]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix changing of the cipher state when dealing with early data
[thirdparty/openssl.git] / ssl / statem / statem_srvr.c
CommitLineData
846e33c7
RS		 1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
8e2f6b79 3 *
846e33c7
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8e2f6b79 8 */
846e33c7 9
ea262260
BM		 10/* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
12 *
0f113f3e 13 * Portions of the attached software ("Contribution") are developed by
ea262260
BM		 14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
15 *
16 * The Contribution is licensed pursuant to the OpenSSL open source
17 * license provided above.
18 *
ea262260
BM		 19 * ECC cipher suite support in OpenSSL originally written by
20 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
21 *
22 */
ddac1974
NL		 23/* ====================================================================
24 * Copyright 2005 Nokia. All rights reserved.
25 *
26 * The portions of the attached software ("Contribution") is developed by
27 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
28 * license.
29 *
30 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
31 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
32 * support (see RFC 4279) to OpenSSL.
33 *
34 * No patent licenses or other rights except those expressly stated in
35 * the OpenSSL open source license shall be deemed granted or received
36 * expressly, by implication, estoppel, or otherwise.
37 *
38 * No assurances are provided by Nokia that the Contribution does not
39 * infringe the patent or other intellectual property rights of any third
40 * party or that the license provides you with all the necessary rights
41 * to make use of the Contribution.
42 *
43 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
44 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
45 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
46 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
47 * OTHERWISE.
48 */
d02b48c6 49
d02b48c6 50#include <stdio.h>
8ba708e5 51#include "../ssl_locl.h"
61ae935a 52#include "statem_locl.h"
68570797 53#include "internal/constant_time_locl.h"
ec577822
BM		 54#include <openssl/buffer.h>
55#include <openssl/rand.h>
56#include <openssl/objects.h>
57#include <openssl/evp.h>
6434abbf 58#include <openssl/hmac.h>
ec577822 59#include <openssl/x509.h>
3c27208f 60#include <openssl/dh.h>
d095b68d 61#include <openssl/bn.h>
dbad1690 62#include <openssl/md5.h>
f9b3bff6 63
e46f2334 64static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
7d061fce 65static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
d45ba43d 66
61ae935a 67/*
0f1e51ea
MC		 68 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
69 * handshake state transitions when a TLSv1.3 server is reading messages from
70 * the client. The message type that the client has sent is provided in |mt|.
71 * The current state is in |s->statem.hand_state|.
72 *
94ed2c67
MC		 73 * Return values are 1 for success (transition allowed) and 0 on error
74 * (transition not allowed)
0f1e51ea
MC		 75 */
76static int ossl_statem_server13_read_transition(SSL *s, int mt)
77{
78 OSSL_STATEM *st = &s->statem;
79
80 /*
81 * Note: There is no case for TLS_ST_BEFORE because at that stage we have
82 * not negotiated TLSv1.3 yet, so that case is handled by
83 * ossl_statem_server_read_transition()
84 */
85 switch (st->hand_state) {
86 default:
87 break;
88
7d061fce
MC		 89 case TLS_ST_SW_HELLO_RETRY_REQUEST:
90 if (mt == SSL3_MT_CLIENT_HELLO) {
91 st->hand_state = TLS_ST_SR_CLNT_HELLO;
92 return 1;
93 }
94 break;
95
92760c21 96 case TLS_ST_SW_FINISHED:
0f1e51ea
MC		 97 if (s->s3->tmp.cert_request) {
98 if (mt == SSL3_MT_CERTIFICATE) {
99 st->hand_state = TLS_ST_SR_CERT;
100 return 1;
101 }
102 } else {
92760c21
MC		 103 if (mt == SSL3_MT_FINISHED) {
104 st->hand_state = TLS_ST_SR_FINISHED;
0f1e51ea
MC		 105 return 1;
106 }
107 }
108 break;
109
110 case TLS_ST_SR_CERT:
111 if (s->session->peer == NULL) {
92760c21
MC		 112 if (mt == SSL3_MT_FINISHED) {
113 st->hand_state = TLS_ST_SR_FINISHED;
0f1e51ea
MC		 114 return 1;
115 }
116 } else {
117 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
118 st->hand_state = TLS_ST_SR_CERT_VRFY;
119 return 1;
120 }
121 }
122 break;
123
124 case TLS_ST_SR_CERT_VRFY:
0f1e51ea
MC		 125 if (mt == SSL3_MT_FINISHED) {
126 st->hand_state = TLS_ST_SR_FINISHED;
127 return 1;
128 }
129 break;
8cdc8c51
MC		 130
131 case TLS_ST_OK:
132 if (mt == SSL3_MT_KEY_UPDATE) {
133 st->hand_state = TLS_ST_SR_KEY_UPDATE;
134 return 1;
135 }
136 break;
0f1e51ea
MC		 137 }
138
139 /* No valid transition found */
140 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
141 SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION,
142 SSL_R_UNEXPECTED_MESSAGE);
143 return 0;
144}
145
146/*
147 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
148 * handshake state transitions when the server is reading messages from the
149 * client. The message type that the client has sent is provided in |mt|. The
150 * current state is in |s->statem.hand_state|.
61ae935a 151 *
94ed2c67
MC		 152 * Return values are 1 for success (transition allowed) and 0 on error
153 * (transition not allowed)
61ae935a 154 */
8481f583 155int ossl_statem_server_read_transition(SSL *s, int mt)
61ae935a 156{
d6f1a6e9 157 OSSL_STATEM *st = &s->statem;
61ae935a 158
f5ca0b04 159 if (SSL_IS_TLS13(s)) {
5abeaf35
MC		 160 if (!ossl_statem_server13_read_transition(s, mt))
161 goto err;
162 return 1;
163 }
0f1e51ea 164
e8aa8b6c 165 switch (st->hand_state) {
f3b3d7f0
RS		 166 default:
167 break;
168
61ae935a 169 case TLS_ST_BEFORE:
0386aad1 170 case TLS_ST_OK:
61ae935a
MC		 171 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
172 if (mt == SSL3_MT_CLIENT_HELLO) {
173 st->hand_state = TLS_ST_SR_CLNT_HELLO;
174 return 1;
175 }
176 break;
177
178 case TLS_ST_SW_SRVR_DONE:
179 /*
180 * If we get a CKE message after a ServerDone then either
181 * 1) We didn't request a Certificate
182 * OR
183 * 2) If we did request one then
184 * a) We allow no Certificate to be returned
185 * AND
186 * b) We are running SSL3 (in TLS1.0+ the client must return a 0
187 * list if we requested a certificate)
188 */
0f512756
MC		 189 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
190 if (s->s3->tmp.cert_request) {
191 if (s->version == SSL3_VERSION) {
23dd09b5
MC		 192 if ((s->verify_mode & SSL_VERIFY_PEER)
193 && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
0f512756
MC		 194 /*
195 * This isn't an unexpected message as such - we're just
23dd09b5
MC		 196 * not going to accept it because we require a client
197 * cert.
0f512756
MC		 198 */
199 ssl3_send_alert(s, SSL3_AL_FATAL,
200 SSL3_AD_HANDSHAKE_FAILURE);
340a2828 201 SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
0f512756
MC		 202 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
203 return 0;
204 }
205 st->hand_state = TLS_ST_SR_KEY_EXCH;
206 return 1;
207 }
208 } else {
209 st->hand_state = TLS_ST_SR_KEY_EXCH;
210 return 1;
211 }
61ae935a
MC		 212 } else if (s->s3->tmp.cert_request) {
213 if (mt == SSL3_MT_CERTIFICATE) {
214 st->hand_state = TLS_ST_SR_CERT;
215 return 1;
f100b031 216 }
61ae935a
MC		 217 }
218 break;
219
220 case TLS_ST_SR_CERT:
221 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
222 st->hand_state = TLS_ST_SR_KEY_EXCH;
223 return 1;
224 }
225 break;
226
227 case TLS_ST_SR_KEY_EXCH:
228 /*
229 * We should only process a CertificateVerify message if we have
230 * received a Certificate from the client. If so then |s->session->peer|
231 * will be non NULL. In some instances a CertificateVerify message is
232 * not required even if the peer has sent a Certificate (e.g. such as in
a71a4966 233 * the case of static DH). In that case |st->no_cert_verify| should be
61ae935a
MC		 234 * set.
235 */
a71a4966 236 if (s->session->peer == NULL || st->no_cert_verify) {
61ae935a
MC		 237 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
238 /*
239 * For the ECDH ciphersuites when the client sends its ECDH
240 * pub key in a certificate, the CertificateVerify message is
241 * not sent. Also for GOST ciphersuites when the client uses
242 * its key from the certificate for key exchange.
243 */
244 st->hand_state = TLS_ST_SR_CHANGE;
245 return 1;
246 }
247 } else {
248 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
249 st->hand_state = TLS_ST_SR_CERT_VRFY;
250 return 1;
251 }
252 }
253 break;
254
255 case TLS_ST_SR_CERT_VRFY:
256 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
257 st->hand_state = TLS_ST_SR_CHANGE;
258 return 1;
259 }
260 break;
261
262 case TLS_ST_SR_CHANGE:
263#ifndef OPENSSL_NO_NEXTPROTONEG
aff8c126 264 if (s->s3->npn_seen) {
61ae935a
MC		 265 if (mt == SSL3_MT_NEXT_PROTO) {
266 st->hand_state = TLS_ST_SR_NEXT_PROTO;
267 return 1;
268 }
269 } else {
270#endif
271 if (mt == SSL3_MT_FINISHED) {
272 st->hand_state = TLS_ST_SR_FINISHED;
273 return 1;
274 }
275#ifndef OPENSSL_NO_NEXTPROTONEG
276 }
277#endif
278 break;
279
280#ifndef OPENSSL_NO_NEXTPROTONEG
281 case TLS_ST_SR_NEXT_PROTO:
282 if (mt == SSL3_MT_FINISHED) {
283 st->hand_state = TLS_ST_SR_FINISHED;
284 return 1;
285 }
286 break;
287#endif
288
289 case TLS_ST_SW_FINISHED:
290 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
291 st->hand_state = TLS_ST_SR_CHANGE;
292 return 1;
293 }
294 break;
61ae935a
MC		 295 }
296
5abeaf35 297 err:
61ae935a 298 /* No valid transition found */
672f3337 299 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
340a2828 300 SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
61ae935a
MC		 301 return 0;
302}
303
304/*
305 * Should we send a ServerKeyExchange message?
306 *
307 * Valid return values are:
308 * 1: Yes
309 * 0: No
310 */
bb3e20cf 311static int send_server_key_exchange(SSL *s)
61ae935a
MC		 312{
313 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
314
315 /*
361a1191 316 * only send a ServerKeyExchange if DH or fortezza but we have a
61ae935a
MC		 317 * sign only certificate PSK: may send PSK identity hints For
318 * ECC ciphersuites, we send a serverKeyExchange message only if
319 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
320 * the server certificate contains the server's public key for
321 * key exchange.
322 */
a230b26e 323 if (alg_k & (SSL_kDHE | SSL_kECDHE)
61ae935a
MC		 324 /*
325 * PSK: send ServerKeyExchange if PSK identity hint if
326 * provided
327 */
328#ifndef OPENSSL_NO_PSK
329 /* Only send SKE if we have identity hint for plain PSK */
330 || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
331 && s->cert->psk_identity_hint)
332 /* For other PSK always send SKE */
333 || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
334#endif
335#ifndef OPENSSL_NO_SRP
336 /* SRP: send ServerKeyExchange */
337 || (alg_k & SSL_kSRP)
338#endif
a230b26e 339 ) {
61ae935a
MC		 340 return 1;
341 }
342
343 return 0;
344}
345
346/*
347 * Should we send a CertificateRequest message?
348 *
349 * Valid return values are:
350 * 1: Yes
351 * 0: No
352 */
bb3e20cf 353static int send_certificate_request(SSL *s)
61ae935a
MC		 354{
355 if (
356 /* don't request cert unless asked for it: */
357 s->verify_mode & SSL_VERIFY_PEER
358 /*
359 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
360 * during re-negotiation:
361 */
a03a9dbe 362 && (s->s3->tmp.finish_md_len == 0 ||
61ae935a
MC		 363 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
364 /*
365 * never request cert in anonymous ciphersuites (see
366 * section "Certificate request" in SSL 3 drafts and in
367 * RFC 2246):
368 */
369 && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
a230b26e
EK		 370 /*
371 * ... except when the application insists on
372 * verification (against the specs, but statem_clnt.c accepts
373 * this for SSL 3)
374 */
61ae935a
MC		 375 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
376 /* don't request certificate for SRP auth */
377 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
378 /*
379 * With normal PSK Certificates and Certificate Requests
380 * are omitted
381 */
b7fa1f98 382 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
61ae935a
MC		 383 return 1;
384 }
385
386 return 0;
387}
388
389/*
0f1e51ea
MC		 390 * ossl_statem_server13_write_transition() works out what handshake state to
391 * move to next when a TLSv1.3 server is writing messages to be sent to the
392 * client.
0f1e51ea
MC		 393 */
394static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
395{
396 OSSL_STATEM *st = &s->statem;
397
398 /*
399 * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
400 * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
401 */
402
403 switch (st->hand_state) {
404 default:
405 /* Shouldn't happen */
406 return WRITE_TRAN_ERROR;
407
44c04a2e 408 case TLS_ST_OK:
d781d247
MC		 409 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING) {
410 st->hand_state = TLS_ST_SW_FINISHED;
411 return WRITE_TRAN_FINISHED;
412 }
44c04a2e
MC		 413 if (s->key_update != SSL_KEY_UPDATE_NONE) {
414 st->hand_state = TLS_ST_SW_KEY_UPDATE;
415 return WRITE_TRAN_CONTINUE;
416 }
8cdc8c51
MC		 417 /* Try to read from the client instead */
418 return WRITE_TRAN_FINISHED;
44c04a2e 419
0f1e51ea 420 case TLS_ST_SR_CLNT_HELLO:
7d061fce
MC		 421 if (s->hello_retry_request)
422 st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
423 else
424 st->hand_state = TLS_ST_SW_SRVR_HELLO;
0f1e51ea
MC		 425 return WRITE_TRAN_CONTINUE;
426
7d061fce
MC		 427 case TLS_ST_SW_HELLO_RETRY_REQUEST:
428 return WRITE_TRAN_FINISHED;
429
0f1e51ea 430 case TLS_ST_SW_SRVR_HELLO:
e46f2334
MC		 431 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
432 return WRITE_TRAN_CONTINUE;
433
434 case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
94ed2c67 435 if (s->hit)
92760c21
MC		 436 st->hand_state = TLS_ST_SW_FINISHED;
437 else if (send_certificate_request(s))
438 st->hand_state = TLS_ST_SW_CERT_REQ;
94ed2c67 439 else
0f1e51ea 440 st->hand_state = TLS_ST_SW_CERT;
94ed2c67 441
0f1e51ea
MC		 442 return WRITE_TRAN_CONTINUE;
443
0f1e51ea 444 case TLS_ST_SW_CERT_REQ:
92760c21 445 st->hand_state = TLS_ST_SW_CERT;
0f1e51ea
MC		 446 return WRITE_TRAN_CONTINUE;
447
92760c21 448 case TLS_ST_SW_CERT:
2c5dfdc3
MC		 449 st->hand_state = TLS_ST_SW_CERT_VRFY;
450 return WRITE_TRAN_CONTINUE;
451
452 case TLS_ST_SW_CERT_VRFY:
d805a57b 453 st->hand_state = TLS_ST_SW_FINISHED;
0f1e51ea
MC		 454 return WRITE_TRAN_CONTINUE;
455
456 case TLS_ST_SW_FINISHED:
d781d247
MC		 457 if (s->early_data_state == SSL_EARLY_DATA_ACCEPTING) {
458 st->hand_state = TLS_ST_OK;
459 ossl_statem_set_in_init(s, 0);
460 return WRITE_TRAN_CONTINUE;
461 }
92760c21 462 return WRITE_TRAN_FINISHED;
94ed2c67 463
92760c21 464 case TLS_ST_SR_FINISHED:
30f05b19
MC		 465 /*
466 * Technically we have finished the handshake at this point, but we're
467 * going to remain "in_init" for now and write out the session ticket
468 * immediately.
469 * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
470 * and give the application the opportunity to delay sending the
471 * session ticket?
472 */
473 st->hand_state = TLS_ST_SW_SESSION_TICKET;
474 return WRITE_TRAN_CONTINUE;
475
8cdc8c51 476 case TLS_ST_SR_KEY_UPDATE:
5bf47933
MC		 477 if (s->key_update != SSL_KEY_UPDATE_NONE) {
478 st->hand_state = TLS_ST_SW_KEY_UPDATE;
479 return WRITE_TRAN_CONTINUE;
480 }
481 /* Fall through */
482
44c04a2e 483 case TLS_ST_SW_KEY_UPDATE:
30f05b19 484 case TLS_ST_SW_SESSION_TICKET:
0f1e51ea
MC		 485 st->hand_state = TLS_ST_OK;
486 ossl_statem_set_in_init(s, 0);
487 return WRITE_TRAN_CONTINUE;
488 }
489}
490
491/*
492 * ossl_statem_server_write_transition() works out what handshake state to move
493 * to next when the server is writing messages to be sent to the client.
