1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <time.h> 14 #include <assert.h> 15 #include "../ssl_local.h" 16 #include "statem_local.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/md5.h> 22 #include <openssl/dh.h> 23 #include <openssl/rsa.h> 24 #include <openssl/bn.h> 25 #include <openssl/engine.h> 26 #include <openssl/trace.h> 27 #include <openssl/core_names.h> 28 #include <openssl/param_build.h> 29 #include "internal/cryptlib.h" 30 #include "internal/comp.h" 31 #include "internal/ssl_unwrap.h" 32 33 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, 34 PACKET *pkt); 35 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, 36 PACKET *pkt); 37 38 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s); 39 static int key_exchange_expected(SSL_CONNECTION *s); 40 static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, 41 WPACKET *pkt); 42 43 static ossl_inline int received_server_cert(SSL_CONNECTION *sc) 44 { 45 return sc->session->peer_rpk != NULL || sc->session->peer != NULL; 46 } 47 48 /* 49 * Is a CertificateRequest message allowed at the moment or not? 50 * 51 * Return values are: 52 * 1: Yes 53 * 0: No 54 */ 55 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s) 56 { 57 /* TLS does not like anon-DH with client cert */ 58 if ((s->version > SSL3_VERSION 59 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) 60 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 61 return 0; 62 63 return 1; 64 } 65 66 /* 67 * Should we expect the ServerKeyExchange message or not? 68 * 69 * Return values are: 70 * 1: Yes 71 * 0: No 72 */ 73 static int key_exchange_expected(SSL_CONNECTION *s) 74 { 75 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 76 77 /* 78 * Can't skip server key exchange if this is an ephemeral 79 * ciphersuite or for SRP 80 */ 81 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK | SSL_kSRP)) { 82 return 1; 83 } 84 85 return 0; 86 } 87 88 /* 89 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 90 * handshake state transitions when a TLS1.3 client is reading messages from the 91 * server. The message type that the server has sent is provided in |mt|. The 92 * current state is in |s->statem.hand_state|. 93 * 94 * Return values are 1 for success (transition allowed) and 0 on error 95 * (transition not allowed) 96 */ 97 static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) 98 { 99 OSSL_STATEM *st = &s->statem; 100 101 /* 102 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 103 * yet negotiated TLSv1.3 at that point so that is handled by 104 * ossl_statem_client_read_transition() 105 */ 106 107 switch (st->hand_state) { 108 default: 109 break; 110 111 case TLS_ST_CW_CLNT_HELLO: 112 /* 113 * This must a ClientHello following a HelloRetryRequest, so the only 114 * thing we can get now is a ServerHello. 115 */ 116 if (mt == SSL3_MT_SERVER_HELLO) { 117 st->hand_state = TLS_ST_CR_SRVR_HELLO; 118 return 1; 119 } 120 break; 121 122 case TLS_ST_CR_SRVR_HELLO: 123 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 124 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 125 return 1; 126 } 127 break; 128 129 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 130 if (s->hit) { 131 if (mt == SSL3_MT_FINISHED) { 132 st->hand_state = TLS_ST_CR_FINISHED; 133 return 1; 134 } 135 } else { 136 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 137 st->hand_state = TLS_ST_CR_CERT_REQ; 138 return 1; 139 } 140 if (mt == SSL3_MT_CERTIFICATE) { 141 st->hand_state = TLS_ST_CR_CERT; 142 return 1; 143 } 144 #ifndef OPENSSL_NO_COMP_ALG 145 if (mt == SSL3_MT_COMPRESSED_CERTIFICATE 146 && s->ext.compress_certificate_sent) { 147 st->hand_state = TLS_ST_CR_COMP_CERT; 148 return 1; 149 } 150 #endif 151 } 152 break; 153 154 case TLS_ST_CR_CERT_REQ: 155 if (mt == SSL3_MT_CERTIFICATE) { 156 st->hand_state = TLS_ST_CR_CERT; 157 return 1; 158 } 159 #ifndef OPENSSL_NO_COMP_ALG 160 if (mt == SSL3_MT_COMPRESSED_CERTIFICATE 161 && s->ext.compress_certificate_sent) { 162 st->hand_state = TLS_ST_CR_COMP_CERT; 163 return 1; 164 } 165 #endif 166 break; 167 168 case TLS_ST_CR_CERT: 169 case TLS_ST_CR_COMP_CERT: 170 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 171 st->hand_state = TLS_ST_CR_CERT_VRFY; 172 return 1; 173 } 174 break; 175 176 case TLS_ST_CR_CERT_VRFY: 177 if (mt == SSL3_MT_FINISHED) { 178 st->hand_state = TLS_ST_CR_FINISHED; 179 return 1; 180 } 181 break; 182 183 case TLS_ST_OK: 184 if (mt == SSL3_MT_NEWSESSION_TICKET) { 185 st->hand_state = TLS_ST_CR_SESSION_TICKET; 186 return 1; 187 } 188 if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) { 189 st->hand_state = TLS_ST_CR_KEY_UPDATE; 190 return 1; 191 } 192 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 193 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 194 /* Restore digest for PHA before adding message.*/ 195 #error Internal DTLS version error 196 #endif 197 if (!SSL_CONNECTION_IS_DTLS(s) 198 && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 199 s->post_handshake_auth = SSL_PHA_REQUESTED; 200 /* 201 * In TLS, this is called before the message is added to the 202 * digest. In DTLS, this is expected to be called after adding 203 * to the digest. Either move the digest restore, or add the 204 * message here after the swap, or do it after the clientFinished? 205 */ 206 if (!tls13_restore_handshake_digest_for_pha(s)) { 207 /* SSLfatal() already called */ 208 return 0; 209 } 210 st->hand_state = TLS_ST_CR_CERT_REQ; 211 return 1; 212 } 213 } 214 break; 215 } 216 217 /* No valid transition found */ 218 return 0; 219 } 220 221 /* 222 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 223 * handshake state transitions when the client is reading messages from the 224 * server. The message type that the server has sent is provided in |mt|. The 225 * current state is in |s->statem.hand_state|. 226 * 227 * Return values are 1 for success (transition allowed) and 0 on error 228 * (transition not allowed) 229 */ 230 int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) 231 { 232 OSSL_STATEM *st = &s->statem; 233 int ske_expected; 234 235 /* 236 * Note that after writing the first ClientHello we don't know what version 237 * we are going to negotiate yet, so we don't take this branch until later. 238 */ 239 if (SSL_CONNECTION_IS_TLS13(s)) { 240 if (!ossl_statem_client13_read_transition(s, mt)) 241 goto err; 242 return 1; 243 } 244 245 switch (st->hand_state) { 246 default: 247 break; 248 249 case TLS_ST_CW_CLNT_HELLO: 250 if (mt == SSL3_MT_SERVER_HELLO) { 251 st->hand_state = TLS_ST_CR_SRVR_HELLO; 252 return 1; 253 } 254 255 if (SSL_CONNECTION_IS_DTLS(s)) { 256 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 257 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 258 return 1; 259 } 260 } 261 break; 262 263 case TLS_ST_EARLY_DATA: 264 /* 265 * We've not actually selected TLSv1.3 yet, but we have sent early 266 * data. The only thing allowed now is a ServerHello or a 267 * HelloRetryRequest. 268 */ 269 if (mt == SSL3_MT_SERVER_HELLO) { 270 st->hand_state = TLS_ST_CR_SRVR_HELLO; 271 return 1; 272 } 273 break; 274 275 case TLS_ST_CR_SRVR_HELLO: 276 if (s->hit) { 277 if (s->ext.ticket_expected) { 278 if (mt == SSL3_MT_NEWSESSION_TICKET) { 279 st->hand_state = TLS_ST_CR_SESSION_TICKET; 280 return 1; 281 } 282 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 283 st->hand_state = TLS_ST_CR_CHANGE; 284 return 1; 285 } 286 } else { 287 if (SSL_CONNECTION_IS_DTLS(s) 288 && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 289 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 290 return 1; 291 } else if (s->version >= TLS1_VERSION 292 && s->ext.session_secret_cb != NULL 293 && s->session->ext.tick != NULL 294 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 295 /* 296 * Normally, we can tell if the server is resuming the session 297 * from the session ID. EAP-FAST (RFC 4851), however, relies on 298 * the next server message after the ServerHello to determine if 299 * the server is resuming. 300 */ 301 s->hit = 1; 302 st->hand_state = TLS_ST_CR_CHANGE; 303 return 1; 304 } else if (!(s->s3.tmp.new_cipher->algorithm_auth 305 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 306 if (mt == SSL3_MT_CERTIFICATE) { 307 st->hand_state = TLS_ST_CR_CERT; 308 return 1; 309 } 310 } else { 311 ske_expected = key_exchange_expected(s); 312 /* SKE is optional for some PSK ciphersuites */ 313 if (ske_expected 314 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) 315 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 316 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 317 st->hand_state = TLS_ST_CR_KEY_EXCH; 318 return 1; 319 } 320 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 321 && cert_req_allowed(s)) { 322 st->hand_state = TLS_ST_CR_CERT_REQ; 323 return 1; 324 } else if (mt == SSL3_MT_SERVER_DONE) { 325 st->hand_state = TLS_ST_CR_SRVR_DONE; 326 return 1; 327 } 328 } 329 } 330 break; 331 332 case TLS_ST_CR_CERT: 333 case TLS_ST_CR_COMP_CERT: 334 /* 335 * The CertificateStatus message is optional even if 336 * |ext.status_expected| is set 337 */ 338 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 339 st->hand_state = TLS_ST_CR_CERT_STATUS; 340 return 1; 341 } 342 /* Fall through */ 343 344 case TLS_ST_CR_CERT_STATUS: 345 ske_expected = key_exchange_expected(s); 346 /* SKE is optional for some PSK ciphersuites */ 347 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 348 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 349 st->hand_state = TLS_ST_CR_KEY_EXCH; 350 return 1; 351 } 352 goto err; 353 } 354 /* Fall through */ 355 356 case TLS_ST_CR_KEY_EXCH: 357 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 358 if (cert_req_allowed(s)) { 359 st->hand_state = TLS_ST_CR_CERT_REQ; 360 return 1; 361 } 362 goto err; 363 } 364 /* Fall through */ 365 366 case TLS_ST_CR_CERT_REQ: 367 if (mt == SSL3_MT_SERVER_DONE) { 368 st->hand_state = TLS_ST_CR_SRVR_DONE; 369 return 1; 370 } 371 break; 372 373 case TLS_ST_CW_FINISHED: 374 if (s->ext.ticket_expected) { 375 if (mt == SSL3_MT_NEWSESSION_TICKET) { 376 st->hand_state = TLS_ST_CR_SESSION_TICKET; 377 return 1; 378 } 379 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 380 st->hand_state = TLS_ST_CR_CHANGE; 381 return 1; 382 } 383 break; 384 385 case TLS_ST_CR_SESSION_TICKET: 386 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 387 st->hand_state = TLS_ST_CR_CHANGE; 388 return 1; 389 } 390 break; 391 392 case TLS_ST_CR_CHANGE: 393 if (mt == SSL3_MT_FINISHED) { 394 st->hand_state = TLS_ST_CR_FINISHED; 395 return 1; 396 } 397 break; 398 399 case TLS_ST_OK: 400 if (mt == SSL3_MT_HELLO_REQUEST) { 401 st->hand_state = TLS_ST_CR_HELLO_REQ; 402 return 1; 403 } 404 break; 405 } 406 407 err: 408 /* No valid transition found */ 409 if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 410 BIO *rbio; 411 412 /* 413 * CCS messages don't have a message sequence number so this is probably 414 * because of an out-of-order CCS. We'll just drop it. 415 */ 416 s->init_num = 0; 417 s->rwstate = SSL_READING; 418 rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); 419 BIO_clear_retry_flags(rbio); 420 BIO_set_retry_read(rbio); 421 return 0; 422 } 423 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 424 return 0; 425 } 426 427 static int do_compressed_cert(SSL_CONNECTION *sc) 428 { 429 /* If we negotiated RPK, we won't try to compress it */ 430 return sc->ext.client_cert_type == TLSEXT_cert_type_x509 431 && sc->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none; 432 } 433 434 /* 435 * ossl_statem_client13_write_transition() works out what handshake state to 436 * move to next when the TLSv1.3 client is writing messages to be sent to the 437 * server. 438 */ 439 static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s) 440 { 441 OSSL_STATEM *st = &s->statem; 442 443 /* 444 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 445 * TLSv1.3 yet at that point. They are handled by 446 * ossl_statem_client_write_transition(). 447 */ 448 switch (st->hand_state) { 449 default: 450 /* Shouldn't happen */ 451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 452 return WRITE_TRAN_ERROR; 453 454 case TLS_ST_CR_CERT_REQ: 455 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 456 if (do_compressed_cert(s)) 457 st->hand_state = TLS_ST_CW_COMP_CERT; 458 else 459 st->hand_state = TLS_ST_CW_CERT; 460 return WRITE_TRAN_CONTINUE; 461 } 462 /* 463 * We should only get here if we received a CertificateRequest after 464 * we already sent close_notify 465 */ 466 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 467 /* Shouldn't happen - same as default case */ 468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 469 return WRITE_TRAN_ERROR; 470 } 471 st->hand_state = TLS_ST_OK; 472 return WRITE_TRAN_CONTINUE; 473 474 case TLS_ST_CR_FINISHED: 475 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 476 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 477 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 478 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 479 && s->hello_retry_request == SSL_HRR_NONE) 480 st->hand_state = TLS_ST_CW_CHANGE; 481 else if (s->s3.tmp.cert_req == 0) 482 st->hand_state = TLS_ST_CW_FINISHED; 483 else if (do_compressed_cert(s)) 484 st->hand_state = TLS_ST_CW_COMP_CERT; 485 else 486 st->hand_state = TLS_ST_CW_CERT; 487 488 s->ts_msg_read = ossl_time_now(); 489 return WRITE_TRAN_CONTINUE; 490 491 case TLS_ST_PENDING_EARLY_DATA_END: 492 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED && !SSL_NO_EOED(s)) { 493 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 494 return WRITE_TRAN_CONTINUE; 495 } 496 /* Fall through */ 497 498 case TLS_ST_CW_END_OF_EARLY_DATA: 499 case TLS_ST_CW_CHANGE: 500 if (s->s3.tmp.cert_req == 0) 501 st->hand_state = TLS_ST_CW_FINISHED; 502 else if (do_compressed_cert(s)) 503 st->hand_state = TLS_ST_CW_COMP_CERT; 504 else 505 st->hand_state = TLS_ST_CW_CERT; 506 return WRITE_TRAN_CONTINUE; 507 508 case TLS_ST_CW_COMP_CERT: 509 case TLS_ST_CW_CERT: 510 /* If a non-empty Certificate we also send CertificateVerify */ 511 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 512 : TLS_ST_CW_FINISHED; 513 return WRITE_TRAN_CONTINUE; 514 515 case TLS_ST_CW_CERT_VRFY: 516 st->hand_state = TLS_ST_CW_FINISHED; 517 return WRITE_TRAN_CONTINUE; 518 519 case TLS_ST_CR_KEY_UPDATE: 520 case TLS_ST_CW_KEY_UPDATE: 521 case TLS_ST_CR_SESSION_TICKET: 522 case TLS_ST_CW_FINISHED: 523 st->hand_state = TLS_ST_OK; 524 return WRITE_TRAN_CONTINUE; 525 526 case TLS_ST_OK: 527 if (s->key_update != SSL_KEY_UPDATE_NONE) { 528 st->hand_state = TLS_ST_CW_KEY_UPDATE; 529 return WRITE_TRAN_CONTINUE; 530 } 531 532 /* Try to read from the server instead */ 533 return WRITE_TRAN_FINISHED; 534 } 535 } 536 537 /* 538 * ossl_statem_client_write_transition() works out what handshake state to 539 * move to next when the client is writing messages to be sent to the server. 