a2c2e000
MC		 2275 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2276 SSL_R_LENGTH_TOO_SHORT);
e1e588ac 2277 goto err;
0f113f3e 2278 }
f63a17d6
MC		 2279 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2280 /* SSLfatal() already called */
0f113f3e 2281 goto err;
0f113f3e 2282 }
f365a3e2 2283 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
a2c2e000
MC		 2284 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2285 ERR_R_INTERNAL_ERROR);
f365a3e2 2286 goto err;
32942870 2287 }
0f113f3e 2288
b2021556 2289 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
a2c2e000
MC		 2290 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2291 ERR_R_INTERNAL_ERROR);
b2021556
DSH		 2292 goto err;
2293 }
44f23cd2
RS		 2294#ifdef SSL_DEBUG
2295 if (SSL_USE_SIGALGS(s))
2296 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
2297#endif
f365a3e2 2298
73999b62
MC		 2299 if (!PACKET_get_length_prefixed_2(pkt, &signature)
2300 || PACKET_remaining(pkt) != 0) {
a2c2e000
MC		 2301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2302 SSL_R_LENGTH_MISMATCH);
e1e588ac 2303 goto err;
0f113f3e 2304 }
be8dba2c
MC		 2305 maxsig = EVP_PKEY_size(pkey);
2306 if (maxsig < 0) {
a2c2e000
MC		 2307 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2308 ERR_R_INTERNAL_ERROR);
e1e588ac 2309 goto err;
8098fc56 2310 }
0f113f3e
MC		 2311
2312 /*
8098fc56 2313 * Check signature length
0f113f3e 2314 */
be8dba2c 2315 if (PACKET_remaining(&signature) > (size_t)maxsig) {
0f113f3e 2316 /* wrong packet length */
a2c2e000 2317 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
a230b26e 2318 SSL_R_WRONG_SIGNATURE_LENGTH);
e1e588ac
MC		 2319 goto err;
2320 }
2321
2322 md_ctx = EVP_MD_CTX_new();
2323 if (md_ctx == NULL) {
a2c2e000 2324 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
dd5a4279 2325 ERR_R_MALLOC_FAILURE);
e1e588ac 2326 goto err;
0f113f3e 2327 }
e1e588ac 2328
fe3066ee 2329 if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
a2c2e000
MC		 2330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2331 ERR_R_EVP_LIB);
fe3066ee
MC		 2332 goto err;
2333 }
5554facb 2334 if (SSL_USE_PSS(s)) {
fe3066ee 2335 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
91410d40 2336 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
968ae5b3 2337 RSA_PSS_SALTLEN_DIGEST) <= 0) {
a2c2e000
MC		 2338 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2339 SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
fe3066ee
MC		 2340 goto err;
2341 }
2342 }
72ceb6a6
DSH		 2343 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2344 PACKET_remaining(&params));
2345 if (tbslen == 0) {
f63a17d6 2346 /* SSLfatal() already called */
e1e588ac 2347 goto err;
192e4bbb 2348 }
72ceb6a6
DSH		 2349
2350 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2351 PACKET_remaining(&signature), tbs, tbslen);
2352 OPENSSL_free(tbs);
cfba0675 2353 if (rv <= 0) {
a2c2e000
MC		 2354 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2355 SSL_R_BAD_SIGNATURE);
e1e588ac 2356 goto err;
0f113f3e 2357 }
e1e588ac 2358 EVP_MD_CTX_free(md_ctx);
fe3066ee 2359 md_ctx = NULL;
0f113f3e 2360 } else {
7689082b 2361 /* aNULL, aSRP or PSK do not need public keys */
e1e588ac 2362 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
a230b26e 2363 && !(alg_k & SSL_PSK)) {
0f113f3e 2364 /* Might be wrong key type, check it */
e1e588ac 2365 if (ssl3_check_cert_and_algorithm(s)) {
a2c2e000
MC		 2366 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2367 SSL_R_BAD_DATA);
e1e588ac 2368 }
a2c2e000 2369 /* else this shouldn't happen, SSLfatal() already called */
0f113f3e
MC		 2370 goto err;
2371 }
2372 /* still data left over */
73999b62 2373 if (PACKET_remaining(pkt) != 0) {
a2c2e000
MC		 2374 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2375 SSL_R_EXTRA_DATA_IN_MESSAGE);
e1e588ac 2376 goto err;
0f113f3e
MC		 2377 }
2378 }
e1e588ac 2379
b9908bf9 2380 return MSG_PROCESS_CONTINUE_READING;
0f113f3e 2381 err:
fe3066ee 2382 EVP_MD_CTX_free(md_ctx);
b9908bf9 2383 return MSG_PROCESS_ERROR;
0f113f3e 2384}
d02b48c6 2385
be3583fa 2386MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
b9908bf9 2387{
32f66107
DSH		 2388 size_t i;
2389
2390 /* Clear certificate validity flags */
2391 for (i = 0; i < SSL_PKEY_NUM; i++)
2392 s->s3->tmp.valid_flags[i] = 0;
0f113f3e 2393
03f44b97 2394 if (SSL_IS_TLS13(s)) {
32f66107
DSH		 2395 PACKET reqctx, extensions;
2396 RAW_EXTENSION *rawexts = NULL;
03f44b97
DSH		 2397
2398 /* Free and zero certificate types: it is not present in TLS 1.3 */
2399 OPENSSL_free(s->s3->tmp.ctype);
2400 s->s3->tmp.ctype = NULL;
2401 s->s3->tmp.ctype_len = 0;
32f66107 2402
03f44b97
DSH		 2403 /* TODO(TLS1.3) need to process request context, for now ignore */
2404 if (!PACKET_get_length_prefixed_1(pkt, &reqctx)) {
f63a17d6
MC		 2405 SSLfatal(s, SSL_AD_DECODE_ERROR,
2406 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2407 SSL_R_LENGTH_MISMATCH);
2408 return MSG_PROCESS_ERROR;
03f44b97 2409 }
32f66107
DSH		 2410
2411 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
f63a17d6
MC		 2412 SSLfatal(s, SSL_AD_DECODE_ERROR,
2413 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2414 SSL_R_BAD_LENGTH);
2415 return MSG_PROCESS_ERROR;
32f66107
DSH		 2416 }
2417 if (!tls_collect_extensions(s, &extensions,
fe874d27 2418 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
f63a17d6 2419 &rawexts, NULL, 1)
fe874d27 2420 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
f63a17d6
MC		 2421 rawexts, NULL, 0, 1)) {
2422 /* SSLfatal() already called */
32f66107 2423 OPENSSL_free(rawexts);
f63a17d6 2424 return MSG_PROCESS_ERROR;
32f66107
DSH		 2425 }
2426 OPENSSL_free(rawexts);
2427 if (!tls1_process_sigalgs(s)) {
f63a17d6
MC		 2428 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2429 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2430 SSL_R_BAD_LENGTH);
2431 return MSG_PROCESS_ERROR;
32f66107 2432 }
03f44b97
DSH		 2433 } else {
2434 PACKET ctypes;
75c13e78 2435
03f44b97
DSH		 2436 /* get the certificate types */
2437 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
f63a17d6
MC		 2438 SSLfatal(s, SSL_AD_DECODE_ERROR,
2439 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2440 SSL_R_LENGTH_MISMATCH);
2441 return MSG_PROCESS_ERROR;
03f44b97
DSH		 2442 }
2443
2444 if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) {
f63a17d6