61ae935a 494 */
8481f583 495WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
61ae935a 496{
d6f1a6e9 497 OSSL_STATEM *st = &s->statem;
61ae935a 498
0f1e51ea
MC		 499 /*
500 * Note that before the ClientHello we don't know what version we are going
501 * to negotiate yet, so we don't take this branch until later
502 */
503
f5ca0b04 504 if (SSL_IS_TLS13(s))
0f1e51ea
MC		 505 return ossl_statem_server13_write_transition(s);
506
e8aa8b6c 507 switch (st->hand_state) {
f3b3d7f0
RS		 508 default:
509 /* Shouldn't happen */
510 return WRITE_TRAN_ERROR;
511
0386aad1
MC		 512 case TLS_ST_OK:
513 if (st->request_state == TLS_ST_SW_HELLO_REQ) {
514 /* We must be trying to renegotiate */
515 st->hand_state = TLS_ST_SW_HELLO_REQ;
516 st->request_state = TLS_ST_BEFORE;
517 return WRITE_TRAN_CONTINUE;
518 }
c7f47786
MC		 519 /* Must be an incoming ClientHello */
520 if (!tls_setup_handshake(s)) {
521 ossl_statem_set_error(s);
522 return WRITE_TRAN_ERROR;
523 }
0386aad1
MC		 524 /* Fall through */
525
e8aa8b6c 526 case TLS_ST_BEFORE:
a230b26e 527 /* Just go straight to trying to read from the client */
e8aa8b6c 528 return WRITE_TRAN_FINISHED;
61ae935a 529
e8aa8b6c
F		 530 case TLS_ST_SW_HELLO_REQ:
531 st->hand_state = TLS_ST_OK;
532 ossl_statem_set_in_init(s, 0);
533 return WRITE_TRAN_CONTINUE;
61ae935a 534
e8aa8b6c
F		 535 case TLS_ST_SR_CLNT_HELLO:
536 if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
a230b26e 537 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
e8aa8b6c
F		 538 st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
539 else
540 st->hand_state = TLS_ST_SW_SRVR_HELLO;
541 return WRITE_TRAN_CONTINUE;
61ae935a 542
e8aa8b6c
F		 543 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
544 return WRITE_TRAN_FINISHED;
61ae935a 545
e8aa8b6c
F		 546 case TLS_ST_SW_SRVR_HELLO:
547 if (s->hit) {
aff8c126 548 if (s->ext.ticket_expected)
e8aa8b6c
F		 549 st->hand_state = TLS_ST_SW_SESSION_TICKET;
550 else
551 st->hand_state = TLS_ST_SW_CHANGE;
552 } else {
553 /* Check if it is anon DH or anon ECDH, */
554 /* normal PSK or SRP */
555 if (!(s->s3->tmp.new_cipher->algorithm_auth &
a230b26e 556 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
e8aa8b6c
F		 557 st->hand_state = TLS_ST_SW_CERT;
558 } else if (send_server_key_exchange(s)) {
61ae935a 559 st->hand_state = TLS_ST_SW_KEY_EXCH;
e8aa8b6c 560 } else if (send_certificate_request(s)) {
61ae935a 561 st->hand_state = TLS_ST_SW_CERT_REQ;
e8aa8b6c
F		 562 } else {
563 st->hand_state = TLS_ST_SW_SRVR_DONE;
61ae935a 564 }
e8aa8b6c
F		 565 }
566 return WRITE_TRAN_CONTINUE;
61ae935a 567
e8aa8b6c 568 case TLS_ST_SW_CERT:
aff8c126 569 if (s->ext.status_expected) {
e8aa8b6c 570 st->hand_state = TLS_ST_SW_CERT_STATUS;
61ae935a 571 return WRITE_TRAN_CONTINUE;
e8aa8b6c
F		 572 }
573 /* Fall through */
61ae935a 574
e8aa8b6c
F		 575 case TLS_ST_SW_CERT_STATUS:
576 if (send_server_key_exchange(s)) {
577 st->hand_state = TLS_ST_SW_KEY_EXCH;
61ae935a 578 return WRITE_TRAN_CONTINUE;
e8aa8b6c
F		 579 }
580 /* Fall through */
61ae935a 581
e8aa8b6c
F		 582 case TLS_ST_SW_KEY_EXCH:
583 if (send_certificate_request(s)) {
584 st->hand_state = TLS_ST_SW_CERT_REQ;
61ae935a 585 return WRITE_TRAN_CONTINUE;
e8aa8b6c
F		 586 }
587 /* Fall through */
61ae935a 588
e8aa8b6c
F		 589 case TLS_ST_SW_CERT_REQ:
590 st->hand_state = TLS_ST_SW_SRVR_DONE;
591 return WRITE_TRAN_CONTINUE;
61ae935a 592
e8aa8b6c
F		 593 case TLS_ST_SW_SRVR_DONE:
594 return WRITE_TRAN_FINISHED;
595
596 case TLS_ST_SR_FINISHED:
597 if (s->hit) {
61ae935a 598 st->hand_state = TLS_ST_OK;
fe3a3291 599 ossl_statem_set_in_init(s, 0);
61ae935a 600 return WRITE_TRAN_CONTINUE;
aff8c126 601 } else if (s->ext.ticket_expected) {
e8aa8b6c
F		 602 st->hand_state = TLS_ST_SW_SESSION_TICKET;
603 } else {
604 st->hand_state = TLS_ST_SW_CHANGE;
605 }
606 return WRITE_TRAN_CONTINUE;
607
608 case TLS_ST_SW_SESSION_TICKET:
609 st->hand_state = TLS_ST_SW_CHANGE;
610 return WRITE_TRAN_CONTINUE;
61ae935a 611
e8aa8b6c
F		 612 case TLS_ST_SW_CHANGE:
613 st->hand_state = TLS_ST_SW_FINISHED;
614 return WRITE_TRAN_CONTINUE;
615
616 case TLS_ST_SW_FINISHED:
617 if (s->hit) {
618 return WRITE_TRAN_FINISHED;
619 }
620 st->hand_state = TLS_ST_OK;
621 ossl_statem_set_in_init(s, 0);
622 return WRITE_TRAN_CONTINUE;
61ae935a
MC		 623 }
624}
625
626/*
627 * Perform any pre work that needs to be done prior to sending a message from
628 * the server to the client.
629 */
8481f583 630WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
61ae935a 631{
d6f1a6e9 632 OSSL_STATEM *st = &s->statem;
61ae935a 633
e8aa8b6c 634 switch (st->hand_state) {
f3b3d7f0
RS		 635 default:
636 /* No pre work to be done */
637 break;
638
61ae935a
MC		 639 case TLS_ST_SW_HELLO_REQ:
640 s->shutdown = 0;
641 if (SSL_IS_DTLS(s))
f5c7f5df 642 dtls1_clear_sent_buffer(s);
61ae935a
MC		 643 break;
644
645 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
646 s->shutdown = 0;
647 if (SSL_IS_DTLS(s)) {
f5c7f5df 648 dtls1_clear_sent_buffer(s);
61ae935a
MC		 649 /* We don't buffer this message so don't use the timer */
650 st->use_timer = 0;
651 }
652 break;
653
654 case TLS_ST_SW_SRVR_HELLO:
655 if (SSL_IS_DTLS(s)) {
656 /*
657 * Messages we write from now on should be bufferred and
658 * retransmitted if necessary, so we need to use the timer now
659 */
660 st->use_timer = 1;
661 }
662 break;
663
664 case TLS_ST_SW_SRVR_DONE:
665#ifndef OPENSSL_NO_SCTP
666 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
667 return dtls_wait_for_dry(s);
668#endif
669 return WORK_FINISHED_CONTINUE;
670
671 case TLS_ST_SW_SESSION_TICKET:
30f05b19
MC		 672 if (SSL_IS_TLS13(s)) {
673 /*
674 * Actually this is the end of the handshake, but we're going
675 * straight into writing the session ticket out. So we finish off
676 * the handshake, but keep the various buffers active.
677 */
678 return tls_finish_handshake(s, wst, 0);
679 } if (SSL_IS_DTLS(s)) {
61ae935a
MC		 680 /*
681 * We're into the last flight. We don't retransmit the last flight
682 * unless we need to, so we don't use the timer
683 */
684 st->use_timer = 0;
685 }
686 break;
687
688 case TLS_ST_SW_CHANGE:
689 s->session->cipher = s->s3->tmp.new_cipher;
690 if (!s->method->ssl3_enc->setup_key_block(s)) {
fe3a3291 691 ossl_statem_set_error(s);
61ae935a
MC		 692 return WORK_ERROR;
693 }
694 if (SSL_IS_DTLS(s)) {
695 /*
696 * We're into the last flight. We don't retransmit the last flight
697 * unless we need to, so we don't use the timer. This might have
698 * already been set to 0 if we sent a NewSessionTicket message,
699 * but we'll set it again here in case we didn't.
700 */
701 st->use_timer = 0;
702 }
703 return WORK_FINISHED_CONTINUE;
704
705 case TLS_ST_OK:
30f05b19 706 return tls_finish_handshake(s, wst, 1);
61ae935a
MC		 707 }
708
709 return WORK_FINISHED_CONTINUE;
710}
711
712/*
713 * Perform any work that needs to be done after sending a message from the
714 * server to the client.
715 */
8481f583 716WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
61ae935a 717{
d6f1a6e9 718 OSSL_STATEM *st = &s->statem;
61ae935a
MC		 719
720 s->init_num = 0;
721
e8aa8b6c 722 switch (st->hand_state) {
f3b3d7f0
RS		 723 default:
724 /* No post work to be done */
725 break;
726
7d061fce
MC		 727 case TLS_ST_SW_HELLO_RETRY_REQUEST:
728 if (statem_flush(s) != 1)
729 return WORK_MORE_A;
730 break;
731
61ae935a
MC		 732 case TLS_ST_SW_HELLO_REQ:
733 if (statem_flush(s) != 1)
734 return WORK_MORE_A;
2c4a056f
MC		 735 if (!ssl3_init_finished_mac(s)) {
736 ossl_statem_set_error(s);
737 return WORK_ERROR;
738 }
61ae935a
MC		 739 break;
740
741 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
742 if (statem_flush(s) != 1)
743 return WORK_MORE_A;
744 /* HelloVerifyRequest resets Finished MAC */
2c4a056f
MC		 745 if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
746 ossl_statem_set_error(s);
747 return WORK_ERROR;
748 }
61ae935a
MC		 749 /*
750 * The next message should be another ClientHello which we need to
751 * treat like it was the first packet
752 */
753 s->first_packet = 1;
754 break;
755
756 case TLS_ST_SW_SRVR_HELLO:
757#ifndef OPENSSL_NO_SCTP
758 if (SSL_IS_DTLS(s) && s->hit) {
759 unsigned char sctpauthkey[64];
760 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
761
762 /*
763 * Add new shared key for SCTP-Auth, will be ignored if no
764 * SCTP used.
765 */
141eb8c6
MC		 766 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
767 sizeof(DTLS1_SCTP_AUTH_LABEL));
61ae935a
MC		 768
769 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e
EK		 770 sizeof(sctpauthkey), labelbuffer,
771 sizeof(labelbuffer), NULL, 0,
772 0) <= 0) {
fe3a3291 773 ossl_statem_set_error(s);
61ae935a
MC		 774 return WORK_ERROR;
775 }
776
777 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
778 sizeof(sctpauthkey), sctpauthkey);
779 }
780#endif
92760c21
MC		 781 /*
782 * TODO(TLS1.3): This actually causes a problem. We don't yet know
783 * whether the next record we are going to receive is an unencrypted
784 * alert, or an encrypted handshake message. We're going to need
785 * something clever in the record layer for this.
786 */
787 if (SSL_IS_TLS13(s)) {
788 if (!s->method->ssl3_enc->setup_key_block(s)
789 || !s->method->ssl3_enc->change_cipher_state(s,
fe5e20fd
MC		 790 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE))
791 return WORK_ERROR;
792
793 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
794 && !s->method->ssl3_enc->change_cipher_state(s,
92760c21 795 SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ))
fe5e20fd 796 return WORK_ERROR;
92760c21 797 }
61ae935a
MC		 798 break;
799
800 case TLS_ST_SW_CHANGE:
801#ifndef OPENSSL_NO_SCTP
802 if (SSL_IS_DTLS(s) && !s->hit) {
803 /*
804 * Change to new shared key of SCTP-Auth, will be ignored if
805 * no SCTP used.
806 */
807 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
808 0, NULL);
809 }
810#endif
811 if (!s->method->ssl3_enc->change_cipher_state(s,
a230b26e
EK		 812 SSL3_CHANGE_CIPHER_SERVER_WRITE))
813 {
fe3a3291 814 ossl_statem_set_error(s);
61ae935a
MC		 815 return WORK_ERROR;
816 }
817
818 if (SSL_IS_DTLS(s))
819 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
820 break;
821
822 case TLS_ST_SW_SRVR_DONE:
823 if (statem_flush(s) != 1)
824 return WORK_MORE_A;
825 break;
826
827 case TLS_ST_SW_FINISHED:
828 if (statem_flush(s) != 1)
829 return WORK_MORE_A;
830#ifndef OPENSSL_NO_SCTP
831 if (SSL_IS_DTLS(s) && s->hit) {
832 /*
833 * Change to new shared key of SCTP-Auth, will be ignored if
834 * no SCTP used.
835 */
836 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
837 0, NULL);
838 }
839#endif
92760c21
MC		 840 if (SSL_IS_TLS13(s)) {
841 if (!s->method->ssl3_enc->generate_master_secret(s,
ec15acb6 842 s->master_secret, s->handshake_secret, 0,
92760c21
MC		 843 &s->session->master_key_length)
844 || !s->method->ssl3_enc->change_cipher_state(s,
845 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
846 return WORK_ERROR;
847 }
61ae935a 848 break;
30f05b19 849
44c04a2e 850 case TLS_ST_SW_KEY_UPDATE:
57389a32
MC		 851 if (statem_flush(s) != 1)
852 return WORK_MORE_A;
57389a32
MC		 853 if (!tls13_update_key(s, 1))
854 return WORK_ERROR;
855 break;
856
30f05b19
MC		 857 case TLS_ST_SW_SESSION_TICKET:
858 if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
859 return WORK_MORE_A;
860 break;
61ae935a
MC		 861 }
862
863 return WORK_FINISHED_CONTINUE;
864}
865
866/*
6392fb8e
MC		 867 * Get the message construction function and message type for sending from the
868 * server
61ae935a
MC		 869 *
870 * Valid return values are:
871 * 1: Success
872 * 0: Error
873 */
6392fb8e 874int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
a15c953f 875 confunc_f *confunc, int *mt)
61ae935a 876{
d6f1a6e9 877 OSSL_STATEM *st = &s->statem;
61ae935a 878
4a01c59f
MC		 879 switch (st->hand_state) {
880 default:
881 /* Shouldn't happen */
882 return 0;
883
884 case TLS_ST_SW_CHANGE:
5923ad4b 885 if (SSL_IS_DTLS(s))
6392fb8e 886 *confunc = dtls_construct_change_cipher_spec;
4a01c59f 887 else
6392fb8e
MC		 888 *confunc = tls_construct_change_cipher_spec;
889 *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
4a01c59f 890 break;
f3b3d7f0 891
4a01c59f 892 case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
6392fb8e
MC		 893 *confunc = dtls_construct_hello_verify_request;
894 *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
4a01c59f 895 break;
61ae935a 896
4a01c59f
MC		 897 case TLS_ST_SW_HELLO_REQ:
898 /* No construction function needed */
6392fb8e
MC		 899 *confunc = NULL;
900 *mt = SSL3_MT_HELLO_REQUEST;
4a01c59f 901 break;
61ae935a 902
4a01c59f 903 case TLS_ST_SW_SRVR_HELLO:
6392fb8e
MC		 904 *confunc = tls_construct_server_hello;
905 *mt = SSL3_MT_SERVER_HELLO;
4a01c59f 906 break;
61ae935a 907
4a01c59f 908 case TLS_ST_SW_CERT:
6392fb8e
MC		 909 *confunc = tls_construct_server_certificate;
910 *mt = SSL3_MT_CERTIFICATE;
4a01c59f 911 break;
61ae935a 912
2c5dfdc3
MC		 913 case TLS_ST_SW_CERT_VRFY:
914 *confunc = tls_construct_cert_verify;
915 *mt = SSL3_MT_CERTIFICATE_VERIFY;
916 break;
917
918
4a01c59f 919 case TLS_ST_SW_KEY_EXCH:
6392fb8e
MC		 920 *confunc = tls_construct_server_key_exchange;
921 *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
4a01c59f 922 break;
61ae935a 923
4a01c59f 924 case TLS_ST_SW_CERT_REQ:
6392fb8e
MC		 925 *confunc = tls_construct_certificate_request;
926 *mt = SSL3_MT_CERTIFICATE_REQUEST;
4a01c59f 927 break;
61ae935a 928
4a01c59f 929 case TLS_ST_SW_SRVR_DONE:
6392fb8e
MC		 930 *confunc = tls_construct_server_done;
931 *mt = SSL3_MT_SERVER_DONE;
4a01c59f 932 break;
61ae935a 933
4a01c59f 934 case TLS_ST_SW_SESSION_TICKET:
6392fb8e
MC		 935 *confunc = tls_construct_new_session_ticket;
936 *mt = SSL3_MT_NEWSESSION_TICKET;
4a01c59f 937 break;
61ae935a 938
4a01c59f 939 case TLS_ST_SW_CERT_STATUS:
6392fb8e
MC		 940 *confunc = tls_construct_cert_status;
941 *mt = SSL3_MT_CERTIFICATE_STATUS;
4a01c59f 942 break;
61ae935a 943
4a01c59f 944 case TLS_ST_SW_FINISHED:
6392fb8e
MC		 945 *confunc = tls_construct_finished;
946 *mt = SSL3_MT_FINISHED;
4a01c59f 947 break;
e46f2334
MC		 948
949 case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
950 *confunc = tls_construct_encrypted_extensions;
951 *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
952 break;
7d061fce
MC		 953
954 case TLS_ST_SW_HELLO_RETRY_REQUEST:
955 *confunc = tls_construct_hello_retry_request;
956 *mt = SSL3_MT_HELLO_RETRY_REQUEST;
957 break;
44c04a2e
MC		 958
959 case TLS_ST_SW_KEY_UPDATE:
960 *confunc = tls_construct_key_update;
961 *mt = SSL3_MT_KEY_UPDATE;
962 break;
4a01c59f 963 }
61ae935a 964
5923ad4b 965 return 1;
61ae935a
MC		 966}
967
8a18bc25
AG		 968/*
969 * Maximum size (excluding the Handshake header) of a ClientHello message,
970 * calculated as follows:
971 *
972 * 2 + # client_version
973 * 32 + # only valid length for random
974 * 1 + # length of session_id
975 * 32 + # maximum size for session_id
976 * 2 + # length of cipher suites
977 * 2^16-2 + # maximum length of cipher suites array
978 * 1 + # length of compression_methods
979 * 2^8-1 + # maximum length of compression methods
980 * 2 + # length of extensions
981 * 2^16-1 # maximum length of extensions
982 */
983#define CLIENT_HELLO_MAX_LENGTH 131396
984
61ae935a
MC		 985#define CLIENT_KEY_EXCH_MAX_LENGTH 2048
986#define NEXT_PROTO_MAX_LENGTH 514
987
988/*
989 * Returns the maximum allowed length for the current message that we are
990 * reading. Excludes the message header.