540 */ 541 WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) 542 { 543 OSSL_STATEM *st = &s->statem; 544 545 /* 546 * Note that immediately before/after a ClientHello we don't know what 547 * version we are going to negotiate yet, so we don't take this branch until 548 * later 549 */ 550 if (SSL_CONNECTION_IS_TLS13(s)) 551 return ossl_statem_client13_write_transition(s); 552 553 switch (st->hand_state) { 554 default: 555 /* Shouldn't happen */ 556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 557 return WRITE_TRAN_ERROR; 558 559 case TLS_ST_OK: 560 if (!s->renegotiate) { 561 /* 562 * We haven't requested a renegotiation ourselves so we must have 563 * received a message from the server. Better read it. 564 */ 565 return WRITE_TRAN_FINISHED; 566 } 567 /* Renegotiation */ 568 /* fall thru */ 569 case TLS_ST_BEFORE: 570 st->hand_state = TLS_ST_CW_CLNT_HELLO; 571 return WRITE_TRAN_CONTINUE; 572 573 case TLS_ST_CW_CLNT_HELLO: 574 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 575 && !SSL_IS_QUIC_HANDSHAKE(s)) { 576 /* 577 * We are assuming this is a TLSv1.3 connection, although we haven't 578 * actually selected a version yet. 579 */ 580 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 581 st->hand_state = TLS_ST_CW_CHANGE; 582 else 583 st->hand_state = TLS_ST_EARLY_DATA; 584 return WRITE_TRAN_CONTINUE; 585 } 586 /* 587 * No transition at the end of writing because we don't know what 588 * we will be sent 589 */ 590 s->ts_msg_write = ossl_time_now(); 591 return WRITE_TRAN_FINISHED; 592 593 case TLS_ST_CR_SRVR_HELLO: 594 /* 595 * We only get here in TLSv1.3. We just received an HRR, so issue a 596 * CCS unless middlebox compat mode is off, or we already issued one 597 * because we did early data. 598 */ 599 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 600 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 601 st->hand_state = TLS_ST_CW_CHANGE; 602 else 603 st->hand_state = TLS_ST_CW_CLNT_HELLO; 604 return WRITE_TRAN_CONTINUE; 605 606 case TLS_ST_EARLY_DATA: 607 s->ts_msg_write = ossl_time_now(); 608 return WRITE_TRAN_FINISHED; 609 610 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 611 st->hand_state = TLS_ST_CW_CLNT_HELLO; 612 return WRITE_TRAN_CONTINUE; 613 614 case TLS_ST_CR_SRVR_DONE: 615 s->ts_msg_read = ossl_time_now(); 616 if (s->s3.tmp.cert_req) 617 st->hand_state = TLS_ST_CW_CERT; 618 else 619 st->hand_state = TLS_ST_CW_KEY_EXCH; 620 return WRITE_TRAN_CONTINUE; 621 622 case TLS_ST_CW_CERT: 623 st->hand_state = TLS_ST_CW_KEY_EXCH; 624 return WRITE_TRAN_CONTINUE; 625 626 case TLS_ST_CW_KEY_EXCH: 627 /* 628 * For TLS, cert_req is set to 2, so a cert chain of nothing is 629 * sent, but no verify packet is sent 630 */ 631 /* 632 * XXX: For now, we do not support client authentication in ECDH 633 * cipher suites with ECDH (rather than ECDSA) certificates. We 634 * need to skip the certificate verify message when client's 635 * ECDH public key is sent inside the client certificate. 636 */ 637 if (s->s3.tmp.cert_req == 1) { 638 st->hand_state = TLS_ST_CW_CERT_VRFY; 639 } else { 640 st->hand_state = TLS_ST_CW_CHANGE; 641 } 642 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 643 st->hand_state = TLS_ST_CW_CHANGE; 644 } 645 return WRITE_TRAN_CONTINUE; 646 647 case TLS_ST_CW_CERT_VRFY: 648 st->hand_state = TLS_ST_CW_CHANGE; 649 return WRITE_TRAN_CONTINUE; 650 651 case TLS_ST_CW_CHANGE: 652 if (s->hello_retry_request == SSL_HRR_PENDING) { 653 st->hand_state = TLS_ST_CW_CLNT_HELLO; 654 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 655 st->hand_state = TLS_ST_EARLY_DATA; 656 } else { 657 #if defined(OPENSSL_NO_NEXTPROTONEG) 658 st->hand_state = TLS_ST_CW_FINISHED; 659 #else 660 if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen) 661 st->hand_state = TLS_ST_CW_NEXT_PROTO; 662 else 663 st->hand_state = TLS_ST_CW_FINISHED; 664 #endif 665 } 666 return WRITE_TRAN_CONTINUE; 667 668 #if !defined(OPENSSL_NO_NEXTPROTONEG) 669 case TLS_ST_CW_NEXT_PROTO: 670 st->hand_state = TLS_ST_CW_FINISHED; 671 return WRITE_TRAN_CONTINUE; 672 #endif 673 674 case TLS_ST_CW_FINISHED: 675 if (s->hit) { 676 st->hand_state = TLS_ST_OK; 677 return WRITE_TRAN_CONTINUE; 678 } else { 679 return WRITE_TRAN_FINISHED; 680 } 681 682 case TLS_ST_CR_FINISHED: 683 if (s->hit) { 684 st->hand_state = TLS_ST_CW_CHANGE; 685 return WRITE_TRAN_CONTINUE; 686 } else { 687 st->hand_state = TLS_ST_OK; 688 return WRITE_TRAN_CONTINUE; 689 } 690 691 case TLS_ST_CR_HELLO_REQ: 692 /* 693 * If we can renegotiate now then do so, otherwise wait for a more 694 * convenient time. 695 */ 696 if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) { 697 if (!tls_setup_handshake(s)) { 698 /* SSLfatal() already called */ 699 return WRITE_TRAN_ERROR; 700 } 701 st->hand_state = TLS_ST_CW_CLNT_HELLO; 702 return WRITE_TRAN_CONTINUE; 703 } 704 st->hand_state = TLS_ST_OK; 705 return WRITE_TRAN_CONTINUE; 706 } 707 } 708 709 /* 710 * Perform any pre work that needs to be done prior to sending a message from 711 * the client to the server. 712 */ 713 WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst) 714 { 715 OSSL_STATEM *st = &s->statem; 716 717 switch (st->hand_state) { 718 default: 719 /* No pre work to be done */ 720 break; 721 722 case TLS_ST_CW_CLNT_HELLO: 723 s->shutdown = 0; 724 if (SSL_CONNECTION_IS_DTLS(s)) { 725 /* every DTLS ClientHello resets Finished MAC */ 726 if (!ssl3_init_finished_mac(s)) { 727 /* SSLfatal() already called */ 728 return WORK_ERROR; 729 } 730 } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) { 731 /* 732 * This must be a second ClientHello after an HRR following an 733 * earlier rejected attempt to send early data. Since we were 734 * previously encrypting the early data we now need to reset the 735 * write record layer in order to write in plaintext again. 736 */ 737 if (!ssl_set_new_record_layer(s, 738 TLS_ANY_VERSION, 739 OSSL_RECORD_DIRECTION_WRITE, 740 OSSL_RECORD_PROTECTION_LEVEL_NONE, 741 NULL, 0, NULL, 0, NULL, 0, NULL, 0, 742 NULL, 0, NID_undef, NULL, NULL, 743 NULL)) { 744 /* SSLfatal already called */ 745 return WORK_ERROR; 746 } 747 } 748 break; 749 750 case TLS_ST_CW_CHANGE: 751 if (SSL_CONNECTION_IS_DTLS(s)) { 752 if (s->hit) { 753 /* 754 * We're into the last flight so we don't retransmit these 755 * messages unless we need to. 756 */ 757 st->use_timer = 0; 758 } 759 #ifndef OPENSSL_NO_SCTP 760 if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) { 761 /* Calls SSLfatal() as required */ 762 return dtls_wait_for_dry(s); 763 } 764 #endif 765 } 766 break; 767 768 case TLS_ST_PENDING_EARLY_DATA_END: 769 /* 770 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 771 * attempt to write early data before calling SSL_read() then we press 772 * on with the handshake. Otherwise we pause here. 773 */ 774 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 775 || s->early_data_state == SSL_EARLY_DATA_NONE) 776 return WORK_FINISHED_CONTINUE; 777 /* Fall through */ 778 779 case TLS_ST_EARLY_DATA: 780 return tls_finish_handshake(s, wst, 0, 1); 781 782 case TLS_ST_OK: 783 /* Calls SSLfatal() as required */ 784 return tls_finish_handshake(s, wst, 1, 1); 785 } 786 787 return WORK_FINISHED_CONTINUE; 788 } 789 790 /* 791 * Perform any work that needs to be done after sending a message from the 792 * client to the server. 793 */ 794 WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) 795 { 796 OSSL_STATEM *st = &s->statem; 797 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 798 799 s->init_num = 0; 800 801 switch (st->hand_state) { 802 default: 803 /* No post work to be done */ 804 break; 805 806 case TLS_ST_CW_CLNT_HELLO: 807 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 808 && s->max_early_data > 0) { 809 /* 810 * We haven't selected TLSv1.3 yet so we don't call the change 811 * cipher state function associated with the SSL_METHOD. Instead 812 * we call tls13_change_cipher_state() directly. 813 */ 814 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 815 if (!tls13_change_cipher_state(s, 816 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 817 /* SSLfatal() already called */ 818 return WORK_ERROR; 819 } 820 } 821 /* else we're in compat mode so we delay flushing until after CCS */ 822 } else if (!statem_flush(s)) { 823 return WORK_MORE_A; 824 } 825 826 if (SSL_CONNECTION_IS_DTLS(s)) { 827 /* Treat the next message as the first packet */ 828 s->first_packet = 1; 829 } 830 break; 831 832 case TLS_ST_CW_KEY_EXCH: 833 if (tls_client_key_exchange_post_work(s) == 0) { 834 /* SSLfatal() already called */ 835 return WORK_ERROR; 836 } 837 break; 838 839 case TLS_ST_CW_CHANGE: 840 if (SSL_CONNECTION_IS_TLS13(s) 841 || s->hello_retry_request == SSL_HRR_PENDING) 842 break; 843 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 844 && s->max_early_data > 0) { 845 /* 846 * We haven't selected TLSv1.3 yet so we don't call the change 847 * cipher state function associated with the SSL_METHOD. Instead 848 * we call tls13_change_cipher_state() directly. 849 */ 850 if (!tls13_change_cipher_state(s, 851 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 852 return WORK_ERROR; 853 break; 854 } 855 s->session->cipher = s->s3.tmp.new_cipher; 856 #ifdef OPENSSL_NO_COMP 857 s->session->compress_meth = 0; 858 #else 859 if (s->s3.tmp.new_compression == NULL) 860 s->session->compress_meth = 0; 861 else 862 s->session->compress_meth = s->s3.tmp.new_compression->id; 863 #endif 864 if (!ssl->method->ssl3_enc->setup_key_block(s)) { 865 /* SSLfatal() already called */ 866 return WORK_ERROR; 867 } 868 869 if (!ssl->method->ssl3_enc->change_cipher_state(s, 870 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 871 /* SSLfatal() already called */ 872 return WORK_ERROR; 873 } 874 875 #ifndef OPENSSL_NO_SCTP 876 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { 877 /* 878 * Change to new shared key of SCTP-Auth, will be ignored if 879 * no SCTP used. 880 */ 881 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 882 0, NULL); 883 } 884 #endif 885 break; 886 887 case TLS_ST_CW_FINISHED: 888 #ifndef OPENSSL_NO_SCTP 889 if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) { 890 /* 891 * Change to new shared key of SCTP-Auth, will be ignored if 892 * no SCTP used. 893 */ 894 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 895 0, NULL); 896 } 897 #endif 898 if (statem_flush(s) != 1) 899 return WORK_MORE_B; 900 901 if (SSL_CONNECTION_IS_TLS13(s)) { 902 if (!tls13_save_handshake_digest_for_pha(s)) { 903 /* SSLfatal() already called */ 904 return WORK_ERROR; 905 } 906 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 907 if (!ssl->method->ssl3_enc->change_cipher_state(s, 908 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 909 /* SSLfatal() already called */ 910 return WORK_ERROR; 911 } 912 /* 913 * For QUIC we deferred setting up these keys until now so 914 * that we can ensure write keys are always set up before read 915 * keys. 916 */ 917 if (SSL_IS_QUIC_HANDSHAKE(s) 918 && !ssl->method->ssl3_enc->change_cipher_state(s, 919 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 920 /* SSLfatal() already called */ 921 return WORK_ERROR; 922 } 923 } 924 } 925 break; 926 927 case TLS_ST_CW_KEY_UPDATE: 928 if (statem_flush(s) != 1) 929 return WORK_MORE_A; 930 if (!tls13_update_key(s, 1)) { 931 /* SSLfatal() already called */ 932 return WORK_ERROR; 933 } 934 break; 935 } 936 937 return WORK_FINISHED_CONTINUE; 938 } 939 940 /* 941 * Get the message construction function and message type for sending from the 942 * client 943 * 944 * Valid return values are: 945 * 1: Success 946 * 0: Error 947 */ 948 int ossl_statem_client_construct_message(SSL_CONNECTION *s, 949 confunc_f *confunc, int *mt) 950 { 951 OSSL_STATEM *st = &s->statem; 952 953 switch (st->hand_state) { 954 default: 955 /* Shouldn't happen */ 956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); 957 return 0; 958 959 case TLS_ST_CW_CHANGE: 960 if (SSL_CONNECTION_IS_DTLS(s)) 961 *confunc = dtls_construct_change_cipher_spec; 962 else 963 *confunc = tls_construct_change_cipher_spec; 964 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 965 break; 966 967 case TLS_ST_CW_CLNT_HELLO: 968 *confunc = tls_construct_client_hello; 969 *mt = SSL3_MT_CLIENT_HELLO; 970 break; 971 972 case TLS_ST_CW_END_OF_EARLY_DATA: 973 *confunc = tls_construct_end_of_early_data; 974 *mt = SSL3_MT_END_OF_EARLY_DATA; 975 break; 976 977 case TLS_ST_PENDING_EARLY_DATA_END: 978 *confunc = NULL; 979 *mt = SSL3_MT_DUMMY; 980 break; 981 982 case TLS_ST_CW_CERT: 983 *confunc = tls_construct_client_certificate; 984 *mt = SSL3_MT_CERTIFICATE; 985 break; 986 987 #ifndef OPENSSL_NO_COMP_ALG 988 case TLS_ST_CW_COMP_CERT: 989 *confunc = tls_construct_client_compressed_certificate; 990 *mt = SSL3_MT_COMPRESSED_CERTIFICATE; 991 break; 992 #endif 993 994 case TLS_ST_CW_KEY_EXCH: 995 *confunc = tls_construct_client_key_exchange; 996 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 997 break; 998 999 case TLS_ST_CW_CERT_VRFY: 1000 *confunc = tls_construct_cert_verify; 1001 *mt = SSL3_MT_CERTIFICATE_VERIFY; 1002 break; 1003 1004 #if !defined(OPENSSL_NO_NEXTPROTONEG) 1005 case TLS_ST_CW_NEXT_PROTO: 1006 *confunc = tls_construct_next_proto; 1007 *mt = SSL3_MT_NEXT_PROTO; 1008 break; 1009 #endif 1010 case TLS_ST_CW_FINISHED: 1011 *confunc = tls_construct_finished; 1012 *mt = SSL3_MT_FINISHED; 1013 break; 1014 1015 case TLS_ST_CW_KEY_UPDATE: 1016 *confunc = tls_construct_key_update; 1017 *mt = SSL3_MT_KEY_UPDATE; 1018 break; 1019 } 1020 1021 return 1; 1022 } 1023 1024 /* 1025 * Returns the maximum allowed length for the current message that we are 1026 * reading. Excludes the message header. 1027 */ 1028 size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) 1029 { 1030 OSSL_STATEM *st = &s->statem; 1031 1032 switch (st->hand_state) { 1033 default: 1034 /* Shouldn't happen */ 1035 return 0; 1036 1037 case TLS_ST_CR_SRVR_HELLO: 1038 return SERVER_HELLO_MAX_LENGTH; 1039 1040 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1041 return HELLO_VERIFY_REQUEST_MAX_LENGTH; 1042 1043 case TLS_ST_CR_COMP_CERT: 1044 case TLS_ST_CR_CERT: 1045 return s->max_cert_list; 1046 1047 case TLS_ST_CR_CERT_VRFY: 1048 return CERTIFICATE_VERIFY_MAX_LENGTH; 1049 1050 case TLS_ST_CR_CERT_STATUS: 1051 return SSL3_RT_MAX_PLAIN_LENGTH; 1052 1053 case TLS_ST_CR_KEY_EXCH: 1054 return SERVER_KEY_EXCH_MAX_LENGTH; 1055 1056 case TLS_ST_CR_CERT_REQ: 1057 /* 1058 * Set to s->max_cert_list for compatibility with previous releases. In 1059 * practice these messages can get quite long if servers are configured 1060 * to provide a long list of acceptable CAs 1061 */ 1062 return s->max_cert_list; 1063 1064 case TLS_ST_CR_SRVR_DONE: 1065 return SERVER_HELLO_DONE_MAX_LENGTH; 1066 1067 case TLS_ST_CR_CHANGE: 1068 if (s->version == DTLS1_BAD_VER) 1069 return 3; 1070 return CCS_MAX_LENGTH; 1071 1072 case TLS_ST_CR_SESSION_TICKET: 1073 return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 1074 : SESSION_TICKET_MAX_LENGTH_TLS12; 1075 1076 case TLS_ST_CR_FINISHED: 1077 return FINISHED_MAX_LENGTH; 1078 1079 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1080 return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1081 1082 case TLS_ST_CR_KEY_UPDATE: 1083 return KEY_UPDATE_MAX_LENGTH; 1084 } 1085 } 1086 1087 /* 1088 * Process a message that the client has received from the server. 