MC		 2445 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2446 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2447 ERR_R_INTERNAL_ERROR);
2448 return MSG_PROCESS_ERROR;
03f44b97 2449 }
ac112332 2450
32f66107
DSH		 2451 if (SSL_USE_SIGALGS(s)) {
2452 PACKET sigalgs;
703bcee0 2453
32f66107 2454 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
f63a17d6
MC		 2455 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2456 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2457 SSL_R_LENGTH_MISMATCH);
2458 return MSG_PROCESS_ERROR;
32f66107 2459 }
ac112332 2460
32f66107 2461 if (!tls1_save_sigalgs(s, &sigalgs)) {
f63a17d6
MC		 2462 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2463 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2464 SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2465 return MSG_PROCESS_ERROR;
32f66107
DSH		 2466 }
2467 if (!tls1_process_sigalgs(s)) {
f63a17d6
MC		 2468 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2469 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2470 ERR_R_MALLOC_FAILURE);
2471 return MSG_PROCESS_ERROR;
32f66107 2472 }
0f113f3e 2473 }
0f113f3e 2474
32f66107 2475 /* get the CA RDNs */
f63a17d6
MC		 2476 if (!parse_ca_names(s, pkt)) {
2477 /* SSLfatal() already called */
2478 return MSG_PROCESS_ERROR;
2479 }
03f44b97
DSH		 2480 }
2481
2482 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 2483 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2484 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2485 SSL_R_LENGTH_MISMATCH);
2486 return MSG_PROCESS_ERROR;
03f44b97 2487 }
0f113f3e 2488
0f113f3e
MC		 2489 /* we should setup a certificate to return.... */
2490 s->s3->tmp.cert_req = 1;
0f113f3e 2491
f63a17d6 2492 return MSG_PROCESS_CONTINUE_PROCESSING;
0f113f3e
MC		 2493}
2494
be3583fa 2495MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
b9908bf9 2496{
b9908bf9 2497 unsigned int ticklen;
9ac6244b 2498 unsigned long ticket_lifetime_hint, age_add = 0;
ec60ccc1 2499 unsigned int sess_len;
de1df7e9 2500 RAW_EXTENSION *exts = NULL;
9b6a8254 2501 PACKET nonce;
b9908bf9 2502
73999b62 2503 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
9b6a8254
MC		 2504 || (SSL_IS_TLS13(s)
2505 && (!PACKET_get_net_4(pkt, &age_add)
2506 || !PACKET_get_length_prefixed_1(pkt, &nonce)
9b6a8254
MC		 2507 || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
2508 &s->session->ext.tick_nonce_len)))
a230b26e 2509 || !PACKET_get_net_2(pkt, &ticklen)
de1df7e9 2510 || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
1f5b44e9
MC		 2511 || (SSL_IS_TLS13(s)
2512 && (ticklen == 0 || PACKET_remaining(pkt) < ticklen))) {
f63a17d6
MC		 2513 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2514 SSL_R_LENGTH_MISMATCH);
2515 goto err;
e711da71
EK		 2516 }
2517
de1df7e9
MC		 2518 /*
2519 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2520 * ticket. We already checked this TLSv1.3 case above, so it should never
2521 * be 0 here in that instance
2522 */
e711da71 2523 if (ticklen == 0)
c9de4a20 2524 return MSG_PROCESS_CONTINUE_READING;
e711da71 2525
150840b9
MC		 2526 /*
2527 * Sessions must be immutable once they go into the session cache. Otherwise
2528 * we can get multi-thread problems. Therefore we don't "update" sessions,
2529 * we replace them with a duplicate. In TLSv1.3 we need to do this every
2530 * time a NewSessionTicket arrives because those messages arrive
2531 * post-handshake and the session may have already gone into the session
2532 * cache.
2533 */
2534 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
98ece4ee
MC		 2535 int i = s->session_ctx->session_cache_mode;
2536 SSL_SESSION *new_sess;
2537 /*
2538 * We reused an existing session, so we need to replace it with a new
2539 * one
2540 */
5d61491c 2541 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
f63a17d6
MC		 2542 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2543 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2544 ERR_R_MALLOC_FAILURE);
2545 goto err;
5d61491c
MC		 2546 }
2547
98ece4ee
MC		 2548 if (i & SSL_SESS_CACHE_CLIENT) {
2549 /*
e4612d02 2550 * Remove the old session from the cache. We carry on if this fails
98ece4ee 2551 */
e4612d02 2552 SSL_CTX_remove_session(s->session_ctx, s->session);
98ece4ee
MC		 2553 }
2554
98ece4ee
MC		 2555 SSL_SESSION_free(s->session);
2556 s->session = new_sess;
2557 }
2558
fc24f0bf
MC		 2559 /*
2560 * Technically the cast to long here is not guaranteed by the C standard -
2561 * but we use it elsewhere, so this should be ok.
2562 */
2563 s->session->time = (long)time(NULL);
2564
aff8c126
RS		 2565 OPENSSL_free(s->session->ext.tick);
2566 s->session->ext.tick = NULL;
2567 s->session->ext.ticklen = 0;
e711da71 2568
aff8c126
RS		 2569 s->session->ext.tick = OPENSSL_malloc(ticklen);
2570 if (s->session->ext.tick == NULL) {
f63a17d6
MC		 2571 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2572 ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 2573 goto err;
2574 }
aff8c126 2575 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
f63a17d6
MC		 2576 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2577 SSL_R_LENGTH_MISMATCH);
2578 goto err;
561e12bb 2579 }
e711da71 2580
aff8c126 2581 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
fc24f0bf 2582 s->session->ext.tick_age_add = age_add;
aff8c126 2583 s->session->ext.ticklen = ticklen;
de1df7e9
MC		 2584
2585 if (SSL_IS_TLS13(s)) {
2586 PACKET extpkt;
2587
2588 if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
26b9172a 2589 || PACKET_remaining(pkt) != 0
de1df7e9 2590 || !tls_collect_extensions(s, &extpkt,
fe874d27 2591 SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
f63a17d6 2592 &exts, NULL, 1)
fe874d27
MC		 2593 || !tls_parse_all_extensions(s,
2594 SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
f63a17d6
MC		 2595 exts, NULL, 0, 1)) {
2596 /* SSLfatal() already called */
2597 goto err;
de1df7e9
MC		 2598 }
2599 }
2600
0f113f3e
MC		 2601 /*
2602 * There are two ways to detect a resumed ticket session. One is to set
2603 * an appropriate session ID and then the server must return a match in
2604 * ServerHello. This allows the normal client session ID matching to work
2605 * and we know much earlier that the ticket has been accepted. The
2606 * other way is to set zero length session ID when the ticket is
2607 * presented and rely on the handshake to determine session resumption.