991 */
eda75751 992size_t ossl_statem_server_max_message_size(SSL *s)
61ae935a 993{
d6f1a6e9 994 OSSL_STATEM *st = &s->statem;
61ae935a 995
e8aa8b6c 996 switch (st->hand_state) {
f3b3d7f0
RS		 997 default:
998 /* Shouldn't happen */
999 return 0;
1000
61ae935a 1001 case TLS_ST_SR_CLNT_HELLO:
8a18bc25 1002 return CLIENT_HELLO_MAX_LENGTH;
61ae935a
MC		 1003
1004 case TLS_ST_SR_CERT:
1005 return s->max_cert_list;
1006
1007 case TLS_ST_SR_KEY_EXCH:
1008 return CLIENT_KEY_EXCH_MAX_LENGTH;
1009
1010 case TLS_ST_SR_CERT_VRFY:
1011 return SSL3_RT_MAX_PLAIN_LENGTH;
1012
1013#ifndef OPENSSL_NO_NEXTPROTONEG
1014 case TLS_ST_SR_NEXT_PROTO:
1015 return NEXT_PROTO_MAX_LENGTH;
1016#endif
1017
1018 case TLS_ST_SR_CHANGE:
1019 return CCS_MAX_LENGTH;
1020
1021 case TLS_ST_SR_FINISHED:
1022 return FINISHED_MAX_LENGTH;
8cdc8c51
MC		 1023
1024 case TLS_ST_SR_KEY_UPDATE:
1025 return KEY_UPDATE_MAX_LENGTH;
61ae935a 1026 }
61ae935a
MC		 1027}
1028
1029/*
1030 * Process a message that the server has received from the client.
1031 */
8481f583 1032MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
61ae935a 1033{
d6f1a6e9 1034 OSSL_STATEM *st = &s->statem;
61ae935a 1035
e8aa8b6c 1036 switch (st->hand_state) {
f3b3d7f0
RS		 1037 default:
1038 /* Shouldn't happen */
1039 return MSG_PROCESS_ERROR;
1040
61ae935a
MC		 1041 case TLS_ST_SR_CLNT_HELLO:
1042 return tls_process_client_hello(s, pkt);
1043
1044 case TLS_ST_SR_CERT:
1045 return tls_process_client_certificate(s, pkt);
1046
1047 case TLS_ST_SR_KEY_EXCH:
1048 return tls_process_client_key_exchange(s, pkt);
1049
1050 case TLS_ST_SR_CERT_VRFY:
1051 return tls_process_cert_verify(s, pkt);
1052
1053#ifndef OPENSSL_NO_NEXTPROTONEG
1054 case TLS_ST_SR_NEXT_PROTO:
1055 return tls_process_next_proto(s, pkt);
1056#endif
1057
1058 case TLS_ST_SR_CHANGE:
1059 return tls_process_change_cipher_spec(s, pkt);
1060
1061 case TLS_ST_SR_FINISHED:
1062 return tls_process_finished(s, pkt);
8cdc8c51
MC		 1063
1064 case TLS_ST_SR_KEY_UPDATE:
1065 return tls_process_key_update(s, pkt);
1066
61ae935a 1067 }
61ae935a
MC		 1068}
1069
1070/*
1071 * Perform any further processing required following the receipt of a message
1072 * from the client
1073 */
8481f583 1074WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
61ae935a 1075{
d6f1a6e9 1076 OSSL_STATEM *st = &s->statem;
61ae935a 1077
e8aa8b6c 1078 switch (st->hand_state) {
f3b3d7f0
RS		 1079 default:
1080 /* Shouldn't happen */
1081 return WORK_ERROR;
1082
61ae935a
MC		 1083 case TLS_ST_SR_CLNT_HELLO:
1084 return tls_post_process_client_hello(s, wst);
1085
1086 case TLS_ST_SR_KEY_EXCH:
1087 return tls_post_process_client_key_exchange(s, wst);
1088
1089 case TLS_ST_SR_CERT_VRFY:
1090#ifndef OPENSSL_NO_SCTP
a230b26e
EK		 1091 if ( /* Is this SCTP? */
1092 BIO_dgram_is_sctp(SSL_get_wbio(s))
1093 /* Are we renegotiating? */
1094 && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
61ae935a
MC		 1095 s->s3->in_read_app_data = 2;
1096 s->rwstate = SSL_READING;
1097 BIO_clear_retry_flags(SSL_get_rbio(s));
1098 BIO_set_retry_read(SSL_get_rbio(s));
d99b0691 1099 ossl_statem_set_sctp_read_sock(s, 1);
61ae935a
MC		 1100 return WORK_MORE_A;
1101 } else {
d99b0691 1102 ossl_statem_set_sctp_read_sock(s, 0);
61ae935a
MC		 1103 }
1104#endif
1105 return WORK_FINISHED_CONTINUE;
61ae935a 1106 }
92760c21 1107 return WORK_FINISHED_CONTINUE;
61ae935a
MC		 1108}
1109
fe5e20fd
MC		 1110int ossl_statem_finish_early_data(SSL *s)
1111{
1112 if (!s->method->ssl3_enc->change_cipher_state(s,
1113 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ))
1114 return 0;
1115
1116 return 1;
1117}
1118
edc032b5 1119#ifndef OPENSSL_NO_SRP
71fa4513 1120static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
0f113f3e
MC		 1121{
1122 int ret = SSL_ERROR_NONE;
1123
1124 *al = SSL_AD_UNRECOGNIZED_NAME;
1125
1126 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
1127 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
1128 if (s->srp_ctx.login == NULL) {
1129 /*
1130 * RFC 5054 says SHOULD reject, we do so if There is no srp
1131 * login name
1132 */
1133 ret = SSL3_AL_FATAL;
1134 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
1135 } else {
1136 ret = SSL_srp_server_param_with_username(s, al);
1137 }
1138 }
1139 return ret;
1140}
edc032b5
BL		 1141#endif
1142
c536b6be 1143int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
cb150cbc 1144 size_t cookie_len)
8ba708e5 1145{
8ba708e5 1146 /* Always use DTLS 1.0 version: see RFC 6347 */
c536b6be
MC		 1147 if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
1148 || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
1149 return 0;
8ba708e5 1150
c536b6be 1151 return 1;
8ba708e5
MC		 1152}
1153
7cea05dc 1154int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
8ba708e5 1155{
cb150cbc 1156 unsigned int cookie_leni;
8ba708e5
MC		 1157 if (s->ctx->app_gen_cookie_cb == NULL ||
1158 s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
cb150cbc
MC		 1159 &cookie_leni) == 0 ||
1160 cookie_leni > 255) {
f0659bdb 1161 SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
8ba708e5 1162 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
8ba708e5
MC		 1163 return 0;
1164 }
cb150cbc 1165 s->d1->cookie_len = cookie_leni;
8ba708e5 1166
4a01c59f
MC		 1167 if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
1168 s->d1->cookie_len)) {
c536b6be 1169 SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
c536b6be
MC		 1170 return 0;
1171 }
8ba708e5 1172
8ba708e5
MC		 1173 return 1;
1174}
1175
805a2e9e
MC		 1176#ifndef OPENSSL_NO_EC
1177/*-
1178 * ssl_check_for_safari attempts to fingerprint Safari using OS X
1179 * SecureTransport using the TLS extension block in |hello|.
1180 * Safari, since 10.6, sends exactly these extensions, in this order:
1181 * SNI,
1182 * elliptic_curves
1183 * ec_point_formats
1184 *
1185 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1186 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1187 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1188 * 10.8..10.8.3 (which don't work).
1189 */
1190static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
1191{
805a2e9e
MC		 1192 static const unsigned char kSafariExtensionsBlock[] = {
1193 0x00, 0x0a, /* elliptic_curves extension */
1194 0x00, 0x08, /* 8 bytes */
1195 0x00, 0x06, /* 6 bytes of curve ids */
1196 0x00, 0x17, /* P-256 */
1197 0x00, 0x18, /* P-384 */
1198 0x00, 0x19, /* P-521 */
1199
1200 0x00, 0x0b, /* ec_point_formats */
1201 0x00, 0x02, /* 2 bytes */
1202 0x01, /* 1 point format */
1203 0x00, /* uncompressed */
1204 /* The following is only present in TLS 1.2 */
1205 0x00, 0x0d, /* signature_algorithms */
1206 0x00, 0x0c, /* 12 bytes */
1207 0x00, 0x0a, /* 10 bytes */
1208 0x05, 0x01, /* SHA-384/RSA */
1209 0x04, 0x01, /* SHA-256/RSA */
1210 0x02, 0x01, /* SHA-1/RSA */
1211 0x04, 0x03, /* SHA-256/ECDSA */
1212 0x02, 0x03, /* SHA-1/ECDSA */
1213 };
805a2e9e
MC		 1214 /* Length of the common prefix (first two extensions). */
1215 static const size_t kSafariCommonExtensionsLength = 18;
1266eefd
MC		 1216 unsigned int type;
1217 PACKET sni, tmppkt;
1218 size_t ext_len;
805a2e9e
MC		 1219
1220 tmppkt = hello->extensions;
1221
1222 if (!PACKET_forward(&tmppkt, 2)
1223 || !PACKET_get_net_2(&tmppkt, &type)
1224 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1225 return;
6b473aca
MC		 1226 }
1227
805a2e9e
MC		 1228 if (type != TLSEXT_TYPE_server_name)
1229 return;
1230
1231 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1232 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1233
1234 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1235 ext_len);
6b473aca 1236}
805a2e9e 1237#endif /* !OPENSSL_NO_EC */
6b473aca 1238
be3583fa 1239MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
e27f234a 1240{
6b1bb98f 1241 int al = SSL_AD_INTERNAL_ERROR;
e27f234a 1242 /* |cookie| will only be initialized for DTLS. */
1ab3836b 1243 PACKET session_id, compression, extensions, cookie;
6e3ff632 1244 static const unsigned char null_compression = 0;
6b1bb98f 1245 CLIENTHELLO_MSG *clienthello;
e27f234a 1246
6b1bb98f
BK		 1247 clienthello = OPENSSL_zalloc(sizeof(*clienthello));
1248 if (clienthello == NULL) {
1249 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1250 goto err;
1251 }
c7f47786
MC		 1252 /* Check if this is actually an unexpected renegotiation ClientHello */
1253 if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
1254 s->renegotiate = 1;
1255 s->new_session = 1;
1256 }
1257
1ab3836b 1258 /*
b1b4b543 1259 * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1ab3836b 1260 */
6b1bb98f 1261 clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
bbafa47b 1262 PACKET_null_init(&cookie);
1ab3836b 1263
6b1bb98f 1264 if (clienthello->isv2) {
9ceb2426 1265 unsigned int mt;
b1b4b543 1266
7d061fce
MC		 1267 if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
1268 al = SSL_AD_HANDSHAKE_FAILURE;
1269 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
1270 goto f_err;
1271 }
1272
32ec4153
MC		 1273 /*-
1274 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
1275 * header is sent directly on the wire, not wrapped as a TLS
1276 * record. Our record layer just processes the message length and passes
1277 * the rest right through. Its format is:
1278 * Byte Content
1279 * 0-1 msg_length - decoded by the record layer
1280 * 2 msg_type - s->init_msg points here
1281 * 3-4 version
1282 * 5-6 cipher_spec_length
1283 * 7-8 session_id_length
1284 * 9-10 challenge_length
1285 * ... ...
1286 */
1287
73999b62 1288 if (!PACKET_get_1(pkt, &mt)
a230b26e 1289 || mt != SSL2_MT_CLIENT_HELLO) {
32ec4153
MC		 1290 /*
1291 * Should never happen. We should have tested this in the record
1292 * layer in order to have determined that this is a SSLv2 record
1293 * in the first place
1294 */
e27f234a 1295 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
d45ba43d 1296 goto err;
32ec4153 1297 }
32ec4153
MC		 1298 }
1299
6b1bb98f 1300 if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
1ab3836b
MC		 1301 al = SSL_AD_DECODE_ERROR;
1302 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1303 goto err;
0f113f3e
MC		 1304 }
1305
b3e2272c 1306 /* Parse the message and load client random. */
6b1bb98f 1307 if (clienthello->isv2) {
32ec4153
MC		 1308 /*
1309 * Handle an SSLv2 backwards compatible ClientHello
1310 * Note, this is only for SSLv3+ using the backward compatible format.
e2994cf0 1311 * Real SSLv2 is not supported, and is rejected below.
32ec4153 1312 */
1ab3836b 1313 unsigned int ciphersuite_len, session_id_len, challenge_len;
b3e2272c 1314 PACKET challenge;
0f113f3e 1315
1ab3836b 1316 if (!PACKET_get_net_2(pkt, &ciphersuite_len)
a230b26e
EK		 1317 || !PACKET_get_net_2(pkt, &session_id_len)
1318 || !PACKET_get_net_2(pkt, &challenge_len)) {
e27f234a
MC		 1319 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1320 SSL_R_RECORD_LENGTH_MISMATCH);
6c3cca57
AE		 1321 al = SSL_AD_DECODE_ERROR;
1322 goto f_err;
5e9f0eeb 1323 }
0f113f3e 1324
293b5ca4
AG		 1325 if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
1326 al = SSL_AD_DECODE_ERROR;
1327 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1328 goto f_err;
1329 }
1330
6b1bb98f 1331 if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
1ab3836b 1332 ciphersuite_len)
6b1bb98f 1333 || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
73999b62 1334 || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
b3e2272c 1335 /* No extensions. */
73999b62 1336 || PACKET_remaining(pkt) != 0) {
f0659bdb
MC		 1337 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1338 SSL_R_RECORD_LENGTH_MISMATCH);
9ceb2426
MC		 1339 al = SSL_AD_DECODE_ERROR;
1340 goto f_err;
1341 }
6b1bb98f 1342 clienthello->session_id_len = session_id_len;
9ceb2426 1343
fba7b84c 1344 /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
6b1bb98f 1345 * here rather than sizeof(clienthello->random) because that is the limit
fba7b84c 1346 * for SSLv3 and it is fixed. It won't change even if
6b1bb98f 1347 * sizeof(clienthello->random) does.
fba7b84c
MC		 1348 */
1349 challenge_len = challenge_len > SSL3_RANDOM_SIZE
1350 ? SSL3_RANDOM_SIZE : challenge_len;
6b1bb98f 1351 memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
b3e2272c 1352 if (!PACKET_copy_bytes(&challenge,
6b1bb98f 1353 clienthello->random + SSL3_RANDOM_SIZE -
cb21df32
DB		 1354 challenge_len, challenge_len)
1355 /* Advertise only null compression. */
1356 || !PACKET_buf_init(&compression, &null_compression, 1)) {
f0659bdb 1357 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
b3e2272c 1358 al = SSL_AD_INTERNAL_ERROR;
9ceb2426
MC		 1359 goto f_err;
1360 }
b3e2272c 1361
6b1bb98f 1362 PACKET_null_init(&clienthello->extensions);
0f113f3e 1363 } else {
b3e2272c 1364 /* Regular ClientHello. */
6b1bb98f 1365 if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
e2994cf0 1366 || !PACKET_get_length_prefixed_1(pkt, &session_id)
6b1bb98f 1367 || !PACKET_copy_all(&session_id, clienthello->session_id,
e2994cf0 1368 SSL_MAX_SSL_SESSION_ID_LENGTH,
6b1bb98f 1369 &clienthello->session_id_len)) {
9ceb2426 1370 al = SSL_AD_DECODE_ERROR;
f0659bdb 1371 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
9ceb2426
MC		 1372 goto f_err;
1373 }
32ec4153 1374
b3e2272c 1375 if (SSL_IS_DTLS(s)) {
73999b62 1376 if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
32ec4153 1377 al = SSL_AD_DECODE_ERROR;
f0659bdb 1378 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
32ec4153
MC		 1379 goto f_err;
1380 }
6b1bb98f 1381 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
1ab3836b 1382 DTLS1_COOKIE_LENGTH,
6b1bb98f 1383 &clienthello->dtls_cookie_len)) {
1ab3836b
MC		 1384 al = SSL_AD_DECODE_ERROR;
1385 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1386 goto f_err;
1387 }
b3e2272c
EK		 1388 /*
1389 * If we require cookies and this ClientHello doesn't contain one,
1390 * just return since we do not want to allocate any memory yet.
