1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4e1051a39Sopenharmony_ci * Copyright 2005 Nokia. All rights reserved. 5e1051a39Sopenharmony_ci * 6e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 7e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 8e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 9e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 10e1051a39Sopenharmony_ci */ 11e1051a39Sopenharmony_ci 12e1051a39Sopenharmony_ci#include <stdio.h> 13e1051a39Sopenharmony_ci#include <time.h> 14e1051a39Sopenharmony_ci#include <assert.h> 15e1051a39Sopenharmony_ci#include "../ssl_local.h" 16e1051a39Sopenharmony_ci#include "statem_local.h" 17e1051a39Sopenharmony_ci#include <openssl/buffer.h> 18e1051a39Sopenharmony_ci#include <openssl/rand.h> 19e1051a39Sopenharmony_ci#include <openssl/objects.h> 20e1051a39Sopenharmony_ci#include <openssl/evp.h> 21e1051a39Sopenharmony_ci#include <openssl/md5.h> 22e1051a39Sopenharmony_ci#include <openssl/dh.h> 23e1051a39Sopenharmony_ci#include <openssl/rsa.h> 24e1051a39Sopenharmony_ci#include <openssl/bn.h> 25e1051a39Sopenharmony_ci#include <openssl/engine.h> 26e1051a39Sopenharmony_ci#include <openssl/trace.h> 27e1051a39Sopenharmony_ci#include <openssl/core_names.h> 28e1051a39Sopenharmony_ci#include <openssl/param_build.h> 29e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 30e1051a39Sopenharmony_ci 31e1051a39Sopenharmony_cistatic MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); 32e1051a39Sopenharmony_cistatic MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); 33e1051a39Sopenharmony_ci 34e1051a39Sopenharmony_cistatic ossl_inline int cert_req_allowed(SSL *s); 35e1051a39Sopenharmony_cistatic int key_exchange_expected(SSL *s); 36e1051a39Sopenharmony_cistatic int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, 37e1051a39Sopenharmony_ci WPACKET *pkt); 38e1051a39Sopenharmony_ci 39e1051a39Sopenharmony_ci/* 40e1051a39Sopenharmony_ci * Is a CertificateRequest message allowed at the moment or not? 41e1051a39Sopenharmony_ci * 42e1051a39Sopenharmony_ci * Return values are: 43e1051a39Sopenharmony_ci * 1: Yes 44e1051a39Sopenharmony_ci * 0: No 45e1051a39Sopenharmony_ci */ 46e1051a39Sopenharmony_cistatic ossl_inline int cert_req_allowed(SSL *s) 47e1051a39Sopenharmony_ci{ 48e1051a39Sopenharmony_ci /* TLS does not like anon-DH with client cert */ 49e1051a39Sopenharmony_ci if ((s->version > SSL3_VERSION 50e1051a39Sopenharmony_ci && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) 51e1051a39Sopenharmony_ci || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 52e1051a39Sopenharmony_ci return 0; 53e1051a39Sopenharmony_ci 54e1051a39Sopenharmony_ci return 1; 55e1051a39Sopenharmony_ci} 56e1051a39Sopenharmony_ci 57e1051a39Sopenharmony_ci/* 58e1051a39Sopenharmony_ci * Should we expect the ServerKeyExchange message or not? 59e1051a39Sopenharmony_ci * 60e1051a39Sopenharmony_ci * Return values are: 61e1051a39Sopenharmony_ci * 1: Yes 62e1051a39Sopenharmony_ci * 0: No 63e1051a39Sopenharmony_ci */ 64e1051a39Sopenharmony_cistatic int key_exchange_expected(SSL *s) 65e1051a39Sopenharmony_ci{ 66e1051a39Sopenharmony_ci long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 67e1051a39Sopenharmony_ci 68e1051a39Sopenharmony_ci /* 69e1051a39Sopenharmony_ci * Can't skip server key exchange if this is an ephemeral 70e1051a39Sopenharmony_ci * ciphersuite or for SRP 71e1051a39Sopenharmony_ci */ 72e1051a39Sopenharmony_ci if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK 73e1051a39Sopenharmony_ci | SSL_kSRP)) { 74e1051a39Sopenharmony_ci return 1; 75e1051a39Sopenharmony_ci } 76e1051a39Sopenharmony_ci 77e1051a39Sopenharmony_ci return 0; 78e1051a39Sopenharmony_ci} 79e1051a39Sopenharmony_ci 80e1051a39Sopenharmony_ci/* 81e1051a39Sopenharmony_ci * ossl_statem_client_read_transition() encapsulates the logic for the allowed 82e1051a39Sopenharmony_ci * handshake state transitions when a TLS1.3 client is reading messages from the 83e1051a39Sopenharmony_ci * server. The message type that the server has sent is provided in |mt|. The 84e1051a39Sopenharmony_ci * current state is in |s->statem.hand_state|. 85e1051a39Sopenharmony_ci * 86e1051a39Sopenharmony_ci * Return values are 1 for success (transition allowed) and 0 on error 87e1051a39Sopenharmony_ci * (transition not allowed) 88e1051a39Sopenharmony_ci */ 89e1051a39Sopenharmony_cistatic int ossl_statem_client13_read_transition(SSL *s, int mt) 90e1051a39Sopenharmony_ci{ 91e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 92e1051a39Sopenharmony_ci 93e1051a39Sopenharmony_ci /* 94e1051a39Sopenharmony_ci * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 95e1051a39Sopenharmony_ci * yet negotiated TLSv1.3 at that point so that is handled by 96e1051a39Sopenharmony_ci * ossl_statem_client_read_transition() 97e1051a39Sopenharmony_ci */ 98e1051a39Sopenharmony_ci 99e1051a39Sopenharmony_ci switch (st->hand_state) { 100e1051a39Sopenharmony_ci default: 101e1051a39Sopenharmony_ci break; 102e1051a39Sopenharmony_ci 103e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 104e1051a39Sopenharmony_ci /* 105e1051a39Sopenharmony_ci * This must a ClientHello following a HelloRetryRequest, so the only 106e1051a39Sopenharmony_ci * thing we can get now is a ServerHello. 107e1051a39Sopenharmony_ci */ 108e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_HELLO) { 109e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SRVR_HELLO; 110e1051a39Sopenharmony_ci return 1; 111e1051a39Sopenharmony_ci } 112e1051a39Sopenharmony_ci break; 113e1051a39Sopenharmony_ci 114e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_HELLO: 115e1051a39Sopenharmony_ci if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 116e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 117e1051a39Sopenharmony_ci return 1; 118e1051a39Sopenharmony_ci } 119e1051a39Sopenharmony_ci break; 120e1051a39Sopenharmony_ci 121e1051a39Sopenharmony_ci case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 122e1051a39Sopenharmony_ci if (s->hit) { 123e1051a39Sopenharmony_ci if (mt == SSL3_MT_FINISHED) { 124e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_FINISHED; 125e1051a39Sopenharmony_ci return 1; 126e1051a39Sopenharmony_ci } 127e1051a39Sopenharmony_ci } else { 128e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 129e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_REQ; 130e1051a39Sopenharmony_ci return 1; 131e1051a39Sopenharmony_ci } 132e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE) { 133e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT; 134e1051a39Sopenharmony_ci return 1; 135e1051a39Sopenharmony_ci } 136e1051a39Sopenharmony_ci } 137e1051a39Sopenharmony_ci break; 138e1051a39Sopenharmony_ci 139e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 140e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE) { 141e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT; 142e1051a39Sopenharmony_ci return 1; 143e1051a39Sopenharmony_ci } 144e1051a39Sopenharmony_ci break; 145e1051a39Sopenharmony_ci 146e1051a39Sopenharmony_ci case TLS_ST_CR_CERT: 147e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 148e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_VRFY; 149e1051a39Sopenharmony_ci return 1; 150e1051a39Sopenharmony_ci } 151e1051a39Sopenharmony_ci break; 152e1051a39Sopenharmony_ci 153e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_VRFY: 154e1051a39Sopenharmony_ci if (mt == SSL3_MT_FINISHED) { 155e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_FINISHED; 156e1051a39Sopenharmony_ci return 1; 157e1051a39Sopenharmony_ci } 158e1051a39Sopenharmony_ci break; 159e1051a39Sopenharmony_ci 160e1051a39Sopenharmony_ci case TLS_ST_OK: 161e1051a39Sopenharmony_ci if (mt == SSL3_MT_NEWSESSION_TICKET) { 162e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SESSION_TICKET; 163e1051a39Sopenharmony_ci return 1; 164e1051a39Sopenharmony_ci } 165e1051a39Sopenharmony_ci if (mt == SSL3_MT_KEY_UPDATE) { 166e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_KEY_UPDATE; 167e1051a39Sopenharmony_ci return 1; 168e1051a39Sopenharmony_ci } 169e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 170e1051a39Sopenharmony_ci#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 171e1051a39Sopenharmony_ci /* Restore digest for PHA before adding message.*/ 172e1051a39Sopenharmony_ci# error Internal DTLS version error 173e1051a39Sopenharmony_ci#endif 174e1051a39Sopenharmony_ci if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 175e1051a39Sopenharmony_ci s->post_handshake_auth = SSL_PHA_REQUESTED; 176e1051a39Sopenharmony_ci /* 177e1051a39Sopenharmony_ci * In TLS, this is called before the message is added to the 178e1051a39Sopenharmony_ci * digest. In DTLS, this is expected to be called after adding 179e1051a39Sopenharmony_ci * to the digest. Either move the digest restore, or add the 180e1051a39Sopenharmony_ci * message here after the swap, or do it after the clientFinished? 181e1051a39Sopenharmony_ci */ 182e1051a39Sopenharmony_ci if (!tls13_restore_handshake_digest_for_pha(s)) { 183e1051a39Sopenharmony_ci /* SSLfatal() already called */ 184e1051a39Sopenharmony_ci return 0; 185e1051a39Sopenharmony_ci } 186e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_REQ; 187e1051a39Sopenharmony_ci return 1; 188e1051a39Sopenharmony_ci } 189e1051a39Sopenharmony_ci } 190e1051a39Sopenharmony_ci break; 191e1051a39Sopenharmony_ci } 192e1051a39Sopenharmony_ci 193e1051a39Sopenharmony_ci /* No valid transition found */ 194e1051a39Sopenharmony_ci return 0; 195e1051a39Sopenharmony_ci} 196e1051a39Sopenharmony_ci 197e1051a39Sopenharmony_ci/* 198e1051a39Sopenharmony_ci * ossl_statem_client_read_transition() encapsulates the logic for the allowed 199e1051a39Sopenharmony_ci * handshake state transitions when the client is reading messages from the 200e1051a39Sopenharmony_ci * server. The message type that the server has sent is provided in |mt|. The 201e1051a39Sopenharmony_ci * current state is in |s->statem.hand_state|. 202e1051a39Sopenharmony_ci * 203e1051a39Sopenharmony_ci * Return values are 1 for success (transition allowed) and 0 on error 204e1051a39Sopenharmony_ci * (transition not allowed) 205e1051a39Sopenharmony_ci */ 206e1051a39Sopenharmony_ciint ossl_statem_client_read_transition(SSL *s, int mt) 207e1051a39Sopenharmony_ci{ 208e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 209e1051a39Sopenharmony_ci int ske_expected; 210e1051a39Sopenharmony_ci 211e1051a39Sopenharmony_ci /* 212e1051a39Sopenharmony_ci * Note that after writing the first ClientHello we don't know what version 213e1051a39Sopenharmony_ci * we are going to negotiate yet, so we don't take this branch until later. 214e1051a39Sopenharmony_ci */ 215e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 216e1051a39Sopenharmony_ci if (!ossl_statem_client13_read_transition(s, mt)) 217e1051a39Sopenharmony_ci goto err; 218e1051a39Sopenharmony_ci return 1; 219e1051a39Sopenharmony_ci } 220e1051a39Sopenharmony_ci 221e1051a39Sopenharmony_ci switch (st->hand_state) { 222e1051a39Sopenharmony_ci default: 223e1051a39Sopenharmony_ci break; 224e1051a39Sopenharmony_ci 225e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 226e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_HELLO) { 227e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SRVR_HELLO; 228e1051a39Sopenharmony_ci return 1; 229e1051a39Sopenharmony_ci } 230e1051a39Sopenharmony_ci 231e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 232e1051a39Sopenharmony_ci if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 233e1051a39Sopenharmony_ci st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 234e1051a39Sopenharmony_ci return 1; 235e1051a39Sopenharmony_ci } 236e1051a39Sopenharmony_ci } 237e1051a39Sopenharmony_ci break; 238e1051a39Sopenharmony_ci 239e1051a39Sopenharmony_ci case TLS_ST_EARLY_DATA: 240e1051a39Sopenharmony_ci /* 241e1051a39Sopenharmony_ci * We've not actually selected TLSv1.3 yet, but we have sent early 242e1051a39Sopenharmony_ci * data. The only thing allowed now is a ServerHello or a 243e1051a39Sopenharmony_ci * HelloRetryRequest. 244e1051a39Sopenharmony_ci */ 245e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_HELLO) { 246e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SRVR_HELLO; 247e1051a39Sopenharmony_ci return 1; 248e1051a39Sopenharmony_ci } 249e1051a39Sopenharmony_ci break; 250e1051a39Sopenharmony_ci 251e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_HELLO: 252e1051a39Sopenharmony_ci if (s->hit) { 253e1051a39Sopenharmony_ci if (s->ext.ticket_expected) { 254e1051a39Sopenharmony_ci if (mt == SSL3_MT_NEWSESSION_TICKET) { 255e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SESSION_TICKET; 256e1051a39Sopenharmony_ci return 1; 257e1051a39Sopenharmony_ci } 258e1051a39Sopenharmony_ci } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 259e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CHANGE; 260e1051a39Sopenharmony_ci return 1; 261e1051a39Sopenharmony_ci } 262e1051a39Sopenharmony_ci } else { 263e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 264e1051a39Sopenharmony_ci st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 265e1051a39Sopenharmony_ci return 1; 266e1051a39Sopenharmony_ci } else if (s->version >= TLS1_VERSION 267e1051a39Sopenharmony_ci && s->ext.session_secret_cb != NULL 268e1051a39Sopenharmony_ci && s->session->ext.tick != NULL 269e1051a39Sopenharmony_ci && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 270e1051a39Sopenharmony_ci /* 271e1051a39Sopenharmony_ci * Normally, we can tell if the server is resuming the session 272e1051a39Sopenharmony_ci * from the session ID. EAP-FAST (RFC 4851), however, relies on 273e1051a39Sopenharmony_ci * the next server message after the ServerHello to determine if 274e1051a39Sopenharmony_ci * the server is resuming. 275e1051a39Sopenharmony_ci */ 276e1051a39Sopenharmony_ci s->hit = 1; 277e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CHANGE; 278e1051a39Sopenharmony_ci return 1; 279e1051a39Sopenharmony_ci } else if (!