2608 * We choose the former approach because this fits in with assumptions
2609 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
2610 * SHA256 is disabled) hash of the ticket.
2611 */
ec60ccc1
MC		 2612 /*
2613 * TODO(size_t): we use sess_len here because EVP_Digest expects an int
2614 * but s->session->session_id_length is a size_t
2615 */
aff8c126 2616 if (!EVP_Digest(s->session->ext.tick, ticklen,
ec60ccc1 2617 s->session->session_id, &sess_len,
d166ed8c 2618 EVP_sha256(), NULL)) {
f63a17d6
MC		 2619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2620 ERR_R_EVP_LIB);
d166ed8c
DSH		 2621 goto err;
2622 }
ec60ccc1 2623 s->session->session_id_length = sess_len;
de1df7e9
MC		 2624
2625 /* This is a standalone message in TLSv1.3, so there is no more to read */
2626 if (SSL_IS_TLS13(s)) {
33d93417 2627 OPENSSL_free(exts);
de1df7e9
MC		 2628 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
2629 return MSG_PROCESS_FINISHED_READING;
2630 }
2631
b9908bf9 2632 return MSG_PROCESS_CONTINUE_READING;
0f113f3e 2633 err:
33d93417 2634 OPENSSL_free(exts);
b9908bf9 2635 return MSG_PROCESS_ERROR;
0f113f3e 2636}
67c8e7f4 2637
f63e4288
MC		 2638/*
2639 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
f63a17d6 2640 * parse a separate message. Returns 1 on success or 0 on failure
f63e4288 2641 */
f63a17d6 2642int tls_process_cert_status_body(SSL *s, PACKET *pkt)
b9908bf9 2643{
8b0e934a 2644 size_t resplen;
b9908bf9 2645 unsigned int type;
b9908bf9 2646
73999b62 2647 if (!PACKET_get_1(pkt, &type)
a230b26e 2648 || type != TLSEXT_STATUSTYPE_ocsp) {
f63a17d6
MC		 2649 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2650 SSL_R_UNSUPPORTED_STATUS_TYPE);
f63e4288 2651 return 0;
0f113f3e 2652 }
56a26ce3
MC		 2653 if (!PACKET_get_net_3_len(pkt, &resplen)
2654 || PACKET_remaining(pkt) != resplen) {
f63a17d6
MC		 2655 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2656 SSL_R_LENGTH_MISMATCH);
f63e4288 2657 return 0;
0f113f3e 2658 }
8cbfcc70
RS		 2659 s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2660 if (s->ext.ocsp.resp == NULL) {
f63a17d6
MC		 2661 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2662 ERR_R_MALLOC_FAILURE);
f63e4288 2663 return 0;
0f113f3e 2664 }
8cbfcc70 2665 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
f63a17d6
MC		 2666 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2667 SSL_R_LENGTH_MISMATCH);
f63e4288 2668 return 0;
ac63710a 2669 }
8cbfcc70 2670 s->ext.ocsp.resp_len = resplen;
f63e4288
MC		 2671
2672 return 1;
2673}
2faa1b48 2674
f63e4288
MC		 2675
2676MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2677{
f63a17d6
MC		 2678 if (!tls_process_cert_status_body(s, pkt)) {
2679 /* SSLfatal() already called */
f63e4288
MC		 2680 return MSG_PROCESS_ERROR;
2681 }
2682
b9908bf9 2683 return MSG_PROCESS_CONTINUE_READING;
0f113f3e 2684}
d02b48c6 2685
7776a36c
MC		 2686/*
2687 * Perform miscellaneous checks and processing after we have received the
2688 * server's initial flight. In TLS1.3 this is after the Server Finished message.
6530c490
MC		 2689 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2690 * on failure.
7776a36c 2691 */
f63a17d6 2692int tls_process_initial_server_flight(SSL *s)
b9908bf9 2693{
a455d0f6
MC		 2694 /*
2695 * at this point we check that we have the required stuff from
2696 * the server
2697 */
2698 if (!ssl3_check_cert_and_algorithm(s)) {
f63a17d6 2699 /* SSLfatal() already called */
7776a36c 2700 return 0;
a455d0f6
MC		 2701 }
2702
bb1aaab4 2703 /*
aff8c126
RS		 2704 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2705 * |ext.ocsp.resp_len| values will be set if we actually received a status
bb1aaab4
MC		 2706 * message, or NULL and -1 otherwise
2707 */
aff8c126
RS		 2708 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2709 && s->ctx->ext.status_cb != NULL) {
2710 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2711
bb1aaab4 2712 if (ret == 0) {
f63a17d6
MC		 2713 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
2714 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
2715 SSL_R_INVALID_STATUS_RESPONSE);
7776a36c 2716 return 0;
bb1aaab4
MC		 2717 }
2718 if (ret < 0) {
f63a17d6
MC		 2719 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2720 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
dd5a4279 2721 ERR_R_MALLOC_FAILURE);
7776a36c 2722 return 0;
bb1aaab4
MC		 2723 }
2724 }
ed29e82a
RP		 2725#ifndef OPENSSL_NO_CT
2726 if (s->ct_validation_callback != NULL) {
43341433
VD		 2727 /* Note we validate the SCTs whether or not we abort on error */
2728 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
f63a17d6 2729 /* SSLfatal() already called */
7776a36c 2730 return 0;
ed29e82a
RP		 2731 }
2732 }
2733#endif
2734
7776a36c
MC		 2735 return 1;
2736}
2737
2738MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2739{
7776a36c
MC		 2740 if (PACKET_remaining(pkt) > 0) {
2741 /* should contain no data */
f63a17d6
MC		 2742 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
2743 SSL_R_LENGTH_MISMATCH);
2744 return MSG_PROCESS_ERROR;
7776a36c
MC		 2745 }
2746#ifndef OPENSSL_NO_SRP
2747 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2748 if (SRP_Calc_A_param(s) <= 0) {
f63a17d6
MC		 2749 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
2750 SSL_R_SRP_A_CALC);
2751 return MSG_PROCESS_ERROR;
7776a36c
MC		 2752 }
2753 }
2754#endif
2755
f63a17d6
MC		 2756 if (!tls_process_initial_server_flight(s)) {
2757 /* SSLfatal() already called */
2758 return MSG_PROCESS_ERROR;
2759 }
7776a36c 2760
bd79bcb4 2761 return MSG_PROCESS_FINISHED_READING;
0f113f3e 2762}
176f31dd 2763
a2c2e000 2764static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
0f113f3e 2765{
7689082b 2766#ifndef OPENSSL_NO_PSK
13c0ec4a
MC		 2767 int ret = 0;
2768 /*
2769 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2770 * \0-terminated identity. The last byte is for us for simulating
2771 * strnlen.