1089 */ 1090 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s, 1091 PACKET *pkt) 1092 { 1093 OSSL_STATEM *st = &s->statem; 1094 1095 switch (st->hand_state) { 1096 default: 1097 /* Shouldn't happen */ 1098 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1099 return MSG_PROCESS_ERROR; 1100 1101 case TLS_ST_CR_SRVR_HELLO: 1102 return tls_process_server_hello(s, pkt); 1103 1104 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1105 return dtls_process_hello_verify(s, pkt); 1106 1107 case TLS_ST_CR_CERT: 1108 return tls_process_server_certificate(s, pkt); 1109 1110 #ifndef OPENSSL_NO_COMP_ALG 1111 case TLS_ST_CR_COMP_CERT: 1112 return tls_process_server_compressed_certificate(s, pkt); 1113 #endif 1114 1115 case TLS_ST_CR_CERT_VRFY: 1116 return tls_process_cert_verify(s, pkt); 1117 1118 case TLS_ST_CR_CERT_STATUS: 1119 return tls_process_cert_status(s, pkt); 1120 1121 case TLS_ST_CR_KEY_EXCH: 1122 return tls_process_key_exchange(s, pkt); 1123 1124 case TLS_ST_CR_CERT_REQ: 1125 return tls_process_certificate_request(s, pkt); 1126 1127 case TLS_ST_CR_SRVR_DONE: 1128 return tls_process_server_done(s, pkt); 1129 1130 case TLS_ST_CR_CHANGE: 1131 return tls_process_change_cipher_spec(s, pkt); 1132 1133 case TLS_ST_CR_SESSION_TICKET: 1134 return tls_process_new_session_ticket(s, pkt); 1135 1136 case TLS_ST_CR_FINISHED: 1137 return tls_process_finished(s, pkt); 1138 1139 case TLS_ST_CR_HELLO_REQ: 1140 return tls_process_hello_req(s, pkt); 1141 1142 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1143 return tls_process_encrypted_extensions(s, pkt); 1144 1145 case TLS_ST_CR_KEY_UPDATE: 1146 return tls_process_key_update(s, pkt); 1147 } 1148 } 1149 1150 /* 1151 * Perform any further processing required following the receipt of a message 1152 * from the server 1153 */ 1154 WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s, 1155 WORK_STATE wst) 1156 { 1157 OSSL_STATEM *st = &s->statem; 1158 1159 switch (st->hand_state) { 1160 default: 1161 /* Shouldn't happen */ 1162 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1163 return WORK_ERROR; 1164 1165 case TLS_ST_CR_CERT: 1166 case TLS_ST_CR_COMP_CERT: 1167 return tls_post_process_server_certificate(s, wst); 1168 1169 case TLS_ST_CR_CERT_VRFY: 1170 case TLS_ST_CR_CERT_REQ: 1171 return tls_prepare_client_certificate(s, wst); 1172 } 1173 } 1174 1175 CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) 1176 { 1177 unsigned char *p; 1178 size_t sess_id_len; 1179 int i, protverr; 1180 #ifndef OPENSSL_NO_COMP 1181 SSL_COMP *comp; 1182 #endif 1183 SSL_SESSION *sess = s->session; 1184 unsigned char *session_id; 1185 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1186 1187 /* Work out what SSL/TLS/DTLS version to use */ 1188 protverr = ssl_set_client_hello_version(s); 1189 if (protverr != 0) { 1190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); 1191 return CON_FUNC_ERROR; 1192 } 1193 1194 if (sess == NULL 1195 || !ssl_version_supported(s, sess->ssl_version, NULL) 1196 || !SSL_SESSION_is_resumable(sess)) { 1197 if (s->hello_retry_request == SSL_HRR_NONE 1198 && !ssl_get_new_session(s, 0)) { 1199 /* SSLfatal() already called */ 1200 return CON_FUNC_ERROR; 1201 } 1202 } 1203 /* else use the pre-loaded session */ 1204 1205 p = s->s3.client_random; 1206 1207 /* 1208 * for DTLS if client_random is initialized, reuse it, we are 1209 * required to use same upon reply to HelloVerify 1210 */ 1211 if (SSL_CONNECTION_IS_DTLS(s)) { 1212 size_t idx; 1213 i = 1; 1214 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { 1215 if (p[idx]) { 1216 i = 0; 1217 break; 1218 } 1219 } 1220 } else { 1221 i = (s->hello_retry_request == SSL_HRR_NONE); 1222 } 1223 1224 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), DOWNGRADE_NONE) <= 0) { 1225 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1226 return CON_FUNC_ERROR; 1227 } 1228 1229 /*- 1230 * version indicates the negotiated version: for example from 1231 * an SSLv2/v3 compatible client hello). The client_version 1232 * field is the maximum version we permit and it is also 1233 * used in RSA encrypted premaster secrets. Some servers can 1234 * choke if we initially report a higher version then 1235 * renegotiate to a lower one in the premaster secret. This 1236 * didn't happen with TLS 1.0 as most servers supported it 1237 * but it can with TLS 1.1 or later if the server only supports 1238 * 1.0. 1239 * 1240 * Possible scenario with previous logic: 1241 * 1. Client hello indicates TLS 1.2 1242 * 2. Server hello says TLS 1.0 1243 * 3. RSA encrypted premaster secret uses 1.2. 1244 * 4. Handshake proceeds using TLS 1.0. 1245 * 5. Server sends hello request to renegotiate. 1246 * 6. Client hello indicates TLS v1.0 as we now 1247 * know that is maximum server supports. 1248 * 7. Server chokes on RSA encrypted premaster secret 1249 * containing version 1.0. 1250 * 1251 * For interoperability it should be OK to always use the 1252 * maximum version we support in client hello and then rely 1253 * on the checking of version to ensure the servers isn't 1254 * being inconsistent: for example initially negotiating with 1255 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1256 * client_version in client hello and not resetting it to 1257 * the negotiated version. 1258 * 1259 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1260 * supported_versions extension for the real supported versions. 1261 */ 1262 if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1263 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { 1264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1265 return CON_FUNC_ERROR; 1266 } 1267 1268 /* Session ID */ 1269 session_id = s->session->session_id; 1270 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1271 if (s->version == TLS1_3_VERSION 1272 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1273 sess_id_len = sizeof(s->tmp_session_id); 1274 s->tmp_session_id_len = sess_id_len; 1275 session_id = s->tmp_session_id; 1276 if (s->hello_retry_request == SSL_HRR_NONE 1277 && RAND_bytes_ex(sctx->libctx, s->tmp_session_id, 1278 sess_id_len, 0) 1279 <= 0) { 1280 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1281 return CON_FUNC_ERROR; 1282 } 1283 } else { 1284 sess_id_len = 0; 1285 } 1286 } else { 1287 assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1288 sess_id_len = s->session->session_id_length; 1289 if (s->version == TLS1_3_VERSION) { 1290 s->tmp_session_id_len = sess_id_len; 1291 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1292 } 1293 } 1294 if (!WPACKET_start_sub_packet_u8(pkt) 1295 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, sess_id_len)) 1296 || !WPACKET_close(pkt)) { 1297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1298 return CON_FUNC_ERROR; 1299 } 1300 1301 /* cookie stuff for DTLS */ 1302 if (SSL_CONNECTION_IS_DTLS(s)) { 1303 if (s->d1->cookie_len > sizeof(s->d1->cookie) 1304 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1305 s->d1->cookie_len)) { 1306 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1307 return CON_FUNC_ERROR; 1308 } 1309 } 1310 1311 /* Ciphers supported */ 1312 if (!WPACKET_start_sub_packet_u16(pkt)) { 1313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1314 return CON_FUNC_ERROR; 1315 } 1316 1317 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)), 1318 pkt)) { 1319 /* SSLfatal() already called */ 1320 return CON_FUNC_ERROR; 1321 } 1322 if (!WPACKET_close(pkt)) { 1323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1324 return CON_FUNC_ERROR; 1325 } 1326 1327 /* COMPRESSION */ 1328 if (!WPACKET_start_sub_packet_u8(pkt)) { 1329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1330 return CON_FUNC_ERROR; 1331 } 1332 #ifndef OPENSSL_NO_COMP 1333 if (ssl_allow_compression(s) 1334 && sctx->comp_methods 1335 && (SSL_CONNECTION_IS_DTLS(s) 1336 || s->s3.tmp.max_ver < TLS1_3_VERSION)) { 1337 int compnum = sk_SSL_COMP_num(sctx->comp_methods); 1338 for (i = 0; i < compnum; i++) { 1339 comp = sk_SSL_COMP_value(sctx->comp_methods, i); 1340 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1342 return CON_FUNC_ERROR; 1343 } 1344 } 1345 } 1346 #endif 1347 /* Add the NULL method */ 1348 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1349 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1350 return CON_FUNC_ERROR; 1351 } 1352 1353 /* TLS extensions */ 1354 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1355 /* SSLfatal() already called */ 1356 return CON_FUNC_ERROR; 1357 } 1358 1359 return CON_FUNC_SUCCESS; 1360 } 1361 1362 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt) 1363 { 1364 size_t cookie_len; 1365 PACKET cookiepkt; 1366 1367 if (!PACKET_forward(pkt, 2) 1368 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1369 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1370 return MSG_PROCESS_ERROR; 1371 } 1372 1373 cookie_len = PACKET_remaining(&cookiepkt); 1374 if (cookie_len > sizeof(s->d1->cookie)) { 1375 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); 1376 return MSG_PROCESS_ERROR; 1377 } 1378 1379 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1380 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1381 return MSG_PROCESS_ERROR; 1382 } 1383 s->d1->cookie_len = cookie_len; 1384 1385 return MSG_PROCESS_FINISHED_READING; 1386 } 1387 1388 static int set_client_ciphersuite(SSL_CONNECTION *s, 1389 const unsigned char *cipherchars) 1390 { 1391 STACK_OF(SSL_CIPHER) *sk; 1392 const SSL_CIPHER *c; 1393 int i; 1394 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1395 1396 c = ssl_get_cipher_by_char(s, cipherchars, 0); 1397 if (c == NULL) { 1398 /* unknown cipher */ 1399 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); 1400 return 0; 1401 } 1402 /* 1403 * If it is a disabled cipher we either didn't send it in client hello, 1404 * or it's not allowed for the selected protocol. So we return an error. 1405 */ 1406 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1407 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1408 return 0; 1409 } 1410 1411 sk = ssl_get_ciphers_by_id(s); 1412 i = sk_SSL_CIPHER_find(sk, c); 1413 if (i < 0) { 1414 /* we did not say we would use this cipher */ 1415 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1416 return 0; 1417 } 1418 1419 if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL 1420 && s->s3.tmp.new_cipher->id != c->id) { 1421 /* ServerHello selected a different ciphersuite to that in the HRR */ 1422 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1423 return 0; 1424 } 1425 1426 /* 1427 * Depending on the session caching (internal/external), the cipher 1428 * and/or cipher_id values may not be set. Make sure that cipher_id is 1429 * set and use it for comparison. 1430 */ 1431 if (s->session->cipher != NULL) 1432 s->session->cipher_id = s->session->cipher->id; 1433 if (s->hit && (s->session->cipher_id != c->id)) { 1434 if (SSL_CONNECTION_IS_TLS13(s)) { 1435 const EVP_MD *md = ssl_md(sctx, c->algorithm2); 1436 1437 if (!ossl_assert(s->session->cipher != NULL)) { 1438 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1439 return 0; 1440 } 1441 /* 1442 * In TLSv1.3 it is valid for the server to select a different 1443 * ciphersuite as long as the hash is the same. 1444 */ 1445 if (md == NULL 1446 || md != ssl_md(sctx, s->session->cipher->algorithm2)) { 1447 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1448 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1449 return 0; 1450 } 1451 } else { 1452 /* 1453 * Prior to TLSv1.3 resuming a session always meant using the same 1454 * ciphersuite. 1455 */ 1456 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1457 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1458 return 0; 1459 } 1460 } 1461 s->s3.tmp.new_cipher = c; 1462 1463 return 1; 1464 } 1465 1466 MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) 1467 { 1468 PACKET session_id, extpkt; 1469 size_t session_id_len; 1470 const unsigned char *cipherchars; 1471 int hrr = 0; 1472 unsigned int compression; 1473 unsigned int sversion; 1474 unsigned int context; 1475 RAW_EXTENSION *extensions = NULL; 1476 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1477 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1478 #ifndef OPENSSL_NO_COMP 1479 SSL_COMP *comp; 1480 #endif 1481 1482 if (!PACKET_get_net_2(pkt, &sversion)) { 1483 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1484 goto err; 1485 } 1486 1487 /* load the server random */ 1488 if (s->version == TLS1_3_VERSION 1489 && sversion == TLS1_2_VERSION 1490 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1491 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1492 if (s->hello_retry_request != SSL_HRR_NONE) { 1493 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 1494 goto err; 1495 } 1496 s->hello_retry_request = SSL_HRR_PENDING; 1497 /* Tell the record layer that we know we're going to get TLSv1.3 */ 1498 if (!ssl_set_record_protocol_version(s, s->version)) { 1499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1500 goto err; 1501 } 1502 hrr = 1; 1503 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1504 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1505 goto err; 1506 } 1507 } else { 1508 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { 1509 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1510 goto err; 1511 } 1512 } 1513 1514 /* Get the session-id. */ 1515 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1516 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1517 goto err; 1518 } 1519 session_id_len = PACKET_remaining(&session_id); 1520 if (session_id_len > sizeof(s->session->session_id) 1521 || session_id_len > SSL3_SESSION_ID_SIZE) { 1522 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); 1523 goto err; 1524 } 1525 1526 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1527 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1528 goto err; 1529 } 1530 1531 if (!PACKET_get_1(pkt, &compression)) { 1532 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1533 goto err; 1534 } 1535 1536 /* TLS extensions */ 1537 if (PACKET_remaining(pkt) == 0 && !hrr) { 1538 PACKET_null_init(&extpkt); 1539 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1540 || PACKET_remaining(pkt) != 0) { 1541 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1542 goto err; 1543 } 1544 1545 if (!hrr) { 1546 if (!tls_collect_extensions(s, &extpkt, 1547 SSL_EXT_TLS1_2_SERVER_HELLO 1548 | SSL_EXT_TLS1_3_SERVER_HELLO, 1549 &extensions, NULL, 1)) { 1550 /* SSLfatal() already called */ 1551 goto err; 1552 } 1553 1554 if (!ssl_choose_client_version(s, sversion, extensions)) { 1555 /* SSLfatal() already called */ 1556 goto err; 1557 } 1558 } 1559 1560 if (SSL_CONNECTION_IS_TLS13(s) || hrr) { 1561 if (compression != 0) { 1562 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1563 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1564 goto err; 1565 } 1566 1567 if (session_id_len != s->tmp_session_id_len 1568 || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1569 session_id_len) 1570 != 0) { 1571 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); 1572 goto err; 1573 } 1574 } 1575 1576 if (hrr) { 1577 if (!set_client_ciphersuite(s, cipherchars)) { 1578 /* SSLfatal() already called */ 1579 goto err; 1580 } 1581 1582 return tls_process_as_hello_retry_request(s, &extpkt); 1583 } 1584 1585 /* 1586 * Now we have chosen the version we need to check again that the extensions 1587 * are appropriate for this version. 1588 */ 1589 context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1590 : SSL_EXT_TLS1_2_SERVER_HELLO; 1591 if (!tls_validate_all_contexts(s, context, extensions)) { 1592 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 1593 goto err; 1594 } 1595 1596 s->hit = 0; 1597 1598 if (SSL_CONNECTION_IS_TLS13(s)) { 1599 /* 1600 * In TLSv1.3 a ServerHello message signals a key change so the end of 1601 * the message must be on a record boundary. 1602 */ 1603 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1604 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1605 SSL_R_NOT_ON_RECORD_BOUNDARY); 1606 goto err; 1607 } 1608 1609 /* This will set s->hit if we are resuming */ 1610 if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1611 SSL_EXT_TLS1_3_SERVER_HELLO, 1612 extensions, NULL, 0)) { 1613 /* SSLfatal() already called */ 1614 goto err; 1615 } 1616 } else { 1617 /* 1618 * Check if we can resume the session based on external pre-shared 1619 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1620 * Resumption based on server-side state works with session IDs. 1621 * Resumption based on pre-shared Protected Access Credentials (PACs) 1622 * works by overriding the SessionTicket extension at the application 1623 * layer, and does not send a session ID. (We do not know whether 1624 * EAP-FAST servers would honour the session ID.) Therefore, the session 1625 * ID alone is not a reliable indicator of session resumption, so we 1626 * first check if we can resume, and later peek at the next handshake 1627 * message to see if the server wants to resume. 