(s->s3.tmp.new_cipher->algorithm_auth 280e1051a39Sopenharmony_ci & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 281e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE) { 282e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT; 283e1051a39Sopenharmony_ci return 1; 284e1051a39Sopenharmony_ci } 285e1051a39Sopenharmony_ci } else { 286e1051a39Sopenharmony_ci ske_expected = key_exchange_expected(s); 287e1051a39Sopenharmony_ci /* SKE is optional for some PSK ciphersuites */ 288e1051a39Sopenharmony_ci if (ske_expected 289e1051a39Sopenharmony_ci || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) 290e1051a39Sopenharmony_ci && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 291e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 292e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_KEY_EXCH; 293e1051a39Sopenharmony_ci return 1; 294e1051a39Sopenharmony_ci } 295e1051a39Sopenharmony_ci } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 296e1051a39Sopenharmony_ci && cert_req_allowed(s)) { 297e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_REQ; 298e1051a39Sopenharmony_ci return 1; 299e1051a39Sopenharmony_ci } else if (mt == SSL3_MT_SERVER_DONE) { 300e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SRVR_DONE; 301e1051a39Sopenharmony_ci return 1; 302e1051a39Sopenharmony_ci } 303e1051a39Sopenharmony_ci } 304e1051a39Sopenharmony_ci } 305e1051a39Sopenharmony_ci break; 306e1051a39Sopenharmony_ci 307e1051a39Sopenharmony_ci case TLS_ST_CR_CERT: 308e1051a39Sopenharmony_ci /* 309e1051a39Sopenharmony_ci * The CertificateStatus message is optional even if 310e1051a39Sopenharmony_ci * |ext.status_expected| is set 311e1051a39Sopenharmony_ci */ 312e1051a39Sopenharmony_ci if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 313e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_STATUS; 314e1051a39Sopenharmony_ci return 1; 315e1051a39Sopenharmony_ci } 316e1051a39Sopenharmony_ci /* Fall through */ 317e1051a39Sopenharmony_ci 318e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_STATUS: 319e1051a39Sopenharmony_ci ske_expected = key_exchange_expected(s); 320e1051a39Sopenharmony_ci /* SKE is optional for some PSK ciphersuites */ 321e1051a39Sopenharmony_ci if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) 322e1051a39Sopenharmony_ci && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 323e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 324e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_KEY_EXCH; 325e1051a39Sopenharmony_ci return 1; 326e1051a39Sopenharmony_ci } 327e1051a39Sopenharmony_ci goto err; 328e1051a39Sopenharmony_ci } 329e1051a39Sopenharmony_ci /* Fall through */ 330e1051a39Sopenharmony_ci 331e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_EXCH: 332e1051a39Sopenharmony_ci if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 333e1051a39Sopenharmony_ci if (cert_req_allowed(s)) { 334e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CERT_REQ; 335e1051a39Sopenharmony_ci return 1; 336e1051a39Sopenharmony_ci } 337e1051a39Sopenharmony_ci goto err; 338e1051a39Sopenharmony_ci } 339e1051a39Sopenharmony_ci /* Fall through */ 340e1051a39Sopenharmony_ci 341e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 342e1051a39Sopenharmony_ci if (mt == SSL3_MT_SERVER_DONE) { 343e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SRVR_DONE; 344e1051a39Sopenharmony_ci return 1; 345e1051a39Sopenharmony_ci } 346e1051a39Sopenharmony_ci break; 347e1051a39Sopenharmony_ci 348e1051a39Sopenharmony_ci case TLS_ST_CW_FINISHED: 349e1051a39Sopenharmony_ci if (s->ext.ticket_expected) { 350e1051a39Sopenharmony_ci if (mt == SSL3_MT_NEWSESSION_TICKET) { 351e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_SESSION_TICKET; 352e1051a39Sopenharmony_ci return 1; 353e1051a39Sopenharmony_ci } 354e1051a39Sopenharmony_ci } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 355e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CHANGE; 356e1051a39Sopenharmony_ci return 1; 357e1051a39Sopenharmony_ci } 358e1051a39Sopenharmony_ci break; 359e1051a39Sopenharmony_ci 360e1051a39Sopenharmony_ci case TLS_ST_CR_SESSION_TICKET: 361e1051a39Sopenharmony_ci if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 362e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_CHANGE; 363e1051a39Sopenharmony_ci return 1; 364e1051a39Sopenharmony_ci } 365e1051a39Sopenharmony_ci break; 366e1051a39Sopenharmony_ci 367e1051a39Sopenharmony_ci case TLS_ST_CR_CHANGE: 368e1051a39Sopenharmony_ci if (mt == SSL3_MT_FINISHED) { 369e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_FINISHED; 370e1051a39Sopenharmony_ci return 1; 371e1051a39Sopenharmony_ci } 372e1051a39Sopenharmony_ci break; 373e1051a39Sopenharmony_ci 374e1051a39Sopenharmony_ci case TLS_ST_OK: 375e1051a39Sopenharmony_ci if (mt == SSL3_MT_HELLO_REQUEST) { 376e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CR_HELLO_REQ; 377e1051a39Sopenharmony_ci return 1; 378e1051a39Sopenharmony_ci } 379e1051a39Sopenharmony_ci break; 380e1051a39Sopenharmony_ci } 381e1051a39Sopenharmony_ci 382e1051a39Sopenharmony_ci err: 383e1051a39Sopenharmony_ci /* No valid transition found */ 384e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 385e1051a39Sopenharmony_ci BIO *rbio; 386e1051a39Sopenharmony_ci 387e1051a39Sopenharmony_ci /* 388e1051a39Sopenharmony_ci * CCS messages don't have a message sequence number so this is probably 389e1051a39Sopenharmony_ci * because of an out-of-order CCS. We'll just drop it. 390e1051a39Sopenharmony_ci */ 391e1051a39Sopenharmony_ci s->init_num = 0; 392e1051a39Sopenharmony_ci s->rwstate = SSL_READING; 393e1051a39Sopenharmony_ci rbio = SSL_get_rbio(s); 394e1051a39Sopenharmony_ci BIO_clear_retry_flags(rbio); 395e1051a39Sopenharmony_ci BIO_set_retry_read(rbio); 396e1051a39Sopenharmony_ci return 0; 397e1051a39Sopenharmony_ci } 398e1051a39Sopenharmony_ci SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 399e1051a39Sopenharmony_ci return 0; 400e1051a39Sopenharmony_ci} 401e1051a39Sopenharmony_ci 402e1051a39Sopenharmony_ci/* 403e1051a39Sopenharmony_ci * ossl_statem_client13_write_transition() works out what handshake state to 404e1051a39Sopenharmony_ci * move to next when the TLSv1.3 client is writing messages to be sent to the 405e1051a39Sopenharmony_ci * server. 406e1051a39Sopenharmony_ci */ 407e1051a39Sopenharmony_cistatic WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) 408e1051a39Sopenharmony_ci{ 409e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 410e1051a39Sopenharmony_ci 411e1051a39Sopenharmony_ci /* 412e1051a39Sopenharmony_ci * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 413e1051a39Sopenharmony_ci * TLSv1.3 yet at that point. They are handled by 414e1051a39Sopenharmony_ci * ossl_statem_client_write_transition(). 415e1051a39Sopenharmony_ci */ 416e1051a39Sopenharmony_ci switch (st->hand_state) { 417e1051a39Sopenharmony_ci default: 418e1051a39Sopenharmony_ci /* Shouldn't happen */ 419e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 420e1051a39Sopenharmony_ci return WRITE_TRAN_ERROR; 421e1051a39Sopenharmony_ci 422e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 423e1051a39Sopenharmony_ci if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 424e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CERT; 425e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 426e1051a39Sopenharmony_ci } 427e1051a39Sopenharmony_ci /* 428e1051a39Sopenharmony_ci * We should only get here if we received a CertificateRequest after 429e1051a39Sopenharmony_ci * we already sent close_notify 430e1051a39Sopenharmony_ci */ 431e1051a39Sopenharmony_ci if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 432e1051a39Sopenharmony_ci /* Shouldn't happen - same as default case */ 433e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 434e1051a39Sopenharmony_ci return WRITE_TRAN_ERROR; 435e1051a39Sopenharmony_ci } 436e1051a39Sopenharmony_ci st->hand_state = TLS_ST_OK; 437e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 438e1051a39Sopenharmony_ci 439e1051a39Sopenharmony_ci case TLS_ST_CR_FINISHED: 440e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 441e1051a39Sopenharmony_ci || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 442e1051a39Sopenharmony_ci st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 443e1051a39Sopenharmony_ci else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 444e1051a39Sopenharmony_ci && s->hello_retry_request == SSL_HRR_NONE) 445e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 446e1051a39Sopenharmony_ci else 447e1051a39Sopenharmony_ci st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT 448e1051a39Sopenharmony_ci : TLS_ST_CW_FINISHED; 449e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 450e1051a39Sopenharmony_ci 451e1051a39Sopenharmony_ci case TLS_ST_PENDING_EARLY_DATA_END: 452e1051a39Sopenharmony_ci if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 453e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 454e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 455e1051a39Sopenharmony_ci } 456e1051a39Sopenharmony_ci /* Fall through */ 457e1051a39Sopenharmony_ci 458e1051a39Sopenharmony_ci case TLS_ST_CW_END_OF_EARLY_DATA: 459e1051a39Sopenharmony_ci case TLS_ST_CW_CHANGE: 460e1051a39Sopenharmony_ci st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT 461e1051a39Sopenharmony_ci : TLS_ST_CW_FINISHED; 462e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 463e1051a39Sopenharmony_ci 464e1051a39Sopenharmony_ci case TLS_ST_CW_CERT: 465e1051a39Sopenharmony_ci /* If a non-empty Certificate we also send CertificateVerify */ 466e1051a39Sopenharmony_ci st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 467e1051a39Sopenharmony_ci : TLS_ST_CW_FINISHED; 468e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 469e1051a39Sopenharmony_ci 470e1051a39Sopenharmony_ci case TLS_ST_CW_CERT_VRFY: 471e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_FINISHED; 472e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 473e1051a39Sopenharmony_ci 474e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_UPDATE: 475e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_UPDATE: 476e1051a39Sopenharmony_ci case TLS_ST_CR_SESSION_TICKET: 477e1051a39Sopenharmony_ci case TLS_ST_CW_FINISHED: 478e1051a39Sopenharmony_ci st->hand_state = TLS_ST_OK; 479e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 480e1051a39Sopenharmony_ci 481e1051a39Sopenharmony_ci case TLS_ST_OK: 482e1051a39Sopenharmony_ci if (s->key_update != SSL_KEY_UPDATE_NONE) { 483e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_KEY_UPDATE; 484e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 485e1051a39Sopenharmony_ci } 486e1051a39Sopenharmony_ci 487e1051a39Sopenharmony_ci /* Try to read from the server instead */ 488e1051a39Sopenharmony_ci return WRITE_TRAN_FINISHED; 489e1051a39Sopenharmony_ci } 490e1051a39Sopenharmony_ci} 491e1051a39Sopenharmony_ci 492e1051a39Sopenharmony_ci/* 493e1051a39Sopenharmony_ci * ossl_statem_client_write_transition() works out what handshake state to 494e1051a39Sopenharmony_ci * move to next when the client is writing messages to be sent to the server. 495e1051a39Sopenharmony_ci */ 496e1051a39Sopenharmony_ciWRITE_TRAN ossl_statem_client_write_transition(SSL *s) 497e1051a39Sopenharmony_ci{ 498e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 499e1051a39Sopenharmony_ci 500e1051a39Sopenharmony_ci /* 501e1051a39Sopenharmony_ci * Note that immediately before/after a ClientHello we don't know what 502e1051a39Sopenharmony_ci * version we are going to negotiate yet, so we don't take this branch until 503e1051a39Sopenharmony_ci * later 504e1051a39Sopenharmony_ci */ 505e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) 506e1051a39Sopenharmony_ci return ossl_statem_client13_write_transition(s); 507e1051a39Sopenharmony_ci 508e1051a39Sopenharmony_ci switch (st->hand_state) { 509e1051a39Sopenharmony_ci default: 510e1051a39Sopenharmony_ci /* Shouldn't happen */ 511e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 512e1051a39Sopenharmony_ci return WRITE_TRAN_ERROR; 513e1051a39Sopenharmony_ci 514e1051a39Sopenharmony_ci case TLS_ST_OK: 515e1051a39Sopenharmony_ci if (!s->renegotiate) { 516e1051a39Sopenharmony_ci /* 517e1051a39Sopenharmony_ci * We haven't requested a renegotiation ourselves so we must have 518e1051a39Sopenharmony_ci * received a message from the server. Better read it. 519e1051a39Sopenharmony_ci */ 520e1051a39Sopenharmony_ci return WRITE_TRAN_FINISHED; 521e1051a39Sopenharmony_ci } 522e1051a39Sopenharmony_ci /* Renegotiation */ 523e1051a39Sopenharmony_ci /* fall thru */ 524e1051a39Sopenharmony_ci case TLS_ST_BEFORE: 525e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CLNT_HELLO; 526e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 527e1051a39Sopenharmony_ci 528e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 529e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 530e1051a39Sopenharmony_ci /* 531e1051a39Sopenharmony_ci * We are assuming this is a TLSv1.3 connection, although we haven't 532e1051a39Sopenharmony_ci * actually selected a version yet. 533e1051a39Sopenharmony_ci */ 534e1051a39Sopenharmony_ci if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 535e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 536e1051a39Sopenharmony_ci else 537e1051a39Sopenharmony_ci st->hand_state = TLS_ST_EARLY_DATA; 538e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 539e1051a39Sopenharmony_ci } 540e1051a39Sopenharmony_ci /* 541e1051a39Sopenharmony_ci * No transition at the end of writing because we don't know what 542e1051a39Sopenharmony_ci * we will be sent 543e1051a39Sopenharmony_ci */ 544e1051a39Sopenharmony_ci return WRITE_TRAN_FINISHED; 545e1051a39Sopenharmony_ci 546e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_HELLO: 547e1051a39Sopenharmony_ci /* 548e1051a39Sopenharmony_ci * We only get here in TLSv1.3. We just received an HRR, so issue a 549e1051a39Sopenharmony_ci * CCS unless middlebox compat mode is off, or we already issued one 550e1051a39Sopenharmony_ci * because we did early data. 551e1051a39Sopenharmony_ci */ 552e1051a39Sopenharmony_ci if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 553e1051a39Sopenharmony_ci && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 554e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 555e1051a39Sopenharmony_ci else 556e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CLNT_HELLO; 557e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 558e1051a39Sopenharmony_ci 559e1051a39Sopenharmony_ci case TLS_ST_EARLY_DATA: 560e1051a39Sopenharmony_ci return WRITE_TRAN_FINISHED; 561e1051a39Sopenharmony_ci 562e1051a39Sopenharmony_ci case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 563e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CLNT_HELLO; 564e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 565e1051a39Sopenharmony_ci 566e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_DONE: 567e1051a39Sopenharmony_ci if (s->s3.tmp.cert_req) 568e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CERT; 569e1051a39Sopenharmony_ci else 570e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_KEY_EXCH; 571e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 572e1051a39Sopenharmony_ci 573e1051a39Sopenharmony_ci case TLS_ST_CW_CERT: 574e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_KEY_EXCH; 575e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 576e1051a39Sopenharmony_ci 577e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_EXCH: 578e1051a39Sopenharmony_ci /* 579e1051a39Sopenharmony_ci * For TLS, cert_req is set to 2, so a cert chain of nothing is 580e1051a39Sopenharmony_ci * sent, but no verify packet is sent 581e1051a39Sopenharmony_ci */ 582e1051a39Sopenharmony_ci /* 583e1051a39Sopenharmony_ci * XXX: For now, we do not support client authentication in ECDH 584e1051a39Sopenharmony_ci * cipher suites with ECDH (rather than ECDSA) certificates. We 585e1051a39Sopenharmony_ci * need to skip the certificate verify message when client's 586e1051a39Sopenharmony_ci * ECDH public key is sent inside the client certificate. 