2772 */
2773 char identity[PSK_MAX_IDENTITY_LEN + 1];
2774 size_t identitylen = 0;
2775 unsigned char psk[PSK_MAX_PSK_LEN];
2776 unsigned char *tmppsk = NULL;
2777 char *tmpidentity = NULL;
2778 size_t psklen = 0;
2779
2780 if (s->psk_client_callback == NULL) {
a2c2e000
MC		 2781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2782 SSL_R_PSK_NO_CLIENT_CB);
13c0ec4a
MC		 2783 goto err;
2784 }
d02b48c6 2785
13c0ec4a 2786 memset(identity, 0, sizeof(identity));
d02b48c6 2787
13c0ec4a
MC		 2788 psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2789 identity, sizeof(identity) - 1,
2790 psk, sizeof(psk));
7689082b 2791
13c0ec4a 2792 if (psklen > PSK_MAX_PSK_LEN) {
a2c2e000
MC		 2793 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2794 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2795 goto err;
2796 } else if (psklen == 0) {
a2c2e000
MC		 2797 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2798 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2799 SSL_R_PSK_IDENTITY_NOT_FOUND);
13c0ec4a
MC		 2800 goto err;
2801 }
7689082b 2802
13c0ec4a
MC		 2803 identitylen = strlen(identity);
2804 if (identitylen > PSK_MAX_IDENTITY_LEN) {
a2c2e000
MC		 2805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2806 ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2807 goto err;
2808 }
7689082b 2809
13c0ec4a
MC		 2810 tmppsk = OPENSSL_memdup(psk, psklen);
2811 tmpidentity = OPENSSL_strdup(identity);
2812 if (tmppsk == NULL || tmpidentity == NULL) {
a2c2e000
MC		 2813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2814 ERR_R_MALLOC_FAILURE);
13c0ec4a
MC		 2815 goto err;
2816 }
7689082b 2817
13c0ec4a
MC		 2818 OPENSSL_free(s->s3->tmp.psk);
2819 s->s3->tmp.psk = tmppsk;
2820 s->s3->tmp.psklen = psklen;
2821 tmppsk = NULL;
2822 OPENSSL_free(s->session->psk_identity);
2823 s->session->psk_identity = tmpidentity;
2824 tmpidentity = NULL;
f1ec23c0 2825
b2b3024e 2826 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) {
a2c2e000
MC		 2827 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2828 ERR_R_INTERNAL_ERROR);
f1ec23c0
MC		 2829 goto err;
2830 }
7689082b 2831
13c0ec4a 2832 ret = 1;
0bce0b02 2833
13c0ec4a
MC		 2834 err:
2835 OPENSSL_cleanse(psk, psklen);
2836 OPENSSL_cleanse(identity, sizeof(identity));
2837 OPENSSL_clear_free(tmppsk, psklen);
2838 OPENSSL_clear_free(tmpidentity, identitylen);
d02b48c6 2839
13c0ec4a
MC		 2840 return ret;
2841#else
a2c2e000
MC		 2842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2843 ERR_R_INTERNAL_ERROR);
13c0ec4a 2844 return 0;
b9908bf9 2845#endif
13c0ec4a 2846}
b9908bf9 2847
a2c2e000 2848static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
13c0ec4a 2849{
bc36ee62 2850#ifndef OPENSSL_NO_RSA
f1ec23c0 2851 unsigned char *encdata = NULL;
13c0ec4a
MC		 2852 EVP_PKEY *pkey = NULL;
2853 EVP_PKEY_CTX *pctx = NULL;
2854 size_t enclen;
2855 unsigned char *pms = NULL;
2856 size_t pmslen = 0;
b9908bf9 2857
13c0ec4a
MC		 2858 if (s->session->peer == NULL) {
2859 /*
2860 * We should always have a server certificate with SSL_kRSA.
2861 */
a2c2e000
MC		 2862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2863 ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2864 return 0;
2865 }
0f113f3e 2866
13c0ec4a
MC		 2867 pkey = X509_get0_pubkey(s->session->peer);
2868 if (EVP_PKEY_get0_RSA(pkey) == NULL) {
a2c2e000
MC		 2869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2870 ERR_R_INTERNAL_ERROR);
13c0ec4a
MC		 2871 return 0;
2872 }
0f113f3e 2873
13c0ec4a
MC		 2874 pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2875 pms = OPENSSL_malloc(pmslen);
2876 if (pms == NULL) {
a2c2e000
MC		 2877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2878 ERR_R_MALLOC_FAILURE);
13c0ec4a
MC		 2879 return 0;
2880 }
0bce0b02 2881
13c0ec4a
MC		 2882 pms[0] = s->client_version >> 8;
2883 pms[1] = s->client_version & 0xff;
348240c6 2884 /* TODO(size_t): Convert this function */
ae3947de 2885 if (ssl_randbytes(s, pms + 2, (int)(pmslen - 2)) <= 0) {
a2c2e000
MC		 2886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2887 ERR_R_MALLOC_FAILURE);
13c0ec4a
MC		 2888 goto err;
2889 }
0f113f3e 2890
13c0ec4a 2891 /* Fix buf for TLS and beyond */
f1ec23c0 2892 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
a2c2e000
MC		 2893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2894 ERR_R_INTERNAL_ERROR);
f1ec23c0
MC		 2895 goto err;
2896 }
13c0ec4a
MC		 2897 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2898 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
2899 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
a2c2e000
MC		 2900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2901 ERR_R_EVP_LIB);
13c0ec4a
MC		 2902 goto err;
2903 }
f1ec23c0
MC		 2904 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2905 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
a2c2e000
MC		 2906 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2907 SSL_R_BAD_RSA_ENCRYPT);
13c0ec4a
MC		 2908 goto err;
2909 }
13c0ec4a
MC		 2910 EVP_PKEY_CTX_free(pctx);
2911 pctx = NULL;
0f113f3e 2912
13c0ec4a 2913 /* Fix buf for TLS and beyond */
f1ec23c0 2914 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
a2c2e000
MC		 2915 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2916 ERR_R_INTERNAL_ERROR);
f1ec23c0 2917 goto err;
b9908bf9 2918 }
13c0ec4a 2919
2faa1b48 2920 /* Log the premaster secret, if logging is enabled. */
a2c2e000
MC		 2921 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
2922 /* SSLfatal() already called */
2faa1b48 2923 goto err;
a2c2e000 2924 }
2faa1b48 2925
26fb4b03
RS		 2926 s->s3->tmp.pms = pms;
2927 s->s3->tmp.pmslen = pmslen;
2928
13c0ec4a
MC		 2929 return 1;
2930 err:
2931 OPENSSL_clear_free(pms, pmslen);
2932 EVP_PKEY_CTX_free(pctx);
2933
2934 return 0;
2935#else
a2c2e000
MC		 2936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2937 ERR_R_INTERNAL_ERROR);
13c0ec4a 2938 return 0;
f9b3bff6 2939#endif
13c0ec4a
MC		 2940}
2941
a2c2e000 2942static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
a8c1c704
MC		 2943{
2944#ifndef OPENSSL_NO_DH
2945 DH *dh_clnt = NULL;
2946 const BIGNUM *pub_key;
2947 EVP_PKEY *ckey = NULL, *skey = NULL;
f1ec23c0 2948 unsigned char *keybytes = NULL;
a8c1c704
MC		 2949
2950 skey = s->s3->peer_tmp;
a2c2e000