1628 */ 1629 if (s->version >= TLS1_VERSION 1630 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1631 const SSL_CIPHER *pref_cipher = NULL; 1632 /* 1633 * s->session->master_key_length is a size_t, but this is an int for 1634 * backwards compat reasons 1635 */ 1636 int master_key_length; 1637 1638 master_key_length = sizeof(s->session->master_key); 1639 if (s->ext.session_secret_cb(ussl, s->session->master_key, 1640 &master_key_length, 1641 NULL, &pref_cipher, 1642 s->ext.session_secret_cb_arg) 1643 && master_key_length > 0) { 1644 s->session->master_key_length = master_key_length; 1645 s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1646 } else { 1647 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1648 goto err; 1649 } 1650 } 1651 1652 if (session_id_len != 0 1653 && session_id_len == s->session->session_id_length 1654 && memcmp(PACKET_data(&session_id), s->session->session_id, 1655 session_id_len) 1656 == 0) 1657 s->hit = 1; 1658 } 1659 1660 if (s->hit) { 1661 if (s->sid_ctx_length != s->session->sid_ctx_length 1662 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1663 /* actually a client application bug */ 1664 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1665 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1666 goto err; 1667 } 1668 } else { 1669 /* 1670 * If we were trying for session-id reuse but the server 1671 * didn't resume, make a new SSL_SESSION. 1672 * In the case of EAP-FAST and PAC, we do not send a session ID, 1673 * so the PAC-based session secret is always preserved. It'll be 1674 * overwritten if the server refuses resumption. 1675 */ 1676 if (s->session->session_id_length > 0) { 1677 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); 1678 if (!ssl_get_new_session(s, 0)) { 1679 /* SSLfatal() already called */ 1680 goto err; 1681 } 1682 } 1683 1684 s->session->ssl_version = s->version; 1685 /* 1686 * In TLSv1.2 and below we save the session id we were sent so we can 1687 * resume it later. In TLSv1.3 the session id we were sent is just an 1688 * echo of what we originally sent in the ClientHello and should not be 1689 * used for resumption. 1690 */ 1691 if (!SSL_CONNECTION_IS_TLS13(s)) { 1692 s->session->session_id_length = session_id_len; 1693 /* session_id_len could be 0 */ 1694 if (session_id_len > 0) 1695 memcpy(s->session->session_id, PACKET_data(&session_id), 1696 session_id_len); 1697 } 1698 } 1699 1700 /* Session version and negotiated protocol version should match */ 1701 if (s->version != s->session->ssl_version) { 1702 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1703 SSL_R_SSL_SESSION_VERSION_MISMATCH); 1704 goto err; 1705 } 1706 /* 1707 * Now that we know the version, update the check to see if it's an allowed 1708 * version. 1709 */ 1710 s->s3.tmp.min_ver = s->version; 1711 s->s3.tmp.max_ver = s->version; 1712 1713 if (!set_client_ciphersuite(s, cipherchars)) { 1714 /* SSLfatal() already called */ 1715 goto err; 1716 } 1717 1718 #ifdef OPENSSL_NO_COMP 1719 if (compression != 0) { 1720 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1721 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1722 goto err; 1723 } 1724 /* 1725 * If compression is disabled we'd better not try to resume a session 1726 * using compression. 1727 */ 1728 if (s->session->compress_meth != 0) { 1729 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); 1730 goto err; 1731 } 1732 #else 1733 if (s->hit && compression != s->session->compress_meth) { 1734 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1735 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1736 goto err; 1737 } 1738 if (compression == 0) 1739 comp = NULL; 1740 else if (!ssl_allow_compression(s)) { 1741 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); 1742 goto err; 1743 } else { 1744 comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods, 1745 compression); 1746 } 1747 1748 if (compression != 0 && comp == NULL) { 1749 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1750 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1751 goto err; 1752 } else { 1753 s->s3.tmp.new_compression = comp; 1754 } 1755 #endif 1756 1757 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1758 /* SSLfatal() already called */ 1759 goto err; 1760 } 1761 1762 #ifndef OPENSSL_NO_SCTP 1763 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { 1764 unsigned char sctpauthkey[64]; 1765 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1766 size_t labellen; 1767 1768 /* 1769 * Add new shared key for SCTP-Auth, will be ignored if 1770 * no SCTP used. 1771 */ 1772 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1773 sizeof(DTLS1_SCTP_AUTH_LABEL)); 1774 1775 /* Don't include the terminating zero. */ 1776 labellen = sizeof(labelbuffer) - 1; 1777 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1778 labellen += 1; 1779 1780 if (SSL_export_keying_material(ssl, sctpauthkey, 1781 sizeof(sctpauthkey), 1782 labelbuffer, 1783 labellen, NULL, 0, 0) 1784 <= 0) { 1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1786 goto err; 1787 } 1788 1789 BIO_ctrl(SSL_get_wbio(ssl), 1790 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1791 sizeof(sctpauthkey), sctpauthkey); 1792 } 1793 #endif 1794 1795 /* 1796 * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1797 * we're done with this message 1798 */ 1799 if (SSL_CONNECTION_IS_TLS13(s)) { 1800 if (!ssl->method->ssl3_enc->setup_key_block(s) 1801 || !tls13_store_handshake_traffic_hash(s)) { 1802 /* SSLfatal() already called */ 1803 goto err; 1804 } 1805 /* 1806 * If we're not doing early-data and we're not going to send a dummy CCS 1807 * (i.e. no middlebox compat mode) then we can change the write keys 1808 * immediately. Otherwise we have to defer this until after all possible 1809 * early data is written. We could just always defer until the last 1810 * moment except QUIC needs it done at the same time as the read keys 1811 * are changed. Since QUIC doesn't do TLS early data or need middlebox 1812 * compat this doesn't cause a problem. 1813 */ 1814 if (SSL_IS_QUIC_HANDSHAKE(s) 1815 || (s->early_data_state == SSL_EARLY_DATA_NONE 1816 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0)) { 1817 if (!ssl->method->ssl3_enc->change_cipher_state(s, 1818 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 1819 /* SSLfatal() already called */ 1820 goto err; 1821 } 1822 } 1823 if (!ssl->method->ssl3_enc->change_cipher_state(s, 1824 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 1825 /* SSLfatal() already called */ 1826 goto err; 1827 } 1828 } 1829 1830 OPENSSL_free(extensions); 1831 return MSG_PROCESS_CONTINUE_READING; 1832 err: 1833 OPENSSL_free(extensions); 1834 return MSG_PROCESS_ERROR; 1835 } 1836 1837 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, 1838 PACKET *extpkt) 1839 { 1840 RAW_EXTENSION *extensions = NULL; 1841 1842 /* 1843 * If we were sending early_data then any alerts should not be sent using 1844 * the old wrlmethod. 1845 */ 1846 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 1847 && !ssl_set_new_record_layer(s, 1848 TLS_ANY_VERSION, 1849 OSSL_RECORD_DIRECTION_WRITE, 1850 OSSL_RECORD_PROTECTION_LEVEL_NONE, 1851 NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1852 NULL, 0, NID_undef, NULL, NULL, NULL)) { 1853 /* SSLfatal already called */ 1854 goto err; 1855 } 1856 /* We are definitely going to be using TLSv1.3 */ 1857 s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION); 1858 1859 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1860 &extensions, NULL, 1) 1861 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1862 extensions, NULL, 0, 1)) { 1863 /* SSLfatal() already called */ 1864 goto err; 1865 } 1866 1867 OPENSSL_free(extensions); 1868 extensions = NULL; 1869 1870 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { 1871 /* 1872 * We didn't receive a cookie or a new key_share so the next 1873 * ClientHello will not change 1874 */ 1875 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); 1876 goto err; 1877 } 1878 1879 /* 1880 * Re-initialise the Transcript Hash. We're going to prepopulate it with 1881 * a synthetic message_hash in place of ClientHello1. 1882 */ 1883 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1884 /* SSLfatal() already called */ 1885 goto err; 1886 } 1887 1888 /* 1889 * Add this message to the Transcript Hash. Normally this is done 1890 * automatically prior to the message processing stage. However due to the 1891 * need to create the synthetic message hash, we defer that step until now 1892 * for HRR messages. 1893 */ 1894 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1895 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1896 /* SSLfatal() already called */ 1897 goto err; 1898 } 1899 1900 return MSG_PROCESS_FINISHED_READING; 1901 err: 1902 OPENSSL_free(extensions); 1903 return MSG_PROCESS_ERROR; 1904 } 1905 1906 MSG_PROCESS_RETURN tls_process_server_rpk(SSL_CONNECTION *sc, PACKET *pkt) 1907 { 1908 EVP_PKEY *peer_rpk = NULL; 1909 1910 if (!tls_process_rpk(sc, pkt, &peer_rpk)) { 1911 /* SSLfatal() already called */ 1912 return MSG_PROCESS_ERROR; 1913 } 1914 1915 if (peer_rpk == NULL) { 1916 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_CERTIFICATE); 1917 return MSG_PROCESS_ERROR; 1918 } 1919 1920 EVP_PKEY_free(sc->session->peer_rpk); 1921 sc->session->peer_rpk = peer_rpk; 1922 1923 return MSG_PROCESS_CONTINUE_PROCESSING; 1924 } 1925 1926 static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, 1927 WORK_STATE wst) 1928 { 1929 size_t certidx; 1930 const SSL_CERT_LOOKUP *clu; 1931 int v_ok; 1932 1933 if (sc->session->peer_rpk == NULL) { 1934 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, 1935 SSL_R_INVALID_RAW_PUBLIC_KEY); 1936 return WORK_ERROR; 1937 } 1938 1939 if (sc->rwstate == SSL_RETRY_VERIFY) 1940 sc->rwstate = SSL_NOTHING; 1941 1942 ERR_set_mark(); 1943 v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); 1944 if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { 1945 ERR_clear_last_mark(); 1946 SSLfatal(sc, ssl_x509err2alert(sc->verify_result), 1947 SSL_R_CERTIFICATE_VERIFY_FAILED); 1948 return WORK_ERROR; 1949 } 1950 ERR_pop_to_mark(); /* but we keep s->verify_result */ 1951 if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { 1952 return WORK_MORE_A; 1953 } 1954 1955 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, 1956 SSL_CONNECTION_GET_CTX(sc))) 1957 == NULL) { 1958 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1959 return WORK_ERROR; 1960 } 1961 1962 /* 1963 * Check certificate type is consistent with ciphersuite. For TLS 1.3 1964 * skip check since TLS 1.3 ciphersuites can be used with any certificate 1965 * type. 1966 */ 1967 if (!SSL_CONNECTION_IS_TLS13(sc)) { 1968 if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { 1969 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE); 1970 return WORK_ERROR; 1971 } 1972 } 1973 1974 /* Ensure there is no peer/peer_chain */ 1975 X509_free(sc->session->peer); 1976 sc->session->peer = NULL; 1977 sk_X509_pop_free(sc->session->peer_chain, X509_free); 1978 sc->session->peer_chain = NULL; 1979 sc->session->verify_result = sc->verify_result; 1980 1981 /* Save the current hash state for when we receive the CertificateVerify */ 1982 if (SSL_CONNECTION_IS_TLS13(sc) 1983 && !ssl_handshake_hash(sc, sc->cert_verify_hash, 1984 sizeof(sc->cert_verify_hash), 1985 &sc->cert_verify_hash_len)) { 1986 /* SSLfatal() already called */ 1987 return WORK_ERROR; 1988 } 1989 1990 return WORK_FINISHED_CONTINUE; 1991 } 1992 1993 /* prepare server cert verification by setting s->session->peer_chain from pkt */ 1994 MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, 1995 PACKET *pkt) 1996 { 1997 unsigned long cert_list_len, cert_len; 1998 X509 *x = NULL; 1999 const unsigned char *certstart, *certbytes; 2000 size_t chainidx; 2001 unsigned int context = 0; 2002 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2003 2004 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) 2005 return tls_process_server_rpk(s, pkt); 2006 if (s->ext.server_cert_type != TLSEXT_cert_type_x509) { 2007 SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, 2008 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 2009 goto err; 2010 } 2011 2012 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { 2013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2014 goto err; 2015 } 2016 2017 if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 2018 || context != 0 2019 || !PACKET_get_net_3(pkt, &cert_list_len) 2020 || PACKET_remaining(pkt) != cert_list_len 2021 || PACKET_remaining(pkt) == 0) { 2022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2023 goto err; 2024 } 2025 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 2026 if (!PACKET_get_net_3(pkt, &cert_len) 2027 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 2028 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 2029 goto err; 2030 } 2031 2032 certstart = certbytes; 2033 x = X509_new_ex(sctx->libctx, sctx->propq); 2034 if (x == NULL) { 2035 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); 2036 goto err; 2037 } 2038 if (d2i_X509(&x, (const unsigned char **)&certbytes, 2039 cert_len) 2040 == NULL) { 2041 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); 2042 goto err; 2043 } 2044 2045 if (certbytes != (certstart + cert_len)) { 2046 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 2047 goto err; 2048 } 2049 2050 if (SSL_CONNECTION_IS_TLS13(s)) { 2051 RAW_EXTENSION *rawexts = NULL; 2052 PACKET extensions; 2053 2054 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2055 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 2056 goto err; 2057 } 2058 if (!tls_collect_extensions(s, &extensions, 2059 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 2060 NULL, chainidx == 0) 2061 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 2062 rawexts, x, chainidx, 2063 PACKET_remaining(pkt) == 0)) { 2064 OPENSSL_free(rawexts); 2065 /* SSLfatal already called */ 2066 goto err; 2067 } 2068 OPENSSL_free(rawexts); 2069 } 2070 2071 if (!sk_X509_push(s->session->peer_chain, x)) { 2072 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2073 goto err; 2074 } 2075 x = NULL; 2076 } 2077 return MSG_PROCESS_CONTINUE_PROCESSING; 2078 2079 err: 2080 X509_free(x); 2081 OSSL_STACK_OF_X509_free(s->session->peer_chain); 2082 s->session->peer_chain = NULL; 2083 return MSG_PROCESS_ERROR; 2084 } 2085 2086 /* 2087 * Verify the s->session->peer_chain and check server cert type. 2088 * On success set s->session->peer and s->session->verify_result. 2089 * Else the peer certificate verification callback may request retry. 2090 */ 2091 WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, 2092 WORK_STATE wst) 2093 { 2094 X509 *x; 2095 EVP_PKEY *pkey = NULL; 2096 const SSL_CERT_LOOKUP *clu; 2097 size_t certidx; 2098 int i; 2099 2100 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) 2101 return tls_post_process_server_rpk(s, wst); 2102 2103 if (s->rwstate == SSL_RETRY_VERIFY) 2104 s->rwstate = SSL_NOTHING; 2105 2106 /* 2107 * The documented interface is that SSL_VERIFY_PEER should be set in order 2108 * for client side verification of the server certificate to take place. 