587e1051a39Sopenharmony_ci */ 588e1051a39Sopenharmony_ci if (s->s3.tmp.cert_req == 1) { 589e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CERT_VRFY; 590e1051a39Sopenharmony_ci } else { 591e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 592e1051a39Sopenharmony_ci } 593e1051a39Sopenharmony_ci if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 594e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 595e1051a39Sopenharmony_ci } 596e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 597e1051a39Sopenharmony_ci 598e1051a39Sopenharmony_ci case TLS_ST_CW_CERT_VRFY: 599e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 600e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 601e1051a39Sopenharmony_ci 602e1051a39Sopenharmony_ci case TLS_ST_CW_CHANGE: 603e1051a39Sopenharmony_ci if (s->hello_retry_request == SSL_HRR_PENDING) { 604e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CLNT_HELLO; 605e1051a39Sopenharmony_ci } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 606e1051a39Sopenharmony_ci st->hand_state = TLS_ST_EARLY_DATA; 607e1051a39Sopenharmony_ci } else { 608e1051a39Sopenharmony_ci#if defined(OPENSSL_NO_NEXTPROTONEG) 609e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_FINISHED; 610e1051a39Sopenharmony_ci#else 611e1051a39Sopenharmony_ci if (!SSL_IS_DTLS(s) && s->s3.npn_seen) 612e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_NEXT_PROTO; 613e1051a39Sopenharmony_ci else 614e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_FINISHED; 615e1051a39Sopenharmony_ci#endif 616e1051a39Sopenharmony_ci } 617e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 618e1051a39Sopenharmony_ci 619e1051a39Sopenharmony_ci#if !defined(OPENSSL_NO_NEXTPROTONEG) 620e1051a39Sopenharmony_ci case TLS_ST_CW_NEXT_PROTO: 621e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_FINISHED; 622e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 623e1051a39Sopenharmony_ci#endif 624e1051a39Sopenharmony_ci 625e1051a39Sopenharmony_ci case TLS_ST_CW_FINISHED: 626e1051a39Sopenharmony_ci if (s->hit) { 627e1051a39Sopenharmony_ci st->hand_state = TLS_ST_OK; 628e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 629e1051a39Sopenharmony_ci } else { 630e1051a39Sopenharmony_ci return WRITE_TRAN_FINISHED; 631e1051a39Sopenharmony_ci } 632e1051a39Sopenharmony_ci 633e1051a39Sopenharmony_ci case TLS_ST_CR_FINISHED: 634e1051a39Sopenharmony_ci if (s->hit) { 635e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CHANGE; 636e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 637e1051a39Sopenharmony_ci } else { 638e1051a39Sopenharmony_ci st->hand_state = TLS_ST_OK; 639e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 640e1051a39Sopenharmony_ci } 641e1051a39Sopenharmony_ci 642e1051a39Sopenharmony_ci case TLS_ST_CR_HELLO_REQ: 643e1051a39Sopenharmony_ci /* 644e1051a39Sopenharmony_ci * If we can renegotiate now then do so, otherwise wait for a more 645e1051a39Sopenharmony_ci * convenient time. 646e1051a39Sopenharmony_ci */ 647e1051a39Sopenharmony_ci if (ssl3_renegotiate_check(s, 1)) { 648e1051a39Sopenharmony_ci if (!tls_setup_handshake(s)) { 649e1051a39Sopenharmony_ci /* SSLfatal() already called */ 650e1051a39Sopenharmony_ci return WRITE_TRAN_ERROR; 651e1051a39Sopenharmony_ci } 652e1051a39Sopenharmony_ci st->hand_state = TLS_ST_CW_CLNT_HELLO; 653e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 654e1051a39Sopenharmony_ci } 655e1051a39Sopenharmony_ci st->hand_state = TLS_ST_OK; 656e1051a39Sopenharmony_ci return WRITE_TRAN_CONTINUE; 657e1051a39Sopenharmony_ci } 658e1051a39Sopenharmony_ci} 659e1051a39Sopenharmony_ci 660e1051a39Sopenharmony_ci/* 661e1051a39Sopenharmony_ci * Perform any pre work that needs to be done prior to sending a message from 662e1051a39Sopenharmony_ci * the client to the server. 663e1051a39Sopenharmony_ci */ 664e1051a39Sopenharmony_ciWORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) 665e1051a39Sopenharmony_ci{ 666e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 667e1051a39Sopenharmony_ci 668e1051a39Sopenharmony_ci switch (st->hand_state) { 669e1051a39Sopenharmony_ci default: 670e1051a39Sopenharmony_ci /* No pre work to be done */ 671e1051a39Sopenharmony_ci break; 672e1051a39Sopenharmony_ci 673e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 674e1051a39Sopenharmony_ci s->shutdown = 0; 675e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 676e1051a39Sopenharmony_ci /* every DTLS ClientHello resets Finished MAC */ 677e1051a39Sopenharmony_ci if (!ssl3_init_finished_mac(s)) { 678e1051a39Sopenharmony_ci /* SSLfatal() already called */ 679e1051a39Sopenharmony_ci return WORK_ERROR; 680e1051a39Sopenharmony_ci } 681e1051a39Sopenharmony_ci } 682e1051a39Sopenharmony_ci break; 683e1051a39Sopenharmony_ci 684e1051a39Sopenharmony_ci case TLS_ST_CW_CHANGE: 685e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 686e1051a39Sopenharmony_ci if (s->hit) { 687e1051a39Sopenharmony_ci /* 688e1051a39Sopenharmony_ci * We're into the last flight so we don't retransmit these 689e1051a39Sopenharmony_ci * messages unless we need to. 690e1051a39Sopenharmony_ci */ 691e1051a39Sopenharmony_ci st->use_timer = 0; 692e1051a39Sopenharmony_ci } 693e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SCTP 694e1051a39Sopenharmony_ci if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 695e1051a39Sopenharmony_ci /* Calls SSLfatal() as required */ 696e1051a39Sopenharmony_ci return dtls_wait_for_dry(s); 697e1051a39Sopenharmony_ci } 698e1051a39Sopenharmony_ci#endif 699e1051a39Sopenharmony_ci } 700e1051a39Sopenharmony_ci break; 701e1051a39Sopenharmony_ci 702e1051a39Sopenharmony_ci case TLS_ST_PENDING_EARLY_DATA_END: 703e1051a39Sopenharmony_ci /* 704e1051a39Sopenharmony_ci * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 705e1051a39Sopenharmony_ci * attempt to write early data before calling SSL_read() then we press 706e1051a39Sopenharmony_ci * on with the handshake. Otherwise we pause here. 707e1051a39Sopenharmony_ci */ 708e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 709e1051a39Sopenharmony_ci || s->early_data_state == SSL_EARLY_DATA_NONE) 710e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 711e1051a39Sopenharmony_ci /* Fall through */ 712e1051a39Sopenharmony_ci 713e1051a39Sopenharmony_ci case TLS_ST_EARLY_DATA: 714e1051a39Sopenharmony_ci return tls_finish_handshake(s, wst, 0, 1); 715e1051a39Sopenharmony_ci 716e1051a39Sopenharmony_ci case TLS_ST_OK: 717e1051a39Sopenharmony_ci /* Calls SSLfatal() as required */ 718e1051a39Sopenharmony_ci return tls_finish_handshake(s, wst, 1, 1); 719e1051a39Sopenharmony_ci } 720e1051a39Sopenharmony_ci 721e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 722e1051a39Sopenharmony_ci} 723e1051a39Sopenharmony_ci 724e1051a39Sopenharmony_ci/* 725e1051a39Sopenharmony_ci * Perform any work that needs to be done after sending a message from the 726e1051a39Sopenharmony_ci * client to the server. 727e1051a39Sopenharmony_ci */ 728e1051a39Sopenharmony_ciWORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 729e1051a39Sopenharmony_ci{ 730e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 731e1051a39Sopenharmony_ci 732e1051a39Sopenharmony_ci s->init_num = 0; 733e1051a39Sopenharmony_ci 734e1051a39Sopenharmony_ci switch (st->hand_state) { 735e1051a39Sopenharmony_ci default: 736e1051a39Sopenharmony_ci /* No post work to be done */ 737e1051a39Sopenharmony_ci break; 738e1051a39Sopenharmony_ci 739e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 740e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 741e1051a39Sopenharmony_ci && s->max_early_data > 0) { 742e1051a39Sopenharmony_ci /* 743e1051a39Sopenharmony_ci * We haven't selected TLSv1.3 yet so we don't call the change 744e1051a39Sopenharmony_ci * cipher state function associated with the SSL_METHOD. Instead 745e1051a39Sopenharmony_ci * we call tls13_change_cipher_state() directly. 746e1051a39Sopenharmony_ci */ 747e1051a39Sopenharmony_ci if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 748e1051a39Sopenharmony_ci if (!tls13_change_cipher_state(s, 749e1051a39Sopenharmony_ci SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 750e1051a39Sopenharmony_ci /* SSLfatal() already called */ 751e1051a39Sopenharmony_ci return WORK_ERROR; 752e1051a39Sopenharmony_ci } 753e1051a39Sopenharmony_ci } 754e1051a39Sopenharmony_ci /* else we're in compat mode so we delay flushing until after CCS */ 755e1051a39Sopenharmony_ci } else if (!statem_flush(s)) { 756e1051a39Sopenharmony_ci return WORK_MORE_A; 757e1051a39Sopenharmony_ci } 758e1051a39Sopenharmony_ci 759e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 760e1051a39Sopenharmony_ci /* Treat the next message as the first packet */ 761e1051a39Sopenharmony_ci s->first_packet = 1; 762e1051a39Sopenharmony_ci } 763e1051a39Sopenharmony_ci break; 764e1051a39Sopenharmony_ci 765e1051a39Sopenharmony_ci case TLS_ST_CW_END_OF_EARLY_DATA: 766e1051a39Sopenharmony_ci /* 767e1051a39Sopenharmony_ci * We set the enc_write_ctx back to NULL because we may end up writing 768e1051a39Sopenharmony_ci * in cleartext again if we get a HelloRetryRequest from the server. 769e1051a39Sopenharmony_ci */ 770e1051a39Sopenharmony_ci EVP_CIPHER_CTX_free(s->enc_write_ctx); 771e1051a39Sopenharmony_ci s->enc_write_ctx = NULL; 772e1051a39Sopenharmony_ci break; 773e1051a39Sopenharmony_ci 774e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_EXCH: 775e1051a39Sopenharmony_ci if (tls_client_key_exchange_post_work(s) == 0) { 776e1051a39Sopenharmony_ci /* SSLfatal() already called */ 777e1051a39Sopenharmony_ci return WORK_ERROR; 778e1051a39Sopenharmony_ci } 779e1051a39Sopenharmony_ci break; 780e1051a39Sopenharmony_ci 781e1051a39Sopenharmony_ci case TLS_ST_CW_CHANGE: 782e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) 783e1051a39Sopenharmony_ci break; 784e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 785e1051a39Sopenharmony_ci && s->max_early_data > 0) { 786e1051a39Sopenharmony_ci /* 787e1051a39Sopenharmony_ci * We haven't selected TLSv1.3 yet so we don't call the change 788e1051a39Sopenharmony_ci * cipher state function associated with the SSL_METHOD. Instead 789e1051a39Sopenharmony_ci * we call tls13_change_cipher_state() directly. 790e1051a39Sopenharmony_ci */ 791e1051a39Sopenharmony_ci if (!tls13_change_cipher_state(s, 792e1051a39Sopenharmony_ci SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 793e1051a39Sopenharmony_ci return WORK_ERROR; 794e1051a39Sopenharmony_ci break; 795e1051a39Sopenharmony_ci } 796e1051a39Sopenharmony_ci s->session->cipher = s->s3.tmp.new_cipher; 797e1051a39Sopenharmony_ci#ifdef OPENSSL_NO_COMP 798e1051a39Sopenharmony_ci s->session->compress_meth = 0; 799e1051a39Sopenharmony_ci#else 800e1051a39Sopenharmony_ci if (s->s3.tmp.new_compression == NULL) 801e1051a39Sopenharmony_ci s->session->compress_meth = 0; 802e1051a39Sopenharmony_ci else 803e1051a39Sopenharmony_ci s->session->compress_meth = s->s3.tmp.new_compression->id; 804e1051a39Sopenharmony_ci#endif 805e1051a39Sopenharmony_ci if (!s->method->ssl3_enc->setup_key_block(s)) { 806e1051a39Sopenharmony_ci /* SSLfatal() already called */ 807e1051a39Sopenharmony_ci return WORK_ERROR; 808e1051a39Sopenharmony_ci } 809e1051a39Sopenharmony_ci 810e1051a39Sopenharmony_ci if (!s->method->ssl3_enc->change_cipher_state(s, 811e1051a39Sopenharmony_ci SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 812e1051a39Sopenharmony_ci /* SSLfatal() already called */ 813e1051a39Sopenharmony_ci return WORK_ERROR; 814e1051a39Sopenharmony_ci } 815e1051a39Sopenharmony_ci 816e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 817e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SCTP 818e1051a39Sopenharmony_ci if (s->hit) { 819e1051a39Sopenharmony_ci /* 820e1051a39Sopenharmony_ci * Change to new shared key of SCTP-Auth, will be ignored if 821e1051a39Sopenharmony_ci * no SCTP used. 822e1051a39Sopenharmony_ci */ 823e1051a39Sopenharmony_ci BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 824e1051a39Sopenharmony_ci 0, NULL); 825e1051a39Sopenharmony_ci } 826e1051a39Sopenharmony_ci#endif 827e1051a39Sopenharmony_ci 828e1051a39Sopenharmony_ci dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 829e1051a39Sopenharmony_ci } 830e1051a39Sopenharmony_ci break; 831e1051a39Sopenharmony_ci 832e1051a39Sopenharmony_ci case TLS_ST_CW_FINISHED: 833e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SCTP 834e1051a39Sopenharmony_ci if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { 835e1051a39Sopenharmony_ci /* 836e1051a39Sopenharmony_ci * Change to new shared key of SCTP-Auth, will be ignored if 837e1051a39Sopenharmony_ci * no SCTP used. 838e1051a39Sopenharmony_ci */ 839e1051a39Sopenharmony_ci BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 840e1051a39Sopenharmony_ci 0, NULL); 841e1051a39Sopenharmony_ci } 842e1051a39Sopenharmony_ci#endif 843e1051a39Sopenharmony_ci if (statem_flush(s) != 1) 844e1051a39Sopenharmony_ci return WORK_MORE_B; 845e1051a39Sopenharmony_ci 846e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 847e1051a39Sopenharmony_ci if (!tls13_save_handshake_digest_for_pha(s)) { 848e1051a39Sopenharmony_ci /* SSLfatal() already called */ 849e1051a39Sopenharmony_ci return WORK_ERROR; 850e1051a39Sopenharmony_ci } 851e1051a39Sopenharmony_ci if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 852e1051a39Sopenharmony_ci if (!s->method->ssl3_enc->change_cipher_state(s, 853e1051a39Sopenharmony_ci SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 854e1051a39Sopenharmony_ci /* SSLfatal() already called */ 855e1051a39Sopenharmony_ci return WORK_ERROR; 856e1051a39Sopenharmony_ci } 857e1051a39Sopenharmony_ci } 858e1051a39Sopenharmony_ci } 859e1051a39Sopenharmony_ci break; 860e1051a39Sopenharmony_ci 861e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_UPDATE: 862e1051a39Sopenharmony_ci if (statem_flush(s) != 1) 863e1051a39Sopenharmony_ci return WORK_MORE_A; 864e1051a39Sopenharmony_ci if (!tls13_update_key(s, 1)) { 865e1051a39Sopenharmony_ci /* SSLfatal() already called */ 866e1051a39Sopenharmony_ci return WORK_ERROR; 867e1051a39Sopenharmony_ci } 868e1051a39Sopenharmony_ci break; 869e1051a39Sopenharmony_ci } 870e1051a39Sopenharmony_ci 871e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 872e1051a39Sopenharmony_ci} 873e1051a39Sopenharmony_ci 874e1051a39Sopenharmony_ci/* 875e1051a39Sopenharmony_ci * Get the message construction function and message type for sending from the 876e1051a39Sopenharmony_ci * client 877e1051a39Sopenharmony_ci * 878e1051a39Sopenharmony_ci * Valid return values are: 879e1051a39Sopenharmony_ci * 1: Success 880e1051a39Sopenharmony_ci * 0: Error 881e1051a39Sopenharmony_ci */ 882e1051a39Sopenharmony_ciint ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, 883e1051a39Sopenharmony_ci confunc_f *confunc, int *mt) 884e1051a39Sopenharmony_ci{ 885e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 886e1051a39Sopenharmony_ci 887e1051a39Sopenharmony_ci switch (st->hand_state) { 888e1051a39Sopenharmony_ci default: 889e1051a39Sopenharmony_ci /* Shouldn't happen */ 890e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); 891e1051a39Sopenharmony_ci return 0; 892e1051a39Sopenharmony_ci 