MC		 2951 if (skey == NULL) {
2952 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
2953 ERR_R_INTERNAL_ERROR);
f1ec23c0 2954 goto err;
a2c2e000 2955 }
f1ec23c0 2956
0a699a07 2957 ckey = ssl_generate_pkey(skey);
a2c2e000
MC		 2958 if (ckey == NULL) {
2959 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
2960 ERR_R_INTERNAL_ERROR);
b599ce3b 2961 goto err;
a2c2e000 2962 }
b599ce3b 2963
a8c1c704
MC		 2964 dh_clnt = EVP_PKEY_get0_DH(ckey);
2965
a2c2e000
MC		 2966 if (dh_clnt == NULL) {
2967 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
2968 ERR_R_INTERNAL_ERROR);
2969 goto err;
2970 }
2971
2972 if (ssl_derive(s, ckey, skey, 0) == 0) {
2973 /* SSLfatal() already called */
f1ec23c0 2974 goto err;
a2c2e000 2975 }
a8c1c704
MC		 2976
2977 /* send off the data */
2978 DH_get0_key(dh_clnt, &pub_key, NULL);
a2c2e000
MC		 2979 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
2980 &keybytes)) {
2981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
2982 ERR_R_INTERNAL_ERROR);
f1ec23c0 2983 goto err;
a2c2e000 2984 }
f1ec23c0
MC		 2985
2986 BN_bn2bin(pub_key, keybytes);
a8c1c704
MC		 2987 EVP_PKEY_free(ckey);
2988
2989 return 1;
f1ec23c0
MC		 2990 err:
2991 EVP_PKEY_free(ckey);
f9f674eb
MC		 2992 return 0;
2993#else
a2c2e000
MC		 2994 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
2995 ERR_R_INTERNAL_ERROR);
a8c1c704 2996 return 0;
f9f674eb 2997#endif
a8c1c704
MC		 2998}
2999
a2c2e000 3000static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
67ad5aab
MC		 3001{
3002#ifndef OPENSSL_NO_EC
3003 unsigned char *encodedPoint = NULL;
348240c6 3004 size_t encoded_pt_len = 0;
67ad5aab 3005 EVP_PKEY *ckey = NULL, *skey = NULL;
f1ec23c0 3006 int ret = 0;
67ad5aab
MC		 3007
3008 skey = s->s3->peer_tmp;
ec24630a 3009 if (skey == NULL) {
a2c2e000
MC		 3010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3011 ERR_R_INTERNAL_ERROR);
67ad5aab
MC		 3012 return 0;
3013 }
3014
0a699a07 3015 ckey = ssl_generate_pkey(skey);
b599ce3b 3016 if (ckey == NULL) {
a2c2e000
MC		 3017 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3018 ERR_R_MALLOC_FAILURE);
b599ce3b
MC		 3019 goto err;
3020 }
67ad5aab 3021
0f1e51ea 3022 if (ssl_derive(s, ckey, skey, 0) == 0) {
a2c2e000 3023 /* SSLfatal() already called */
67ad5aab
MC		 3024 goto err;
3025 }
3026
3027 /* Generate encoding of client key */
ec24630a 3028 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
67ad5aab
MC		 3029
3030 if (encoded_pt_len == 0) {
a2c2e000
MC		 3031 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3032 ERR_R_EC_LIB);
67ad5aab
MC		 3033 goto err;
3034 }
3035
b2b3024e 3036 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
a2c2e000
MC		 3037 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3038 ERR_R_INTERNAL_ERROR);
f1ec23c0
MC		 3039 goto err;
3040 }
67ad5aab 3041
f1ec23c0 3042 ret = 1;
67ad5aab 3043 err:
f1ec23c0 3044 OPENSSL_free(encodedPoint);
67ad5aab 3045 EVP_PKEY_free(ckey);
f1ec23c0 3046 return ret;
67ad5aab 3047#else
a2c2e000
MC		 3048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3049 ERR_R_INTERNAL_ERROR);
67ad5aab
MC		 3050 return 0;
3051#endif
3052}
3053
a2c2e000 3054static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
e00e0b3d
MC		 3055{
3056#ifndef OPENSSL_NO_GOST
3057 /* GOST key exchange message creation */
3058 EVP_PKEY_CTX *pkey_ctx = NULL;
3059 X509 *peer_cert;
3060 size_t msglen;
3061 unsigned int md_len;
3062 unsigned char shared_ukm[32], tmp[256];
3063 EVP_MD_CTX *ukm_hash = NULL;
3064 int dgst_nid = NID_id_GostR3411_94;
3065 unsigned char *pms = NULL;
3066 size_t pmslen = 0;
3067
3068 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
3069 dgst_nid = NID_id_GostR3411_2012_256;
3070
3071 /*
1ee4b98e 3072 * Get server certificate PKEY and create ctx from it
e00e0b3d
MC		 3073 */
3074 peer_cert = s->session->peer;
3075 if (!peer_cert) {
a2c2e000 3076 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST,
e00e0b3d
MC		 3077 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3078 return 0;
3079 }
3080
3081 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
3082 if (pkey_ctx == NULL) {
a2c2e000
MC		 3083 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3084 ERR_R_MALLOC_FAILURE);
e00e0b3d
MC		 3085 return 0;
3086 }
3087 /*
3088 * If we have send a certificate, and certificate key
3089 * parameters match those of server certificate, use
3090 * certificate key for key exchange
3091 */
3092
3093 /* Otherwise, generate ephemeral key pair */
3094 pmslen = 32;
3095 pms = OPENSSL_malloc(pmslen);
3096 if (pms == NULL) {
a2c2e000
MC		 3097 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3098 ERR_R_MALLOC_FAILURE);
2f3930bc 3099 goto err;
e00e0b3d
MC		 3100 }
3101
3102 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
348240c6
MC		 3103 /* Generate session key
3104 * TODO(size_t): Convert this function
3105 */
ae3947de 3106 || ssl_randbytes(s, pms, (int)pmslen) <= 0) {
a2c2e000
MC		 3107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3108 ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 3109 goto err;
3110 };
e00e0b3d
MC		 3111 /*
3112 * Compute shared IV and store it in algorithm-specific context
3113 * data
3114 */
3115 ukm_hash = EVP_MD_CTX_new();
3116 if (ukm_hash == NULL
a230b26e
EK		 3117 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
3118 || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
3119 SSL3_RANDOM_SIZE) <= 0
3120 || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
3121 SSL3_RANDOM_SIZE) <= 0
3122 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
a2c2e000
MC		 3123 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3124 ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 3125 goto err;
3126 }
3127 EVP_MD_CTX_free(ukm_hash);
3128 ukm_hash = NULL;
3129 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3130 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
a2c2e000
MC		 3131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3132 SSL_R_LIBRARY_BUG);
e00e0b3d
MC		 3133 goto err;
3134 }
3135 /* Make GOST keytransport blob message */
3136 /*
3137 * Encapsulate it into sequence
3138 */
e00e0b3d
MC		 3139 msglen = 255;
3140 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
a2c2e000
MC		 3141 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3142 SSL_R_LIBRARY_BUG);