1391 * So check cookie length...
1392 */
1393 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
6b1bb98f 1394 if (clienthello->dtls_cookie_len == 0)
a230b26e 1395 return 1;
b3e2272c 1396 }
5e9f0eeb 1397 }
0f113f3e 1398
6b1bb98f 1399 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
1ab3836b
MC		 1400 al = SSL_AD_DECODE_ERROR;
1401 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1402 goto f_err;
1403 }
1404
4bfe1432 1405 if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
a230b26e
EK		 1406 al = SSL_AD_DECODE_ERROR;
1407 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1408 goto f_err;
b3e2272c 1409 }
1ab3836b 1410
b3e2272c 1411 /* Could be empty. */
1ab3836b 1412 if (PACKET_remaining(pkt) == 0) {
6b1bb98f 1413 PACKET_null_init(&clienthello->extensions);
1ab3836b 1414 } else {
6b1bb98f 1415 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) {
1ab3836b
MC		 1416 al = SSL_AD_DECODE_ERROR;
1417 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1418 goto f_err;
1419 }
1420 }
1421 }
1422
6b1bb98f 1423 if (!PACKET_copy_all(&compression, clienthello->compressions,
e2994cf0 1424 MAX_COMPRESSIONS_SIZE,
6b1bb98f 1425 &clienthello->compressions_len)) {
1ab3836b
MC		 1426 al = SSL_AD_DECODE_ERROR;
1427 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1428 goto f_err;
1429 }
1430
b1b4b543 1431 /* Preserve the raw extensions PACKET for later use */
6b1bb98f 1432 extensions = clienthello->extensions;
fadd9a1e 1433 if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
6b1bb98f
BK		 1434 &clienthello->pre_proc_exts, &al,
1435 &clienthello->pre_proc_exts_len)) {
1ab3836b
MC		 1436 /* SSLerr already been called */
1437 goto f_err;
1438 }
6b1bb98f 1439 s->clienthello = clienthello;
1ab3836b 1440
6b1bb98f
BK		 1441 return MSG_PROCESS_CONTINUE_PROCESSING;
1442 f_err:
1443 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1444 err:
1445 ossl_statem_set_error(s);
1446
1447 OPENSSL_free(clienthello->pre_proc_exts);
1448 OPENSSL_free(clienthello);
1449
1450 return MSG_PROCESS_ERROR;
1451}
1452
1453static int tls_early_post_process_client_hello(SSL *s, int *al)
1454{
1455 unsigned int j;
1456 int i;
1457 int protverr;
1458 size_t loop;
1459 unsigned long id;
1460#ifndef OPENSSL_NO_COMP
1461 SSL_COMP *comp = NULL;
1462#endif
1463 const SSL_CIPHER *c;
1464 STACK_OF(SSL_CIPHER) *ciphers = NULL;
1465 STACK_OF(SSL_CIPHER) *scsvs = NULL;
1466 CLIENTHELLO_MSG *clienthello = s->clienthello;
1467
1468 *al = SSL_AD_INTERNAL_ERROR;
1ab3836b 1469 /* Finished parsing the ClientHello, now we can start processing it */
6b1bb98f
BK		 1470 /* Give the early callback a crack at things */
1471 if (s->ctx->early_cb != NULL) {
1472 int code;
1473 /* A failure in the early callback terminates the connection. */
1474 code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg);
1475 if (code == 0)
1476 goto err;
1477 if (code < 0) {
1478 s->rwstate = SSL_EARLY_WORK;
1479 return code;
1480 }
1481 }
1ab3836b
MC		 1482
1483 /* Set up the client_random */
6b1bb98f 1484 memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
1ab3836b
MC		 1485
1486 /* Choose the version */
1487
6b1bb98f
BK		 1488 if (clienthello->isv2) {
1489 if (clienthello->legacy_version == SSL2_VERSION
1490 || (clienthello->legacy_version & 0xff00)
b1b4b543
MC		 1491 != (SSL3_VERSION_MAJOR << 8)) {
1492 /*
1493 * This is real SSLv2 or something complete unknown. We don't
1494 * support it.
1495 */
6b1bb98f 1496 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1ab3836b
MC		 1497 goto err;
1498 }
b1b4b543 1499 /* SSLv3/TLS */
6b1bb98f 1500 s->client_version = clienthello->legacy_version;
1ab3836b
MC		 1501 }
1502 /*
1503 * Do SSL/TLS version negotiation if applicable. For DTLS we just check
1504 * versions are potentially compatible. Version negotiation comes later.
1505 */
1506 if (!SSL_IS_DTLS(s)) {
6b1bb98f 1507 protverr = ssl_choose_server_version(s, clienthello);
1ab3836b 1508 } else if (s->method->version != DTLS_ANY_VERSION &&
6b1bb98f 1509 DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1ab3836b
MC		 1510 protverr = SSL_R_VERSION_TOO_LOW;
1511 } else {
1512 protverr = 0;
1513 }
1514
1515 if (protverr) {
6b1bb98f 1516 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
7d061fce 1517 if (SSL_IS_FIRST_HANDSHAKE(s)) {
b1b4b543 1518 /* like ssl3_get_record, send alert using remote version number */
6b1bb98f 1519 s->version = s->client_version = clienthello->legacy_version;
1ab3836b 1520 }
6b1bb98f
BK		 1521 *al = SSL_AD_PROTOCOL_VERSION;
1522 goto err;
b3e2272c
EK		 1523 }
1524
1ed65871
DB		 1525 if (SSL_IS_DTLS(s)) {
1526 /* Empty cookie was already handled above by returning early. */
1527 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1528 if (s->ctx->app_verify_cookie_cb != NULL) {
6b1bb98f
BK		 1529 if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
1530 clienthello->dtls_cookie_len) == 0) {
1531 *al = SSL_AD_HANDSHAKE_FAILURE;
1532 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1ed65871 1533 SSL_R_COOKIE_MISMATCH);
6b1bb98f 1534 goto err;
1ed65871
DB		 1535 /* else cookie verification succeeded */
1536 }
a230b26e 1537 /* default verification */
6b1bb98f
BK		 1538 } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
1539 || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1ab3836b 1540 s->d1->cookie_len) != 0) {
6b1bb98f
BK		 1541 *al = SSL_AD_HANDSHAKE_FAILURE;
1542 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1543 goto err;
1ed65871
DB		 1544 }
1545 s->d1->cookie_verified = 1;
1546 }
1547 if (s->method->version == DTLS_ANY_VERSION) {
6b1bb98f 1548 protverr = ssl_choose_server_version(s, clienthello);
1ed65871 1549 if (protverr != 0) {
6b1bb98f 1550 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
1ed65871 1551 s->version = s->client_version;
6b1bb98f
BK		 1552 *al = SSL_AD_PROTOCOL_VERSION;
1553 goto err;
1ed65871
DB		 1554 }
1555 }
1556 }
1557
b3e2272c
EK		 1558 s->hit = 0;
1559
1ab3836b 1560 /* We need to do this before getting the session */
70af3d8e 1561 if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
4b299b8e 1562 EXT_CLIENT_HELLO,
6b1bb98f
BK		 1563 clienthello->pre_proc_exts, NULL, 0, al)) {
1564 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1565 goto err;
1ab3836b
MC		 1566 }
1567
b3e2272c
EK		 1568 /*
1569 * We don't allow resumption in a backwards compatible ClientHello.
1570 * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
1571 *
1572 * Versions before 0.9.7 always allow clients to resume sessions in
1573 * renegotiation. 0.9.7 and later allow this by default, but optionally
1574 * ignore resumption requests with flag
1575 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
1576 * than a change to default behavior so that applications relying on
1577 * this for security won't even compile against older library versions).
1578 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
1579 * request renegotiation but not a new session (s->new_session remains
1580 * unset): for servers, this essentially just means that the
1581 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1582 * ignored.
1583 */
6b1bb98f 1584 if (clienthello->isv2 ||
b3e2272c
EK		 1585 (s->new_session &&
1586 (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1587 if (!ssl_get_new_session(s, 1))
1588 goto err;
1589 } else {
6b1bb98f 1590 i = ssl_get_prev_session(s, clienthello, al);
128ae276 1591 if (i == 1) {
b3e2272c
EK		 1592 /* previous session */
1593 s->hit = 1;
1594 } else if (i == -1) {
6b1bb98f 1595 goto err;
32ec4153 1596 } else {
b3e2272c
EK		 1597 /* i == 0 */
1598 if (!ssl_get_new_session(s, 1))
32ec4153 1599 goto err;
0f113f3e 1600 }
b3e2272c 1601 }
0f113f3e 1602
6b1bb98f
BK		 1603 if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
1604 clienthello->isv2, al) ||
1605 !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
1606 clienthello->isv2, al)) {
1607 goto err;
b3e2272c 1608 }
5e9f0eeb 1609
90134d98
BK		 1610 s->s3->send_connection_binding = 0;
1611 /* Check what signalling cipher-suite values were received. */
1612 if (scsvs != NULL) {
1613 for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
1614 c = sk_SSL_CIPHER_value(scsvs, i);
1615 if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
1616 if (s->renegotiate) {
1617 /* SCSV is fatal if renegotiating */
6b1bb98f 1618 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
90134d98 1619 SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
6b1bb98f
BK		 1620 *al = SSL_AD_HANDSHAKE_FAILURE;
1621 goto err;
90134d98
BK		 1622 }
1623 s->s3->send_connection_binding = 1;
1624 } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
1625 !ssl_check_version_downgrade(s)) {
1626 /*
1627 * This SCSV indicates that the client previously tried
1628 * a higher version. We should fail if the current version
1629 * is an unexpected downgrade, as that indicates that the first
1630 * connection may have been tampered with in order to trigger
1631 * an insecure downgrade.
1632 */
6b1bb98f 1633 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
90134d98 1634 SSL_R_INAPPROPRIATE_FALLBACK);
6b1bb98f
BK		 1635 *al = SSL_AD_INAPPROPRIATE_FALLBACK;
1636 goto err;
90134d98
BK		 1637 }
1638 }
1639 }
1640
b3e2272c
EK		 1641 /* If it is a hit, check that the cipher is in the list */
1642 if (s->hit) {
1643 j = 0;
1644 id = s->session->cipher->id;
d02b48c6 1645
413c4f45 1646#ifdef CIPHER_DEBUG
a230b26e 1647 fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
413c4f45 1648#endif
b3e2272c
EK		 1649 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1650 c = sk_SSL_CIPHER_value(ciphers, i);
413c4f45 1651#ifdef CIPHER_DEBUG
b3e2272c
EK		 1652 fprintf(stderr, "client [%2d of %2d]:%s\n",
1653 i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
88f2a4cf 1654#endif
b3e2272c
EK		 1655 if (c->id == id) {
1656 j = 1;
1657 break;
32ec4153 1658 }
0f113f3e 1659 }
b3e2272c 1660 if (j == 0) {
ec30e856 1661 /*
b3e2272c
EK		 1662 * we need to have the cipher in the cipher list if we are asked
1663 * to reuse it
ec30e856 1664 */
6b1bb98f
BK		 1665 *al = SSL_AD_ILLEGAL_PARAMETER;
1666 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
b3e2272c 1667 SSL_R_REQUIRED_CIPHER_MISSING);
6b1bb98f 1668 goto err;
32ec4153 1669 }
b3e2272c 1670 }
9ceb2426 1671
6b1bb98f
BK		 1672 for (loop = 0; loop < clienthello->compressions_len; loop++) {
1673 if (clienthello->compressions[loop] == 0)
b3e2272c 1674 break;
0f113f3e 1675 }
32ec4153 1676
6b1bb98f 1677 if (loop >= clienthello->compressions_len) {
b3e2272c 1678 /* no compress */
6b1bb98f
BK		 1679 *al = SSL_AD_DECODE_ERROR;
1680 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1681 goto err;
b3e2272c 1682 }
f100b031 1683
805a2e9e
MC		 1684#ifndef OPENSSL_NO_EC
1685 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
6b1bb98f 1686 ssl_check_for_safari(s, clienthello);
805a2e9e
MC		 1687#endif /* !OPENSSL_NO_EC */
1688
0f113f3e 1689 /* TLS extensions */
24b8e4b2 1690 if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
6b1bb98f
BK		 1691 clienthello->pre_proc_exts, NULL, 0, al)) {
1692 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1693 goto err;
0f113f3e
MC		 1694 }
1695
1696 /*
1697 * Check if we want to use external pre-shared secret for this handshake
1698 * for not reused session only. We need to generate server_random before
1699 * calling tls_session_secret_cb in order to allow SessionTicket
1700 * processing to use it in key derivation.
1701 */
1702 {
1703 unsigned char *pos;
1704 pos = s->s3->server_random;
1705 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
6b1bb98f 1706 goto err;
0f113f3e
MC		 1707 }
1708 }
1709
aff8c126 1710 if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
4a640fb6 1711 const SSL_CIPHER *pref_cipher = NULL;
8c1a5343
MC		 1712 /*
1713 * s->session->master_key_length is a size_t, but this is an int for
1714 * backwards compat reasons
1715 */
1716 int master_key_length;
0f113f3e 1717
8c1a5343 1718 master_key_length = sizeof(s->session->master_key);
aff8c126 1719 if (s->ext.session_secret_cb(s, s->session->master_key,
8c1a5343 1720 &master_key_length, ciphers,
0f113f3e 1721 &pref_cipher,
aff8c126 1722 s->ext.session_secret_cb_arg)
8c1a5343
MC		 1723 && master_key_length > 0) {
1724 s->session->master_key_length = master_key_length;
0f113f3e
MC		 1725 s->hit = 1;
1726 s->session->ciphers = ciphers;
1727 s->session->verify_result = X509_V_OK;
1728
1729 ciphers = NULL;
1730
1731 /* check if some cipher was preferred by call back */
3f4bf115
DSH		 1732 if (pref_cipher == NULL)
1733 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
1734 SSL_get_ciphers(s));
0f113f3e 1735 if (pref_cipher == NULL) {
6b1bb98f
BK		 1736 *al = SSL_AD_HANDSHAKE_FAILURE;
1737 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1738 goto err;
0f113f3e
MC		 1739 }
1740
1741 s->session->cipher = pref_cipher;
25aaa98a 1742 sk_SSL_CIPHER_free(s->cipher_list);
0f113f3e 1743 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
25aaa98a 1744 sk_SSL_CIPHER_free(s->cipher_list_by_id);
0f113f3e
MC		 1745 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1746 }
1747 }
58ece833 1748
0f113f3e
MC		 1749 /*
1750 * Worst case, we will use the NULL compression, but if we have other
b2ce0337 1751 * options, we will now look for them. We have complen-1 compression
0f113f3e
MC		 1752 * algorithms from the client, starting at q.
1753 */
1754 s->s3->tmp.new_compression = NULL;
09b6c2ef 1755#ifndef OPENSSL_NO_COMP
0f113f3e 1756 /* This only happens if we have a cache hit */
c19602b5 1757 if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) {
0f113f3e 1758 int m, comp_id = s->session->compress_meth;
9ceb2426 1759 unsigned int k;
0f113f3e
MC		 1760 /* Perform sanity checks on resumed compression algorithm */
1761 /* Can't disable compression */
1762 if (!ssl_allow_compression(s)) {
6b1bb98f 1763 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
0f113f3e 1764 SSL_R_INCONSISTENT_COMPRESSION);
6b1bb98f 1765 goto err;
0f113f3e
MC		 1766 }
1767 /* Look for resumed compression method */
1768 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1769 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1770 if (comp_id == comp->id) {
1771 s->s3->tmp.new_compression = comp;
1772 break;
1773 }
1774 }
1775 if (s->s3->tmp.new_compression == NULL) {
6b1bb98f 1776 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
0f113f3e 1777 SSL_R_INVALID_COMPRESSION_ALGORITHM);
6b1bb98f 1778 goto err;
0f113f3e
MC		 1779 }
1780 /* Look for resumed method in compression list */
6b1bb98f
BK		 1781 for (k = 0; k < clienthello->compressions_len; k++) {
1782 if (clienthello->compressions[k] == comp_id)
0f113f3e
MC		 1783 break;
1784 }
6b1bb98f
BK		 1785 if (k >= clienthello->compressions_len) {
1786 *al = SSL_AD_ILLEGAL_PARAMETER;
1787 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
8fdc99cb 1788 SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
6b1bb98f 1789 goto err;
0f113f3e 1790 }
c19602b5 1791 } else if (s->hit) {
0f113f3e 1792 comp = NULL;
c19602b5
MC		 1793 } else if (ssl_allow_compression(s) && s->ctx->comp_methods
1794 && !SSL_IS_TLS13(s)) {
df6741c9 1795 /* See if we have a match */
9ceb2426
MC		 1796 int m, nn, v, done = 0;
1797 unsigned int o;
0f113f3e
MC		 1798
1799 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1800 for (m = 0; m < nn; m++) {
1801 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1802 v = comp->id;
6b1bb98f
BK		 1803 for (o = 0; o < clienthello->compressions_len; o++) {
1804 if (v == clienthello->compressions[o]) {
0f113f3e
MC		 1805 done = 1;
1806 break;
1807 }
1808 }
1809 if (done)
1810 break;
1811 }
1812 if (done)
1813 s->s3->tmp.new_compression = comp;
1814 else
1815 comp = NULL;
1816 }
e6f418bc 1817#else
0f113f3e
MC		 1818 /*
1819 * If compression is disabled we'd better not try to resume a session
1820 * using compression.