893e1051a39Sopenharmony_ci case TLS_ST_CW_CHANGE: 894e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) 895e1051a39Sopenharmony_ci *confunc = dtls_construct_change_cipher_spec; 896e1051a39Sopenharmony_ci else 897e1051a39Sopenharmony_ci *confunc = tls_construct_change_cipher_spec; 898e1051a39Sopenharmony_ci *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 899e1051a39Sopenharmony_ci break; 900e1051a39Sopenharmony_ci 901e1051a39Sopenharmony_ci case TLS_ST_CW_CLNT_HELLO: 902e1051a39Sopenharmony_ci *confunc = tls_construct_client_hello; 903e1051a39Sopenharmony_ci *mt = SSL3_MT_CLIENT_HELLO; 904e1051a39Sopenharmony_ci break; 905e1051a39Sopenharmony_ci 906e1051a39Sopenharmony_ci case TLS_ST_CW_END_OF_EARLY_DATA: 907e1051a39Sopenharmony_ci *confunc = tls_construct_end_of_early_data; 908e1051a39Sopenharmony_ci *mt = SSL3_MT_END_OF_EARLY_DATA; 909e1051a39Sopenharmony_ci break; 910e1051a39Sopenharmony_ci 911e1051a39Sopenharmony_ci case TLS_ST_PENDING_EARLY_DATA_END: 912e1051a39Sopenharmony_ci *confunc = NULL; 913e1051a39Sopenharmony_ci *mt = SSL3_MT_DUMMY; 914e1051a39Sopenharmony_ci break; 915e1051a39Sopenharmony_ci 916e1051a39Sopenharmony_ci case TLS_ST_CW_CERT: 917e1051a39Sopenharmony_ci *confunc = tls_construct_client_certificate; 918e1051a39Sopenharmony_ci *mt = SSL3_MT_CERTIFICATE; 919e1051a39Sopenharmony_ci break; 920e1051a39Sopenharmony_ci 921e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_EXCH: 922e1051a39Sopenharmony_ci *confunc = tls_construct_client_key_exchange; 923e1051a39Sopenharmony_ci *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 924e1051a39Sopenharmony_ci break; 925e1051a39Sopenharmony_ci 926e1051a39Sopenharmony_ci case TLS_ST_CW_CERT_VRFY: 927e1051a39Sopenharmony_ci *confunc = tls_construct_cert_verify; 928e1051a39Sopenharmony_ci *mt = SSL3_MT_CERTIFICATE_VERIFY; 929e1051a39Sopenharmony_ci break; 930e1051a39Sopenharmony_ci 931e1051a39Sopenharmony_ci#if !defined(OPENSSL_NO_NEXTPROTONEG) 932e1051a39Sopenharmony_ci case TLS_ST_CW_NEXT_PROTO: 933e1051a39Sopenharmony_ci *confunc = tls_construct_next_proto; 934e1051a39Sopenharmony_ci *mt = SSL3_MT_NEXT_PROTO; 935e1051a39Sopenharmony_ci break; 936e1051a39Sopenharmony_ci#endif 937e1051a39Sopenharmony_ci case TLS_ST_CW_FINISHED: 938e1051a39Sopenharmony_ci *confunc = tls_construct_finished; 939e1051a39Sopenharmony_ci *mt = SSL3_MT_FINISHED; 940e1051a39Sopenharmony_ci break; 941e1051a39Sopenharmony_ci 942e1051a39Sopenharmony_ci case TLS_ST_CW_KEY_UPDATE: 943e1051a39Sopenharmony_ci *confunc = tls_construct_key_update; 944e1051a39Sopenharmony_ci *mt = SSL3_MT_KEY_UPDATE; 945e1051a39Sopenharmony_ci break; 946e1051a39Sopenharmony_ci } 947e1051a39Sopenharmony_ci 948e1051a39Sopenharmony_ci return 1; 949e1051a39Sopenharmony_ci} 950e1051a39Sopenharmony_ci 951e1051a39Sopenharmony_ci/* 952e1051a39Sopenharmony_ci * Returns the maximum allowed length for the current message that we are 953e1051a39Sopenharmony_ci * reading. Excludes the message header. 954e1051a39Sopenharmony_ci */ 955e1051a39Sopenharmony_cisize_t ossl_statem_client_max_message_size(SSL *s) 956e1051a39Sopenharmony_ci{ 957e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 958e1051a39Sopenharmony_ci 959e1051a39Sopenharmony_ci switch (st->hand_state) { 960e1051a39Sopenharmony_ci default: 961e1051a39Sopenharmony_ci /* Shouldn't happen */ 962e1051a39Sopenharmony_ci return 0; 963e1051a39Sopenharmony_ci 964e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_HELLO: 965e1051a39Sopenharmony_ci return SERVER_HELLO_MAX_LENGTH; 966e1051a39Sopenharmony_ci 967e1051a39Sopenharmony_ci case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 968e1051a39Sopenharmony_ci return HELLO_VERIFY_REQUEST_MAX_LENGTH; 969e1051a39Sopenharmony_ci 970e1051a39Sopenharmony_ci case TLS_ST_CR_CERT: 971e1051a39Sopenharmony_ci return s->max_cert_list; 972e1051a39Sopenharmony_ci 973e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_VRFY: 974e1051a39Sopenharmony_ci return SSL3_RT_MAX_PLAIN_LENGTH; 975e1051a39Sopenharmony_ci 976e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_STATUS: 977e1051a39Sopenharmony_ci return SSL3_RT_MAX_PLAIN_LENGTH; 978e1051a39Sopenharmony_ci 979e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_EXCH: 980e1051a39Sopenharmony_ci return SERVER_KEY_EXCH_MAX_LENGTH; 981e1051a39Sopenharmony_ci 982e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 983e1051a39Sopenharmony_ci /* 984e1051a39Sopenharmony_ci * Set to s->max_cert_list for compatibility with previous releases. In 985e1051a39Sopenharmony_ci * practice these messages can get quite long if servers are configured 986e1051a39Sopenharmony_ci * to provide a long list of acceptable CAs 987e1051a39Sopenharmony_ci */ 988e1051a39Sopenharmony_ci return s->max_cert_list; 989e1051a39Sopenharmony_ci 990e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_DONE: 991e1051a39Sopenharmony_ci return SERVER_HELLO_DONE_MAX_LENGTH; 992e1051a39Sopenharmony_ci 993e1051a39Sopenharmony_ci case TLS_ST_CR_CHANGE: 994e1051a39Sopenharmony_ci if (s->version == DTLS1_BAD_VER) 995e1051a39Sopenharmony_ci return 3; 996e1051a39Sopenharmony_ci return CCS_MAX_LENGTH; 997e1051a39Sopenharmony_ci 998e1051a39Sopenharmony_ci case TLS_ST_CR_SESSION_TICKET: 999e1051a39Sopenharmony_ci return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 1000e1051a39Sopenharmony_ci : SESSION_TICKET_MAX_LENGTH_TLS12; 1001e1051a39Sopenharmony_ci 1002e1051a39Sopenharmony_ci case TLS_ST_CR_FINISHED: 1003e1051a39Sopenharmony_ci return FINISHED_MAX_LENGTH; 1004e1051a39Sopenharmony_ci 1005e1051a39Sopenharmony_ci case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1006e1051a39Sopenharmony_ci return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1007e1051a39Sopenharmony_ci 1008e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_UPDATE: 1009e1051a39Sopenharmony_ci return KEY_UPDATE_MAX_LENGTH; 1010e1051a39Sopenharmony_ci } 1011e1051a39Sopenharmony_ci} 1012e1051a39Sopenharmony_ci 1013e1051a39Sopenharmony_ci/* 1014e1051a39Sopenharmony_ci * Process a message that the client has received from the server. 1015e1051a39Sopenharmony_ci */ 1016e1051a39Sopenharmony_ciMSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) 1017e1051a39Sopenharmony_ci{ 1018e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 1019e1051a39Sopenharmony_ci 1020e1051a39Sopenharmony_ci switch (st->hand_state) { 1021e1051a39Sopenharmony_ci default: 1022e1051a39Sopenharmony_ci /* Shouldn't happen */ 1023e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1024e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1025e1051a39Sopenharmony_ci 1026e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_HELLO: 1027e1051a39Sopenharmony_ci return tls_process_server_hello(s, pkt); 1028e1051a39Sopenharmony_ci 1029e1051a39Sopenharmony_ci case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1030e1051a39Sopenharmony_ci return dtls_process_hello_verify(s, pkt); 1031e1051a39Sopenharmony_ci 1032e1051a39Sopenharmony_ci case TLS_ST_CR_CERT: 1033e1051a39Sopenharmony_ci return tls_process_server_certificate(s, pkt); 1034e1051a39Sopenharmony_ci 1035e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_VRFY: 1036e1051a39Sopenharmony_ci return tls_process_cert_verify(s, pkt); 1037e1051a39Sopenharmony_ci 1038e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_STATUS: 1039e1051a39Sopenharmony_ci return tls_process_cert_status(s, pkt); 1040e1051a39Sopenharmony_ci 1041e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_EXCH: 1042e1051a39Sopenharmony_ci return tls_process_key_exchange(s, pkt); 1043e1051a39Sopenharmony_ci 1044e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 1045e1051a39Sopenharmony_ci return tls_process_certificate_request(s, pkt); 1046e1051a39Sopenharmony_ci 1047e1051a39Sopenharmony_ci case TLS_ST_CR_SRVR_DONE: 1048e1051a39Sopenharmony_ci return tls_process_server_done(s, pkt); 1049e1051a39Sopenharmony_ci 1050e1051a39Sopenharmony_ci case TLS_ST_CR_CHANGE: 1051e1051a39Sopenharmony_ci return tls_process_change_cipher_spec(s, pkt); 1052e1051a39Sopenharmony_ci 1053e1051a39Sopenharmony_ci case TLS_ST_CR_SESSION_TICKET: 1054e1051a39Sopenharmony_ci return tls_process_new_session_ticket(s, pkt); 1055e1051a39Sopenharmony_ci 1056e1051a39Sopenharmony_ci case TLS_ST_CR_FINISHED: 1057e1051a39Sopenharmony_ci return tls_process_finished(s, pkt); 1058e1051a39Sopenharmony_ci 1059e1051a39Sopenharmony_ci case TLS_ST_CR_HELLO_REQ: 1060e1051a39Sopenharmony_ci return tls_process_hello_req(s, pkt); 1061e1051a39Sopenharmony_ci 1062e1051a39Sopenharmony_ci case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1063e1051a39Sopenharmony_ci return tls_process_encrypted_extensions(s, pkt); 1064e1051a39Sopenharmony_ci 1065e1051a39Sopenharmony_ci case TLS_ST_CR_KEY_UPDATE: 1066e1051a39Sopenharmony_ci return tls_process_key_update(s, pkt); 1067e1051a39Sopenharmony_ci } 1068e1051a39Sopenharmony_ci} 1069e1051a39Sopenharmony_ci 1070e1051a39Sopenharmony_ci/* 1071e1051a39Sopenharmony_ci * Perform any further processing required following the receipt of a message 1072e1051a39Sopenharmony_ci * from the server 1073e1051a39Sopenharmony_ci */ 1074e1051a39Sopenharmony_ciWORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) 1075e1051a39Sopenharmony_ci{ 1076e1051a39Sopenharmony_ci OSSL_STATEM *st = &s->statem; 1077e1051a39Sopenharmony_ci 1078e1051a39Sopenharmony_ci switch (st->hand_state) { 1079e1051a39Sopenharmony_ci default: 1080e1051a39Sopenharmony_ci /* Shouldn't happen */ 1081e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1082e1051a39Sopenharmony_ci return WORK_ERROR; 1083e1051a39Sopenharmony_ci 1084e1051a39Sopenharmony_ci case TLS_ST_CR_CERT: 1085e1051a39Sopenharmony_ci return tls_post_process_server_certificate(s, wst); 1086e1051a39Sopenharmony_ci 1087e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_VRFY: 1088e1051a39Sopenharmony_ci case TLS_ST_CR_CERT_REQ: 1089e1051a39Sopenharmony_ci return tls_prepare_client_certificate(s, wst); 1090e1051a39Sopenharmony_ci } 1091e1051a39Sopenharmony_ci} 1092e1051a39Sopenharmony_ci 1093e1051a39Sopenharmony_ciint tls_construct_client_hello(SSL *s, WPACKET *pkt) 1094e1051a39Sopenharmony_ci{ 1095e1051a39Sopenharmony_ci unsigned char *p; 1096e1051a39Sopenharmony_ci size_t sess_id_len; 1097e1051a39Sopenharmony_ci int i, protverr; 1098e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 1099e1051a39Sopenharmony_ci SSL_COMP *comp; 1100e1051a39Sopenharmony_ci#endif 1101e1051a39Sopenharmony_ci SSL_SESSION *sess = s->session; 1102e1051a39Sopenharmony_ci unsigned char *session_id; 1103e1051a39Sopenharmony_ci 1104e1051a39Sopenharmony_ci /* Work out what SSL/TLS/DTLS version to use */ 1105e1051a39Sopenharmony_ci protverr = ssl_set_client_hello_version(s); 1106e1051a39Sopenharmony_ci if (protverr != 0) { 1107e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); 1108e1051a39Sopenharmony_ci return 0; 1109e1051a39Sopenharmony_ci } 1110e1051a39Sopenharmony_ci 1111e1051a39Sopenharmony_ci if (sess == NULL 1112e1051a39Sopenharmony_ci || !ssl_version_supported(s, sess->ssl_version, NULL) 1113e1051a39Sopenharmony_ci || !SSL_SESSION_is_resumable(sess)) { 1114e1051a39Sopenharmony_ci if (s->hello_retry_request == SSL_HRR_NONE 1115e1051a39Sopenharmony_ci && !ssl_get_new_session(s, 0)) { 1116e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1117e1051a39Sopenharmony_ci return 0; 1118e1051a39Sopenharmony_ci } 1119e1051a39Sopenharmony_ci } 1120e1051a39Sopenharmony_ci /* else use the pre-loaded session */ 1121e1051a39Sopenharmony_ci 1122e1051a39Sopenharmony_ci p = s->s3.client_random; 1123e1051a39Sopenharmony_ci 1124e1051a39Sopenharmony_ci /* 1125e1051a39Sopenharmony_ci * for DTLS if client_random is initialized, reuse it, we are 1126e1051a39Sopenharmony_ci * required to use same upon reply to HelloVerify 1127e1051a39Sopenharmony_ci */ 1128e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 1129e1051a39Sopenharmony_ci size_t idx; 1130e1051a39Sopenharmony_ci i = 1; 1131e1051a39Sopenharmony_ci for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { 1132e1051a39Sopenharmony_ci if (p[idx]) { 1133e1051a39Sopenharmony_ci i = 0; 1134e1051a39Sopenharmony_ci break; 1135e1051a39Sopenharmony_ci } 1136e1051a39Sopenharmony_ci } 1137e1051a39Sopenharmony_ci } else { 1138e1051a39Sopenharmony_ci i = (s->hello_retry_request == SSL_HRR_NONE); 1139e1051a39Sopenharmony_ci } 1140e1051a39Sopenharmony_ci 1141e1051a39Sopenharmony_ci if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), 1142e1051a39Sopenharmony_ci DOWNGRADE_NONE) <= 0) { 1143e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1144e1051a39Sopenharmony_ci return 0; 1145e1051a39Sopenharmony_ci } 1146e1051a39Sopenharmony_ci 1147e1051a39Sopenharmony_ci /*- 1148e1051a39Sopenharmony_ci * version indicates the negotiated version: for example from 1149e1051a39Sopenharmony_ci * an SSLv2/v3 compatible client hello). The client_version 1150e1051a39Sopenharmony_ci * field is the maximum version we permit and it is also 1151e1051a39Sopenharmony_ci * used in RSA encrypted premaster secrets. Some servers can 1152e1051a39Sopenharmony_ci * choke if we initially report a higher version then 1153e1051a39Sopenharmony_ci * renegotiate to a lower one in the premaster secret. This 1154e1051a39Sopenharmony_ci * didn't happen with TLS 1.0 as most servers supported it 1155e1051a39Sopenharmony_ci * but it can with TLS 1.1 or later if the server only supports 1156e1051a39Sopenharmony_ci * 1.0. 1157e1051a39Sopenharmony_ci * 1158e1051a39Sopenharmony_ci * Possible scenario with previous logic: 1159e1051a39Sopenharmony_ci * 1. Client hello indicates TLS 1.2 1160e1051a39Sopenharmony_ci * 2. Server hello says TLS 1.0 1161e1051a39Sopenharmony_ci * 3. RSA encrypted premaster secret uses 1.2. 1162e1051a39Sopenharmony_ci * 4. Handshake proceeds using TLS 1.0. 1163e1051a39Sopenharmony_ci * 5. Server sends hello request to renegotiate. 1164e1051a39Sopenharmony_ci * 6. Client hello indicates TLS v1.0 as we now 1165e1051a39Sopenharmony_ci * know that is maximum server supports. 1166e1051a39Sopenharmony_ci * 7. Server chokes on RSA encrypted premaster secret 1167e1051a39Sopenharmony_ci * containing version 1.0. 1168e1051a39Sopenharmony_ci * 1169e1051a39Sopenharmony_ci * For interoperability it should be OK to always use the 1170e1051a39Sopenharmony_ci * maximum version we support in client hello and then rely 1171e1051a39Sopenharmony_ci * on the checking of version to ensure the servers isn't 1172e1051a39Sopenharmony_ci * being inconsistent: for example initially negotiating with 1173e1051a39Sopenharmony_ci * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1174e1051a39Sopenharmony_ci * client_version in client hello and not resetting it to 1175e1051a39Sopenharmony_ci * the negotiated version. 1176e1051a39Sopenharmony_ci * 1177e1051a39Sopenharmony_ci * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1178e1051a39Sopenharmony_ci * supported_versions extension for the real supported versions. 