2109 * However, historically the code has only checked that *any* flag is set 2110 * to cause server verification to take place. Use of the other flags makes 2111 * no sense in client mode. An attempt to clean up the semantics was 2112 * reverted because at least one application *only* set 2113 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 2114 * server verification to take place, after the clean up it silently did 2115 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 2116 * sent to them because they are void functions. Therefore, we now use the 2117 * (less clean) historic behaviour of performing validation if any flag is 2118 * set. The *documented* interface remains the same. 2119 */ 2120 ERR_set_mark(); 2121 i = ssl_verify_cert_chain(s, s->session->peer_chain); 2122 if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) { 2123 ERR_clear_last_mark(); 2124 SSLfatal(s, ssl_x509err2alert(s->verify_result), 2125 SSL_R_CERTIFICATE_VERIFY_FAILED); 2126 return WORK_ERROR; 2127 } 2128 ERR_pop_to_mark(); /* but we keep s->verify_result */ 2129 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) 2130 return WORK_MORE_A; 2131 2132 /* 2133 * Inconsistency alert: cert_chain does include the peer's certificate, 2134 * which we don't include in statem_srvr.c 2135 */ 2136 x = sk_X509_value(s->session->peer_chain, 0); 2137 2138 pkey = X509_get0_pubkey(x); 2139 2140 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 2141 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2142 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 2143 return WORK_ERROR; 2144 } 2145 2146 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx, 2147 SSL_CONNECTION_GET_CTX(s))) 2148 == NULL) { 2149 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 2150 return WORK_ERROR; 2151 } 2152 /* 2153 * Check certificate type is consistent with ciphersuite. For TLS 1.3 2154 * skip check since TLS 1.3 ciphersuites can be used with any certificate 2155 * type. 2156 */ 2157 if (!SSL_CONNECTION_IS_TLS13(s)) { 2158 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { 2159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); 2160 return WORK_ERROR; 2161 } 2162 } 2163 2164 if (!X509_up_ref(x)) { 2165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2166 return WORK_ERROR; 2167 } 2168 2169 X509_free(s->session->peer); 2170 s->session->peer = x; 2171 s->session->verify_result = s->verify_result; 2172 /* Ensure there is no RPK */ 2173 EVP_PKEY_free(s->session->peer_rpk); 2174 s->session->peer_rpk = NULL; 2175 2176 /* Save the current hash state for when we receive the CertificateVerify */ 2177 if (SSL_CONNECTION_IS_TLS13(s) 2178 && !ssl_handshake_hash(s, s->cert_verify_hash, 2179 sizeof(s->cert_verify_hash), 2180 &s->cert_verify_hash_len)) { 2181 /* SSLfatal() already called */; 2182 return WORK_ERROR; 2183 } 2184 return WORK_FINISHED_CONTINUE; 2185 } 2186 2187 #ifndef OPENSSL_NO_COMP_ALG 2188 MSG_PROCESS_RETURN tls_process_server_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt) 2189 { 2190 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 2191 PACKET tmppkt; 2192 BUF_MEM *buf = BUF_MEM_new(); 2193 2194 if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR) 2195 ret = tls_process_server_certificate(sc, &tmppkt); 2196 2197 BUF_MEM_free(buf); 2198 return ret; 2199 } 2200 #endif 2201 2202 static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) 2203 { 2204 #ifndef OPENSSL_NO_PSK 2205 PACKET psk_identity_hint; 2206 2207 /* PSK ciphersuites are preceded by an identity hint */ 2208 2209 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 2210 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2211 return 0; 2212 } 2213 2214 /* 2215 * Store PSK identity hint for later use, hint is used in 2216 * tls_construct_client_key_exchange. Assume that the maximum length of 2217 * a PSK identity hint can be as long as the maximum length of a PSK 2218 * identity. 2219 */ 2220 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 2221 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); 2222 return 0; 2223 } 2224 2225 if (PACKET_remaining(&psk_identity_hint) == 0) { 2226 OPENSSL_free(s->session->psk_identity_hint); 2227 s->session->psk_identity_hint = NULL; 2228 } else if (!PACKET_strndup(&psk_identity_hint, 2229 &s->session->psk_identity_hint)) { 2230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2231 return 0; 2232 } 2233 2234 return 1; 2235 #else 2236 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2237 return 0; 2238 #endif 2239 } 2240 2241 static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2242 { 2243 #ifndef OPENSSL_NO_SRP 2244 PACKET prime, generator, salt, server_pub; 2245 2246 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2247 || !PACKET_get_length_prefixed_2(pkt, &generator) 2248 || !PACKET_get_length_prefixed_1(pkt, &salt) 2249 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 2250 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2251 return 0; 2252 } 2253 2254 if ((s->srp_ctx.N = BN_bin2bn(PACKET_data(&prime), 2255 (int)PACKET_remaining(&prime), NULL)) 2256 == NULL 2257 || (s->srp_ctx.g = BN_bin2bn(PACKET_data(&generator), 2258 (int)PACKET_remaining(&generator), NULL)) 2259 == NULL 2260 || (s->srp_ctx.s = BN_bin2bn(PACKET_data(&salt), 2261 (int)PACKET_remaining(&salt), NULL)) 2262 == NULL 2263 || (s->srp_ctx.B = BN_bin2bn(PACKET_data(&server_pub), 2264 (int)PACKET_remaining(&server_pub), NULL)) 2265 == NULL) { 2266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2267 return 0; 2268 } 2269 2270 if (!srp_verify_server_param(s)) { 2271 /* SSLfatal() already called */ 2272 return 0; 2273 } 2274 2275 /* We must check if there is a certificate */ 2276 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2277 *pkey = tls_get_peer_pkey(s); 2278 2279 return 1; 2280 #else 2281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2282 return 0; 2283 #endif 2284 } 2285 2286 static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2287 { 2288 PACKET prime, generator, pub_key; 2289 EVP_PKEY *peer_tmp = NULL; 2290 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2291 EVP_PKEY_CTX *pctx = NULL; 2292 OSSL_PARAM *params = NULL; 2293 OSSL_PARAM_BLD *tmpl = NULL; 2294 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2295 int ret = 0; 2296 2297 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2298 || !PACKET_get_length_prefixed_2(pkt, &generator) 2299 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2300 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2301 return 0; 2302 } 2303 2304 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2305 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2306 NULL); 2307 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2308 (int)PACKET_remaining(&pub_key), NULL); 2309 if (p == NULL || g == NULL || bnpub_key == NULL) { 2310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2311 goto err; 2312 } 2313 2314 tmpl = OSSL_PARAM_BLD_new(); 2315 if (tmpl == NULL 2316 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2317 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g) 2318 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, 2319 bnpub_key) 2320 || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { 2321 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2322 goto err; 2323 } 2324 2325 pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq); 2326 if (pctx == NULL) { 2327 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2328 goto err; 2329 } 2330 if (EVP_PKEY_fromdata_init(pctx) <= 0 2331 || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) { 2332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); 2333 goto err; 2334 } 2335 2336 EVP_PKEY_CTX_free(pctx); 2337 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, peer_tmp, sctx->propq); 2338 if (pctx == NULL 2339 /* 2340 * EVP_PKEY_param_check() will verify that the DH params are using 2341 * a safe prime. In this context, because we're using ephemeral DH, 2342 * we're ok with it not being a safe prime. 2343 * EVP_PKEY_param_check_quick() skips the safe prime check. 2344 */ 2345 || EVP_PKEY_param_check_quick(pctx) != 1 2346 || EVP_PKEY_public_check(pctx) != 1) { 2347 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); 2348 goto err; 2349 } 2350 2351 if (!ssl_security(s, SSL_SECOP_TMP_DH, 2352 EVP_PKEY_get_security_bits(peer_tmp), 2353 0, peer_tmp)) { 2354 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); 2355 goto err; 2356 } 2357 2358 s->s3.peer_tmp = peer_tmp; 2359 peer_tmp = NULL; 2360 2361 /* 2362 * FIXME: This makes assumptions about which ciphersuites come with 2363 * public keys. We should have a less ad-hoc way of doing this 2364 */ 2365 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2366 *pkey = tls_get_peer_pkey(s); 2367 /* else anonymous DH, so no certificate or pkey. */ 2368 2369 ret = 1; 2370 2371 err: 2372 OSSL_PARAM_BLD_free(tmpl); 2373 OSSL_PARAM_free(params); 2374 EVP_PKEY_free(peer_tmp); 2375 EVP_PKEY_CTX_free(pctx); 2376 BN_free(p); 2377 BN_free(g); 2378 BN_free(bnpub_key); 2379 2380 return ret; 2381 } 2382 2383 static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2384 { 2385 PACKET encoded_pt; 2386 unsigned int curve_type, curve_id; 2387 2388 /* 2389 * Extract elliptic curve parameters and the server's ephemeral ECDH 2390 * public key. We only support named (not generic) curves and 2391 * ECParameters in this case is just three bytes. 2392 */ 2393 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2394 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2395 return 0; 2396 } 2397 /* 2398 * Check curve is named curve type and one of our preferences, if not 2399 * server has sent an invalid curve. 2400 */ 2401 if (curve_type != NAMED_CURVE_TYPE 2402 || !tls1_check_group_id(s, curve_id, 1)) { 2403 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 2404 return 0; 2405 } 2406 2407 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { 2408 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2409 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2410 return 0; 2411 } 2412 2413 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2414 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2415 return 0; 2416 } 2417 2418 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, 2419 PACKET_data(&encoded_pt), 2420 PACKET_remaining(&encoded_pt)) 2421 <= 0) { 2422 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2423 return 0; 2424 } 2425 2426 /* 2427 * The ECC/TLS specification does not mention the use of DSA to sign 2428 * ECParameters in the server key exchange message. We do support RSA 2429 * and ECDSA. 2430 */ 2431 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2432 *pkey = tls_get_peer_pkey(s); 2433 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) 2434 *pkey = tls_get_peer_pkey(s); 2435 /* else anonymous ECDH, so no certificate or pkey. */ 2436 2437 /* Cache the agreed upon group in the SSL_SESSION */ 2438 s->session->kex_group = curve_id; 2439 return 1; 2440 } 2441 2442 MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt) 2443 { 2444 long alg_k; 2445 EVP_PKEY *pkey = NULL; 2446 EVP_MD_CTX *md_ctx = NULL; 2447 EVP_PKEY_CTX *pctx = NULL; 2448 PACKET save_param_start, signature; 2449 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2450 2451 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 2452 2453 save_param_start = *pkt; 2454 2455 EVP_PKEY_free(s->s3.peer_tmp); 2456 s->s3.peer_tmp = NULL; 2457 2458 if (alg_k & SSL_PSK) { 2459 if (!tls_process_ske_psk_preamble(s, pkt)) { 2460 /* SSLfatal() already called */ 2461 goto err; 2462 } 2463 } 2464 2465 /* Nothing else to do for plain PSK or RSAPSK */ 2466 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2467 } else if (alg_k & SSL_kSRP) { 2468 if (!tls_process_ske_srp(s, pkt, &pkey)) { 2469 /* SSLfatal() already called */ 2470 goto err; 2471 } 2472 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2473 if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2474 /* SSLfatal() already called */ 2475 goto err; 2476 } 2477 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2478 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2479 /* SSLfatal() already called */ 2480 goto err; 2481 } 2482 } else if (alg_k) { 2483 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 2484 goto err; 2485 } 2486 2487 /* if it was signed, check the signature */ 2488 if (pkey != NULL) { 2489 PACKET params; 2490 const EVP_MD *md = NULL; 2491 unsigned char *tbs; 2492 size_t tbslen; 2493 int rv; 2494 2495 /* 2496 * |pkt| now points to the beginning of the signature, so the difference 2497 * equals the length of the parameters. 2498 */ 2499 if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2500 PACKET_remaining(&save_param_start) - PACKET_remaining(pkt))) { 2501 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); 2502 goto err; 2503 } 2504 2505 if (SSL_USE_SIGALGS(s)) { 2506 unsigned int sigalg; 2507 2508 if (!PACKET_get_net_2(pkt, &sigalg)) { 2509 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2510 goto err; 2511 } 2512 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 2513 /* SSLfatal() already called */ 2514 goto err; 2515 } 2516 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2518 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 2519 goto err; 2520 } 2521 2522 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { 2523 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2524 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); 2525 goto err; 2526 } 2527 if (SSL_USE_SIGALGS(s)) 2528 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 2529 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 2530 2531 if (!PACKET_get_length_prefixed_2(pkt, &signature) 2532 || PACKET_remaining(pkt) != 0) { 2533 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2534 goto err; 2535 } 2536 2537 md_ctx = EVP_MD_CTX_new(); 2538 if (md_ctx == NULL) { 2539 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2540 goto err; 2541 } 2542 2543 if (EVP_DigestVerifyInit_ex(md_ctx, &pctx, 2544 md == NULL ? NULL : EVP_MD_get0_name(md), 2545 sctx->libctx, sctx->propq, pkey, 2546 NULL) 2547 <= 0) { 2548 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2549 goto err; 2550 } 2551 if (SSL_USE_PSS(s)) { 2552 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2553 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2554 RSA_PSS_SALTLEN_DIGEST) 2555 <= 0) { 2556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2557 goto err; 2558 } 2559 } 2560 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2561 PACKET_remaining(¶ms)); 2562 if (tbslen == 0) { 2563 /* SSLfatal() already called */ 2564 goto err; 2565 } 2566 2567 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2568 PACKET_remaining(&signature), tbs, tbslen); 2569 OPENSSL_free(tbs); 2570 if (rv <= 0) { 2571 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 2572 goto err; 2573 } 2574 EVP_MD_CTX_free(md_ctx); 2575 md_ctx = NULL; 2576 } else { 2577 /* aNULL, aSRP or PSK do not need public keys */ 2578 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2579 && !