e00e0b3d
MC		 3143 goto err;
3144 }
f1ec23c0 3145
08029dfa
MC		 3146 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
3147 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
b2b3024e 3148 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
a2c2e000
MC		 3149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3150 ERR_R_INTERNAL_ERROR);
f1ec23c0 3151 goto err;
e00e0b3d 3152 }
f1ec23c0 3153
e00e0b3d
MC		 3154 EVP_PKEY_CTX_free(pkey_ctx);
3155 s->s3->tmp.pms = pms;
3156 s->s3->tmp.pmslen = pmslen;
3157
3158 return 1;
3159 err:
3160 EVP_PKEY_CTX_free(pkey_ctx);
3161 OPENSSL_clear_free(pms, pmslen);
3162 EVP_MD_CTX_free(ukm_hash);
3163 return 0;
3164#else
a2c2e000
MC		 3165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3166 ERR_R_INTERNAL_ERROR);
e00e0b3d
MC		 3167 return 0;
3168#endif
3169}
3170
a2c2e000 3171static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
840a2bf8 3172{
8b9546c7 3173#ifndef OPENSSL_NO_SRP
f1ec23c0
MC		 3174 unsigned char *abytes = NULL;
3175
3176 if (s->srp_ctx.A == NULL
b2b3024e
MC		 3177 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
3178 &abytes)) {
a2c2e000
MC		 3179 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3180 ERR_R_INTERNAL_ERROR);
840a2bf8
MC		 3181 return 0;
3182 }
f1ec23c0
MC		 3183 BN_bn2bin(s->srp_ctx.A, abytes);
3184
840a2bf8
MC		 3185 OPENSSL_free(s->session->srp_username);
3186 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3187 if (s->session->srp_username == NULL) {
a2c2e000
MC		 3188 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3189 ERR_R_MALLOC_FAILURE);
840a2bf8
MC		 3190 return 0;
3191 }
3192
3193 return 1;
3194#else
a2c2e000
MC		 3195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3196 ERR_R_INTERNAL_ERROR);
840a2bf8
MC		 3197 return 0;
3198#endif
3199}
3200
7cea05dc 3201int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
13c0ec4a 3202{
13c0ec4a 3203 unsigned long alg_k;
13c0ec4a 3204
f1ec23c0 3205 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
13c0ec4a 3206
a2c2e000
MC		 3207 /*
3208 * All of the construct functions below call SSLfatal() if necessary so
3209 * no need to do so here.
3210 */
13c0ec4a 3211 if ((alg_k & SSL_PSK)
a2c2e000 3212 && !tls_construct_cke_psk_preamble(s, pkt))
13c0ec4a
MC		 3213 goto err;
3214
f1ec23c0 3215 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
a2c2e000 3216 if (!tls_construct_cke_rsa(s, pkt))
13c0ec4a 3217 goto err;
a8c1c704 3218 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
a2c2e000 3219 if (!tls_construct_cke_dhe(s, pkt))
b9908bf9 3220 goto err;
67ad5aab 3221 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
a2c2e000 3222 if (!tls_construct_cke_ecdhe(s, pkt))
ce0c1f2b 3223 goto err;
e00e0b3d 3224 } else if (alg_k & SSL_kGOST) {
a2c2e000 3225 if (!tls_construct_cke_gost(s, pkt))
a71edf3b 3226 goto err;
840a2bf8 3227 } else if (alg_k & SSL_kSRP) {
a2c2e000 3228 if (!tls_construct_cke_srp(s, pkt))
69f68237 3229 goto err;
4a424545 3230 } else if (!(alg_k & SSL_kPSK)) {
a2c2e000
MC		 3231 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3232 SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
b9908bf9
MC		 3233 goto err;
3234 }
3235
b9908bf9 3236 return 1;
0f113f3e 3237 err:
0bce0b02 3238 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
76106e60 3239 s->s3->tmp.pms = NULL;
7689082b
DSH		 3240#ifndef OPENSSL_NO_PSK
3241 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
3242 s->s3->tmp.psk = NULL;
0f113f3e 3243#endif
b9908bf9
MC		 3244 return 0;
3245}
3246
3247int tls_client_key_exchange_post_work(SSL *s)
3248{
3249 unsigned char *pms = NULL;
3250 size_t pmslen = 0;
3251
6f137370
MC		 3252 pms = s->s3->tmp.pms;
3253 pmslen = s->s3->tmp.pmslen;
3254
b9908bf9
MC		 3255#ifndef OPENSSL_NO_SRP
3256 /* Check for SRP */
3257 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
3258 if (!srp_generate_client_master_secret(s)) {
a2c2e000 3259 /* SSLfatal() already called */
b9908bf9
MC		 3260 goto err;
3261 }
3262 return 1;
3263 }
3264#endif
b9908bf9
MC		 3265
3266 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
a2c2e000
MC		 3267 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3268 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
b9908bf9
MC		 3269 goto err;
3270 }
3271 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
a2c2e000 3272 /* SSLfatal() already called */
6f137370
MC		 3273 /* ssl_generate_master_secret frees the pms even on error */
3274 pms = NULL;
3275 pmslen = 0;
b9908bf9
MC		 3276 goto err;
3277 }
6f137370
MC		 3278 pms = NULL;
3279 pmslen = 0;
473483d4
MC		 3280
3281#ifndef OPENSSL_NO_SCTP
3282 if (SSL_IS_DTLS(s)) {
3283 unsigned char sctpauthkey[64];
3284 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3285
3286 /*
3287 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3288 * used.
3289 */
141eb8c6
MC		 3290 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3291 sizeof(DTLS1_SCTP_AUTH_LABEL));
473483d4
MC		 3292
3293 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e 3294 sizeof(sctpauthkey), labelbuffer,
a2c2e000
MC		 3295 sizeof(labelbuffer), NULL, 0, 0) <= 0) {
3296 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
dd5a4279
MC		 3297 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
3298 ERR_R_INTERNAL_ERROR);
473483d4 3299 goto err;
a2c2e000 3300 }
473483d4
MC		 3301
3302 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3303 sizeof(sctpauthkey), sctpauthkey);
3304 }
3305#endif
3306
b9908bf9
MC		 3307 return 1;
3308 err:
3309 OPENSSL_clear_free(pms, pmslen);
3310 s->s3->tmp.pms = NULL;
3311 return 0;
0f113f3e 3312}
d02b48c6 3313
0f113f3e
MC		 3314/*
3315 * Check a certificate can be used for client authentication. Currently check
3316 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3317 * certificates can be used and optionally checks suitability for Suite B.
0d609395
DSH		 3318 */
3319static int ssl3_check_client_certificate(SSL *s)
0f113f3e 3320{
0f113f3e 3321 /* If no suitable signature algorithm can't use certificate */
f63a17d6 3322 if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL)
0f113f3e
MC		 3323 return 0;
3324 /*
3325 * If strict mode check suitability of chain before using it. This also
3326 * adjusts suite B digest if necessary.