1179e1051a39Sopenharmony_ci */ 1180e1051a39Sopenharmony_ci if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1181e1051a39Sopenharmony_ci || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { 1182e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1183e1051a39Sopenharmony_ci return 0; 1184e1051a39Sopenharmony_ci } 1185e1051a39Sopenharmony_ci 1186e1051a39Sopenharmony_ci /* Session ID */ 1187e1051a39Sopenharmony_ci session_id = s->session->session_id; 1188e1051a39Sopenharmony_ci if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1189e1051a39Sopenharmony_ci if (s->version == TLS1_3_VERSION 1190e1051a39Sopenharmony_ci && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1191e1051a39Sopenharmony_ci sess_id_len = sizeof(s->tmp_session_id); 1192e1051a39Sopenharmony_ci s->tmp_session_id_len = sess_id_len; 1193e1051a39Sopenharmony_ci session_id = s->tmp_session_id; 1194e1051a39Sopenharmony_ci if (s->hello_retry_request == SSL_HRR_NONE 1195e1051a39Sopenharmony_ci && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id, 1196e1051a39Sopenharmony_ci sess_id_len, 0) <= 0) { 1197e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1198e1051a39Sopenharmony_ci return 0; 1199e1051a39Sopenharmony_ci } 1200e1051a39Sopenharmony_ci } else { 1201e1051a39Sopenharmony_ci sess_id_len = 0; 1202e1051a39Sopenharmony_ci } 1203e1051a39Sopenharmony_ci } else { 1204e1051a39Sopenharmony_ci assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1205e1051a39Sopenharmony_ci sess_id_len = s->session->session_id_length; 1206e1051a39Sopenharmony_ci if (s->version == TLS1_3_VERSION) { 1207e1051a39Sopenharmony_ci s->tmp_session_id_len = sess_id_len; 1208e1051a39Sopenharmony_ci memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1209e1051a39Sopenharmony_ci } 1210e1051a39Sopenharmony_ci } 1211e1051a39Sopenharmony_ci if (!WPACKET_start_sub_packet_u8(pkt) 1212e1051a39Sopenharmony_ci || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, 1213e1051a39Sopenharmony_ci sess_id_len)) 1214e1051a39Sopenharmony_ci || !WPACKET_close(pkt)) { 1215e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1216e1051a39Sopenharmony_ci return 0; 1217e1051a39Sopenharmony_ci } 1218e1051a39Sopenharmony_ci 1219e1051a39Sopenharmony_ci /* cookie stuff for DTLS */ 1220e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 1221e1051a39Sopenharmony_ci if (s->d1->cookie_len > sizeof(s->d1->cookie) 1222e1051a39Sopenharmony_ci || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1223e1051a39Sopenharmony_ci s->d1->cookie_len)) { 1224e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1225e1051a39Sopenharmony_ci return 0; 1226e1051a39Sopenharmony_ci } 1227e1051a39Sopenharmony_ci } 1228e1051a39Sopenharmony_ci 1229e1051a39Sopenharmony_ci /* Ciphers supported */ 1230e1051a39Sopenharmony_ci if (!WPACKET_start_sub_packet_u16(pkt)) { 1231e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1232e1051a39Sopenharmony_ci return 0; 1233e1051a39Sopenharmony_ci } 1234e1051a39Sopenharmony_ci 1235e1051a39Sopenharmony_ci if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { 1236e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1237e1051a39Sopenharmony_ci return 0; 1238e1051a39Sopenharmony_ci } 1239e1051a39Sopenharmony_ci if (!WPACKET_close(pkt)) { 1240e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1241e1051a39Sopenharmony_ci return 0; 1242e1051a39Sopenharmony_ci } 1243e1051a39Sopenharmony_ci 1244e1051a39Sopenharmony_ci /* COMPRESSION */ 1245e1051a39Sopenharmony_ci if (!WPACKET_start_sub_packet_u8(pkt)) { 1246e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1247e1051a39Sopenharmony_ci return 0; 1248e1051a39Sopenharmony_ci } 1249e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 1250e1051a39Sopenharmony_ci if (ssl_allow_compression(s) 1251e1051a39Sopenharmony_ci && s->ctx->comp_methods 1252e1051a39Sopenharmony_ci && (SSL_IS_DTLS(s) || s->s3.tmp.max_ver < TLS1_3_VERSION)) { 1253e1051a39Sopenharmony_ci int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); 1254e1051a39Sopenharmony_ci for (i = 0; i < compnum; i++) { 1255e1051a39Sopenharmony_ci comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 1256e1051a39Sopenharmony_ci if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1257e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1258e1051a39Sopenharmony_ci return 0; 1259e1051a39Sopenharmony_ci } 1260e1051a39Sopenharmony_ci } 1261e1051a39Sopenharmony_ci } 1262e1051a39Sopenharmony_ci#endif 1263e1051a39Sopenharmony_ci /* Add the NULL method */ 1264e1051a39Sopenharmony_ci if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1265e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1266e1051a39Sopenharmony_ci return 0; 1267e1051a39Sopenharmony_ci } 1268e1051a39Sopenharmony_ci 1269e1051a39Sopenharmony_ci /* TLS extensions */ 1270e1051a39Sopenharmony_ci if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1271e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1272e1051a39Sopenharmony_ci return 0; 1273e1051a39Sopenharmony_ci } 1274e1051a39Sopenharmony_ci 1275e1051a39Sopenharmony_ci return 1; 1276e1051a39Sopenharmony_ci} 1277e1051a39Sopenharmony_ci 1278e1051a39Sopenharmony_ciMSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) 1279e1051a39Sopenharmony_ci{ 1280e1051a39Sopenharmony_ci size_t cookie_len; 1281e1051a39Sopenharmony_ci PACKET cookiepkt; 1282e1051a39Sopenharmony_ci 1283e1051a39Sopenharmony_ci if (!PACKET_forward(pkt, 2) 1284e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1285e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1286e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1287e1051a39Sopenharmony_ci } 1288e1051a39Sopenharmony_ci 1289e1051a39Sopenharmony_ci cookie_len = PACKET_remaining(&cookiepkt); 1290e1051a39Sopenharmony_ci if (cookie_len > sizeof(s->d1->cookie)) { 1291e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); 1292e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1293e1051a39Sopenharmony_ci } 1294e1051a39Sopenharmony_ci 1295e1051a39Sopenharmony_ci if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1296e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1297e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1298e1051a39Sopenharmony_ci } 1299e1051a39Sopenharmony_ci s->d1->cookie_len = cookie_len; 1300e1051a39Sopenharmony_ci 1301e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 1302e1051a39Sopenharmony_ci} 1303e1051a39Sopenharmony_ci 1304e1051a39Sopenharmony_cistatic int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) 1305e1051a39Sopenharmony_ci{ 1306e1051a39Sopenharmony_ci STACK_OF(SSL_CIPHER) *sk; 1307e1051a39Sopenharmony_ci const SSL_CIPHER *c; 1308e1051a39Sopenharmony_ci int i; 1309e1051a39Sopenharmony_ci 1310e1051a39Sopenharmony_ci c = ssl_get_cipher_by_char(s, cipherchars, 0); 1311e1051a39Sopenharmony_ci if (c == NULL) { 1312e1051a39Sopenharmony_ci /* unknown cipher */ 1313e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); 1314e1051a39Sopenharmony_ci return 0; 1315e1051a39Sopenharmony_ci } 1316e1051a39Sopenharmony_ci /* 1317e1051a39Sopenharmony_ci * If it is a disabled cipher we either didn't send it in client hello, 1318e1051a39Sopenharmony_ci * or it's not allowed for the selected protocol. So we return an error. 1319e1051a39Sopenharmony_ci */ 1320e1051a39Sopenharmony_ci if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1321e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1322e1051a39Sopenharmony_ci return 0; 1323e1051a39Sopenharmony_ci } 1324e1051a39Sopenharmony_ci 1325e1051a39Sopenharmony_ci sk = ssl_get_ciphers_by_id(s); 1326e1051a39Sopenharmony_ci i = sk_SSL_CIPHER_find(sk, c); 1327e1051a39Sopenharmony_ci if (i < 0) { 1328e1051a39Sopenharmony_ci /* we did not say we would use this cipher */ 1329e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1330e1051a39Sopenharmony_ci return 0; 1331e1051a39Sopenharmony_ci } 1332e1051a39Sopenharmony_ci 1333e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL 1334e1051a39Sopenharmony_ci && s->s3.tmp.new_cipher->id != c->id) { 1335e1051a39Sopenharmony_ci /* ServerHello selected a different ciphersuite to that in the HRR */ 1336e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1337e1051a39Sopenharmony_ci return 0; 1338e1051a39Sopenharmony_ci } 1339e1051a39Sopenharmony_ci 1340e1051a39Sopenharmony_ci /* 1341e1051a39Sopenharmony_ci * Depending on the session caching (internal/external), the cipher 1342e1051a39Sopenharmony_ci * and/or cipher_id values may not be set. Make sure that cipher_id is 1343e1051a39Sopenharmony_ci * set and use it for comparison. 1344e1051a39Sopenharmony_ci */ 1345e1051a39Sopenharmony_ci if (s->session->cipher != NULL) 1346e1051a39Sopenharmony_ci s->session->cipher_id = s->session->cipher->id; 1347e1051a39Sopenharmony_ci if (s->hit && (s->session->cipher_id != c->id)) { 1348e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 1349e1051a39Sopenharmony_ci const EVP_MD *md = ssl_md(s->ctx, c->algorithm2); 1350e1051a39Sopenharmony_ci 1351e1051a39Sopenharmony_ci /* 1352e1051a39Sopenharmony_ci * In TLSv1.3 it is valid for the server to select a different 1353e1051a39Sopenharmony_ci * ciphersuite as long as the hash is the same. 1354e1051a39Sopenharmony_ci */ 1355e1051a39Sopenharmony_ci if (md == NULL 1356e1051a39Sopenharmony_ci || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) { 1357e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1358e1051a39Sopenharmony_ci SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1359e1051a39Sopenharmony_ci return 0; 1360e1051a39Sopenharmony_ci } 1361e1051a39Sopenharmony_ci } else { 1362e1051a39Sopenharmony_ci /* 1363e1051a39Sopenharmony_ci * Prior to TLSv1.3 resuming a session always meant using the same 1364e1051a39Sopenharmony_ci * ciphersuite. 1365e1051a39Sopenharmony_ci */ 1366e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1367e1051a39Sopenharmony_ci SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1368e1051a39Sopenharmony_ci return 0; 1369e1051a39Sopenharmony_ci } 1370e1051a39Sopenharmony_ci } 1371e1051a39Sopenharmony_ci s->s3.tmp.new_cipher = c; 1372e1051a39Sopenharmony_ci 1373e1051a39Sopenharmony_ci return 1; 1374e1051a39Sopenharmony_ci} 1375e1051a39Sopenharmony_ci 1376e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 1377e1051a39Sopenharmony_ci{ 1378e1051a39Sopenharmony_ci PACKET session_id, extpkt; 1379e1051a39Sopenharmony_ci size_t session_id_len; 1380e1051a39Sopenharmony_ci const unsigned char *cipherchars; 1381e1051a39Sopenharmony_ci int hrr = 0; 1382e1051a39Sopenharmony_ci unsigned int compression; 1383e1051a39Sopenharmony_ci unsigned int sversion; 1384e1051a39Sopenharmony_ci unsigned int context; 1385e1051a39Sopenharmony_ci RAW_EXTENSION *extensions = NULL; 1386e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 1387e1051a39Sopenharmony_ci SSL_COMP *comp; 1388e1051a39Sopenharmony_ci#endif 1389e1051a39Sopenharmony_ci 1390e1051a39Sopenharmony_ci if (!PACKET_get_net_2(pkt, &sversion)) { 1391e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1392e1051a39Sopenharmony_ci goto err; 1393e1051a39Sopenharmony_ci } 1394e1051a39Sopenharmony_ci 1395e1051a39Sopenharmony_ci /* load the server random */ 1396e1051a39Sopenharmony_ci if (s->version == TLS1_3_VERSION 1397e1051a39Sopenharmony_ci && sversion == TLS1_2_VERSION 1398e1051a39Sopenharmony_ci && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1399e1051a39Sopenharmony_ci && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1400e1051a39Sopenharmony_ci if (s->hello_retry_request != SSL_HRR_NONE) { 1401e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 1402e1051a39Sopenharmony_ci goto err; 1403e1051a39Sopenharmony_ci } 1404e1051a39Sopenharmony_ci s->hello_retry_request = SSL_HRR_PENDING; 1405e1051a39Sopenharmony_ci hrr = 1; 1406e1051a39Sopenharmony_ci if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1407e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1408e1051a39Sopenharmony_ci goto err; 1409e1051a39Sopenharmony_ci } 1410e1051a39Sopenharmony_ci } else { 1411e1051a39Sopenharmony_ci if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { 1412e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1413e1051a39Sopenharmony_ci goto err; 1414e1051a39Sopenharmony_ci } 1415e1051a39Sopenharmony_ci } 1416e1051a39Sopenharmony_ci 1417e1051a39Sopenharmony_ci /* Get the session-id. */ 1418e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1419e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1420e1051a39Sopenharmony_ci goto err; 1421e1051a39Sopenharmony_ci } 1422e1051a39Sopenharmony_ci session_id_len = PACKET_remaining(&session_id); 1423e1051a39Sopenharmony_ci if (session_id_len > sizeof(s->session->session_id) 1424e1051a39Sopenharmony_ci || session_id_len > SSL3_SESSION_ID_SIZE) { 1425e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); 1426e1051a39Sopenharmony_ci goto err; 1427e1051a39Sopenharmony_ci } 1428e1051a39Sopenharmony_ci 1429e1051a39Sopenharmony_ci if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1430e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1431e1051a39Sopenharmony_ci goto err; 1432e1051a39Sopenharmony_ci } 1433e1051a39Sopenharmony_ci 1434e1051a39Sopenharmony_ci if (!PACKET_get_1(pkt, &compression)) { 1435e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1436e1051a39Sopenharmony_ci goto err; 1437e1051a39Sopenharmony_ci } 1438e1051a39Sopenharmony_ci 1439e1051a39Sopenharmony_ci /* TLS extensions */ 1440e1051a39Sopenharmony_ci if (PACKET_remaining(pkt) == 0 && !hrr) { 1441e1051a39Sopenharmony_ci PACKET_null_init(&extpkt); 1442e1051a39Sopenharmony_ci } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1443e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != 0) { 1444e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1445e1051a39Sopenharmony_ci goto err; 1446e1051a39Sopenharmony_ci } 1447e1051a39Sopenharmony_ci 1448e1051a39Sopenharmony_ci if (!hrr) { 1449e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, &extpkt, 1450e1051a39Sopenharmony_ci SSL_EXT_TLS1_2_SERVER_HELLO 1451e1051a39Sopenharmony_ci | SSL_EXT_TLS1_3_SERVER_HELLO, 1452e1051a39Sopenharmony_ci &extensions, NULL, 1)) { 1453e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1454e1051a39Sopenharmony_ci goto err; 1455e1051a39Sopenharmony_ci } 1456e1051a39Sopenharmony_ci 1457e1051a39Sopenharmony_ci if (!ssl_choose_client_version(s, sversion, extensions)) { 1458e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1459e1051a39Sopenharmony_ci goto err; 1460e1051a39Sopenharmony_ci } 1461e1051a39Sopenharmony_ci } 1462e1051a39Sopenharmony_ci 1463e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) || hrr) { 1464e1051a39Sopenharmony_ci if (compression != 0) { 1465e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1466e1051a39Sopenharmony_ci SSL_R_INVALID_COMPRESSION_ALGORITHM); 1467e1051a39Sopenharmony_ci goto err; 1468e1051a39Sopenharmony_ci } 1469e1051a39Sopenharmony_ci 1470e1051a39Sopenharmony_ci if (session_id_len != s->tmp_session_id_len 1471e1051a39Sopenharmony_ci || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1472e1051a39Sopenharmony_ci session_id_len) != 0) { 1473e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); 1474e1051a39Sopenharmony_ci goto err; 1475e1051a39Sopenharmony_ci } 1476e1051a39Sopenharmony_ci } 1477e1051a39Sopenharmony_ci 1478e1051a39Sopenharmony_ci if (hrr) { 1479e1051a39Sopenharmony_ci if (!set_client_ciphersuite(s, cipherchars)) { 1480e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1481e1051a39Sopenharmony_ci goto err; 1482e1051a39Sopenharmony_ci } 1483e1051a39Sopenharmony_ci 1484e1051a39Sopenharmony_ci return tls_process_as_hello_retry_request(s, &extpkt); 1485e1051a39Sopenharmony_ci } 1486e1051a39Sopenharmony_ci 1487e1051a39Sopenharmony_ci /* 1488e1051a39Sopenharmony_ci * Now we have chosen the version we need to check again that the extensions 1489e1051a39Sopenharmony_ci * are appropriate for this version. 