(alg_k & SSL_PSK)) { 2580 /* Might be wrong key type, check it */ 2581 if (ssl3_check_cert_and_algorithm(s)) { 2582 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); 2583 } 2584 /* else this shouldn't happen, SSLfatal() already called */ 2585 goto err; 2586 } 2587 /* still data left over */ 2588 if (PACKET_remaining(pkt) != 0) { 2589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); 2590 goto err; 2591 } 2592 } 2593 2594 return MSG_PROCESS_CONTINUE_READING; 2595 err: 2596 EVP_MD_CTX_free(md_ctx); 2597 return MSG_PROCESS_ERROR; 2598 } 2599 2600 MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, 2601 PACKET *pkt) 2602 { 2603 /* Clear certificate validity flags */ 2604 if (s->s3.tmp.valid_flags != NULL) 2605 memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); 2606 else 2607 s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); 2608 2609 /* Give up for good if allocation didn't work */ 2610 if (s->s3.tmp.valid_flags == NULL) 2611 return 0; 2612 2613 if (SSL_CONNECTION_IS_TLS13(s)) { 2614 PACKET reqctx, extensions; 2615 RAW_EXTENSION *rawexts = NULL; 2616 2617 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2618 /* 2619 * We already sent close_notify. This can only happen in TLSv1.3 2620 * post-handshake messages. We can't reasonably respond to this, so 2621 * we just ignore it 2622 */ 2623 return MSG_PROCESS_FINISHED_READING; 2624 } 2625 2626 /* Free and zero certificate types: it is not present in TLS 1.3 */ 2627 OPENSSL_free(s->s3.tmp.ctype); 2628 s->s3.tmp.ctype = NULL; 2629 s->s3.tmp.ctype_len = 0; 2630 OPENSSL_free(s->pha_context); 2631 s->pha_context = NULL; 2632 s->pha_context_len = 0; 2633 2634 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2635 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2636 return MSG_PROCESS_ERROR; 2637 } 2638 2639 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2640 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 2641 return MSG_PROCESS_ERROR; 2642 } 2643 if (!tls_collect_extensions(s, &extensions, 2644 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2645 &rawexts, NULL, 1) 2646 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2647 rawexts, NULL, 0, 1)) { 2648 /* SSLfatal() already called */ 2649 OPENSSL_free(rawexts); 2650 return MSG_PROCESS_ERROR; 2651 } 2652 OPENSSL_free(rawexts); 2653 if (!tls1_process_sigalgs(s)) { 2654 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); 2655 return MSG_PROCESS_ERROR; 2656 } 2657 } else { 2658 PACKET ctypes; 2659 2660 /* get the certificate types */ 2661 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2662 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2663 return MSG_PROCESS_ERROR; 2664 } 2665 2666 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { 2667 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2668 return MSG_PROCESS_ERROR; 2669 } 2670 2671 if (SSL_USE_SIGALGS(s)) { 2672 PACKET sigalgs; 2673 2674 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2676 return MSG_PROCESS_ERROR; 2677 } 2678 2679 /* 2680 * Despite this being for certificates, preserve compatibility 2681 * with pre-TLS 1.3 and use the regular sigalgs field. 2682 */ 2683 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2684 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2685 SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2686 return MSG_PROCESS_ERROR; 2687 } 2688 if (!tls1_process_sigalgs(s)) { 2689 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 2690 return MSG_PROCESS_ERROR; 2691 } 2692 } 2693 2694 /* get the CA RDNs */ 2695 if (!parse_ca_names(s, pkt)) { 2696 /* SSLfatal() already called */ 2697 return MSG_PROCESS_ERROR; 2698 } 2699 } 2700 2701 if (PACKET_remaining(pkt) != 0) { 2702 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2703 return MSG_PROCESS_ERROR; 2704 } 2705 2706 /* we should setup a certificate to return.... */ 2707 s->s3.tmp.cert_req = 1; 2708 2709 /* 2710 * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2711 * after the CertificateVerify message has been received. This is because 2712 * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2713 * but in TLSv1.2 it is the other way around. We want to make sure that 2714 * SSL_get1_peer_certificate() returns something sensible in 2715 * client_cert_cb. 2716 */ 2717 if (SSL_CONNECTION_IS_TLS13(s) 2718 && s->post_handshake_auth != SSL_PHA_REQUESTED) 2719 return MSG_PROCESS_CONTINUE_READING; 2720 2721 return MSG_PROCESS_CONTINUE_PROCESSING; 2722 } 2723 2724 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, 2725 PACKET *pkt) 2726 { 2727 unsigned int ticklen; 2728 unsigned long ticket_lifetime_hint, age_add = 0; 2729 unsigned int sess_len; 2730 RAW_EXTENSION *exts = NULL; 2731 PACKET nonce; 2732 EVP_MD *sha256 = NULL; 2733 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2734 2735 PACKET_null_init(&nonce); 2736 2737 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2738 || (SSL_CONNECTION_IS_TLS13(s) 2739 && (!PACKET_get_net_4(pkt, &age_add) 2740 || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2741 || !PACKET_get_net_2(pkt, &ticklen) 2742 || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0 2743 || PACKET_remaining(pkt) < ticklen) 2744 : PACKET_remaining(pkt) != ticklen)) { 2745 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2746 goto err; 2747 } 2748 2749 /* 2750 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2751 * ticket. We already checked this TLSv1.3 case above, so it should never 2752 * be 0 here in that instance 2753 */ 2754 if (ticklen == 0) 2755 return MSG_PROCESS_CONTINUE_READING; 2756 2757 /* 2758 * Sessions must be immutable once they go into the session cache. Otherwise 2759 * we can get multi-thread problems. Therefore we don't "update" sessions, 2760 * we replace them with a duplicate. In TLSv1.3 we need to do this every 2761 * time a NewSessionTicket arrives because those messages arrive 2762 * post-handshake and the session may have already gone into the session 2763 * cache. 2764 */ 2765 if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) { 2766 SSL_SESSION *new_sess; 2767 2768 /* 2769 * We reused an existing session, so we need to replace it with a new 2770 * one 2771 */ 2772 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 2774 goto err; 2775 } 2776 2777 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2778 && !SSL_CONNECTION_IS_TLS13(s)) { 2779 /* 2780 * In TLSv1.2 and below the arrival of a new tickets signals that 2781 * any old ticket we were using is now out of date, so we remove the 2782 * old session from the cache. We carry on if this fails 2783 */ 2784 SSL_CTX_remove_session(s->session_ctx, s->session); 2785 } 2786 2787 SSL_SESSION_free(s->session); 2788 s->session = new_sess; 2789 } 2790 2791 s->session->time = ossl_time_now(); 2792 ssl_session_calculate_timeout(s->session); 2793 2794 OPENSSL_free(s->session->ext.tick); 2795 s->session->ext.tick = NULL; 2796 s->session->ext.ticklen = 0; 2797 2798 s->session->ext.tick = OPENSSL_malloc(ticklen); 2799 if (s->session->ext.tick == NULL) { 2800 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2801 goto err; 2802 } 2803 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2805 goto err; 2806 } 2807 2808 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2809 s->session->ext.tick_age_add = age_add; 2810 s->session->ext.ticklen = ticklen; 2811 2812 if (SSL_CONNECTION_IS_TLS13(s)) { 2813 PACKET extpkt; 2814 2815 if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2816 || PACKET_remaining(pkt) != 0) { 2817 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2818 goto err; 2819 } 2820 2821 if (!tls_collect_extensions(s, &extpkt, 2822 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2823 NULL, 1) 2824 || !tls_parse_all_extensions(s, 2825 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2826 exts, NULL, 0, 1)) { 2827 /* SSLfatal() already called */ 2828 goto err; 2829 } 2830 } 2831 2832 /* 2833 * There are two ways to detect a resumed ticket session. One is to set 2834 * an appropriate session ID and then the server must return a match in 2835 * ServerHello. This allows the normal client session ID matching to work 2836 * and we know much earlier that the ticket has been accepted. The 2837 * other way is to set zero length session ID when the ticket is 2838 * presented and rely on the handshake to determine session resumption. 2839 * We choose the former approach because this fits in with assumptions 2840 * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the 2841 * ticket. 2842 */ 2843 sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq); 2844 if (sha256 == NULL) { 2845 /* Error is already recorded */ 2846 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 2847 goto err; 2848 } 2849 /* 2850 * We use sess_len here because EVP_Digest expects an int 2851 * but s->session->session_id_length is a size_t 2852 */ 2853 if (!EVP_Digest(s->session->ext.tick, ticklen, 2854 s->session->session_id, &sess_len, 2855 sha256, NULL)) { 2856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2857 goto err; 2858 } 2859 EVP_MD_free(sha256); 2860 sha256 = NULL; 2861 s->session->session_id_length = sess_len; 2862 s->session->not_resumable = 0; 2863 2864 /* This is a standalone message in TLSv1.3, so there is no more to read */ 2865 if (SSL_CONNECTION_IS_TLS13(s)) { 2866 const EVP_MD *md = ssl_handshake_md(s); 2867 int hashleni = EVP_MD_get_size(md); 2868 size_t hashlen; 2869 /* ASCII: "resumption", in hex for EBCDIC compatibility */ 2870 static const unsigned char nonce_label[] = { 0x72, 0x65, 0x73, 0x75, 0x6D, 2871 0x70, 0x74, 0x69, 0x6F, 0x6E }; 2872 2873 /* Ensure cast to size_t is safe */ 2874 if (!ossl_assert(hashleni > 0)) { 2875 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2876 goto err; 2877 } 2878 hashlen = (size_t)hashleni; 2879 2880 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2881 nonce_label, 2882 sizeof(nonce_label), 2883 PACKET_data(&nonce), 2884 PACKET_remaining(&nonce), 2885 s->session->master_key, 2886 hashlen, 1)) { 2887 /* SSLfatal() already called */ 2888 goto err; 2889 } 2890 s->session->master_key_length = hashlen; 2891 2892 OPENSSL_free(exts); 2893 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2894 return MSG_PROCESS_FINISHED_READING; 2895 } 2896 2897 return MSG_PROCESS_CONTINUE_READING; 2898 err: 2899 EVP_MD_free(sha256); 2900 OPENSSL_free(exts); 2901 return MSG_PROCESS_ERROR; 2902 } 2903 2904 /* 2905 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2906 * parse a separate message. Returns 1 on success or 0 on failure 2907 */ 2908 int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt) 2909 { 2910 size_t resplen; 2911 unsigned int type; 2912 2913 if (!PACKET_get_1(pkt, &type) 2914 || type != TLSEXT_STATUSTYPE_ocsp) { 2915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); 2916 return 0; 2917 } 2918 if (!PACKET_get_net_3_len(pkt, &resplen) 2919 || PACKET_remaining(pkt) != resplen) { 2920 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2921 return 0; 2922 } 2923 s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2924 if (s->ext.ocsp.resp == NULL) { 2925 s->ext.ocsp.resp_len = 0; 2926 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2927 return 0; 2928 } 2929 s->ext.ocsp.resp_len = resplen; 2930 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2931 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2932 return 0; 2933 } 2934 2935 return 1; 2936 } 2937 2938 MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt) 2939 { 2940 if (!tls_process_cert_status_body(s, pkt)) { 2941 /* SSLfatal() already called */ 2942 return MSG_PROCESS_ERROR; 2943 } 2944 2945 return MSG_PROCESS_CONTINUE_READING; 2946 } 2947 2948 /* 2949 * Perform miscellaneous checks and processing after we have received the 2950 * server's initial flight. In TLS1.3 this is after the Server Finished message. 2951 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2952 * on failure. 2953 */ 2954 int tls_process_initial_server_flight(SSL_CONNECTION *s) 2955 { 2956 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2957 2958 /* 2959 * at this point we check that we have the required stuff from 2960 * the server 2961 */ 2962 if (!ssl3_check_cert_and_algorithm(s)) { 2963 /* SSLfatal() already called */ 2964 return 0; 2965 } 2966 2967 /* 2968 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2969 * |ext.ocsp.resp_len| values will be set if we actually received a status 2970 * message, or NULL and -1 otherwise 2971 */ 2972 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2973 && sctx->ext.status_cb != NULL) { 2974 int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), 2975 sctx->ext.status_arg); 2976 2977 if (ret == 0) { 2978 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2979 SSL_R_INVALID_STATUS_RESPONSE); 2980 return 0; 2981 } 2982 if (ret < 0) { 2983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2984 SSL_R_OCSP_CALLBACK_FAILURE); 2985 return 0; 2986 } 2987 } 2988 #ifndef OPENSSL_NO_CT 2989 if (s->ct_validation_callback != NULL) { 2990 /* Note we validate the SCTs whether or not we abort on error */ 2991 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2992 /* SSLfatal() already called */ 2993 return 0; 2994 } 2995 } 2996 #endif 2997 2998 return 1; 2999 } 3000 3001 MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt) 3002 { 3003 if (PACKET_remaining(pkt) > 0) { 3004 /* should contain no data */ 3005 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 3006 return MSG_PROCESS_ERROR; 3007 } 3008 #ifndef OPENSSL_NO_SRP 3009 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3010 if (ssl_srp_calc_a_param_intern(s) <= 0) { 3011 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); 3012 return MSG_PROCESS_ERROR; 3013 } 3014 } 3015 #endif 3016 3017 if (!tls_process_initial_server_flight(s)) { 3018 /* SSLfatal() already called */ 3019 return MSG_PROCESS_ERROR; 3020 } 3021 3022 return MSG_PROCESS_FINISHED_READING; 3023 } 3024 3025 static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt) 3026 { 3027 #ifndef OPENSSL_NO_PSK 3028 int ret = 0; 3029 /* 3030 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 3031 * \0-terminated identity. The last byte is for us for simulating 3032 * strnlen. 3033 */ 3034 char identity[PSK_MAX_IDENTITY_LEN + 1]; 3035 size_t identitylen = 0; 3036 unsigned char psk[PSK_MAX_PSK_LEN]; 3037 unsigned char *tmppsk = NULL; 3038 char *tmpidentity = NULL; 3039 size_t psklen = 0; 3040 3041 if (s->psk_client_callback == NULL) { 3042 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); 3043 goto err; 3044 } 3045 3046 memset(identity, 0, sizeof(identity)); 3047 3048 psklen = s->psk_client_callback(SSL_CONNECTION_GET_USER_SSL(s), 3049 s->session->psk_identity_hint, 3050 identity, sizeof(identity) - 1, 3051 psk, sizeof(psk)); 3052 3053 if (psklen > PSK_MAX_PSK_LEN) { 3054 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 3055 psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ 3056 goto err; 3057 } else if (psklen == 0) { 3058 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); 3059 goto err; 3060 } 3061 3062 identitylen = strlen(identity); 3063 if (identitylen > PSK_MAX_IDENTITY_LEN) { 3064 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3065 goto err; 3066 } 3067 3068 tmppsk = OPENSSL_memdup(psk, psklen); 3069 tmpidentity = OPENSSL_strdup(identity); 3070 if (tmppsk == NULL || tmpidentity == NULL) { 3071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3072 goto err; 3073 } 3074 3075 OPENSSL_free(s->s3.tmp.psk); 3076 s->s3.tmp.psk = tmppsk; 3077 s->s3.tmp.psklen = psklen; 3078 tmppsk = NULL; 3079 OPENSSL_free(s->session->psk_identity); 3080 s->session->psk_identity = tmpidentity; 3081 tmpidentity = NULL; 3082 3083 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 3084 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3085 goto err; 3086 } 3087 3088 ret = 1; 3089 3090 err: 3091 OPENSSL_cleanse(psk, psklen); 3092 OPENSSL_cleanse(identity, sizeof(identity)); 3093 OPENSSL_clear_free(tmppsk, psklen); 3094 OPENSSL_clear_free(tmpidentity, identitylen); 3095 3096 return ret; 3097 #else 3098 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3099 return 0; 3100 #endif 3101 } 3102 3103 static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt) 3104 { 3105 unsigned char *encdata = NULL; 3106 EVP_PKEY *pkey = NULL; 3107 EVP_PKEY_CTX *pctx = NULL; 3108 size_t enclen; 3109 unsigned char *pms = NULL; 3110 size_t pmslen = 0; 3111 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3112 3113 if (!received_server_cert(s)) { 3114 /* 3115 * We should always have a server certificate with SSL_kRSA. 3116 */ 3117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3118 return 0; 3119 } 3120 3121 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3123 return 0; 3124 } 3125 3126 if (!EVP_PKEY_is_a(pkey, "RSA")) { 3127 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3128 return 0; 3129 } 3130 3131 pmslen = SSL_MAX_MASTER_KEY_LENGTH; 3132 pms = OPENSSL_malloc(pmslen); 3133 if (pms == NULL) { 3134 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3135 return 0; 3136 } 3137 3138 pms[0] = s->client_version >> 8; 3139 pms[1] = s->client_version & 0xff; 3140 if (RAND_bytes_ex(sctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { 3141 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB); 3142 goto err; 3143 } 3144 3145 /* Fix buf for TLS and beyond */ 3146 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 3147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3148 goto err; 3149 } 3150 3151 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pkey, sctx->propq); 3152 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 3153 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 3154 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3155 goto err; 3156 } 3157 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 3158 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 3159 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); 3160 goto err; 3161 } 3162 EVP_PKEY_CTX_free(pctx); 3163 pctx = NULL; 3164 3165 /* Fix buf for TLS and beyond */ 3166 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 3167 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3168 goto err; 3169 } 3170 3171 /* Log the premaster secret, if logging is enabled. */ 3172 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 3173 /* SSLfatal() already called */ 3174 goto err; 3175 } 3176 3177 s->s3.tmp.pms = pms; 3178 s->s3.tmp.pmslen = pmslen; 3179 3180 return 1; 3181 err: 3182 OPENSSL_clear_free(pms, pmslen); 3183 EVP_PKEY_CTX_free(pctx); 3184 3185 return 0; 3186 } 3187 3188 static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt) 3189 { 3190 EVP_PKEY *ckey = NULL, *skey = NULL; 3191 unsigned char *keybytes = NULL; 3192 int prime_len; 3193 unsigned char *encoded_pub = NULL; 3194 size_t encoded_pub_len, pad_len; 3195 int ret = 0; 3196 3197 skey = s->s3.peer_tmp; 3198 if (skey == NULL) { 3199 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3200 goto err; 3201 } 3202 3203 ckey = ssl_generate_pkey(s, skey); 3204 if (ckey == NULL) { 3205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3206 goto err; 3207 } 3208 3209 if (ssl_derive(s, ckey, skey, 0) == 0) { 3210 /* SSLfatal() already called */ 3211 goto err; 3212 } 3213 3214 /* send off the data */ 3215 3216 /* Generate encoding of server key */ 3217 encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub); 3218 if (encoded_pub_len == 0) { 3219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3220 EVP_PKEY_free(ckey); 3221 return EXT_RETURN_FAIL; 3222 } 3223 3224 /* 3225 * For interoperability with some versions of the Microsoft TLS 3226 * stack, we need to zero pad the DHE pub key to the same length 3227 * as the prime. 3228 */ 3229 prime_len = EVP_PKEY_get_size(ckey); 3230 pad_len = prime_len - encoded_pub_len; 3231 if (pad_len > 0) { 3232 if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) { 3233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3234 goto err; 3235 } 3236 memset(keybytes, 0, pad_len); 3237 } 3238 3239 if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) { 3240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3241 goto err; 3242 } 3243 3244 ret = 1; 3245 err: 3246 OPENSSL_free(encoded_pub); 3247 EVP_PKEY_free(ckey); 3248 return ret; 3249 } 3250 3251 static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt) 3252 { 3253 unsigned char *encodedPoint = NULL; 3254 size_t encoded_pt_len = 0; 3255 EVP_PKEY *ckey = NULL, *skey = NULL; 3256 int ret = 0; 3257 3258 skey = s->s3.peer_tmp; 3259 if (skey == NULL) { 3260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3261 return 0; 3262 } 3263 3264 ckey = ssl_generate_pkey(s, skey); 3265 if (ckey == NULL) { 3266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 3267 goto err; 3268 } 3269 3270 if (ssl_derive(s, ckey, skey, 0) == 0) { 3271 /* SSLfatal() already called */ 3272 goto err; 3273 } 3274 3275 /* Generate encoding of client key */ 3276 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint); 3277 3278 if (encoded_pt_len == 0) { 3279 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 3280 goto err; 3281 } 3282 3283 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3284 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3285 goto err; 3286 } 3287 3288 ret = 1; 3289 err: 3290 OPENSSL_free(encodedPoint); 3291 EVP_PKEY_free(ckey); 3292 return ret; 3293 } 3294 3295 static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt) 3296 { 3297 #ifndef OPENSSL_NO_GOST 3298 /* GOST key exchange message creation */ 3299 EVP_PKEY_CTX *pkey_ctx = NULL; 3300 EVP_PKEY *pkey = NULL; 3301 size_t msglen; 3302 unsigned int md_len; 3303 unsigned char shared_ukm[32], tmp[256]; 3304 EVP_MD_CTX *ukm_hash = NULL; 3305 int dgst_nid = NID_id_GostR3411_94; 3306 unsigned char *pms = NULL; 3307 size_t pmslen = 0; 3308 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3309 3310 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3311 dgst_nid = NID_id_GostR3411_2012_256; 3312 3313 /* 3314 * Get server certificate PKEY and create ctx from it 3315 */ 3316 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3317 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3318 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3319 return 0; 3320 } 3321 3322 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, 3323 pkey, 3324 sctx->propq); 3325 if (pkey_ctx == NULL) { 3326 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3327 return 0; 3328 } 3329 /* 3330 * If we have send a certificate, and certificate key 3331 * parameters match those of server certificate, use 3332 * certificate key for key exchange 3333 */ 3334 3335 /* Otherwise, generate ephemeral key pair */ 3336 pmslen = 32; 3337 pms = OPENSSL_malloc(pmslen); 3338 if (pms == NULL) { 3339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3340 goto err; 3341 } 3342 3343 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3344 /* Generate session key 3345 */ 3346 || RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { 3347 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3348 goto err; 3349 }; 3350 /* 3351 * Compute shared IV and store it in algorithm-specific context 3352 * data 3353 */ 3354 ukm_hash = EVP_MD_CTX_new(); 3355 if (ukm_hash == NULL 3356 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3357 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, 3358 SSL3_RANDOM_SIZE) 3359 <= 0 3360 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, 3361 SSL3_RANDOM_SIZE) 3362 <= 0 3363 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3365 goto err; 3366 } 3367 EVP_MD_CTX_free(ukm_hash); 3368 ukm_hash = NULL; 3369 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3370 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) 3371 <= 0) { 3372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3373 goto err; 3374 } 3375 /* Make GOST keytransport blob message */ 3376 /* 3377 * Encapsulate it into sequence 3378 */ 3379 msglen = 255; 3380 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3382 goto err; 3383 } 3384 3385 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3386 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3387 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3389 goto err; 3390 } 3391 3392 EVP_PKEY_CTX_free(pkey_ctx); 3393 s->s3.tmp.pms = pms; 3394 s->s3.tmp.pmslen = pmslen; 3395 3396 return 1; 3397 err: 3398 EVP_PKEY_CTX_free(pkey_ctx); 3399 OPENSSL_clear_free(pms, pmslen); 3400 EVP_MD_CTX_free(ukm_hash); 3401 return 0; 3402 #else 3403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3404 return 0; 3405 #endif 3406 } 3407 3408 #ifndef OPENSSL_NO_GOST 3409 int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s) 3410 { 3411 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) 3412 return NID_magma_ctr; 3413 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) 3414 return NID_kuznyechik_ctr; 3415 3416 return NID_undef; 3417 } 3418 3419 int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf) 3420 { 3421 EVP_MD_CTX *hash = NULL; 3422 unsigned int md_len; 3423 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3424 const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256, 3425 sctx->propq); 3426 3427 if (md == NULL) 3428 return 0; 3429 3430 if ((hash = EVP_MD_CTX_new()) == NULL 3431 || EVP_DigestInit(hash, md) <= 0 3432 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 3433 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 3434 || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) { 3435 EVP_MD_CTX_free(hash); 3436 ssl_evp_md_free(md); 3437 return 0; 3438 } 3439 3440 EVP_MD_CTX_free(hash); 3441 ssl_evp_md_free(md); 3442 return 1; 3443 } 3444 #endif 3445 3446 static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt) 3447 { 3448 #ifndef OPENSSL_NO_GOST 3449 /* GOST 2018 key exchange message creation */ 3450 unsigned char rnd_dgst[32]; 3451 unsigned char *encdata = NULL; 3452 EVP_PKEY_CTX *pkey_ctx = NULL; 3453 EVP_PKEY *pkey; 3454 unsigned char *pms = NULL; 3455 size_t pmslen = 0; 3456 size_t msglen; 3457 int cipher_nid = ossl_gost18_cke_cipher_nid(s); 3458 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3459 3460 if (cipher_nid == NID_undef) { 3461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3462 return 0; 3463 } 3464 3465 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { 3466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3467 goto err; 3468 } 3469 3470 /* Pre-master secret - random bytes */ 3471 pmslen = 32; 3472 pms = OPENSSL_malloc(pmslen); 3473 if (pms == NULL) { 3474 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3475 goto err; 3476 } 3477 3478 if (RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { 3479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3480 goto err; 3481 } 3482 3483 /* Get server certificate PKEY and create ctx from it */ 3484 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3485 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3486 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3487 goto err; 3488 } 3489 3490 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, 3491 pkey, 3492 sctx->propq); 3493 if (pkey_ctx == NULL) { 3494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3495 goto err; 3496 } 3497 3498 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) { 3499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3500 goto err; 3501 }; 3502 3503 /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */ 3504 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3505 EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) 3506 <= 0) { 3507 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3508 goto err; 3509 } 3510 3511 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3512 EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) 3513 <= 0) { 3514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3515 goto err; 3516 } 3517 3518 if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) { 3519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3520 goto err; 3521 } 3522 3523 if (!WPACKET_allocate_bytes(pkt, msglen, &encdata) 3524 || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) { 3525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3526 goto err; 3527 } 3528 3529 EVP_PKEY_CTX_free(pkey_ctx); 3530 pkey_ctx = NULL; 3531 s->s3.tmp.pms = pms; 3532 s->s3.tmp.pmslen = pmslen; 3533 3534 return 1; 3535 err: 3536 EVP_PKEY_CTX_free(pkey_ctx); 3537 OPENSSL_clear_free(pms, pmslen); 3538 return 0; 3539 #else 3540 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3541 return 0; 3542 #endif 3543 } 3544 3545 static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt) 3546 { 3547 #ifndef OPENSSL_NO_SRP 3548 unsigned char *abytes = NULL; 3549 3550 if (s->srp_ctx.A == NULL 3551 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3552 &abytes)) { 3553 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3554 return 0; 3555 } 3556 BN_bn2bin(s->srp_ctx.A, abytes); 3557 3558 OPENSSL_free(s->session->srp_username); 3559 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3560 if (s->session->srp_username == NULL) { 3561 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3562 return 0; 3563 } 3564 3565 return 1; 3566 #else 3567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3568 return 0; 3569 #endif 3570 } 3571 3572 CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, 3573 WPACKET *pkt) 3574 { 3575 unsigned long alg_k; 3576 3577 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3578 3579 /* 3580 * All of the construct functions below call SSLfatal() if necessary so 3581 * no need to do so here. 3582 */ 3583 if ((alg_k & SSL_PSK) 3584 && !tls_construct_cke_psk_preamble(s, pkt)) 3585 goto err; 3586 3587 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3588 if (!tls_construct_cke_rsa(s, pkt)) 3589 goto err; 3590 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3591 if (!tls_construct_cke_dhe(s, pkt)) 3592 goto err; 3593 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3594 if (!tls_construct_cke_ecdhe(s, pkt)) 3595 goto err; 3596 } else if (alg_k & SSL_kGOST) { 3597 if (!tls_construct_cke_gost(s, pkt)) 3598 goto err; 3599 } else if (alg_k & SSL_kGOST18) { 3600 if (!tls_construct_cke_gost18(s, pkt)) 3601 goto err; 3602 } else if (alg_k & SSL_kSRP) { 3603 if (!tls_construct_cke_srp(s, pkt)) 3604 goto err; 3605 } else if (!(alg_k & SSL_kPSK)) { 3606 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3607 goto err; 3608 } 3609 3610 return CON_FUNC_SUCCESS; 3611 err: 3612 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); 3613 s->s3.tmp.pms = NULL; 3614 s->s3.tmp.pmslen = 0; 3615 #ifndef OPENSSL_NO_PSK 3616 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); 3617 s->s3.tmp.psk = NULL; 3618 s->s3.tmp.psklen = 0; 3619 #endif 3620 return CON_FUNC_ERROR; 3621 } 3622 3623 int tls_client_key_exchange_post_work(SSL_CONNECTION *s) 3624 { 3625 unsigned char *pms = NULL; 3626 size_t pmslen = 0; 3627 3628 pms = s->s3.tmp.pms; 3629 pmslen = s->s3.tmp.pmslen; 3630 3631 #ifndef OPENSSL_NO_SRP 3632 /* Check for SRP */ 3633 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3634 if (!srp_generate_client_master_secret(s)) { 3635 /* SSLfatal() already called */ 3636 goto err; 3637 } 3638 return 1; 3639 } 3640 #endif 3641 3642 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT); 3644 goto err; 3645 } 3646 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3647 /* SSLfatal() already called */ 3648 /* ssl_generate_master_secret frees the pms even on error */ 3649 pms = NULL; 3650 pmslen = 0; 3651 goto err; 3652 } 3653 pms = NULL; 3654 pmslen = 0; 3655 3656 #ifndef OPENSSL_NO_SCTP 3657 if (SSL_CONNECTION_IS_DTLS(s)) { 3658 unsigned char sctpauthkey[64]; 3659 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3660 size_t labellen; 3661 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3662 3663 /* 3664 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3665 * used. 3666 */ 3667 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3668 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3669 3670 /* Don't include the terminating zero. */ 3671 labellen = sizeof(labelbuffer) - 1; 3672 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3673 labellen += 1; 3674 3675 if (SSL_export_keying_material(ssl, sctpauthkey, 3676 sizeof(sctpauthkey), labelbuffer, 3677 labellen, NULL, 0, 0) 3678 <= 0) { 3679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3680 goto err; 3681 } 3682 3683 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3684 sizeof(sctpauthkey), sctpauthkey); 3685 } 3686 #endif 3687 3688 return 1; 3689 err: 3690 OPENSSL_clear_free(pms, pmslen); 3691 s->s3.tmp.pms = NULL; 3692 s->s3.tmp.pmslen = 0; 3693 return 0; 3694 } 3695 3696 /* 3697 * Check a certificate can be used for client authentication. Currently check 3698 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3699 * certificates can be used and optionally checks suitability for Suite B. 3700 */ 3701 static int ssl3_check_client_certificate(SSL_CONNECTION *s) 3702 { 3703 /* If no suitable signature algorithm can't use certificate */ 3704 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) 3705 return 0; 3706 /* 3707 * If strict mode check suitability of chain before using it. This also 3708 * adjusts suite B digest if necessary. 