3327 */
3328 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3329 !tls1_check_chain(s, NULL, NULL, NULL, -2))
3330 return 0;
0f113f3e
MC		 3331 return 1;
3332}
0d609395 3333
be3583fa 3334WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
0f113f3e
MC		 3335{
3336 X509 *x509 = NULL;
3337 EVP_PKEY *pkey = NULL;
3338 int i;
3339
b9908bf9 3340 if (wst == WORK_MORE_A) {
0f113f3e
MC		 3341 /* Let cert callback update client certificates if required */
3342 if (s->cert->cert_cb) {
3343 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3344 if (i < 0) {
3345 s->rwstate = SSL_X509_LOOKUP;
b9908bf9 3346 return WORK_MORE_A;
0f113f3e
MC		 3347 }
3348 if (i == 0) {
f63a17d6
MC		 3349 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3350 SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
3351 SSL_R_CALLBACK_FAILED);
eb5fd03b 3352 return WORK_ERROR;
0f113f3e
MC		 3353 }
3354 s->rwstate = SSL_NOTHING;
3355 }
3356 if (ssl3_check_client_certificate(s))
b9908bf9
MC		 3357 return WORK_FINISHED_CONTINUE;
3358
3359 /* Fall through to WORK_MORE_B */
3360 wst = WORK_MORE_B;
0f113f3e
MC		 3361 }
3362
3363 /* We need to get a client cert */
b9908bf9 3364 if (wst == WORK_MORE_B) {
0f113f3e
MC		 3365 /*
3366 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3367 * return(-1); We then get retied later
3368 */
0f113f3e
MC		 3369 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3370 if (i < 0) {
3371 s->rwstate = SSL_X509_LOOKUP;
b9908bf9 3372 return WORK_MORE_B;
0f113f3e
MC		 3373 }
3374 s->rwstate = SSL_NOTHING;
3375 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
0f113f3e
MC		 3376 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3377 i = 0;
3378 } else if (i == 1) {
3379 i = 0;
b9908bf9 3380 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
0f113f3e
MC		 3381 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3382 }
3383
222561fe 3384 X509_free(x509);
25aaa98a 3385 EVP_PKEY_free(pkey);
0f113f3e
MC		 3386 if (i && !ssl3_check_client_certificate(s))
3387 i = 0;
3388 if (i == 0) {
3389 if (s->version == SSL3_VERSION) {
3390 s->s3->tmp.cert_req = 0;
3391 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
b9908bf9 3392 return WORK_FINISHED_CONTINUE;
0f113f3e
MC		 3393 } else {
3394 s->s3->tmp.cert_req = 2;
124037fd 3395 if (!ssl3_digest_cached_records(s, 0)) {
f63a17d6 3396 /* SSLfatal() already called */
eb5fd03b 3397 return WORK_ERROR;
dab18ab5 3398 }
0f113f3e
MC		 3399 }
3400 }
3401
b9908bf9 3402 return WORK_FINISHED_CONTINUE;
0f113f3e
MC		 3403 }
3404
b9908bf9 3405 /* Shouldn't ever get here */
a2c2e000
MC		 3406 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
3407 ERR_R_INTERNAL_ERROR);
b9908bf9
MC		 3408 return WORK_ERROR;
3409}
3410
7cea05dc 3411int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
b9908bf9 3412{
e96e0f8e
MC		 3413 /*
3414 * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in
3415 * later
3416 */
f63a17d6
MC		 3417 if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
3418 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3419 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3420 return 0;
3421 }
3422 if (!ssl3_output_cert_chain(s, pkt,
3423 (s->s3->tmp.cert_req == 2) ? NULL
3424 : s->cert->key)) {
3425 /* SSLfatal() already called */
3426 return 0;
f7e393be
MC		 3427 }
3428
3429 if (SSL_IS_TLS13(s)
3430 && SSL_IS_FIRST_HANDSHAKE(s)
3431 && (!s->method->ssl3_enc->change_cipher_state(s,
3432 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
c31ad0bb 3433 /*
a2c2e000 3434 * This is a fatal error, which leaves enc_write_ctx in an inconsistent
f63a17d6 3435 * state and thus ssl3_send_alert may crash.
c31ad0bb 3436 */
f63a17d6 3437 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE,
dd5a4279 3438 SSL_R_CANNOT_CHANGE_CIPHER);
c31ad0bb 3439 return 0;
0f113f3e 3440 }
b9908bf9
MC		 3441
3442 return 1;
0f113f3e
MC		 3443}
3444
36d16f8e 3445int ssl3_check_cert_and_algorithm(SSL *s)
0f113f3e 3446{
dd24857b
DSH		 3447 const SSL_CERT_LOOKUP *clu;
3448 size_t idx;
0f113f3e 3449 long alg_k, alg_a;
d02b48c6 3450
0f113f3e
MC		 3451 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3452 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
d02b48c6 3453
0f113f3e 3454 /* we don't have a certificate */
dd24857b
DSH		 3455 if (!(alg_a & SSL_aCERT))
3456 return 1;
d02b48c6 3457
0f113f3e 3458 /* This is the passed certificate */
dd24857b 3459 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
d02b48c6 3460
dd24857b
DSH		 3461 /* Check certificate is recognised and suitable for cipher */
3462 if (clu == NULL || (alg_a & clu->amask) == 0) {
f63a17d6
MC		 3463 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3464 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3465 SSL_R_MISSING_SIGNING_CERT);
3466 return 0;
0f113f3e 3467 }
0f113f3e 3468
dd24857b
DSH		 3469#ifndef OPENSSL_NO_EC
3470 if (clu->amask & SSL_aECDSA) {
3471 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3472 return 1;
f63a17d6
MC		 3473 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3474 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3475 return 0;
0f113f3e 3476 }
d02b48c6 3477#endif
bc36ee62 3478#ifndef OPENSSL_NO_RSA
dd24857b 3479 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
f63a17d6
MC		 3480 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3481 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3482 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3483 return 0;
0f113f3e 3484 }
79df9d62 3485#endif
bc36ee62 3486#ifndef OPENSSL_NO_DH
fb79abe3 3487 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
f63a17d6
MC		 3488 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3489 ERR_R_INTERNAL_ERROR);
3490 return 0;
0f113f3e 3491 }
d02b48c6
RE		 3492#endif
3493
dd24857b 3494 return 1;
0f113f3e
MC		 3495}
3496
e481f9b9 3497#ifndef OPENSSL_NO_NEXTPROTONEG
7cea05dc 3498int tls_construct_next_proto(SSL *s, WPACKET *pkt)
b9908bf9 3499{
15e6be6c
MC		 3500 size_t len, padding_len;
3501 unsigned char *padding = NULL;
15e6be6c 3502
aff8c126 3503 len = s->ext.npn_len;
b9908bf9 3504 padding_len = 32 - ((len + 2) % 32);
15e6be6c 3505
aff8c126 3506 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
7cea05dc 3507 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
a2c2e000
MC		 3508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO,
3509 ERR_R_INTERNAL_ERROR);
3510 return 0;
15e6be6c
MC		 3511 }
3512
3513 memset(padding, 0, padding_len);
3514
b9908bf9
MC		 3515 return 1;
3516}
6434abbf 3517#endif
368888bc 3518
c7f47786
MC		 3519MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
3520{
3521 if (PACKET_remaining(pkt) > 0) {
3522 /* should contain no data */
f63a17d6
MC		 3523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ,
3524 SSL_R_LENGTH_MISMATCH);
c7f47786
MC		 3525 return MSG_PROCESS_ERROR;
3526 }
3527
db0f35dd
TS		 3528 if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
3529 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
3530 return MSG_PROCESS_FINISHED_READING;
3531 }
3532
c7f47786 3533 /*
1f04f23e
MC		 3534 * This is a historical discrepancy (not in the RFC) maintained for
3535 * compatibility reasons. If a TLS client receives a HelloRequest it will
3536 * attempt an abbreviated handshake. However if a DTLS client receives a
3537 * HelloRequest it will do a full handshake. Either behaviour is reasonable
3538 * but doing one for TLS and another for DTLS is odd.