1490e1051a39Sopenharmony_ci */ 1491e1051a39Sopenharmony_ci context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1492e1051a39Sopenharmony_ci : SSL_EXT_TLS1_2_SERVER_HELLO; 1493e1051a39Sopenharmony_ci if (!tls_validate_all_contexts(s, context, extensions)) { 1494e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 1495e1051a39Sopenharmony_ci goto err; 1496e1051a39Sopenharmony_ci } 1497e1051a39Sopenharmony_ci 1498e1051a39Sopenharmony_ci s->hit = 0; 1499e1051a39Sopenharmony_ci 1500e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 1501e1051a39Sopenharmony_ci /* 1502e1051a39Sopenharmony_ci * In TLSv1.3 a ServerHello message signals a key change so the end of 1503e1051a39Sopenharmony_ci * the message must be on a record boundary. 1504e1051a39Sopenharmony_ci */ 1505e1051a39Sopenharmony_ci if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1506e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1507e1051a39Sopenharmony_ci SSL_R_NOT_ON_RECORD_BOUNDARY); 1508e1051a39Sopenharmony_ci goto err; 1509e1051a39Sopenharmony_ci } 1510e1051a39Sopenharmony_ci 1511e1051a39Sopenharmony_ci /* This will set s->hit if we are resuming */ 1512e1051a39Sopenharmony_ci if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1513e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_SERVER_HELLO, 1514e1051a39Sopenharmony_ci extensions, NULL, 0)) { 1515e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1516e1051a39Sopenharmony_ci goto err; 1517e1051a39Sopenharmony_ci } 1518e1051a39Sopenharmony_ci } else { 1519e1051a39Sopenharmony_ci /* 1520e1051a39Sopenharmony_ci * Check if we can resume the session based on external pre-shared 1521e1051a39Sopenharmony_ci * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1522e1051a39Sopenharmony_ci * Resumption based on server-side state works with session IDs. 1523e1051a39Sopenharmony_ci * Resumption based on pre-shared Protected Access Credentials (PACs) 1524e1051a39Sopenharmony_ci * works by overriding the SessionTicket extension at the application 1525e1051a39Sopenharmony_ci * layer, and does not send a session ID. (We do not know whether 1526e1051a39Sopenharmony_ci * EAP-FAST servers would honour the session ID.) Therefore, the session 1527e1051a39Sopenharmony_ci * ID alone is not a reliable indicator of session resumption, so we 1528e1051a39Sopenharmony_ci * first check if we can resume, and later peek at the next handshake 1529e1051a39Sopenharmony_ci * message to see if the server wants to resume. 1530e1051a39Sopenharmony_ci */ 1531e1051a39Sopenharmony_ci if (s->version >= TLS1_VERSION 1532e1051a39Sopenharmony_ci && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1533e1051a39Sopenharmony_ci const SSL_CIPHER *pref_cipher = NULL; 1534e1051a39Sopenharmony_ci /* 1535e1051a39Sopenharmony_ci * s->session->master_key_length is a size_t, but this is an int for 1536e1051a39Sopenharmony_ci * backwards compat reasons 1537e1051a39Sopenharmony_ci */ 1538e1051a39Sopenharmony_ci int master_key_length; 1539e1051a39Sopenharmony_ci master_key_length = sizeof(s->session->master_key); 1540e1051a39Sopenharmony_ci if (s->ext.session_secret_cb(s, s->session->master_key, 1541e1051a39Sopenharmony_ci &master_key_length, 1542e1051a39Sopenharmony_ci NULL, &pref_cipher, 1543e1051a39Sopenharmony_ci s->ext.session_secret_cb_arg) 1544e1051a39Sopenharmony_ci && master_key_length > 0) { 1545e1051a39Sopenharmony_ci s->session->master_key_length = master_key_length; 1546e1051a39Sopenharmony_ci s->session->cipher = pref_cipher ? 1547e1051a39Sopenharmony_ci pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1548e1051a39Sopenharmony_ci } else { 1549e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1550e1051a39Sopenharmony_ci goto err; 1551e1051a39Sopenharmony_ci } 1552e1051a39Sopenharmony_ci } 1553e1051a39Sopenharmony_ci 1554e1051a39Sopenharmony_ci if (session_id_len != 0 1555e1051a39Sopenharmony_ci && session_id_len == s->session->session_id_length 1556e1051a39Sopenharmony_ci && memcmp(PACKET_data(&session_id), s->session->session_id, 1557e1051a39Sopenharmony_ci session_id_len) == 0) 1558e1051a39Sopenharmony_ci s->hit = 1; 1559e1051a39Sopenharmony_ci } 1560e1051a39Sopenharmony_ci 1561e1051a39Sopenharmony_ci if (s->hit) { 1562e1051a39Sopenharmony_ci if (s->sid_ctx_length != s->session->sid_ctx_length 1563e1051a39Sopenharmony_ci || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1564e1051a39Sopenharmony_ci /* actually a client application bug */ 1565e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1566e1051a39Sopenharmony_ci SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1567e1051a39Sopenharmony_ci goto err; 1568e1051a39Sopenharmony_ci } 1569e1051a39Sopenharmony_ci } else { 1570e1051a39Sopenharmony_ci /* 1571e1051a39Sopenharmony_ci * If we were trying for session-id reuse but the server 1572e1051a39Sopenharmony_ci * didn't resume, make a new SSL_SESSION. 1573e1051a39Sopenharmony_ci * In the case of EAP-FAST and PAC, we do not send a session ID, 1574e1051a39Sopenharmony_ci * so the PAC-based session secret is always preserved. It'll be 1575e1051a39Sopenharmony_ci * overwritten if the server refuses resumption. 1576e1051a39Sopenharmony_ci */ 1577e1051a39Sopenharmony_ci if (s->session->session_id_length > 0) { 1578e1051a39Sopenharmony_ci ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); 1579e1051a39Sopenharmony_ci if (!ssl_get_new_session(s, 0)) { 1580e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1581e1051a39Sopenharmony_ci goto err; 1582e1051a39Sopenharmony_ci } 1583e1051a39Sopenharmony_ci } 1584e1051a39Sopenharmony_ci 1585e1051a39Sopenharmony_ci s->session->ssl_version = s->version; 1586e1051a39Sopenharmony_ci /* 1587e1051a39Sopenharmony_ci * In TLSv1.2 and below we save the session id we were sent so we can 1588e1051a39Sopenharmony_ci * resume it later. In TLSv1.3 the session id we were sent is just an 1589e1051a39Sopenharmony_ci * echo of what we originally sent in the ClientHello and should not be 1590e1051a39Sopenharmony_ci * used for resumption. 1591e1051a39Sopenharmony_ci */ 1592e1051a39Sopenharmony_ci if (!SSL_IS_TLS13(s)) { 1593e1051a39Sopenharmony_ci s->session->session_id_length = session_id_len; 1594e1051a39Sopenharmony_ci /* session_id_len could be 0 */ 1595e1051a39Sopenharmony_ci if (session_id_len > 0) 1596e1051a39Sopenharmony_ci memcpy(s->session->session_id, PACKET_data(&session_id), 1597e1051a39Sopenharmony_ci session_id_len); 1598e1051a39Sopenharmony_ci } 1599e1051a39Sopenharmony_ci } 1600e1051a39Sopenharmony_ci 1601e1051a39Sopenharmony_ci /* Session version and negotiated protocol version should match */ 1602e1051a39Sopenharmony_ci if (s->version != s->session->ssl_version) { 1603e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1604e1051a39Sopenharmony_ci SSL_R_SSL_SESSION_VERSION_MISMATCH); 1605e1051a39Sopenharmony_ci goto err; 1606e1051a39Sopenharmony_ci } 1607e1051a39Sopenharmony_ci /* 1608e1051a39Sopenharmony_ci * Now that we know the version, update the check to see if it's an allowed 1609e1051a39Sopenharmony_ci * version. 1610e1051a39Sopenharmony_ci */ 1611e1051a39Sopenharmony_ci s->s3.tmp.min_ver = s->version; 1612e1051a39Sopenharmony_ci s->s3.tmp.max_ver = s->version; 1613e1051a39Sopenharmony_ci 1614e1051a39Sopenharmony_ci if (!set_client_ciphersuite(s, cipherchars)) { 1615e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1616e1051a39Sopenharmony_ci goto err; 1617e1051a39Sopenharmony_ci } 1618e1051a39Sopenharmony_ci 1619e1051a39Sopenharmony_ci#ifdef OPENSSL_NO_COMP 1620e1051a39Sopenharmony_ci if (compression != 0) { 1621e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1622e1051a39Sopenharmony_ci SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1623e1051a39Sopenharmony_ci goto err; 1624e1051a39Sopenharmony_ci } 1625e1051a39Sopenharmony_ci /* 1626e1051a39Sopenharmony_ci * If compression is disabled we'd better not try to resume a session 1627e1051a39Sopenharmony_ci * using compression. 1628e1051a39Sopenharmony_ci */ 1629e1051a39Sopenharmony_ci if (s->session->compress_meth != 0) { 1630e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); 1631e1051a39Sopenharmony_ci goto err; 1632e1051a39Sopenharmony_ci } 1633e1051a39Sopenharmony_ci#else 1634e1051a39Sopenharmony_ci if (s->hit && compression != s->session->compress_meth) { 1635e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1636e1051a39Sopenharmony_ci SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1637e1051a39Sopenharmony_ci goto err; 1638e1051a39Sopenharmony_ci } 1639e1051a39Sopenharmony_ci if (compression == 0) 1640e1051a39Sopenharmony_ci comp = NULL; 1641e1051a39Sopenharmony_ci else if (!ssl_allow_compression(s)) { 1642e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); 1643e1051a39Sopenharmony_ci goto err; 1644e1051a39Sopenharmony_ci } else { 1645e1051a39Sopenharmony_ci comp = ssl3_comp_find(s->ctx->comp_methods, compression); 1646e1051a39Sopenharmony_ci } 1647e1051a39Sopenharmony_ci 1648e1051a39Sopenharmony_ci if (compression != 0 && comp == NULL) { 1649e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1650e1051a39Sopenharmony_ci SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1651e1051a39Sopenharmony_ci goto err; 1652e1051a39Sopenharmony_ci } else { 1653e1051a39Sopenharmony_ci s->s3.tmp.new_compression = comp; 1654e1051a39Sopenharmony_ci } 1655e1051a39Sopenharmony_ci#endif 1656e1051a39Sopenharmony_ci 1657e1051a39Sopenharmony_ci if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1658e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1659e1051a39Sopenharmony_ci goto err; 1660e1051a39Sopenharmony_ci } 1661e1051a39Sopenharmony_ci 1662e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SCTP 1663e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s) && s->hit) { 1664e1051a39Sopenharmony_ci unsigned char sctpauthkey[64]; 1665e1051a39Sopenharmony_ci char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1666e1051a39Sopenharmony_ci size_t labellen; 1667e1051a39Sopenharmony_ci 1668e1051a39Sopenharmony_ci /* 1669e1051a39Sopenharmony_ci * Add new shared key for SCTP-Auth, will be ignored if 1670e1051a39Sopenharmony_ci * no SCTP used. 1671e1051a39Sopenharmony_ci */ 1672e1051a39Sopenharmony_ci memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1673e1051a39Sopenharmony_ci sizeof(DTLS1_SCTP_AUTH_LABEL)); 1674e1051a39Sopenharmony_ci 1675e1051a39Sopenharmony_ci /* Don't include the terminating zero. */ 1676e1051a39Sopenharmony_ci labellen = sizeof(labelbuffer) - 1; 1677e1051a39Sopenharmony_ci if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1678e1051a39Sopenharmony_ci labellen += 1; 1679e1051a39Sopenharmony_ci 1680e1051a39Sopenharmony_ci if (SSL_export_keying_material(s, sctpauthkey, 1681e1051a39Sopenharmony_ci sizeof(sctpauthkey), 1682e1051a39Sopenharmony_ci labelbuffer, 1683e1051a39Sopenharmony_ci labellen, NULL, 0, 0) <= 0) { 1684e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1685e1051a39Sopenharmony_ci goto err; 1686e1051a39Sopenharmony_ci } 1687e1051a39Sopenharmony_ci 1688e1051a39Sopenharmony_ci BIO_ctrl(SSL_get_wbio(s), 1689e1051a39Sopenharmony_ci BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1690e1051a39Sopenharmony_ci sizeof(sctpauthkey), sctpauthkey); 1691e1051a39Sopenharmony_ci } 1692e1051a39Sopenharmony_ci#endif 1693e1051a39Sopenharmony_ci 1694e1051a39Sopenharmony_ci /* 1695e1051a39Sopenharmony_ci * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1696e1051a39Sopenharmony_ci * we're done with this message 1697e1051a39Sopenharmony_ci */ 1698e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) 1699e1051a39Sopenharmony_ci && (!s->method->ssl3_enc->setup_key_block(s) 1700e1051a39Sopenharmony_ci || !s->method->ssl3_enc->change_cipher_state(s, 1701e1051a39Sopenharmony_ci SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { 1702e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1703e1051a39Sopenharmony_ci goto err; 1704e1051a39Sopenharmony_ci } 1705e1051a39Sopenharmony_ci 1706e1051a39Sopenharmony_ci OPENSSL_free(extensions); 1707e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 1708e1051a39Sopenharmony_ci err: 1709e1051a39Sopenharmony_ci OPENSSL_free(extensions); 1710e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1711e1051a39Sopenharmony_ci} 1712e1051a39Sopenharmony_ci 1713e1051a39Sopenharmony_cistatic MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, 1714e1051a39Sopenharmony_ci PACKET *extpkt) 1715e1051a39Sopenharmony_ci{ 1716e1051a39Sopenharmony_ci RAW_EXTENSION *extensions = NULL; 1717e1051a39Sopenharmony_ci 1718e1051a39Sopenharmony_ci /* 1719e1051a39Sopenharmony_ci * If we were sending early_data then the enc_write_ctx is now invalid and 1720e1051a39Sopenharmony_ci * should not be used. 1721e1051a39Sopenharmony_ci */ 1722e1051a39Sopenharmony_ci EVP_CIPHER_CTX_free(s->enc_write_ctx); 1723e1051a39Sopenharmony_ci s->enc_write_ctx = NULL; 1724e1051a39Sopenharmony_ci 1725e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1726e1051a39Sopenharmony_ci &extensions, NULL, 1) 1727e1051a39Sopenharmony_ci || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1728e1051a39Sopenharmony_ci extensions, NULL, 0, 1)) { 1729e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1730e1051a39Sopenharmony_ci goto err; 1731e1051a39Sopenharmony_ci } 1732e1051a39Sopenharmony_ci 1733e1051a39Sopenharmony_ci OPENSSL_free(extensions); 1734e1051a39Sopenharmony_ci extensions = NULL; 1735e1051a39Sopenharmony_ci 1736e1051a39Sopenharmony_ci if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { 1737e1051a39Sopenharmony_ci /* 1738e1051a39Sopenharmony_ci * We didn't receive a cookie or a new key_share so the next 1739e1051a39Sopenharmony_ci * ClientHello will not change 1740e1051a39Sopenharmony_ci */ 1741e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); 1742e1051a39Sopenharmony_ci goto err; 1743e1051a39Sopenharmony_ci } 1744e1051a39Sopenharmony_ci 1745e1051a39Sopenharmony_ci /* 1746e1051a39Sopenharmony_ci * Re-initialise the Transcript Hash. We're going to prepopulate it with 1747e1051a39Sopenharmony_ci * a synthetic message_hash in place of ClientHello1. 1748e1051a39Sopenharmony_ci */ 1749e1051a39Sopenharmony_ci if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1750e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1751e1051a39Sopenharmony_ci goto err; 1752e1051a39Sopenharmony_ci } 1753e1051a39Sopenharmony_ci 1754e1051a39Sopenharmony_ci /* 1755e1051a39Sopenharmony_ci * Add this message to the Transcript Hash. Normally this is done 1756e1051a39Sopenharmony_ci * automatically prior to the message processing stage. However due to the 1757e1051a39Sopenharmony_ci * need to create the synthetic message hash, we defer that step until now 1758e1051a39Sopenharmony_ci * for HRR messages. 