1821 */
1822 if (s->session->compress_meth != 0) {
6b1bb98f
BK		 1823 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1824 goto err;
0f113f3e 1825 }
09b6c2ef 1826#endif
413c4f45 1827
0f113f3e
MC		 1828 /*
1829 * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
1830 */
d02b48c6 1831
0f113f3e 1832 if (!s->hit) {
09b6c2ef 1833#ifdef OPENSSL_NO_COMP
0f113f3e 1834 s->session->compress_meth = 0;
09b6c2ef 1835#else
0f113f3e 1836 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
09b6c2ef 1837#endif
25aaa98a 1838 sk_SSL_CIPHER_free(s->session->ciphers);
0f113f3e
MC		 1839 s->session->ciphers = ciphers;
1840 if (ciphers == NULL) {
6b1bb98f
BK		 1841 *al = SSL_AD_INTERNAL_ERROR;
1842 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1843 goto err;
0f113f3e
MC		 1844 }
1845 ciphers = NULL;
1846 if (!tls1_set_server_sigalgs(s)) {
6b1bb98f 1847 SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
0f113f3e
MC		 1848 goto err;
1849 }
e27f234a
MC		 1850 }
1851
1852 sk_SSL_CIPHER_free(ciphers);
6b1bb98f
BK		 1853 sk_SSL_CIPHER_free(scsvs);
1854 OPENSSL_free(clienthello->pre_proc_exts);
1855 OPENSSL_free(s->clienthello);
1856 s->clienthello = NULL;
1857 return 1;
e27f234a 1858 err:
fe3a3291 1859 ossl_statem_set_error(s);
e27f234a
MC		 1860
1861 sk_SSL_CIPHER_free(ciphers);
6b1bb98f
BK		 1862 sk_SSL_CIPHER_free(scsvs);
1863 OPENSSL_free(clienthello->pre_proc_exts);
1864 OPENSSL_free(s->clienthello);
1865 s->clienthello = NULL;
e27f234a 1866
6b1bb98f 1867 return 0;
e27f234a
MC		 1868}
1869
24b8e4b2
MC		 1870/*
1871 * Call the status request callback if needed. Upon success, returns 1.
1266eefd 1872 * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert.
24b8e4b2
MC		 1873 */
1874static int tls_handle_status_request(SSL *s, int *al)
1875{
aff8c126 1876 s->ext.status_expected = 0;
24b8e4b2
MC		 1877
1878 /*
1879 * If status request then ask callback what to do. Note: this must be
1880 * called after servername callbacks in case the certificate has changed,
1881 * and must be called after the cipher has been chosen because this may
1882 * influence which certificate is sent
1883 */
aff8c126
RS		 1884 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
1885 && s->ctx->ext.status_cb != NULL) {
24b8e4b2 1886 int ret;
1266eefd 1887
24b8e4b2 1888 /* If no certificate can't return certificate status */
a497cf25 1889 if (s->s3->tmp.cert != NULL) {
24b8e4b2
MC		 1890 /*
1891 * Set current certificate to one we will use so SSL_get_certificate
1892 * et al can pick it up.
1893 */
a497cf25 1894 s->cert->key = s->s3->tmp.cert;
aff8c126 1895 ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
24b8e4b2
MC		 1896 switch (ret) {
1897 /* We don't want to send a status request response */
1898 case SSL_TLSEXT_ERR_NOACK:
aff8c126 1899 s->ext.status_expected = 0;
24b8e4b2
MC		 1900 break;
1901 /* status request response should be sent */
1902 case SSL_TLSEXT_ERR_OK:
aff8c126
RS		 1903 if (s->ext.ocsp.resp)
1904 s->ext.status_expected = 1;
24b8e4b2
MC		 1905 break;
1906 /* something bad happened */
1907 case SSL_TLSEXT_ERR_ALERT_FATAL:
1908 default:
1909 *al = SSL_AD_INTERNAL_ERROR;
1910 return 0;
1911 }
1912 }
1913 }
1914
1915 return 1;
1916}
1917
be3583fa 1918WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
e27f234a 1919{
d13dd4be 1920 int al = SSL_AD_HANDSHAKE_FAILURE;
4a640fb6 1921 const SSL_CIPHER *cipher;
e27f234a
MC		 1922
1923 if (wst == WORK_MORE_A) {
6b1bb98f
BK		 1924 int rv = tls_early_post_process_client_hello(s, &al);
1925 if (rv == 0) {
1926 /* SSLErr() was already called */
1927 goto f_err;
1928 }
1929 if (rv < 0)
1930 return WORK_MORE_A;
1931 wst = WORK_MORE_B;
1932 }
1933 if (wst == WORK_MORE_B) {
e27f234a
MC		 1934 if (!s->hit) {
1935 /* Let cert callback update server certificates if required */
1936 if (s->cert->cert_cb) {
1937 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
1938 if (rv == 0) {
1939 al = SSL_AD_INTERNAL_ERROR;
a230b26e
EK		 1940 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
1941 SSL_R_CERT_CB_ERROR);
e27f234a
MC		 1942 goto f_err;
1943 }
1944 if (rv < 0) {
1945 s->rwstate = SSL_X509_LOOKUP;
6b1bb98f 1946 return WORK_MORE_B;
e27f234a
MC		 1947 }
1948 s->rwstate = SSL_NOTHING;
0f113f3e 1949 }
a230b26e
EK		 1950 cipher =
1951 ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
e27f234a
MC		 1952
1953 if (cipher == NULL) {
a230b26e
EK		 1954 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
1955 SSL_R_NO_SHARED_CIPHER);
e27f234a 1956 goto f_err;
0f113f3e 1957 }
e27f234a 1958 s->s3->tmp.new_cipher = cipher;
4a419f60 1959 if (!tls_choose_sigalg(s, &al))
56723275 1960 goto f_err;
e27f234a
MC		 1961 /* check whether we should disable session resumption */
1962 if (s->not_resumable_session_cb != NULL)
24b8e4b2
MC		 1963 s->session->not_resumable =
1964 s->not_resumable_session_cb(s, ((cipher->algorithm_mkey
1965 & (SSL_kDHE | SSL_kECDHE))
1966 != 0));
e27f234a
MC		 1967 if (s->session->not_resumable)
1968 /* do not send a session ticket */
aff8c126 1969 s->ext.ticket_expected = 0;
e27f234a
MC		 1970 } else {
1971 /* Session-id reuse */
1972 s->s3->tmp.new_cipher = s->session->cipher;
0f113f3e 1973 }
0f113f3e 1974
e27f234a
MC		 1975 /*-
1976 * we now have the following setup.
1977 * client_random
60250017 1978 * cipher_list - our preferred list of ciphers
1979 * ciphers - the clients preferred list of ciphers
e27f234a
MC		 1980 * compression - basically ignored right now
1981 * ssl version is set - sslv3
1982 * s->session - The ssl session has been setup.
1983 * s->hit - session reuse flag
1984 * s->s3->tmp.new_cipher- the new cipher to use.
1985 */
0f113f3e 1986
24b8e4b2
MC		 1987 /*
1988 * Call status_request callback if needed. Has to be done after the
1989 * certificate callbacks etc above.
1990 */
1991 if (!tls_handle_status_request(s, &al)) {
1992 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
1993 SSL_R_CLIENTHELLO_TLSEXT);
1994 goto f_err;
e27f234a 1995 }
0f113f3e 1996
6b1bb98f 1997 wst = WORK_MORE_C;
e27f234a
MC		 1998 }
1999#ifndef OPENSSL_NO_SRP
6b1bb98f 2000 if (wst == WORK_MORE_C) {
e27f234a
MC		 2001 int ret;
2002 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
2003 /*
2004 * callback indicates further work to be done
2005 */
2006 s->rwstate = SSL_X509_LOOKUP;
6b1bb98f 2007 return WORK_MORE_C;
e27f234a
MC		 2008 }
2009 if (ret != SSL_ERROR_NONE) {
2010 /*
2011 * This is not really an error but the only means to for
2012 * a client to detect whether srp is supported.
2013 */
2014 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
2015 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
a230b26e 2016 SSL_R_CLIENTHELLO_TLSEXT);
7bb37cb5
E		 2017 else
2018 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
2019 SSL_R_PSK_IDENTITY_NOT_FOUND);
e27f234a 2020 goto f_err;
0f113f3e
MC		 2021 }
2022 }
e27f234a 2023#endif
0f113f3e 2024
e27f234a 2025 return WORK_FINISHED_STOP;
0f113f3e 2026 f_err:
e27f234a 2027 ssl3_send_alert(s, SSL3_AL_FATAL, al);
fe3a3291 2028 ossl_statem_set_error(s);
e27f234a
MC		 2029 return WORK_ERROR;
2030}
2031
7cea05dc 2032int tls_construct_server_hello(SSL *s, WPACKET *pkt)
0f113f3e 2033{
ec60ccc1
MC		 2034 int compm, al = SSL_AD_INTERNAL_ERROR;
2035 size_t sl, len;
f2342b7a 2036 int version;
0f113f3e 2037
b97667ce 2038 /* TODO(TLS1.3): Remove the DRAFT conditional before release */
f2342b7a
MC		 2039 version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
2040 if (!WPACKET_put_bytes_u16(pkt, version)
8157d44b
MC		 2041 /*
2042 * Random stuff. Filling of the server_random takes place in
2043 * tls_process_client_hello()
2044 */
7cea05dc 2045 || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
8157d44b
MC		 2046 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
2047 goto err;
2048 }
0f113f3e 2049
e27f234a
MC		 2050 /*-
2051 * There are several cases for the session ID to send
2052 * back in the server hello:
2053 * - For session reuse from the session cache,
2054 * we send back the old session ID.
2055 * - If stateless session reuse (using a session ticket)
2056 * is successful, we send back the client's "session ID"
2057 * (which doesn't actually identify the session).
2058 * - If it is a new session, we send back the new
2059 * session ID.
2060 * - However, if we want the new session to be single-use,
2061 * we send back a 0-length session ID.
2062 * s->hit is non-zero in either case of session reuse,
2063 * so the following won't overwrite an ID that we're supposed
2064 * to send back.
2065 */
2066 if (s->session->not_resumable ||
2067 (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
2068 && !s->hit))
2069 s->session->session_id_length = 0;
2070
2071 sl = s->session->session_id_length;
ec60ccc1 2072 if (sl > sizeof(s->session->session_id)) {
e27f234a 2073 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
8157d44b 2074 goto err;
e27f234a 2075 }
0f113f3e 2076
8157d44b 2077 /* set up the compression method */
09b6c2ef 2078#ifdef OPENSSL_NO_COMP
8157d44b 2079 compm = 0;
09b6c2ef 2080#else
e27f234a 2081 if (s->s3->tmp.new_compression == NULL)
8157d44b 2082 compm = 0;
e27f234a 2083 else
8157d44b 2084 compm = s->s3->tmp.new_compression->id;
09b6c2ef 2085#endif
e481f9b9 2086
71728dd8
MC		 2087 if ((!SSL_IS_TLS13(s)
2088 && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl))
7cea05dc 2089 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
71728dd8
MC		 2090 || (!SSL_IS_TLS13(s)
2091 && !WPACKET_put_bytes_u8(pkt, compm))
7da160b0 2092 || !tls_construct_extensions(s, pkt,
3434f40b 2093 SSL_IS_TLS13(s)
1266eefd 2094 ? EXT_TLS1_3_SERVER_HELLO
30aeba43
MC		 2095 : EXT_TLS1_2_SERVER_HELLO,
2096 NULL, 0, &al)) {
e27f234a 2097 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
8157d44b 2098 goto err;
0f113f3e 2099 }
d02b48c6 2100
aff9929b
MC		 2101 if (!(s->verify_mode & SSL_VERIFY_PEER)
2102 && !ssl3_digest_cached_records(s, 0)) {
2103 al = SSL_AD_INTERNAL_ERROR;
2104 goto err;
2105 }
2106
e27f234a 2107 return 1;
8157d44b 2108 err:
7da160b0 2109 ssl3_send_alert(s, SSL3_AL_FATAL, al);
8157d44b 2110 return 0;
0f113f3e 2111}
d02b48c6 2112
7cea05dc 2113int tls_construct_server_done(SSL *s, WPACKET *pkt)
e27f234a 2114{
e27f234a 2115 if (!s->s3->tmp.cert_request) {
5923ad4b
MC		 2116 if (!ssl3_digest_cached_records(s, 0)) {
2117 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2118 return 0;
2119 }
e27f234a 2120 }
e27f234a
MC		 2121 return 1;
2122}
2123
7cea05dc 2124int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
0f113f3e 2125{
bc36ee62 2126#ifndef OPENSSL_NO_DH
e2b420fd 2127 EVP_PKEY *pkdh = NULL;
ea262260 2128#endif
10bf4fc2 2129#ifndef OPENSSL_NO_EC
0f113f3e 2130 unsigned char *encodedPoint = NULL;
348240c6 2131 size_t encodedlen = 0;
0f113f3e 2132 int curve_id = 0;
d02b48c6 2133#endif
f695571e 2134 const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
c13d2a5b 2135 int al = SSL_AD_INTERNAL_ERROR, i;
0f113f3e 2136 unsigned long type;
2ac6115d 2137 const BIGNUM *r[4];
bfb0641f 2138 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
fe3066ee 2139 EVP_PKEY_CTX *pctx = NULL;
c13d2a5b
MC		 2140 size_t paramlen, paramoffset;
2141
5923ad4b 2142 if (!WPACKET_get_total_written(pkt, &paramoffset)) {
e4e1aa90 2143 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
c13d2a5b
MC		 2144 goto f_err;
2145 }
0f113f3e 2146
6e59a892
RL		 2147 if (md_ctx == NULL) {
2148 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
6e59a892
RL		 2149 goto f_err;
2150 }
0f113f3e 2151
e27f234a 2152 type = s->s3->tmp.new_cipher->algorithm_mkey;
e27f234a 2153
e27f234a 2154 r[0] = r[1] = r[2] = r[3] = NULL;
85269210 2155#ifndef OPENSSL_NO_PSK
e27f234a
MC		 2156 /* Plain PSK or RSAPSK nothing to do */
2157 if (type & (SSL_kPSK | SSL_kRSAPSK)) {
2158 } else
85269210 2159#endif /* !OPENSSL_NO_PSK */
bc36ee62 2160#ifndef OPENSSL_NO_DH
e27f234a 2161 if (type & (SSL_kDHE | SSL_kDHEPSK)) {
94d61512
BL		 2162 CERT *cert = s->cert;
2163
e2b420fd
DSH		 2164 EVP_PKEY *pkdhp = NULL;
2165 DH *dh;
2166
e27f234a 2167 if (s->cert->dh_tmp_auto) {
e2b420fd
DSH		 2168 DH *dhp = ssl_get_auto_dh(s);
2169 pkdh = EVP_PKEY_new();
2170 if (pkdh == NULL || dhp == NULL) {
2171 DH_free(dhp);
e27f234a 2172 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
0f113f3e 2173 ERR_R_INTERNAL_ERROR);
e27f234a 2174 goto f_err;
0f113f3e 2175 }
e2b420fd
DSH		 2176 EVP_PKEY_assign_DH(pkdh, dhp);
2177 pkdhp = pkdh;
2178 } else {
2179 pkdhp = cert->dh_tmp;
2180 }
2181 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
2182 DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
2183 pkdh = ssl_dh_to_pkey(dhp);
2184 if (pkdh == NULL) {
e2b420fd
DSH		 2185 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2186 ERR_R_INTERNAL_ERROR);
2187 goto f_err;
2188 }
2189 pkdhp = pkdh;
2190 }
2191 if (pkdhp == NULL) {
e27f234a
MC		 2192 al = SSL_AD_HANDSHAKE_FAILURE;
2193 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2194 SSL_R_MISSING_TMP_DH_KEY);
2195 goto f_err;
2196 }
2197 if (!ssl_security(s, SSL_SECOP_TMP_DH,
e2b420fd 2198 EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
e27f234a
MC		 2199 al = SSL_AD_HANDSHAKE_FAILURE;
2200 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2201 SSL_R_DH_KEY_TOO_SMALL);
2202 goto f_err;
2203 }
e2b420fd 2204 if (s->s3->tmp.pkey != NULL) {
e27f234a
MC		 2205 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2206 ERR_R_INTERNAL_ERROR);
2207 goto err;
2208 }
0f113f3e 2209
0a699a07 2210 s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
e27f234a 2211
e2b420fd
DSH		 2212 if (s->s3->tmp.pkey == NULL) {
2213 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
ffaef3f1 2214 goto err;
e27f234a 2215 }
e2b420fd
DSH		 2216
2217 dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
2218
2219 EVP_PKEY_free(pkdh);
2220 pkdh = NULL;
2221
0aeddcfa
MC		 2222 DH_get0_pqg(dh, &r[0], NULL, &r[1]);
2223 DH_get0_key(dh, &r[2], NULL);
e27f234a 2224 } else
d02b48c6 2225#endif
10bf4fc2 2226#ifndef OPENSSL_NO_EC
e27f234a 2227 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
57be4444 2228 int nid;
e27f234a 2229
880d9d86 2230 if (s->s3->tmp.pkey != NULL) {
e27f234a
MC		 2231 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2232 ERR_R_INTERNAL_ERROR);
2233 goto err;
2234 }
2235
57be4444 2236 /* Get NID of appropriate shared curve */
de4d764e 2237 nid = tls1_shared_group(s, -2);
57be4444
DSH		 2238 curve_id = tls1_ec_nid2curve_id(nid);
2239 if (curve_id == 0) {
e27f234a
MC		 2240 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2241 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
2242 goto err;
2243 }
0a699a07 2244 s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
880d9d86
DSH		 2245 /* Generate a new key for this curve */
2246 if (s->s3->tmp.pkey == NULL) {
880d9d86 2247 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
57be4444
DSH		 2248 goto f_err;
2249 }
2250
880d9d86 2251 /* Encode the public key. */
ec24630a
DSH		 2252 encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
2253 &encodedPoint);
e27f234a 2254 if (encodedlen == 0) {
cae41364 2255 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
e27f234a
MC		 2256 goto err;
2257 }
0f113f3e 2258
e27f234a
MC		 2259 /*