3709 */ 3710 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3711 return 0; 3712 return 1; 3713 } 3714 3715 WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) 3716 { 3717 X509 *x509 = NULL; 3718 EVP_PKEY *pkey = NULL; 3719 int i; 3720 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3721 3722 if (wst == WORK_MORE_A) { 3723 /* Let cert callback update client certificates if required */ 3724 if (s->cert->cert_cb) { 3725 i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); 3726 if (i < 0) { 3727 s->rwstate = SSL_X509_LOOKUP; 3728 return WORK_MORE_A; 3729 } 3730 if (i == 0) { 3731 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); 3732 return WORK_ERROR; 3733 } 3734 s->rwstate = SSL_NOTHING; 3735 } 3736 if (ssl3_check_client_certificate(s)) { 3737 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3738 return WORK_FINISHED_STOP; 3739 } 3740 return WORK_FINISHED_CONTINUE; 3741 } 3742 3743 /* Fall through to WORK_MORE_B */ 3744 wst = WORK_MORE_B; 3745 } 3746 3747 /* We need to get a client cert */ 3748 if (wst == WORK_MORE_B) { 3749 /* 3750 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3751 * return(-1); We then get retied later 3752 */ 3753 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3754 if (i < 0) { 3755 s->rwstate = SSL_X509_LOOKUP; 3756 return WORK_MORE_B; 3757 } 3758 s->rwstate = SSL_NOTHING; 3759 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3760 if (!SSL_use_certificate(ssl, x509) 3761 || !SSL_use_PrivateKey(ssl, pkey)) 3762 i = 0; 3763 } else if (i == 1) { 3764 i = 0; 3765 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3766 } 3767 3768 X509_free(x509); 3769 EVP_PKEY_free(pkey); 3770 if (i && !ssl3_check_client_certificate(s)) 3771 i = 0; 3772 if (i == 0) { 3773 if (s->version == SSL3_VERSION) { 3774 s->s3.tmp.cert_req = 0; 3775 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3776 return WORK_FINISHED_CONTINUE; 3777 } else { 3778 s->s3.tmp.cert_req = 2; 3779 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; 3780 if (!ssl3_digest_cached_records(s, 0)) { 3781 /* SSLfatal() already called */ 3782 return WORK_ERROR; 3783 } 3784 } 3785 } 3786 3787 if (!SSL_CONNECTION_IS_TLS13(s) 3788 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) 3789 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; 3790 3791 if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3792 return WORK_FINISHED_STOP; 3793 return WORK_FINISHED_CONTINUE; 3794 } 3795 3796 /* Shouldn't ever get here */ 3797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3798 return WORK_ERROR; 3799 } 3800 3801 CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, 3802 WPACKET *pkt) 3803 { 3804 CERT_PKEY *cpk = NULL; 3805 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3806 3807 if (SSL_CONNECTION_IS_TLS13(s)) { 3808 if (s->pha_context == NULL) { 3809 /* no context available, add 0-length context */ 3810 if (!WPACKET_put_bytes_u8(pkt, 0)) { 3811 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3812 return CON_FUNC_ERROR; 3813 } 3814 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3815 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3816 return CON_FUNC_ERROR; 3817 } 3818 } 3819 if (s->s3.tmp.cert_req != 2) 3820 cpk = s->cert->key; 3821 switch (s->ext.client_cert_type) { 3822 case TLSEXT_cert_type_rpk: 3823 if (!tls_output_rpk(s, pkt, cpk)) { 3824 /* SSLfatal() already called */ 3825 return CON_FUNC_ERROR; 3826 } 3827 break; 3828 case TLSEXT_cert_type_x509: 3829 if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) { 3830 /* SSLfatal() already called */ 3831 return CON_FUNC_ERROR; 3832 } 3833 break; 3834 default: 3835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3836 return CON_FUNC_ERROR; 3837 } 3838 3839 /* 3840 * If we attempted to write early data or we're in middlebox compat mode 3841 * then we deferred changing the handshake write keys to the last possible 3842 * moment. We need to do it now. 3843 */ 3844 if (SSL_CONNECTION_IS_TLS13(s) 3845 && !SSL_IS_QUIC_HANDSHAKE(s) 3846 && SSL_IS_FIRST_HANDSHAKE(s) 3847 && (s->early_data_state != SSL_EARLY_DATA_NONE 3848 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 3849 && (!ssl->method->ssl3_enc->change_cipher_state(s, 3850 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3851 /* 3852 * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3853 * state and thus ssl3_send_alert may crash. 3854 */ 3855 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); 3856 return CON_FUNC_ERROR; 3857 } 3858 3859 return CON_FUNC_SUCCESS; 3860 } 3861 3862 #ifndef OPENSSL_NO_COMP_ALG 3863 CON_FUNC_RETURN tls_construct_client_compressed_certificate(SSL_CONNECTION *sc, 3864 WPACKET *pkt) 3865 { 3866 SSL *ssl = SSL_CONNECTION_GET_SSL(sc); 3867 WPACKET tmppkt; 3868 BUF_MEM *buf = NULL; 3869 size_t length; 3870 size_t max_length; 3871 COMP_METHOD *method; 3872 COMP_CTX *comp = NULL; 3873 int comp_len; 3874 int ret = 0; 3875 int alg = sc->ext.compress_certificate_from_peer[0]; 3876 3877 /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */ 3878 3879 if ((buf = BUF_MEM_new()) == NULL || !WPACKET_init(&tmppkt, buf)) 3880 goto err; 3881 3882 /* Use the |tmppkt| for the to-be-compressed data */ 3883 if (sc->pha_context == NULL) { 3884 /* no context available, add 0-length context */ 3885 if (!WPACKET_put_bytes_u8(&tmppkt, 0)) 3886 goto err; 3887 } else if (!WPACKET_sub_memcpy_u8(&tmppkt, sc->pha_context, sc->pha_context_len)) 3888 goto err; 3889 3890 if (!ssl3_output_cert_chain(sc, &tmppkt, sc->cert->key, 0)) { 3891 /* SSLfatal() already called */ 3892 goto out; 3893 } 3894 3895 /* continue with the real |pkt| */ 3896 if (!WPACKET_put_bytes_u16(pkt, alg) 3897 || !WPACKET_get_total_written(&tmppkt, &length) 3898 || !WPACKET_put_bytes_u24(pkt, length)) 3899 goto err; 3900 3901 switch (alg) { 3902 case TLSEXT_comp_cert_zlib: 3903 method = COMP_zlib_oneshot(); 3904 break; 3905 case TLSEXT_comp_cert_brotli: 3906 method = COMP_brotli_oneshot(); 3907 break; 3908 case TLSEXT_comp_cert_zstd: 3909 method = COMP_zstd_oneshot(); 3910 break; 3911 default: 3912 goto err; 3913 } 3914 max_length = ossl_calculate_comp_expansion(alg, length); 3915 3916 if ((comp = COMP_CTX_new(method)) == NULL 3917 || !WPACKET_start_sub_packet_u24(pkt) 3918 || !WPACKET_reserve_bytes(pkt, max_length, NULL)) 3919 goto err; 3920 3921 comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), max_length, 3922 (unsigned char *)buf->data, length); 3923 if (comp_len <= 0) 3924 goto err; 3925 3926 if (!WPACKET_allocate_bytes(pkt, comp_len, NULL) 3927 || !WPACKET_close(pkt)) 3928 goto err; 3929 3930 /* 3931 * If we attempted to write early data or we're in middlebox compat mode 3932 * then we deferred changing the handshake write keys to the last possible 3933 * moment. We need to do it now. 3934 */ 3935 if (SSL_IS_FIRST_HANDSHAKE(sc) 3936 && !SSL_IS_QUIC_HANDSHAKE(sc) 3937 && (sc->early_data_state != SSL_EARLY_DATA_NONE 3938 || (sc->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 3939 && (!ssl->method->ssl3_enc->change_cipher_state(sc, 3940 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3941 /* 3942 * This is a fatal error, which leaves sc->enc_write_ctx in an 3943 * inconsistent state and thus ssl3_send_alert may crash. 3944 */ 3945 SSLfatal(sc, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); 3946 goto out; 3947 } 3948 ret = 1; 3949 goto out; 3950 3951 err: 3952 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3953 out: 3954 if (buf != NULL) { 3955 /* If |buf| is NULL, then |tmppkt| could not have been initialized */ 3956 WPACKET_cleanup(&tmppkt); 3957 } 3958 BUF_MEM_free(buf); 3959 COMP_CTX_free(comp); 3960 return ret; 3961 } 3962 #endif 3963 3964 int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) 3965 { 3966 const SSL_CERT_LOOKUP *clu; 3967 size_t idx; 3968 long alg_k, alg_a; 3969 EVP_PKEY *pkey; 3970 3971 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3972 alg_a = s->s3.tmp.new_cipher->algorithm_auth; 3973 3974 /* we don't have a certificate */ 3975 if (!(alg_a & SSL_aCERT)) 3976 return 1; 3977 3978 /* This is the passed certificate */ 3979 pkey = tls_get_peer_pkey(s); 3980 clu = ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)); 3981 3982 /* Check certificate is recognised and suitable for cipher */ 3983 if (clu == NULL || (alg_a & clu->amask) == 0) { 3984 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); 3985 return 0; 3986 } 3987 3988 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3989 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3990 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3991 return 0; 3992 } 3993 3994 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { 3995 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3996 return 0; 3997 } 3998 3999 /* Early out to skip the checks below */ 4000 if (s->session->peer_rpk != NULL) 4001 return 1; 4002 4003 if (clu->amask & SSL_aECDSA) { 4004 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 4005 return 1; 4006 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); 4007 return 0; 4008 } 4009 4010 return 1; 4011 } 4012 4013 #ifndef OPENSSL_NO_NEXTPROTONEG 4014 CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) 4015 { 4016 size_t len, padding_len; 4017 unsigned char *padding = NULL; 4018 4019 len = s->ext.npn_len; 4020 padding_len = 32 - ((len + 2) % 32); 4021 4022 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 4023 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 4024 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4025 return CON_FUNC_ERROR; 4026 } 4027 4028 memset(padding, 0, padding_len); 4029 4030 return CON_FUNC_SUCCESS; 4031 } 4032 #endif 4033 4034 MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt) 4035 { 4036 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 4037 4038 if (PACKET_remaining(pkt) > 0) { 4039 /* should contain no data */ 4040 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 4041 return MSG_PROCESS_ERROR; 4042 } 4043 4044 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 4045 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 4046 return MSG_PROCESS_FINISHED_READING; 4047 } 4048 4049 /* 4050 * This is a historical discrepancy (not in the RFC) maintained for 4051 * compatibility reasons. If a TLS client receives a HelloRequest it will 4052 * attempt an abbreviated handshake. However if a DTLS client receives a 4053 * HelloRequest it will do a full handshake. Either behaviour is reasonable 4054 * but doing one for TLS and another for DTLS is odd. 4055 */ 4056 if (SSL_CONNECTION_IS_DTLS(s)) 4057 SSL_renegotiate(ssl); 4058 else 4059 SSL_renegotiate_abbreviated(ssl); 4060 4061 return MSG_PROCESS_FINISHED_READING; 4062 } 4063 4064 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, 4065 PACKET *pkt) 4066 { 4067 PACKET extensions; 4068 RAW_EXTENSION *rawexts = NULL; 4069 4070 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 4071 || PACKET_remaining(pkt) != 0) { 4072 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 4073 goto err; 4074 } 4075 4076 if (!tls_collect_extensions(s, &extensions, 4077 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 4078 NULL, 1) 4079 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 4080 rawexts, NULL, 0, 1)) { 4081 /* SSLfatal() already called */ 4082 goto err; 4083 } 4084 4085 OPENSSL_free(rawexts); 4086 return MSG_PROCESS_CONTINUE_READING; 4087 4088 err: 4089 OPENSSL_free(rawexts); 4090 return MSG_PROCESS_ERROR; 4091 } 4092 4093 int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey) 4094 { 4095 int i = 0; 4096 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 4097 4098 #ifndef OPENSSL_NO_ENGINE 4099 if (sctx->client_cert_engine) { 4100 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); 4101 if (i != 0) 4102 return i; 4103 } 4104 #endif 4105 if (sctx->client_cert_cb) 4106 i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey); 4107 return i; 4108 } 4109 4110 int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, 4111 WPACKET *pkt) 4112 { 4113 int i; 4114 size_t totlen = 0, len, maxlen, maxverok = 0; 4115 int empty_reneg_info_scsv = !s->renegotiate 4116 && !SSL_CONNECTION_IS_DTLS(s) 4117 && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) 4118 && s->min_proto_version <= TLS1_VERSION; 4119 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 4120 4121 /* Set disabled masks for this session */ 4122 if (!ssl_set_client_disabled(s)) { 4123 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); 4124 return 0; 4125 } 4126 4127 if (sk == NULL) { 4128 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4129 return 0; 4130 } 4131 4132 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 4133 #if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 4134 #error Max cipher length too short 4135 #endif 4136 /* 4137 * Some servers hang if client hello > 256 bytes as hack workaround 4138 * chop number of supported ciphers to keep it well below this if we 4139 * use TLS v1.2 4140 */ 4141 if (TLS1_get_version(ssl) >= TLS1_2_VERSION) 4142 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 4143 else 4144 #endif 4145 /* Maximum length that can be stored in 2 bytes. Length must be even */ 4146 maxlen = 0xfffe; 4147 4148 if (empty_reneg_info_scsv) 4149 maxlen -= 2; 4150 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 4151 maxlen -= 2; 4152 4153 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 4154 const SSL_CIPHER *c; 4155 4156 c = sk_SSL_CIPHER_value(sk, i); 4157 /* Skip disabled ciphers */ 4158 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 4159 continue; 4160 4161 if (!ssl->method->put_cipher_by_char(c, pkt, &len)) { 4162 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4163 return 0; 4164 } 4165 4166 /* Sanity check that the maximum version we offer has ciphers enabled */ 4167 if (!maxverok) { 4168 int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; 4169 int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; 4170 4171 if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 4172 && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0) 4173 maxverok = 1; 4174 } 4175 4176 totlen += len; 4177 } 4178 4179 if (totlen == 0 || !maxverok) { 4180 const char *maxvertext = !maxverok 4181 ? "No ciphers enabled for max supported SSL/TLS version" 4182 : NULL; 4183 4184 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, 4185 maxvertext); 4186 return 0; 4187 } 4188 4189 if (totlen != 0) { 4190 if (empty_reneg_info_scsv) { 4191 static const SSL_CIPHER scsv = { 4192 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 4193 }; 4194 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { 4195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4196 return 0; 4197 } 4198 } 4199 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 4200 static const SSL_CIPHER scsv = { 4201 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 4202 }; 4203 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { 4204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4205 return 0; 4206 } 4207 } 4208 } 4209 4210 return 1; 4211 } 4212 4213 CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) 4214 { 4215 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 4216 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 4217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 4218 return CON_FUNC_ERROR; 4219 } 4220 4221 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 4222 return CON_FUNC_SUCCESS; 4223 } 4224
Indexes created Sat Feb 28 05:31:39 UTC 2026