1759e1051a39Sopenharmony_ci */ 1760e1051a39Sopenharmony_ci if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1761e1051a39Sopenharmony_ci s->init_num + SSL3_HM_HEADER_LENGTH)) { 1762e1051a39Sopenharmony_ci /* SSLfatal() already called */ 1763e1051a39Sopenharmony_ci goto err; 1764e1051a39Sopenharmony_ci } 1765e1051a39Sopenharmony_ci 1766e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 1767e1051a39Sopenharmony_ci err: 1768e1051a39Sopenharmony_ci OPENSSL_free(extensions); 1769e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1770e1051a39Sopenharmony_ci} 1771e1051a39Sopenharmony_ci 1772e1051a39Sopenharmony_ci/* prepare server cert verification by setting s->session->peer_chain from pkt */ 1773e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) 1774e1051a39Sopenharmony_ci{ 1775e1051a39Sopenharmony_ci unsigned long cert_list_len, cert_len; 1776e1051a39Sopenharmony_ci X509 *x = NULL; 1777e1051a39Sopenharmony_ci const unsigned char *certstart, *certbytes; 1778e1051a39Sopenharmony_ci size_t chainidx; 1779e1051a39Sopenharmony_ci unsigned int context = 0; 1780e1051a39Sopenharmony_ci 1781e1051a39Sopenharmony_ci if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { 1782e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1783e1051a39Sopenharmony_ci goto err; 1784e1051a39Sopenharmony_ci } 1785e1051a39Sopenharmony_ci 1786e1051a39Sopenharmony_ci if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 1787e1051a39Sopenharmony_ci || context != 0 1788e1051a39Sopenharmony_ci || !PACKET_get_net_3(pkt, &cert_list_len) 1789e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != cert_list_len 1790e1051a39Sopenharmony_ci || PACKET_remaining(pkt) == 0) { 1791e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1792e1051a39Sopenharmony_ci goto err; 1793e1051a39Sopenharmony_ci } 1794e1051a39Sopenharmony_ci for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 1795e1051a39Sopenharmony_ci if (!PACKET_get_net_3(pkt, &cert_len) 1796e1051a39Sopenharmony_ci || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 1797e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 1798e1051a39Sopenharmony_ci goto err; 1799e1051a39Sopenharmony_ci } 1800e1051a39Sopenharmony_ci 1801e1051a39Sopenharmony_ci certstart = certbytes; 1802e1051a39Sopenharmony_ci x = X509_new_ex(s->ctx->libctx, s->ctx->propq); 1803e1051a39Sopenharmony_ci if (x == NULL) { 1804e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE); 1805e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 1806e1051a39Sopenharmony_ci goto err; 1807e1051a39Sopenharmony_ci } 1808e1051a39Sopenharmony_ci if (d2i_X509(&x, (const unsigned char **)&certbytes, 1809e1051a39Sopenharmony_ci cert_len) == NULL) { 1810e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); 1811e1051a39Sopenharmony_ci goto err; 1812e1051a39Sopenharmony_ci } 1813e1051a39Sopenharmony_ci 1814e1051a39Sopenharmony_ci if (certbytes != (certstart + cert_len)) { 1815e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 1816e1051a39Sopenharmony_ci goto err; 1817e1051a39Sopenharmony_ci } 1818e1051a39Sopenharmony_ci 1819e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 1820e1051a39Sopenharmony_ci RAW_EXTENSION *rawexts = NULL; 1821e1051a39Sopenharmony_ci PACKET extensions; 1822e1051a39Sopenharmony_ci 1823e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 1824e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1825e1051a39Sopenharmony_ci goto err; 1826e1051a39Sopenharmony_ci } 1827e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, &extensions, 1828e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 1829e1051a39Sopenharmony_ci NULL, chainidx == 0) 1830e1051a39Sopenharmony_ci || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 1831e1051a39Sopenharmony_ci rawexts, x, chainidx, 1832e1051a39Sopenharmony_ci PACKET_remaining(pkt) == 0)) { 1833e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 1834e1051a39Sopenharmony_ci /* SSLfatal already called */ 1835e1051a39Sopenharmony_ci goto err; 1836e1051a39Sopenharmony_ci } 1837e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 1838e1051a39Sopenharmony_ci } 1839e1051a39Sopenharmony_ci 1840e1051a39Sopenharmony_ci if (!sk_X509_push(s->session->peer_chain, x)) { 1841e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1842e1051a39Sopenharmony_ci goto err; 1843e1051a39Sopenharmony_ci } 1844e1051a39Sopenharmony_ci x = NULL; 1845e1051a39Sopenharmony_ci } 1846e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_PROCESSING; 1847e1051a39Sopenharmony_ci 1848e1051a39Sopenharmony_ci err: 1849e1051a39Sopenharmony_ci X509_free(x); 1850e1051a39Sopenharmony_ci sk_X509_pop_free(s->session->peer_chain, X509_free); 1851e1051a39Sopenharmony_ci s->session->peer_chain = NULL; 1852e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 1853e1051a39Sopenharmony_ci} 1854e1051a39Sopenharmony_ci 1855e1051a39Sopenharmony_ci/* 1856e1051a39Sopenharmony_ci * Verify the s->session->peer_chain and check server cert type. 1857e1051a39Sopenharmony_ci * On success set s->session->peer and s->session->verify_result. 1858e1051a39Sopenharmony_ci * Else the peer certificate verification callback may request retry. 1859e1051a39Sopenharmony_ci */ 1860e1051a39Sopenharmony_ciWORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) 1861e1051a39Sopenharmony_ci{ 1862e1051a39Sopenharmony_ci X509 *x; 1863e1051a39Sopenharmony_ci EVP_PKEY *pkey = NULL; 1864e1051a39Sopenharmony_ci const SSL_CERT_LOOKUP *clu; 1865e1051a39Sopenharmony_ci size_t certidx; 1866e1051a39Sopenharmony_ci int i; 1867e1051a39Sopenharmony_ci 1868e1051a39Sopenharmony_ci if (s->rwstate == SSL_RETRY_VERIFY) 1869e1051a39Sopenharmony_ci s->rwstate = SSL_NOTHING; 1870e1051a39Sopenharmony_ci i = ssl_verify_cert_chain(s, s->session->peer_chain); 1871e1051a39Sopenharmony_ci if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { 1872e1051a39Sopenharmony_ci return WORK_MORE_A; 1873e1051a39Sopenharmony_ci } 1874e1051a39Sopenharmony_ci /* 1875e1051a39Sopenharmony_ci * The documented interface is that SSL_VERIFY_PEER should be set in order 1876e1051a39Sopenharmony_ci * for client side verification of the server certificate to take place. 1877e1051a39Sopenharmony_ci * However, historically the code has only checked that *any* flag is set 1878e1051a39Sopenharmony_ci * to cause server verification to take place. Use of the other flags makes 1879e1051a39Sopenharmony_ci * no sense in client mode. An attempt to clean up the semantics was 1880e1051a39Sopenharmony_ci * reverted because at least one application *only* set 1881e1051a39Sopenharmony_ci * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 1882e1051a39Sopenharmony_ci * server verification to take place, after the clean up it silently did 1883e1051a39Sopenharmony_ci * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 1884e1051a39Sopenharmony_ci * sent to them because they are void functions. Therefore, we now use the 1885e1051a39Sopenharmony_ci * (less clean) historic behaviour of performing validation if any flag is 1886e1051a39Sopenharmony_ci * set. The *documented* interface remains the same. 1887e1051a39Sopenharmony_ci */ 1888e1051a39Sopenharmony_ci if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { 1889e1051a39Sopenharmony_ci SSLfatal(s, ssl_x509err2alert(s->verify_result), 1890e1051a39Sopenharmony_ci SSL_R_CERTIFICATE_VERIFY_FAILED); 1891e1051a39Sopenharmony_ci return WORK_ERROR; 1892e1051a39Sopenharmony_ci } 1893e1051a39Sopenharmony_ci ERR_clear_error(); /* but we keep s->verify_result */ 1894e1051a39Sopenharmony_ci 1895e1051a39Sopenharmony_ci /* 1896e1051a39Sopenharmony_ci * Inconsistency alert: cert_chain does include the peer's certificate, 1897e1051a39Sopenharmony_ci * which we don't include in statem_srvr.c 1898e1051a39Sopenharmony_ci */ 1899e1051a39Sopenharmony_ci x = sk_X509_value(s->session->peer_chain, 0); 1900e1051a39Sopenharmony_ci 1901e1051a39Sopenharmony_ci pkey = X509_get0_pubkey(x); 1902e1051a39Sopenharmony_ci 1903e1051a39Sopenharmony_ci if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 1904e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1905e1051a39Sopenharmony_ci SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1906e1051a39Sopenharmony_ci return WORK_ERROR; 1907e1051a39Sopenharmony_ci } 1908e1051a39Sopenharmony_ci 1909e1051a39Sopenharmony_ci if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { 1910e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1911e1051a39Sopenharmony_ci return WORK_ERROR; 1912e1051a39Sopenharmony_ci } 1913e1051a39Sopenharmony_ci /* 1914e1051a39Sopenharmony_ci * Check certificate type is consistent with ciphersuite. For TLS 1.3 1915e1051a39Sopenharmony_ci * skip check since TLS 1.3 ciphersuites can be used with any certificate 1916e1051a39Sopenharmony_ci * type. 1917e1051a39Sopenharmony_ci */ 1918e1051a39Sopenharmony_ci if (!SSL_IS_TLS13(s)) { 1919e1051a39Sopenharmony_ci if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { 1920e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); 1921e1051a39Sopenharmony_ci return WORK_ERROR; 1922e1051a39Sopenharmony_ci } 1923e1051a39Sopenharmony_ci } 1924e1051a39Sopenharmony_ci 1925e1051a39Sopenharmony_ci X509_free(s->session->peer); 1926e1051a39Sopenharmony_ci X509_up_ref(x); 1927e1051a39Sopenharmony_ci s->session->peer = x; 1928e1051a39Sopenharmony_ci s->session->verify_result = s->verify_result; 1929e1051a39Sopenharmony_ci 1930e1051a39Sopenharmony_ci /* Save the current hash state for when we receive the CertificateVerify */ 1931e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) 1932e1051a39Sopenharmony_ci && !ssl_handshake_hash(s, s->cert_verify_hash, 1933e1051a39Sopenharmony_ci sizeof(s->cert_verify_hash), 1934e1051a39Sopenharmony_ci &s->cert_verify_hash_len)) { 1935e1051a39Sopenharmony_ci /* SSLfatal() already called */; 1936e1051a39Sopenharmony_ci return WORK_ERROR; 1937e1051a39Sopenharmony_ci } 1938e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 1939e1051a39Sopenharmony_ci} 1940e1051a39Sopenharmony_ci 1941e1051a39Sopenharmony_cistatic int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) 1942e1051a39Sopenharmony_ci{ 1943e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_PSK 1944e1051a39Sopenharmony_ci PACKET psk_identity_hint; 1945e1051a39Sopenharmony_ci 1946e1051a39Sopenharmony_ci /* PSK ciphersuites are preceded by an identity hint */ 1947e1051a39Sopenharmony_ci 1948e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 1949e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1950e1051a39Sopenharmony_ci return 0; 1951e1051a39Sopenharmony_ci } 1952e1051a39Sopenharmony_ci 1953e1051a39Sopenharmony_ci /* 1954e1051a39Sopenharmony_ci * Store PSK identity hint for later use, hint is used in 1955e1051a39Sopenharmony_ci * tls_construct_client_key_exchange. Assume that the maximum length of 1956e1051a39Sopenharmony_ci * a PSK identity hint can be as long as the maximum length of a PSK 1957e1051a39Sopenharmony_ci * identity. 1958e1051a39Sopenharmony_ci */ 1959e1051a39Sopenharmony_ci if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 1960e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); 1961e1051a39Sopenharmony_ci return 0; 1962e1051a39Sopenharmony_ci } 1963e1051a39Sopenharmony_ci 1964e1051a39Sopenharmony_ci if (PACKET_remaining(&psk_identity_hint) == 0) { 1965e1051a39Sopenharmony_ci OPENSSL_free(s->session->psk_identity_hint); 1966e1051a39Sopenharmony_ci s->session->psk_identity_hint = NULL; 1967e1051a39Sopenharmony_ci } else if (!PACKET_strndup(&psk_identity_hint, 1968e1051a39Sopenharmony_ci &s->session->psk_identity_hint)) { 1969e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1970e1051a39Sopenharmony_ci return 0; 1971e1051a39Sopenharmony_ci } 1972e1051a39Sopenharmony_ci 1973e1051a39Sopenharmony_ci return 1; 1974e1051a39Sopenharmony_ci#else 1975e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1976e1051a39Sopenharmony_ci return 0; 1977e1051a39Sopenharmony_ci#endif 1978e1051a39Sopenharmony_ci} 1979e1051a39Sopenharmony_ci 1980e1051a39Sopenharmony_cistatic int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 1981e1051a39Sopenharmony_ci{ 1982e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SRP 1983e1051a39Sopenharmony_ci PACKET prime, generator, salt, server_pub; 1984e1051a39Sopenharmony_ci 1985e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &prime) 1986e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_2(pkt, &generator) 1987e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_1(pkt, &salt) 1988e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 1989e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1990e1051a39Sopenharmony_ci return 0; 1991e1051a39Sopenharmony_ci } 1992e1051a39Sopenharmony_ci 1993e1051a39Sopenharmony_ci if ((s->srp_ctx.N = 1994e1051a39Sopenharmony_ci BN_bin2bn(PACKET_data(&prime), 1995e1051a39Sopenharmony_ci (int)PACKET_remaining(&prime), NULL)) == NULL 1996e1051a39Sopenharmony_ci || (s->srp_ctx.g = 1997e1051a39Sopenharmony_ci BN_bin2bn(PACKET_data(&generator), 1998e1051a39Sopenharmony_ci (int)PACKET_remaining(&generator), NULL)) == NULL 1999e1051a39Sopenharmony_ci || (s->srp_ctx.s = 2000e1051a39Sopenharmony_ci BN_bin2bn(PACKET_data(&salt), 2001e1051a39Sopenharmony_ci (int)PACKET_remaining(&salt), NULL)) == NULL 2002e1051a39Sopenharmony_ci || (s->srp_ctx.B = 2003e1051a39Sopenharmony_ci BN_bin2bn(PACKET_data(&server_pub), 2004e1051a39Sopenharmony_ci (int)PACKET_remaining(&server_pub), NULL)) == NULL) { 2005e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2006e1051a39Sopenharmony_ci return 0; 2007e1051a39Sopenharmony_ci } 2008e1051a39Sopenharmony_ci 2009e1051a39Sopenharmony_ci if (!srp_verify_server_param(s)) { 2010e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2011e1051a39Sopenharmony_ci return 0; 2012e1051a39Sopenharmony_ci } 2013e1051a39Sopenharmony_ci 2014e1051a39Sopenharmony_ci /* We must check if there is a certificate */ 2015e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2016e1051a39Sopenharmony_ci *pkey = X509_get0_pubkey(s->session->peer); 2017e1051a39Sopenharmony_ci 2018e1051a39Sopenharmony_ci return 1; 2019e1051a39Sopenharmony_ci#else 2020e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2021e1051a39Sopenharmony_ci return 0; 2022e1051a39Sopenharmony_ci#endif 2023e1051a39Sopenharmony_ci} 2024e1051a39Sopenharmony_ci 2025e1051a39Sopenharmony_cistatic int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2026e1051a39Sopenharmony_ci{ 2027e1051a39Sopenharmony_ci PACKET prime, generator, pub_key; 2028e1051a39Sopenharmony_ci EVP_PKEY *peer_tmp = NULL; 2029e1051a39Sopenharmony_ci BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2030e1051a39Sopenharmony_ci EVP_PKEY_CTX *pctx = NULL; 2031e1051a39Sopenharmony_ci OSSL_PARAM *params = NULL; 2032e1051a39Sopenharmony_ci OSSL_PARAM_BLD *tmpl = NULL; 2033e1051a39Sopenharmony_ci int ret = 0; 2034e1051a39Sopenharmony_ci 