2260 * We'll generate the serverKeyExchange message explicitly so we
2261 * can set these to NULLs
2262 */
2263 r[0] = NULL;
2264 r[1] = NULL;
2265 r[2] = NULL;
2266 r[3] = NULL;
2267 } else
10bf4fc2 2268#endif /* !OPENSSL_NO_EC */
edc032b5 2269#ifndef OPENSSL_NO_SRP
e27f234a
MC		 2270 if (type & SSL_kSRP) {
2271 if ((s->srp_ctx.N == NULL) ||
2272 (s->srp_ctx.g == NULL) ||
2273 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
2274 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2275 SSL_R_MISSING_SRP_PARAM);
2276 goto err;
0f113f3e 2277 }
e27f234a
MC		 2278 r[0] = s->srp_ctx.N;
2279 r[1] = s->srp_ctx.g;
2280 r[2] = s->srp_ctx.s;
2281 r[3] = s->srp_ctx.B;
2282 } else
2283#endif
2284 {
2285 al = SSL_AD_HANDSHAKE_FAILURE;
2286 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2287 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2288 goto f_err;
2289 }
0f113f3e 2290
f695571e
DSH		 2291 if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
2292 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
2293 lu = NULL;
2294 } else if (lu == NULL) {
2295 al = SSL_AD_DECODE_ERROR;
2296 goto f_err;
e27f234a 2297 }
0f113f3e 2298
85269210 2299#ifndef OPENSSL_NO_PSK
e27f234a 2300 if (type & SSL_PSK) {
c13d2a5b
MC		 2301 size_t len = (s->cert->psk_identity_hint == NULL)
2302 ? 0 : strlen(s->cert->psk_identity_hint);
2303
2304 /*
2305 * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
2306 * checked this when we set the identity hint - but just in case
2307 */
2308 if (len > PSK_MAX_IDENTITY_LEN
7cea05dc 2309 || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
c13d2a5b
MC		 2310 len)) {
2311 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2312 ERR_R_INTERNAL_ERROR);
2313 goto f_err;
85269210 2314 }
e27f234a 2315 }
85269210
DSH		 2316#endif
2317
e27f234a 2318 for (i = 0; i < 4 && r[i] != NULL; i++) {
c13d2a5b
MC		 2319 unsigned char *binval;
2320 int res;
2321
edc032b5 2322#ifndef OPENSSL_NO_SRP
e27f234a 2323 if ((i == 2) && (type & SSL_kSRP)) {
7cea05dc 2324 res = WPACKET_start_sub_packet_u8(pkt);
e27f234a 2325 } else
78a01b3f 2326#endif
7cea05dc 2327 res = WPACKET_start_sub_packet_u16(pkt);
c13d2a5b
MC		 2328
2329 if (!res) {
2330 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2331 ERR_R_INTERNAL_ERROR);
2332 goto f_err;
2333 }
2334
78a01b3f 2335#ifndef OPENSSL_NO_DH
a230b26e 2336 /*-
78a01b3f 2337 * for interoperability with some versions of the Microsoft TLS
2338 * stack, we need to zero pad the DHE pub key to the same length
2339 * as the prime
2340 */
2341 if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
c13d2a5b 2342 size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
ff819477 2343
c13d2a5b 2344 if (len > 0) {
7cea05dc 2345 if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
c13d2a5b
MC		 2346 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2347 ERR_R_INTERNAL_ERROR);
2348 goto f_err;
2349 }
2350 memset(binval, 0, len);
78a01b3f 2351 }
c13d2a5b 2352 }
edc032b5 2353#endif
7cea05dc
MC		 2354 if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
2355 || !WPACKET_close(pkt)) {
c13d2a5b
MC		 2356 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2357 ERR_R_INTERNAL_ERROR);
2358 goto f_err;
2359 }
2360
2361 BN_bn2bin(r[i], binval);
e27f234a 2362 }
d02b48c6 2363
10bf4fc2 2364#ifndef OPENSSL_NO_EC
e27f234a
MC		 2365 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2366 /*
c13d2a5b
MC		 2367 * We only support named (not generic) curves. In this situation, the
2368 * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
2369 * [1 byte length of encoded point], followed by the actual encoded
2370 * point itself
e27f234a 2371 */
7cea05dc
MC		 2372 if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
2373 || !WPACKET_put_bytes_u8(pkt, 0)
2374 || !WPACKET_put_bytes_u8(pkt, curve_id)
2375 || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
c13d2a5b
MC		 2376 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2377 ERR_R_INTERNAL_ERROR);
2378 goto f_err;
2379 }
e27f234a
MC		 2380 OPENSSL_free(encodedPoint);
2381 encodedPoint = NULL;
e27f234a 2382 }
ea262260
BM		 2383#endif
2384
e27f234a 2385 /* not anonymous */
f695571e 2386 if (lu != NULL) {
a497cf25 2387 EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
f695571e
DSH		 2388 const EVP_MD *md = ssl_md(lu->hash_idx);
2389 unsigned char *sigbytes1, *sigbytes2;
2390 size_t siglen;
2391
2392 if (pkey == NULL || md == NULL) {
2393 /* Should never happen */
2394 al = SSL_AD_INTERNAL_ERROR;
2395 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2396 ERR_R_INTERNAL_ERROR);
2397 goto f_err;
2398 }
e27f234a
MC		 2399 /*
2400 * n is the length of the params, they start at &(d[4]) and p
2401 * points to the space at the end.
2402 */
c13d2a5b 2403
f695571e
DSH		 2404 /* Get length of the parameters we have written above */
2405 if (!WPACKET_get_length(pkt, &paramlen)) {
2406 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2407 ERR_R_INTERNAL_ERROR);
2408 goto f_err;
2409 }
2410 /* send signature algorithm */
2411 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg))
2412 return 0;
2413 /*
2414 * Create the signature. We don't know the actual length of the sig
2415 * until after we've created it, so we reserve enough bytes for it
2416 * up front, and then properly allocate them in the WPACKET
2417 * afterwards.
2418 */
2419 siglen = EVP_PKEY_size(pkey);
2420 if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
2421 || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2422 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2423 ERR_R_INTERNAL_ERROR);
2424 goto f_err;
2425 }
2426 if (lu->sig == EVP_PKEY_RSA_PSS) {
2427 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2428 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
c13d2a5b 2429 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
f695571e 2430 ERR_R_EVP_LIB);
5f3d93e4 2431 goto f_err;
0f113f3e 2432 }
f695571e
DSH		 2433 }
2434 if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]),
2435 SSL3_RANDOM_SIZE) <= 0
2436 || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]),
2437 SSL3_RANDOM_SIZE) <= 0
2438 || EVP_DigestSignUpdate(md_ctx,
2439 s->init_buf->data + paramoffset,
2440 paramlen) <= 0
2441 || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0
2442 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2443 || sigbytes1 != sigbytes2) {
e27f234a 2444 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
f695571e 2445 ERR_R_INTERNAL_ERROR);
77d514c5
MC		 2446 goto f_err;
2447 }
0f113f3e
MC		 2448 }
2449
bfb0641f 2450 EVP_MD_CTX_free(md_ctx);
e27f234a 2451 return 1;
0f113f3e
MC		 2452 f_err:
2453 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2454 err:
e2b420fd
DSH		 2455#ifndef OPENSSL_NO_DH
2456 EVP_PKEY_free(pkdh);
2457#endif
556efe79 2458#ifndef OPENSSL_NO_EC
b548a1f1 2459 OPENSSL_free(encodedPoint);
ea262260 2460#endif
bfb0641f 2461 EVP_MD_CTX_free(md_ctx);
e27f234a 2462 return 0;
0f113f3e 2463}
d02b48c6 2464
7cea05dc 2465int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
0f113f3e 2466{
348240c6 2467 int i;
0f113f3e 2468 STACK_OF(X509_NAME) *sk = NULL;
0f113f3e 2469
03f44b97
DSH		 2470 if (SSL_IS_TLS13(s)) {
2471 /* TODO(TLS1.3) for now send empty request context */
2472 if (!WPACKET_put_bytes_u8(pkt, 0)) {
2473 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2474 ERR_R_INTERNAL_ERROR);
2475 goto err;
2476 }
2477 } else {
2478 /* get the list of acceptable cert types */
2479 if (!WPACKET_start_sub_packet_u8(pkt)
2480 || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
2481 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2482 ERR_R_INTERNAL_ERROR);
2483 goto err;
2484 }
28ff8ef3 2485 }
0f113f3e 2486
e27f234a 2487 if (SSL_USE_SIGALGS(s)) {
98c792d1 2488 const uint16_t *psigs;
a9669ddc 2489 size_t nl = tls12_get_psigalgs(s, 1, &psigs);
703bcee0 2490
7cea05dc
MC		 2491 if (!WPACKET_start_sub_packet_u16(pkt)
2492 || !tls12_copy_sigalgs(s, pkt, psigs, nl)
2493 || !WPACKET_close(pkt)) {
28ff8ef3
MC		 2494 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2495 ERR_R_INTERNAL_ERROR);
2496 goto err;
2497 }
e27f234a 2498 }
0f113f3e 2499
28ff8ef3 2500 /* Start sub-packet for client CA list */
7cea05dc 2501 if (!WPACKET_start_sub_packet_u16(pkt)) {
28ff8ef3
MC		 2502 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2503 goto err;
2504 }
e27f234a
MC		 2505
2506 sk = SSL_get_client_CA_list(s);
e27f234a
MC		 2507 if (sk != NULL) {
2508 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
28ff8ef3
MC		 2509 unsigned char *namebytes;
2510 X509_NAME *name = sk_X509_NAME_value(sk, i);
2511 int namelen;
2512
2513 if (name == NULL
2514 || (namelen = i2d_X509_NAME(name, NULL)) < 0
7cea05dc 2515 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
28ff8ef3
MC		 2516 &namebytes)
2517 || i2d_X509_NAME(name, &namebytes) != namelen) {
2518 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
2519 ERR_R_INTERNAL_ERROR);
e27f234a 2520 goto err;
0f113f3e
MC		 2521 }
2522 }
e27f234a
MC		 2523 }
2524 /* else no CA names */
5923ad4b 2525 if (!WPACKET_close(pkt)) {
e27f234a
MC		 2526 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2527 goto err;
0f113f3e 2528 }
03f44b97
DSH		 2529 /*
2530 * TODO(TLS1.3) implement configurable certificate_extensions
2531 * For now just send zero length extensions.
2532 */
2533 if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u16(pkt, 0)) {
2534 SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2535 goto err;
2536 }
d02b48c6 2537
e27f234a
MC		 2538 s->s3->tmp.cert_request = 1;
2539
2540 return 1;
0f113f3e 2541 err:
28ff8ef3 2542 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
e27f234a 2543 return 0;
0f113f3e 2544}
d02b48c6 2545
0907d710 2546static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
e27f234a 2547{
85269210 2548#ifndef OPENSSL_NO_PSK
0907d710
MC		 2549 unsigned char psk[PSK_MAX_PSK_LEN];
2550 size_t psklen;
2551 PACKET psk_identity;
efcdbcbe 2552
0907d710
MC		 2553 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2554 *al = SSL_AD_DECODE_ERROR;
c76a4aea 2555 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
0907d710
MC		 2556 return 0;
2557 }
2558 if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2559 *al = SSL_AD_DECODE_ERROR;
c76a4aea 2560 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
0907d710
MC		 2561 return 0;
2562 }
2563 if (s->psk_server_callback == NULL) {
2564 *al = SSL_AD_INTERNAL_ERROR;
a230b26e 2565 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
0907d710
MC		 2566 return 0;
2567 }
85269210 2568
0907d710
MC		 2569 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
2570 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2571 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
0907d710
MC		 2572 return 0;
2573 }
85269210 2574
0907d710 2575 psklen = s->psk_server_callback(s, s->session->psk_identity,
a230b26e 2576 psk, sizeof(psk));
85269210 2577
0907d710
MC		 2578 if (psklen > PSK_MAX_PSK_LEN) {
2579 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2580 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
0907d710
MC		 2581 return 0;
2582 } else if (psklen == 0) {
2583 /*
2584 * PSK related to the given identity not found
2585 */
2586 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
c76a4aea 2587 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
0907d710
MC		 2588 SSL_R_PSK_IDENTITY_NOT_FOUND);
2589 return 0;
2590 }
85269210 2591
0907d710
MC		 2592 OPENSSL_free(s->s3->tmp.psk);
2593 s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
2594 OPENSSL_cleanse(psk, psklen);
85269210 2595
0907d710
MC		 2596 if (s->s3->tmp.psk == NULL) {
2597 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2598 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
0907d710 2599 return 0;
85269210 2600 }
0907d710
MC		 2601
2602 s->s3->tmp.psklen = psklen;
2603
2604 return 1;
2605#else
2606 /* Should never happen */
2607 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2608 SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
0907d710 2609 return 0;
85269210 2610#endif
0907d710
MC		 2611}
2612
0907d710
MC		 2613static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
2614{
bc36ee62 2615#ifndef OPENSSL_NO_RSA
0907d710
MC		 2616 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
2617 int decrypt_len;
2618 unsigned char decrypt_good, version_good;
2619 size_t j, padding_len;
2620 PACKET enc_premaster;
2621 RSA *rsa = NULL;
2622 unsigned char *rsa_decrypt = NULL;
2623 int ret = 0;
2624
d0ff28f8 2625 rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
0907d710
MC		 2626 if (rsa == NULL) {
2627 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2628 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
0907d710
MC		 2629 return 0;
2630 }
2631
2632 /* SSLv3 and pre-standard DTLS omit the length bytes. */
2633 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2634 enc_premaster = *pkt;
2635 } else {
2636 if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
2637 || PACKET_remaining(pkt) != 0) {
2638 *al = SSL_AD_DECODE_ERROR;
c76a4aea 2639 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
0907d710 2640 return 0;
0f113f3e 2641 }
0907d710 2642 }
0f113f3e 2643
0907d710
MC		 2644 /*
2645 * We want to be sure that the plaintext buffer size makes it safe to
2646 * iterate over the entire size of a premaster secret
2647 * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
2648 * their ciphertext cannot accommodate a premaster secret anyway.
2649 */
2650 if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
2651 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2652 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
0907d710
MC		 2653 return 0;
2654 }
0f113f3e 2655
0907d710
MC		 2656 rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
2657 if (rsa_decrypt == NULL) {
2658 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2659 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
0907d710
MC		 2660 return 0;
2661 }
0f113f3e 2662
0907d710
MC		 2663 /*
2664 * We must not leak whether a decryption failure occurs because of
2665 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
2666 * section 7.4.7.1). The code follows that advice of the TLS RFC and
2667 * generates a random premaster secret for the case that the decrypt
2668 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
2669 */
20ca916d 2670
a230b26e 2671 if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
0907d710 2672 goto err;
0f113f3e 2673
0907d710
MC		 2674 /*
2675 * Decrypt with no padding. PKCS#1 padding will be removed as part of
2676 * the timing-sensitive code below.
2677 */
348240c6
MC		 2678 /* TODO(size_t): Convert this function */
2679 decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
2680 PACKET_data(&enc_premaster),
2681 rsa_decrypt, rsa, RSA_NO_PADDING);
0907d710
MC		 2682 if (decrypt_len < 0)
2683 goto err;
20ca916d 2684
0907d710 2685 /* Check the padding. See RFC 3447, section 7.2.2. */
5b8fa431 2686
0907d710
MC		 2687 /*
2688 * The smallest padded premaster is 11 bytes of overhead. Small keys
2689 * are publicly invalid, so this may return immediately. This ensures
2690 * PS is at least 8 bytes.