c7f47786
MC		 3539 */
3540 if (SSL_IS_DTLS(s))
3541 SSL_renegotiate(s);
3542 else
3543 SSL_renegotiate_abbreviated(s);
3544
3545 return MSG_PROCESS_FINISHED_READING;
3546}
3547
e46f2334
MC		 3548static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3549{
e46f2334 3550 PACKET extensions;
3434f40b 3551 RAW_EXTENSION *rawexts = NULL;
e46f2334 3552
26b9172a
MC		 3553 if (!PACKET_as_length_prefixed_2(pkt, &extensions)
3554 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 3555 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS,
3556 SSL_R_LENGTH_MISMATCH);
e46f2334
MC		 3557 goto err;
3558 }
3559
fe874d27
MC		 3560 if (!tls_collect_extensions(s, &extensions,
3561 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
f63a17d6 3562 NULL, 1)
fe874d27 3563 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
f63a17d6
MC		 3564 rawexts, NULL, 0, 1)) {
3565 /* SSLfatal() already called */
3434f40b 3566 goto err;
f63a17d6 3567 }
3434f40b 3568
1b0286a3 3569 OPENSSL_free(rawexts);
e46f2334
MC		 3570 return MSG_PROCESS_CONTINUE_READING;
3571
3572 err:
1b0286a3 3573 OPENSSL_free(rawexts);
e46f2334
MC		 3574 return MSG_PROCESS_ERROR;
3575}
3576
368888bc 3577int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
0f113f3e
MC		 3578{
3579 int i = 0;
368888bc 3580#ifndef OPENSSL_NO_ENGINE
0f113f3e
MC		 3581 if (s->ctx->client_cert_engine) {
3582 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3583 SSL_get_client_CA_list(s),
3584 px509, ppkey, NULL, NULL, NULL);
3585 if (i != 0)
3586 return i;
3587 }
3588#endif
3589 if (s->ctx->client_cert_cb)
3590 i = s->ctx->client_cert_cb(s, px509, ppkey);
3591 return i;
3592}
d45ba43d 3593
ae2f7b37 3594int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
d45ba43d 3595{
2c7b4dbc 3596 int i;
aafec89c 3597 size_t totlen = 0, len, maxlen, maxverok = 0;
d45ba43d
MC		 3598 int empty_reneg_info_scsv = !s->renegotiate;
3599 /* Set disabled masks for this session */
3600 ssl_set_client_disabled(s);
3601
f63a17d6
MC		 3602 if (sk == NULL) {
3603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3604 ERR_R_INTERNAL_ERROR);
26a7d938 3605 return 0;
f63a17d6 3606 }
d45ba43d 3607
2c7b4dbc
MC		 3608#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3609# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3610# error Max cipher length too short
3611# endif
3612 /*
3613 * Some servers hang if client hello > 256 bytes as hack workaround
3614 * chop number of supported ciphers to keep it well below this if we
3615 * use TLS v1.2
3616 */
3617 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3618 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3619 else
3620#endif
3621 /* Maximum length that can be stored in 2 bytes. Length must be even */
3622 maxlen = 0xfffe;
3623
3624 if (empty_reneg_info_scsv)
3625 maxlen -= 2;
3626 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
3627 maxlen -= 2;
3628
3629 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
3630 const SSL_CIPHER *c;
3631
d45ba43d
MC		 3632 c = sk_SSL_CIPHER_value(sk, i);
3633 /* Skip disabled ciphers */
8af91fd9 3634 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
d45ba43d 3635 continue;
2c7b4dbc
MC		 3636
3637 if (!s->method->put_cipher_by_char(c, pkt, &len)) {
f63a17d6
MC		 3638 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3639 ERR_R_INTERNAL_ERROR);
2c7b4dbc
MC		 3640 return 0;
3641 }
3642
aafec89c
MC		 3643 /* Sanity check that the maximum version we offer has ciphers enabled */
3644 if (!maxverok) {
3645 if (SSL_IS_DTLS(s)) {
3646 if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
3647 && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
3648 maxverok = 1;
3649 } else {
3650 if (c->max_tls >= s->s3->tmp.max_ver
3651 && c->min_tls <= s->s3->tmp.max_ver)
3652 maxverok = 1;
3653 }
3654 }
3655
2c7b4dbc 3656 totlen += len;
d45ba43d 3657 }
2c7b4dbc 3658
aafec89c 3659 if (totlen == 0 || !maxverok) {
f63a17d6
MC		 3660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3661 SSL_R_NO_CIPHERS_AVAILABLE);
aafec89c
MC		 3662
3663 if (!maxverok)
3664 ERR_add_error_data(1, "No ciphers enabled for max supported "
3665 "SSL/TLS version");
3666
2c7b4dbc
MC		 3667 return 0;
3668 }
3669
3670 if (totlen != 0) {
d45ba43d
MC		 3671 if (empty_reneg_info_scsv) {
3672 static SSL_CIPHER scsv = {
bbb4ceb8 3673 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
d45ba43d 3674 };
2c7b4dbc 3675 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
f63a17d6
MC		 3676 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3677 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
2c7b4dbc
MC		 3678 return 0;
3679 }
d45ba43d
MC		 3680 }
3681 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
3682 static SSL_CIPHER scsv = {
bbb4ceb8 3683 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
d45ba43d 3684 };
2c7b4dbc 3685 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
f63a17d6
MC		 3686 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3687 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
2c7b4dbc
MC		 3688 return 0;
3689 }
d45ba43d
MC		 3690 }
3691 }
3692
2c7b4dbc 3693 return 1;
d45ba43d 3694}
ef6c191b
MC		 3695
3696int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt)
3697{
3698 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
3699 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
635c8f77
MC		 3700 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3701 SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA,
3702 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
ef6c191b
MC		 3703 return 0;
3704 }
3705
3706 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
3707 return 1;
3708}
A mirror of the official openssl repository