2691 */
2692 if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
2693 *al = SSL_AD_DECRYPT_ERROR;
c76a4aea 2694 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
0907d710
MC		 2695 goto err;
2696 }
0f113f3e 2697
0907d710
MC		 2698 padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
2699 decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
a230b26e 2700 constant_time_eq_int_8(rsa_decrypt[1], 2);
0907d710
MC		 2701 for (j = 2; j < padding_len - 1; j++) {
2702 decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
2703 }
2704 decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
5b8fa431 2705
0907d710
MC		 2706 /*
2707 * If the version in the decrypted pre-master secret is correct then
2708 * version_good will be 0xff, otherwise it'll be zero. The
2709 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
2710 * (http://eprint.iacr.org/2003/052/) exploits the version number
2711 * check as a "bad version oracle". Thus version checks are done in
2712 * constant time and are treated like any other decryption error.
2713 */
2714 version_good =
2715 constant_time_eq_8(rsa_decrypt[padding_len],
2716 (unsigned)(s->client_version >> 8));
2717 version_good &=
2718 constant_time_eq_8(rsa_decrypt[padding_len + 1],
2719 (unsigned)(s->client_version & 0xff));
0f113f3e 2720
0907d710
MC		 2721 /*
2722 * The premaster secret must contain the same version number as the
2723 * ClientHello to detect version rollback attacks (strangely, the
2724 * protocol does not offer such protection for DH ciphersuites).
2725 * However, buggy clients exist that send the negotiated protocol
2726 * version instead if the server does not support the requested
2727 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2728 * clients.
2729 */
2730 if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
2731 unsigned char workaround_good;
2732 workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
2733 (unsigned)(s->version >> 8));
2734 workaround_good &=
5b8fa431 2735 constant_time_eq_8(rsa_decrypt[padding_len + 1],
0907d710
MC		 2736 (unsigned)(s->version & 0xff));
2737 version_good |= workaround_good;
2738 }
0f113f3e 2739
0907d710
MC		 2740 /*
2741 * Both decryption and version must be good for decrypt_good to
2742 * remain non-zero (0xff).
2743 */
2744 decrypt_good &= version_good;
0f113f3e 2745
0907d710
MC		 2746 /*
2747 * Now copy rand_premaster_secret over from p using
2748 * decrypt_good_mask. If decryption failed, then p does not
2749 * contain valid plaintext, however, a check above guarantees
2750 * it is still sufficiently large to read from.
2751 */
2752 for (j = 0; j < sizeof(rand_premaster_secret); j++) {
2753 rsa_decrypt[padding_len + j] =
2754 constant_time_select_8(decrypt_good,
2755 rsa_decrypt[padding_len + j],
2756 rand_premaster_secret[j]);
2757 }
0f113f3e 2758
0907d710
MC		 2759 if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
2760 sizeof(rand_premaster_secret), 0)) {
2761 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2762 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
0907d710
MC		 2763 goto err;
2764 }
0f113f3e 2765
0907d710
MC		 2766 ret = 1;
2767 err:
2768 OPENSSL_free(rsa_decrypt);
2769 return ret;
2770#else
2771 /* Should never happen */
2772 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2773 SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
0907d710
MC		 2774 return 0;
2775#endif
2776}
2777
642360f9
MC		 2778static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
2779{
2780#ifndef OPENSSL_NO_DH
2781 EVP_PKEY *skey = NULL;
2782 DH *cdh;
2783 unsigned int i;
2784 BIGNUM *pub_key;
2785 const unsigned char *data;
2786 EVP_PKEY *ckey = NULL;
2787 int ret = 0;
2788
31a7d80d 2789 if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
642360f9 2790 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2791 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
642360f9
MC		 2792 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2793 goto err;
2794 }
642360f9
MC		 2795 skey = s->s3->tmp.pkey;
2796 if (skey == NULL) {
2797 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2798 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
642360f9
MC		 2799 goto err;
2800 }
2801
2802 if (PACKET_remaining(pkt) == 0L) {
2803 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2804 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
642360f9
MC		 2805 goto err;
2806 }
2807 if (!PACKET_get_bytes(pkt, &data, i)) {
2808 /* We already checked we have enough data */
2809 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2810 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
642360f9
MC		 2811 goto err;
2812 }
2813 ckey = EVP_PKEY_new();
2814 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
c76a4aea 2815 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
642360f9
MC		 2816 goto err;
2817 }
2818 cdh = EVP_PKEY_get0_DH(ckey);
2819 pub_key = BN_bin2bn(data, i, NULL);
2820
2821 if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
c76a4aea 2822 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
642360f9
MC		 2823 if (pub_key != NULL)
2824 BN_free(pub_key);
2825 goto err;
2826 }
2827
0f1e51ea 2828 if (ssl_derive(s, skey, ckey, 1) == 0) {
642360f9 2829 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2830 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
642360f9
MC		 2831 goto err;
2832 }
2833
2834 ret = 1;
2835 EVP_PKEY_free(s->s3->tmp.pkey);
2836 s->s3->tmp.pkey = NULL;
2837 err:
2838 EVP_PKEY_free(ckey);
2839 return ret;
2840#else
2841 /* Should never happen */
2842 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2843 SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
642360f9
MC		 2844 return 0;
2845#endif
2846}
2847
19ed1ec1
MC		 2848static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
2849{
2850#ifndef OPENSSL_NO_EC
2851 EVP_PKEY *skey = s->s3->tmp.pkey;
2852 EVP_PKEY *ckey = NULL;
2853 int ret = 0;
2854
2855 if (PACKET_remaining(pkt) == 0L) {
2856 /* We don't support ECDH client auth */
2857 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2858 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
19ed1ec1
MC		 2859 goto err;
2860 } else {
2861 unsigned int i;
2862 const unsigned char *data;
2863
2864 /*
2865 * Get client's public key from encoded point in the
2866 * ClientKeyExchange message.
2867 */
2868
2869 /* Get encoded point length */
fb933982
DSH		 2870 if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
2871 || PACKET_remaining(pkt) != 0) {
19ed1ec1 2872 *al = SSL_AD_DECODE_ERROR;
c76a4aea 2873 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
19ed1ec1
MC		 2874 goto err;
2875 }
19ed1ec1
MC		 2876 ckey = EVP_PKEY_new();
2877 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
c76a4aea 2878 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
19ed1ec1
MC		 2879 goto err;
2880 }
ec24630a 2881 if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
fb933982 2882 *al = SSL_AD_HANDSHAKE_FAILURE;
c76a4aea 2883 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
19ed1ec1
MC		 2884 goto err;
2885 }
2886 }
2887
0f1e51ea 2888 if (ssl_derive(s, skey, ckey, 1) == 0) {
19ed1ec1 2889 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2890 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
19ed1ec1
MC		 2891 goto err;
2892 }
2893
2894 ret = 1;
2895 EVP_PKEY_free(s->s3->tmp.pkey);
2896 s->s3->tmp.pkey = NULL;
2897 err:
2898 EVP_PKEY_free(ckey);
2899
2900 return ret;
2901#else
2902 /* Should never happen */
2903 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2904 SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
19ed1ec1
MC		 2905 return 0;
2906#endif
2907}
2908
c437eef6
MC		 2909static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
2910{
2911#ifndef OPENSSL_NO_SRP
2912 unsigned int i;
2913 const unsigned char *data;
2914
2915 if (!PACKET_get_net_2(pkt, &i)
a230b26e 2916 || !PACKET_get_bytes(pkt, &data, i)) {
c437eef6 2917 *al = SSL_AD_DECODE_ERROR;
c76a4aea 2918 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
c437eef6
MC		 2919 return 0;
2920 }
2921 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
c76a4aea 2922 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
c437eef6
MC		 2923 return 0;
2924 }
a230b26e 2925 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
c437eef6 2926 *al = SSL_AD_ILLEGAL_PARAMETER;
c76a4aea 2927 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
c437eef6
MC		 2928 return 0;
2929 }
2930 OPENSSL_free(s->session->srp_username);
2931 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2932 if (s->session->srp_username == NULL) {
c76a4aea 2933 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
c437eef6
MC		 2934 return 0;
2935 }
2936
2937 if (!srp_generate_server_master_secret(s)) {
c76a4aea 2938 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 2939 return 0;
2940 }
2941
2942 return 1;
2943#else
2944 /* Should never happen */
2945 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2946 SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 2947 return 0;
2948#endif
2949}
2950
2951static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
2952{
2953#ifndef OPENSSL_NO_GOST
2954 EVP_PKEY_CTX *pkey_ctx;
2955 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2956 unsigned char premaster_secret[32];
2957 const unsigned char *start;
2958 size_t outlen = 32, inlen;
2959 unsigned long alg_a;
2960 int Ttag, Tclass;
2961 long Tlen;
348240c6 2962 size_t sess_key_len;
c437eef6
MC		 2963 const unsigned char *data;
2964 int ret = 0;
2965
2966 /* Get our certificate private key */
2967 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2968 if (alg_a & SSL_aGOST12) {
2969 /*
2970 * New GOST ciphersuites have SSL_aGOST01 bit too
2971 */
2972 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
2973 if (pk == NULL) {
2974 pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
2975 }
2976 if (pk == NULL) {
2977 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2978 }
2979 } else if (alg_a & SSL_aGOST01) {
2980 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2981 }
2982
2983 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2984 if (pkey_ctx == NULL) {
2985 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2986 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
c437eef6
MC		 2987 return 0;
2988 }
2989 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
2990 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 2991 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 2992 return 0;
2993 }
2994 /*
2995 * If client certificate is present and is of the same type, maybe
2996 * use it for key exchange. Don't mind errors from
2997 * EVP_PKEY_derive_set_peer, because it is completely valid to use a
2998 * client certificate for authorization only.
2999 */
3000 client_pub_pkey = X509_get0_pubkey(s->session->peer);
3001 if (client_pub_pkey) {
3002 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
3003 ERR_clear_error();
3004 }
3005 /* Decrypt session key */
3006 sess_key_len = PACKET_remaining(pkt);
3007 if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
3008 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 3009 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 3010 goto err;
3011 }
348240c6 3012 /* TODO(size_t): Convert this function */
a230b26e 3013 if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
348240c6 3014 &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
a230b26e 3015 || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
c437eef6 3016 *al = SSL_AD_DECODE_ERROR;
c76a4aea 3017 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
c437eef6
MC		 3018 goto err;
3019 }
3020 start = data;
3021 inlen = Tlen;
3022 if (EVP_PKEY_decrypt
3023 (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
3024 *al = SSL_AD_DECODE_ERROR;
c76a4aea 3025 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
c437eef6
MC		 3026 goto err;
3027 }
3028 /* Generate master secret */
3029 if (!ssl_generate_master_secret(s, premaster_secret,
3030 sizeof(premaster_secret), 0)) {
3031 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 3032 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 3033 goto err;
3034 }
3035 /* Check if pubkey from client certificate was used */
3036 if (EVP_PKEY_CTX_ctrl
3037 (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
3038 s->statem.no_cert_verify = 1;
3039
3040 ret = 1;
3041 err:
3042 EVP_PKEY_CTX_free(pkey_ctx);
3043 return ret;
3044#else
3045 /* Should never happen */
3046 *al = SSL_AD_INTERNAL_ERROR;
c76a4aea 3047 SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
c437eef6
MC		 3048 return 0;
3049#endif
3050}
3051
0907d710
MC		 3052MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
3053{
3054 int al = -1;
3055 unsigned long alg_k;
3056
3057 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3058
3059 /* For PSK parse and retrieve identity, obtain PSK key */
3060 if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
3061 goto err;
3062
3063 if (alg_k & SSL_kPSK) {
3064 /* Identity extracted earlier: should be nothing left */
3065 if (PACKET_remaining(pkt) != 0) {
3066 al = SSL_AD_HANDSHAKE_FAILURE;
a230b26e
EK		 3067 SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3068 SSL_R_LENGTH_MISMATCH);
9059eb71 3069 goto err;
0907d710
MC		 3070 }
3071 /* PSK handled by ssl_generate_master_secret */
3072 if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
69f68237 3073 al = SSL_AD_INTERNAL_ERROR;
e27f234a 3074 SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
9059eb71 3075 goto err;
69f68237 3076 }
0907d710
MC		 3077 } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3078 if (!tls_process_cke_rsa(s, pkt, &al))
3079 goto err;
642360f9
MC		 3080 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3081 if (!tls_process_cke_dhe(s, pkt, &al))
0f113f3e 3082 goto err;
19ed1ec1
MC		 3083 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3084 if (!tls_process_cke_ecdhe(s, pkt, &al))
3085 goto err;
c437eef6
MC		 3086 } else if (alg_k & SSL_kSRP) {
3087 if (!tls_process_cke_srp(s, pkt, &al))
0f113f3e 3088 goto err;
c437eef6
MC		 3089 } else if (alg_k & SSL_kGOST) {
3090 if (!tls_process_cke_gost(s, pkt, &al))
0f113f3e 3091 goto err;
c437eef6 3092 } else {
0f113f3e 3093 al = SSL_AD_HANDSHAKE_FAILURE;
a230b26e
EK		 3094 SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
3095 SSL_R_UNKNOWN_CIPHER_TYPE);
9059eb71 3096 goto err;
0f113f3e
MC		 3097 }
3098
e27f234a 3099 return MSG_PROCESS_CONTINUE_PROCESSING;
0f113f3e 3100 err:
0907d710
MC		 3101 if (al != -1)
3102 ssl3_send_alert(s, SSL3_AL_FATAL, al);
85269210
DSH		 3103#ifndef OPENSSL_NO_PSK
3104 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
3105 s->s3->tmp.psk = NULL;
58964a49 3106#endif
fe3a3291 3107 ossl_statem_set_error(s);
e27f234a 3108 return MSG_PROCESS_ERROR;
0f113f3e 3109}
d02b48c6 3110
be3583fa 3111WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
94836de2 3112{
94836de2 3113#ifndef OPENSSL_NO_SCTP
c130dd8e
MC		 3114 if (wst == WORK_MORE_A) {
3115 if (SSL_IS_DTLS(s)) {
3116 unsigned char sctpauthkey[64];
3117 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3118 /*
3119 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3120 * used.
3121 */
141eb8c6
MC		 3122 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3123 sizeof(DTLS1_SCTP_AUTH_LABEL));
c130dd8e
MC		 3124
3125 if (SSL_export_keying_material(s, sctpauthkey,
a230b26e
EK		 3126 sizeof(sctpauthkey), labelbuffer,
3127 sizeof(labelbuffer), NULL, 0,
3128 0) <= 0) {
fe3a3291 3129 ossl_statem_set_error(s);
0fe2a0af 3130 return WORK_ERROR;
c130dd8e 3131 }
94836de2 3132
c130dd8e
MC		 3133 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3134 sizeof(sctpauthkey), sctpauthkey);
94836de2 3135 }
c130dd8e
MC		 3136 wst = WORK_MORE_B;
3137 }
94836de2 3138
c130dd8e 3139 if ((wst == WORK_MORE_B)
a230b26e
EK		 3140 /* Is this SCTP? */
3141 && BIO_dgram_is_sctp(SSL_get_wbio(s))
3142 /* Are we renegotiating? */
3143 && s->renegotiate
3144 /* Are we going to skip the CertificateVerify? */
3145 && (s->session->peer == NULL || s->statem.no_cert_verify)
3146 && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
c130dd8e
MC		 3147 s->s3->in_read_app_data = 2;
3148 s->rwstate = SSL_READING;
3149 BIO_clear_retry_flags(SSL_get_rbio(s));
3150 BIO_set_retry_read(SSL_get_rbio(s));
d99b0691 3151 ossl_statem_set_sctp_read_sock(s, 1);
c130dd8e
MC		 3152 return WORK_MORE_B;
3153 } else {
fe3a3291 3154 ossl_statem_set_sctp_read_sock(s, 0);
94836de2
MC		 3155 }
3156#endif
3157
149c2ef5 3158 if (s->statem.no_cert_verify || !s->session->peer) {
a230b26e
EK		 3159 /*
3160 * No certificate verify or no peer certificate so we no longer need
3161 * the handshake_buffer
149c2ef5
MC		 3162 */
3163 if (!ssl3_digest_cached_records(s, 0)) {
3164 ossl_statem_set_error(s);
3165 return WORK_ERROR;
3166 }
94836de2 3167 return WORK_FINISHED_CONTINUE;
28f4580c 3168 } else {
94836de2
MC		 3169 if (!s->s3->handshake_buffer) {
3170 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
3171 ERR_R_INTERNAL_ERROR);
fe3a3291 3172 ossl_statem_set_error(s);
94836de2
MC		 3173 return WORK_ERROR;
3174 }
3175 /*
3176 * For sigalgs freeze the handshake buffer. If we support
3177 * extms we've done this already so this is a no-op
3178 */
3179 if (!ssl3_digest_cached_records(s, 1)) {
fe3a3291 3180 ossl_statem_set_error(s);
94836de2
MC		 3181 return WORK_ERROR;
3182 }
94836de2
MC		 3183 }
3184
3185 return WORK_FINISHED_CONTINUE;
3186}
3187
be3583fa 3188MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
e27f234a 3189{
20dbe585 3190 int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
e27f234a
MC		 3191 X509 *x = NULL;
3192 unsigned long l, llen;
b6981744 3193 const unsigned char *certstart, *certbytes;
e27f234a 3194 STACK_OF(X509) *sk = NULL;
e96e0f8e 3195 PACKET spkt, context;
d805a57b 3196 size_t chainidx;
0f113f3e
MC		 3197
3198 if ((sk = sk_X509_new_null()) == NULL) {
e27f234a
MC		 3199 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3200 goto f_err;
0f113f3e
MC		 3201 }
3202
e96e0f8e
MC		 3203 /* TODO(TLS1.3): For now we ignore the context. We need to verify this */
3204 if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context))
3205 || !PACKET_get_net_3(pkt, &llen)
3206 || !PACKET_get_sub_packet(pkt, &spkt, llen)
3207 || PACKET_remaining(pkt) != 0) {
0f113f3e 3208 al = SSL_AD_DECODE_ERROR;
e27f234a 3209 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
0f113f3e
MC		 3210 goto f_err;
3211 }
0bc09ecd 3212
d805a57b 3213 for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
0bc09ecd 3214 if (!PACKET_get_net_3(&spkt, &l)
a230b26e 3215 || !PACKET_get_bytes(&spkt, &certbytes, l)) {
0f113f3e 3216 al = SSL_AD_DECODE_ERROR;
e27f234a 3217 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3218 SSL_R_CERT_LENGTH_MISMATCH);
3219 goto f_err;
3220 }
3221
0bc09ecd
MC		 3222 certstart = certbytes;
3223 x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
0f113f3e 3224 if (x == NULL) {
e27f234a
MC		 3225 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3226 goto f_err;
0f113f3e 3227 }
0bc09ecd 3228 if (certbytes != (certstart + l)) {
0f113f3e 3229 al = SSL_AD_DECODE_ERROR;
e27f234a 3230 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3231 SSL_R_CERT_LENGTH_MISMATCH);
3232 goto f_err;
3233 }
e96e0f8e
MC		 3234
3235 if (SSL_IS_TLS13(s)) {
3236 RAW_EXTENSION *rawexts = NULL;
3237 PACKET extensions;
3238
3239 if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
3240 al = SSL_AD_DECODE_ERROR;
3241 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
3242 goto f_err;
3243 }
3244 if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
fc5ece2e 3245 &rawexts, &al, NULL)
e96e0f8e 3246 || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
5ee289ea
MC		 3247 rawexts, x, chainidx, &al)) {
3248 OPENSSL_free(rawexts);
e96e0f8e 3249 goto f_err;
5ee289ea
MC		 3250 }
3251 OPENSSL_free(rawexts);
e96e0f8e
MC		 3252 }
3253
0f113f3e 3254 if (!sk_X509_push(sk, x)) {
e27f234a
MC		 3255 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3256 goto f_err;
0f113f3e
MC		 3257 }
3258 x = NULL;
0f113f3e
MC		 3259 }
3260
3261 if (sk_X509_num(sk) <= 0) {
3262 /* TLS does not mind 0 certs returned */
3263 if (s->version == SSL3_VERSION) {
3264 al = SSL_AD_HANDSHAKE_FAILURE;
e27f234a 3265 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3266 SSL_R_NO_CERTIFICATES_RETURNED);
3267 goto f_err;
3268 }
3269 /* Fail for TLS only if we required a certificate */
3270 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3271 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
e27f234a 3272 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3273 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3274 al = SSL_AD_HANDSHAKE_FAILURE;
3275 goto f_err;
3276 }
3277 /* No client certificate so digest cached records */
124037fd 3278 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
0f113f3e
MC		 3279 goto f_err;
3280 }
3281 } else {
3282 EVP_PKEY *pkey;
3283 i = ssl_verify_cert_chain(s, sk);
3284 if (i <= 0) {
3285 al = ssl_verify_alarm_type(s->verify_result);
e27f234a 3286 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3287 SSL_R_CERTIFICATE_VERIFY_FAILED);
3288 goto f_err;
3289 }
3290 if (i > 1) {
e27f234a 3291 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
0f113f3e
MC		 3292 al = SSL_AD_HANDSHAKE_FAILURE;
3293 goto f_err;
3294 }
8382fd3a 3295 pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
0f113f3e
MC		 3296 if (pkey == NULL) {
3297 al = SSL3_AD_HANDSHAKE_FAILURE;
e27f234a 3298 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
0f113f3e
MC		 3299 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
3300 goto f_err;
3301 }
0f113f3e
MC		 3302 }
3303
222561fe 3304 X509_free(s->session->peer);
0f113f3e
MC		 3305 s->session->peer = sk_X509_shift(sk);
3306 s->session->verify_result = s->verify_result;
3307
c34b0f99
DSH		 3308 sk_X509_pop_free(s->session->peer_chain, X509_free);
3309 s->session->peer_chain = sk;
0f1e51ea
MC		 3310
3311 /*
3312 * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
3313 * message
3314 */
94ed2c67 3315 if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
0f1e51ea
MC		 3316 al = SSL_AD_INTERNAL_ERROR;
3317 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3318 goto f_err;
3319 }
3320
0f113f3e
MC		 3321 /*
3322 * Inconsistency alert: cert_chain does *not* include the peer's own
d4d78943 3323 * certificate, while we do include it in statem_clnt.c
0f113f3e 3324 */
0f113f3e 3325 sk = NULL;
2c5dfdc3
MC		 3326
3327 /* Save the current hash state for when we receive the CertificateVerify */
3328 if (SSL_IS_TLS13(s)
3329 && !ssl_handshake_hash(s, s->cert_verify_hash,
3330 sizeof(s->cert_verify_hash),
3331 &s->cert_verify_hash_len)) {
3332 al = SSL_AD_INTERNAL_ERROR;
3333 SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3334 goto f_err;
3335 }
3336
e27f234a 3337 ret = MSG_PROCESS_CONTINUE_READING;
66696478
RS		 3338 goto done;
3339
0f113f3e 3340 f_err:
66696478 3341 ssl3_send_alert(s, SSL3_AL_FATAL, al);
fe3a3291 3342 ossl_statem_set_error(s);
66696478 3343 done:
222561fe
RS		 3344 X509_free(x);
3345 sk_X509_pop_free(sk, X509_free);
e27f234a 3346 return ret;
0f113f3e 3347}
d02b48c6 3348
7cea05dc 3349int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
e27f234a 3350{
a497cf25 3351 CERT_PKEY *cpk = s->s3->tmp.cert;
e96e0f8e 3352 int al = SSL_AD_INTERNAL_ERROR;
e27f234a 3353
a497cf25 3354 if (cpk == NULL) {
e27f234a 3355 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
e27f234a
MC		 3356 return 0;
3357 }
3358
e96e0f8e
MC		 3359 /*
3360 * In TLSv1.3 the certificate chain is always preceded by a 0 length context
3361 * for the server Certificate message
3362 */
3363 if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
3364 || !ssl3_output_cert_chain(s, pkt, cpk, &al)) {
e27f234a 3365 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
e96e0f8e 3366 ssl3_send_alert(s, SSL3_AL_FATAL, al);
e27f234a
MC		 3367 return 0;
3368 }
3369
3370 return 1;
3371}
3372
7cea05dc 3373int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
e27f234a
MC		 3374{
3375 unsigned char *senc = NULL;
83ae4661 3376 EVP_CIPHER_CTX *ctx = NULL;
bf7c6817 3377 HMAC_CTX *hctx = NULL;
a00d75e1 3378 unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
e27f234a 3379 const unsigned char *const_p;
a00d75e1 3380 int len, slen_full, slen, lenfinal;
e27f234a
MC		 3381 SSL_SESSION *sess;
3382 unsigned int hlen;
222da979 3383 SSL_CTX *tctx = s->session_ctx;
e27f234a 3384 unsigned char iv[EVP_MAX_IV_LENGTH];
d139723b 3385 unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
30f05b19 3386 int iv_len, al = SSL_AD_INTERNAL_ERROR;
a00d75e1 3387 size_t macoffset, macendoffset;
30f05b19
MC		 3388 union {
3389 unsigned char age_add_c[sizeof(uint32_t)];
3390 uint32_t age_add;
3391 } age_add_u;
e27f234a 3392
fc24f0bf
MC		 3393 if (SSL_IS_TLS13(s)) {
3394 if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
3395 goto err;
3396 s->session->ext.tick_age_add = age_add_u.age_add;
3397 }
3398
e27f234a
MC		 3399 /* get session encoding length */
3400 slen_full = i2d_SSL_SESSION(s->session, NULL);
3401 /*
3402 * Some length values are 16 bits, so forget it if session is too
3403 * long
3404 */
3405 if (slen_full == 0 || slen_full > 0xFF00) {
fe3a3291 3406 ossl_statem_set_error(s);
e27f234a
MC		 3407 return 0;
3408 }
3409 senc = OPENSSL_malloc(slen_full);
a71edf3b 3410 if (senc == NULL) {
fe3a3291 3411 ossl_statem_set_error(s);
e27f234a
MC		 3412 return 0;
3413 }
0f113f3e 3414
846ec07d 3415 ctx = EVP_CIPHER_CTX_new();
bf7c6817 3416 hctx = HMAC_CTX_new();
83ae4661
MC		 3417 if (ctx == NULL || hctx == NULL) {
3418 SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
3419 goto err;
3420 }
0f113f3e 3421
e27f234a
MC		 3422 p = senc;
3423 if (!i2d_SSL_SESSION(s->session, &p))
3424 goto err;
687eaf27 3425
e27f234a
MC		 3426 /*
3427 * create a fresh copy (not shared with other threads) to clean up
3428 */
3429 const_p = senc;
3430 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3431 if (sess == NULL)
3432 goto err;
3433 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
0f113f3e 3434
e27f234a
MC		 3435 slen = i2d_SSL_SESSION(sess, NULL);
3436 if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
3437 SSL_SESSION_free(sess);
3438 goto err;
3439 }
3440 p = senc;
3441 if (!i2d_SSL_SESSION(sess, &p)) {
3442 SSL_SESSION_free(sess);
3443 goto err;
3444 }
3445 SSL_SESSION_free(sess);
0f113f3e 3446
e27f234a
MC		 3447 /*
3448 * Initialize HMAC and cipher contexts. If callback present it does
3449 * all the work otherwise use generated values from parent ctx.
3450 */
aff8c126 3451 if (tctx->ext.ticket_key_cb) {
5c753de6 3452 /* if 0 is returned, write an empty ticket */
aff8c126 3453 int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
5c753de6
TS		 3454 hctx, 1);
3455
3456 if (ret == 0) {
a00d75e1
MC		 3457
3458 /* Put timeout and length */
7cea05dc 3459 if (!WPACKET_put_bytes_u32(pkt, 0)
4a01c59f 3460 || !WPACKET_put_bytes_u16(pkt, 0)) {
a00d75e1
MC		 3461 SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
3462 ERR_R_INTERNAL_ERROR);
5c753de6 3463 goto err;
a00d75e1 3464 }
5c753de6
TS		 3465 OPENSSL_free(senc);
3466 EVP_CIPHER_CTX_free(ctx);
3467 HMAC_CTX_free(hctx);
3468 return 1;
3469 }
3470 if (ret < 0)
e27f234a 3471 goto err;
d139723b 3472 iv_len = EVP_CIPHER_CTX_iv_length(ctx);
e27f234a 3473 } else {
d139723b
KR		 3474 const EVP_CIPHER *cipher = EVP_aes_256_cbc();
3475
3476 iv_len = EVP_CIPHER_iv_length(cipher);
3477 if (RAND_bytes(iv, iv_len) <= 0)
687eaf27 3478 goto err;
d139723b 3479 if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
aff8c126 3480 tctx->ext.tick_aes_key, iv))
687eaf27 3481 goto err;
aff8c126
RS		 3482 if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
3483 sizeof(tctx->ext.tick_hmac_key),
e27f234a 3484 EVP_sha256(), NULL))
4f9fab6b 3485 goto err;
aff8c126
RS		 3486 memcpy(key_name, tctx->ext.tick_key_name,
3487 sizeof(tctx->ext.tick_key_name));
0f113f3e
MC		 3488 }
3489
e27f234a
MC		 3490 /*
3491 * Ticket lifetime hint (advisory only): We leave this unspecified
3492 * for resumed session (for simplicity), and guess that tickets for
3493 * new sessions will live as long as their sessions.
3494 */
7cea05dc 3495 if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
30f05b19
MC		 3496 || (SSL_IS_TLS13(s)
3497 && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add))
a00d75e1 3498 /* Now the actual ticket data */
7cea05dc
MC		 3499 || !WPACKET_start_sub_packet_u16(pkt)
3500 || !WPACKET_get_total_written(pkt, &macoffset)
a00d75e1 3501 /* Output key name */
7cea05dc 3502 || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
a00d75e1 3503 /* output IV */
7cea05dc
MC		 3504 || !WPACKET_memcpy(pkt, iv, iv_len)
3505 || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
a00d75e1
MC		 3506 &encdata1)
3507 /* Encrypt session data */
3508 || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
7cea05dc 3509 || !WPACKET_allocate_bytes(pkt, len, &encdata2)
a00d75e1
MC		 3510 || encdata1 != encdata2
3511 || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
7cea05dc 3512 || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
a00d75e1
MC		 3513 || encdata1 + len != encdata2
3514 || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
7cea05dc 3515 || !WPACKET_get_total_written(pkt, &macendoffset)
a00d75e1
MC		 3516 || !HMAC_Update(hctx,
3517 (unsigned char *)s->init_buf->data + macoffset,
3518 macendoffset - macoffset)
7cea05dc 3519 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
a00d75e1
MC		 3520 || !HMAC_Final(hctx, macdata1, &hlen)
3521 || hlen > EVP_MAX_MD_SIZE
7cea05dc 3522 || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
a00d75e1 3523 || macdata1 != macdata2
30f05b19
MC		 3524 || !WPACKET_close(pkt)
3525 || (SSL_IS_TLS13(s)
3526 && !tls_construct_extensions(s, pkt,
3527 EXT_TLS1_3_NEW_SESSION_TICKET,
3528 NULL, 0, &al))) {
a00d75e1 3529 SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
e27f234a 3530 goto err;
a00d75e1 3531 }
bcaad809
DSH		 3532 EVP_CIPHER_CTX_free(ctx);
3533 HMAC_CTX_free(hctx);
e27f234a
MC		 3534 OPENSSL_free(senc);
3535
3536 return 1;
687eaf27 3537 err:
b548a1f1 3538 OPENSSL_free(senc);
846ec07d 3539 EVP_CIPHER_CTX_free(ctx);
bf7c6817 3540 HMAC_CTX_free(hctx);
a00d75e1 3541 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
e27f234a 3542 return 0;
0f113f3e 3543}
67c8e7f4 3544
f63e4288
MC		 3545/*
3546 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
3547 * create a separate message. Returns 1 on success or 0 on failure.
3548 */
3549int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
e27f234a 3550{
8cbfcc70
RS		 3551 if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
3552 || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
3553 s->ext.ocsp.resp_len)) {
f63e4288
MC		 3554 SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
3555 return 0;
3556 }
3557
3558 return 1;
3559}
3560
3561int tls_construct_cert_status(SSL *s, WPACKET *pkt)
3562{
3563 if (!tls_construct_cert_status_body(s, pkt)) {
cc59ad10 3564 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
cc59ad10
MC		 3565 return 0;
3566 }
e27f234a
MC		 3567
3568 return 1;
3569}
3570
e481f9b9 3571#ifndef OPENSSL_NO_NEXTPROTONEG
e27f234a
MC		 3572/*
3573 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
3574 * It sets the next_proto member in s if found
3575 */
be3583fa 3576MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
e27f234a 3577{
73999b62 3578 PACKET next_proto, padding;
e27f234a
MC		 3579 size_t next_proto_len;
3580
50e735f9
MC		 3581 /*-
3582 * The payload looks like:
3583 * uint8 proto_len;
3584 * uint8 proto[proto_len];
3585 * uint8 padding_len;
3586 * uint8 padding[padding_len];
3587 */
73999b62
MC		 3588 if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
3589 || !PACKET_get_length_prefixed_1(pkt, &padding)
3590 || PACKET_remaining(pkt) > 0) {
e27f234a 3591 SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
c3fc7eea 3592 goto err;
cf9b0b6f 3593 }
0f113f3e 3594
aff8c126
RS		 3595 if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
3596 s->ext.npn_len = 0;
c3fc7eea
MC		 3597 goto err;
3598 }
3599
aff8c126 3600 s->ext.npn_len = (unsigned char)next_proto_len;
0f113f3e 3601
e27f234a 3602 return MSG_PROCESS_CONTINUE_READING;
a230b26e 3603 err:
fe3a3291 3604 ossl_statem_set_error(s);
e27f234a 3605 return MSG_PROCESS_ERROR;
0f113f3e 3606}
6434abbf 3607#endif
d45ba43d 3608
e46f2334
MC		 3609static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
3610{
3434f40b
MC		 3611 int al;
3612
e96e0f8e 3613 if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
30aeba43 3614 NULL, 0, &al)) {
3434f40b 3615 ssl3_send_alert(s, SSL3_AL_FATAL, al);
e46f2334 3616 SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
3434f40b 3617 ssl3_send_alert(s, SSL3_AL_FATAL, al);
e46f2334
MC		 3618 return 0;
3619 }
3620
3621 return 1;
3622}
3623
7d061fce
MC		 3624static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
3625{
429ff318 3626 int al = SSL_AD_INTERNAL_ERROR;
7d061fce
MC		 3627
3628 /*
3629 * TODO(TLS1.3): Remove the DRAFT version before release
3630 * (should be s->version)
3631 */
3632 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
3633 || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
3634 NULL, 0, &al)) {
7d061fce
MC		 3635 SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
3636 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3637 return 0;
3638 }
3639
3640 /* Ditch the session. We'll create a new one next time around */
3641 SSL_SESSION_free(s->session);
3642 s->session = NULL;
3643 s->hit = 0;
3644
3645 return 1;
3646}
A mirror of the official openssl repository