2035e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &prime) 2036e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_2(pkt, &generator) 2037e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2038e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2039e1051a39Sopenharmony_ci return 0; 2040e1051a39Sopenharmony_ci } 2041e1051a39Sopenharmony_ci 2042e1051a39Sopenharmony_ci p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2043e1051a39Sopenharmony_ci g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2044e1051a39Sopenharmony_ci NULL); 2045e1051a39Sopenharmony_ci bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2046e1051a39Sopenharmony_ci (int)PACKET_remaining(&pub_key), NULL); 2047e1051a39Sopenharmony_ci if (p == NULL || g == NULL || bnpub_key == NULL) { 2048e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2049e1051a39Sopenharmony_ci goto err; 2050e1051a39Sopenharmony_ci } 2051e1051a39Sopenharmony_ci 2052e1051a39Sopenharmony_ci tmpl = OSSL_PARAM_BLD_new(); 2053e1051a39Sopenharmony_ci if (tmpl == NULL 2054e1051a39Sopenharmony_ci || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2055e1051a39Sopenharmony_ci || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g) 2056e1051a39Sopenharmony_ci || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, 2057e1051a39Sopenharmony_ci bnpub_key) 2058e1051a39Sopenharmony_ci || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { 2059e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2060e1051a39Sopenharmony_ci goto err; 2061e1051a39Sopenharmony_ci } 2062e1051a39Sopenharmony_ci 2063e1051a39Sopenharmony_ci pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); 2064e1051a39Sopenharmony_ci if (pctx == NULL) { 2065e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2066e1051a39Sopenharmony_ci goto err; 2067e1051a39Sopenharmony_ci } 2068e1051a39Sopenharmony_ci if (EVP_PKEY_fromdata_init(pctx) <= 0 2069e1051a39Sopenharmony_ci || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) { 2070e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); 2071e1051a39Sopenharmony_ci goto err; 2072e1051a39Sopenharmony_ci } 2073e1051a39Sopenharmony_ci 2074e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pctx); 2075e1051a39Sopenharmony_ci pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq); 2076e1051a39Sopenharmony_ci if (pctx == NULL 2077e1051a39Sopenharmony_ci /* 2078e1051a39Sopenharmony_ci * EVP_PKEY_param_check() will verify that the DH params are using 2079e1051a39Sopenharmony_ci * a safe prime. In this context, because we're using ephemeral DH, 2080e1051a39Sopenharmony_ci * we're ok with it not being a safe prime. 2081e1051a39Sopenharmony_ci * EVP_PKEY_param_check_quick() skips the safe prime check. 2082e1051a39Sopenharmony_ci */ 2083e1051a39Sopenharmony_ci || EVP_PKEY_param_check_quick(pctx) != 1 2084e1051a39Sopenharmony_ci || EVP_PKEY_public_check(pctx) != 1) { 2085e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); 2086e1051a39Sopenharmony_ci goto err; 2087e1051a39Sopenharmony_ci } 2088e1051a39Sopenharmony_ci 2089e1051a39Sopenharmony_ci if (!ssl_security(s, SSL_SECOP_TMP_DH, 2090e1051a39Sopenharmony_ci EVP_PKEY_get_security_bits(peer_tmp), 2091e1051a39Sopenharmony_ci 0, peer_tmp)) { 2092e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); 2093e1051a39Sopenharmony_ci goto err; 2094e1051a39Sopenharmony_ci } 2095e1051a39Sopenharmony_ci 2096e1051a39Sopenharmony_ci s->s3.peer_tmp = peer_tmp; 2097e1051a39Sopenharmony_ci peer_tmp = NULL; 2098e1051a39Sopenharmony_ci 2099e1051a39Sopenharmony_ci /* 2100e1051a39Sopenharmony_ci * FIXME: This makes assumptions about which ciphersuites come with 2101e1051a39Sopenharmony_ci * public keys. We should have a less ad-hoc way of doing this 2102e1051a39Sopenharmony_ci */ 2103e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2104e1051a39Sopenharmony_ci *pkey = X509_get0_pubkey(s->session->peer); 2105e1051a39Sopenharmony_ci /* else anonymous DH, so no certificate or pkey. */ 2106e1051a39Sopenharmony_ci 2107e1051a39Sopenharmony_ci ret = 1; 2108e1051a39Sopenharmony_ci 2109e1051a39Sopenharmony_ci err: 2110e1051a39Sopenharmony_ci OSSL_PARAM_BLD_free(tmpl); 2111e1051a39Sopenharmony_ci OSSL_PARAM_free(params); 2112e1051a39Sopenharmony_ci EVP_PKEY_free(peer_tmp); 2113e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pctx); 2114e1051a39Sopenharmony_ci BN_free(p); 2115e1051a39Sopenharmony_ci BN_free(g); 2116e1051a39Sopenharmony_ci BN_free(bnpub_key); 2117e1051a39Sopenharmony_ci 2118e1051a39Sopenharmony_ci return ret; 2119e1051a39Sopenharmony_ci} 2120e1051a39Sopenharmony_ci 2121e1051a39Sopenharmony_cistatic int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2122e1051a39Sopenharmony_ci{ 2123e1051a39Sopenharmony_ci PACKET encoded_pt; 2124e1051a39Sopenharmony_ci unsigned int curve_type, curve_id; 2125e1051a39Sopenharmony_ci 2126e1051a39Sopenharmony_ci /* 2127e1051a39Sopenharmony_ci * Extract elliptic curve parameters and the server's ephemeral ECDH 2128e1051a39Sopenharmony_ci * public key. We only support named (not generic) curves and 2129e1051a39Sopenharmony_ci * ECParameters in this case is just three bytes. 2130e1051a39Sopenharmony_ci */ 2131e1051a39Sopenharmony_ci if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2132e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2133e1051a39Sopenharmony_ci return 0; 2134e1051a39Sopenharmony_ci } 2135e1051a39Sopenharmony_ci /* 2136e1051a39Sopenharmony_ci * Check curve is named curve type and one of our preferences, if not 2137e1051a39Sopenharmony_ci * server has sent an invalid curve. 2138e1051a39Sopenharmony_ci */ 2139e1051a39Sopenharmony_ci if (curve_type != NAMED_CURVE_TYPE 2140e1051a39Sopenharmony_ci || !tls1_check_group_id(s, curve_id, 1)) { 2141e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 2142e1051a39Sopenharmony_ci return 0; 2143e1051a39Sopenharmony_ci } 2144e1051a39Sopenharmony_ci 2145e1051a39Sopenharmony_ci if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { 2146e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2147e1051a39Sopenharmony_ci SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2148e1051a39Sopenharmony_ci return 0; 2149e1051a39Sopenharmony_ci } 2150e1051a39Sopenharmony_ci 2151e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2152e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2153e1051a39Sopenharmony_ci return 0; 2154e1051a39Sopenharmony_ci } 2155e1051a39Sopenharmony_ci 2156e1051a39Sopenharmony_ci if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, 2157e1051a39Sopenharmony_ci PACKET_data(&encoded_pt), 2158e1051a39Sopenharmony_ci PACKET_remaining(&encoded_pt)) <= 0) { 2159e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2160e1051a39Sopenharmony_ci return 0; 2161e1051a39Sopenharmony_ci } 2162e1051a39Sopenharmony_ci 2163e1051a39Sopenharmony_ci /* 2164e1051a39Sopenharmony_ci * The ECC/TLS specification does not mention the use of DSA to sign 2165e1051a39Sopenharmony_ci * ECParameters in the server key exchange message. We do support RSA 2166e1051a39Sopenharmony_ci * and ECDSA. 2167e1051a39Sopenharmony_ci */ 2168e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2169e1051a39Sopenharmony_ci *pkey = X509_get0_pubkey(s->session->peer); 2170e1051a39Sopenharmony_ci else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) 2171e1051a39Sopenharmony_ci *pkey = X509_get0_pubkey(s->session->peer); 2172e1051a39Sopenharmony_ci /* else anonymous ECDH, so no certificate or pkey. */ 2173e1051a39Sopenharmony_ci 2174e1051a39Sopenharmony_ci /* Cache the agreed upon group in the SSL_SESSION */ 2175e1051a39Sopenharmony_ci s->session->kex_group = curve_id; 2176e1051a39Sopenharmony_ci return 1; 2177e1051a39Sopenharmony_ci} 2178e1051a39Sopenharmony_ci 2179e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) 2180e1051a39Sopenharmony_ci{ 2181e1051a39Sopenharmony_ci long alg_k; 2182e1051a39Sopenharmony_ci EVP_PKEY *pkey = NULL; 2183e1051a39Sopenharmony_ci EVP_MD_CTX *md_ctx = NULL; 2184e1051a39Sopenharmony_ci EVP_PKEY_CTX *pctx = NULL; 2185e1051a39Sopenharmony_ci PACKET save_param_start, signature; 2186e1051a39Sopenharmony_ci 2187e1051a39Sopenharmony_ci alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 2188e1051a39Sopenharmony_ci 2189e1051a39Sopenharmony_ci save_param_start = *pkt; 2190e1051a39Sopenharmony_ci 2191e1051a39Sopenharmony_ci EVP_PKEY_free(s->s3.peer_tmp); 2192e1051a39Sopenharmony_ci s->s3.peer_tmp = NULL; 2193e1051a39Sopenharmony_ci 2194e1051a39Sopenharmony_ci if (alg_k & SSL_PSK) { 2195e1051a39Sopenharmony_ci if (!tls_process_ske_psk_preamble(s, pkt)) { 2196e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2197e1051a39Sopenharmony_ci goto err; 2198e1051a39Sopenharmony_ci } 2199e1051a39Sopenharmony_ci } 2200e1051a39Sopenharmony_ci 2201e1051a39Sopenharmony_ci /* Nothing else to do for plain PSK or RSAPSK */ 2202e1051a39Sopenharmony_ci if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2203e1051a39Sopenharmony_ci } else if (alg_k & SSL_kSRP) { 2204e1051a39Sopenharmony_ci if (!tls_process_ske_srp(s, pkt, &pkey)) { 2205e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2206e1051a39Sopenharmony_ci goto err; 2207e1051a39Sopenharmony_ci } 2208e1051a39Sopenharmony_ci } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2209e1051a39Sopenharmony_ci if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2210e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2211e1051a39Sopenharmony_ci goto err; 2212e1051a39Sopenharmony_ci } 2213e1051a39Sopenharmony_ci } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2214e1051a39Sopenharmony_ci if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2215e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2216e1051a39Sopenharmony_ci goto err; 2217e1051a39Sopenharmony_ci } 2218e1051a39Sopenharmony_ci } else if (alg_k) { 2219e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 2220e1051a39Sopenharmony_ci goto err; 2221e1051a39Sopenharmony_ci } 2222e1051a39Sopenharmony_ci 2223e1051a39Sopenharmony_ci /* if it was signed, check the signature */ 2224e1051a39Sopenharmony_ci if (pkey != NULL) { 2225e1051a39Sopenharmony_ci PACKET params; 2226e1051a39Sopenharmony_ci const EVP_MD *md = NULL; 2227e1051a39Sopenharmony_ci unsigned char *tbs; 2228e1051a39Sopenharmony_ci size_t tbslen; 2229e1051a39Sopenharmony_ci int rv; 2230e1051a39Sopenharmony_ci 2231e1051a39Sopenharmony_ci /* 2232e1051a39Sopenharmony_ci * |pkt| now points to the beginning of the signature, so the difference 2233e1051a39Sopenharmony_ci * equals the length of the parameters. 2234e1051a39Sopenharmony_ci */ 2235e1051a39Sopenharmony_ci if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2236e1051a39Sopenharmony_ci PACKET_remaining(&save_param_start) - 2237e1051a39Sopenharmony_ci PACKET_remaining(pkt))) { 2238e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); 2239e1051a39Sopenharmony_ci goto err; 2240e1051a39Sopenharmony_ci } 2241e1051a39Sopenharmony_ci 2242e1051a39Sopenharmony_ci if (SSL_USE_SIGALGS(s)) { 2243e1051a39Sopenharmony_ci unsigned int sigalg; 2244e1051a39Sopenharmony_ci 2245e1051a39Sopenharmony_ci if (!PACKET_get_net_2(pkt, &sigalg)) { 2246e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2247e1051a39Sopenharmony_ci goto err; 2248e1051a39Sopenharmony_ci } 2249e1051a39Sopenharmony_ci if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { 2250e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2251e1051a39Sopenharmony_ci goto err; 2252e1051a39Sopenharmony_ci } 2253e1051a39Sopenharmony_ci } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2254e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2255e1051a39Sopenharmony_ci SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 2256e1051a39Sopenharmony_ci goto err; 2257e1051a39Sopenharmony_ci } 2258e1051a39Sopenharmony_ci 2259e1051a39Sopenharmony_ci if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { 2260e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2261e1051a39Sopenharmony_ci SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); 2262e1051a39Sopenharmony_ci goto err; 2263e1051a39Sopenharmony_ci } 2264e1051a39Sopenharmony_ci if (SSL_USE_SIGALGS(s)) 2265e1051a39Sopenharmony_ci OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 2266e1051a39Sopenharmony_ci md == NULL ? "n/a" : EVP_MD_get0_name(md)); 2267e1051a39Sopenharmony_ci 2268e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &signature) 2269e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != 0) { 2270e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2271e1051a39Sopenharmony_ci goto err; 2272e1051a39Sopenharmony_ci } 2273e1051a39Sopenharmony_ci 2274e1051a39Sopenharmony_ci md_ctx = EVP_MD_CTX_new(); 2275e1051a39Sopenharmony_ci if (md_ctx == NULL) { 2276e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2277e1051a39Sopenharmony_ci goto err; 2278e1051a39Sopenharmony_ci } 2279e1051a39Sopenharmony_ci 2280e1051a39Sopenharmony_ci if (EVP_DigestVerifyInit_ex(md_ctx, &pctx, 2281e1051a39Sopenharmony_ci md == NULL ? NULL : EVP_MD_get0_name(md), 2282e1051a39Sopenharmony_ci s->ctx->libctx, s->ctx->propq, pkey, 2283e1051a39Sopenharmony_ci NULL) <= 0) { 2284e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2285e1051a39Sopenharmony_ci goto err; 2286e1051a39Sopenharmony_ci } 2287e1051a39Sopenharmony_ci if (SSL_USE_PSS(s)) { 2288e1051a39Sopenharmony_ci if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2289e1051a39Sopenharmony_ci || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2290e1051a39Sopenharmony_ci RSA_PSS_SALTLEN_DIGEST) <= 0) { 2291e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2292e1051a39Sopenharmony_ci goto err; 2293e1051a39Sopenharmony_ci } 2294e1051a39Sopenharmony_ci } 2295e1051a39Sopenharmony_ci tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2296e1051a39Sopenharmony_ci PACKET_remaining(¶ms)); 2297e1051a39Sopenharmony_ci if (tbslen == 0) { 2298e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2299e1051a39Sopenharmony_ci goto err; 2300e1051a39Sopenharmony_ci } 2301e1051a39Sopenharmony_ci 2302e1051a39Sopenharmony_ci rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2303e1051a39Sopenharmony_ci PACKET_remaining(&signature), tbs, tbslen); 2304e1051a39Sopenharmony_ci OPENSSL_free(tbs); 2305e1051a39Sopenharmony_ci if (rv <= 0) { 2306e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 2307e1051a39Sopenharmony_ci goto err; 2308e1051a39Sopenharmony_ci } 2309e1051a39Sopenharmony_ci EVP_MD_CTX_free(md_ctx); 2310e1051a39Sopenharmony_ci md_ctx = NULL; 2311e1051a39Sopenharmony_ci } else { 2312e1051a39Sopenharmony_ci /* aNULL, aSRP or PSK do not need public keys */ 2313e1051a39Sopenharmony_ci if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2314e1051a39Sopenharmony_ci && !(alg_k & SSL_PSK)) { 2315e1051a39Sopenharmony_ci /* Might be wrong key type, check it */ 2316e1051a39Sopenharmony_ci if (ssl3_check_cert_and_algorithm(s)) { 2317e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); 2318e1051a39Sopenharmony_ci } 2319e1051a39Sopenharmony_ci /* else this shouldn't happen, SSLfatal() already called */ 2320e1051a39Sopenharmony_ci goto err; 2321e1051a39Sopenharmony_ci } 2322e1051a39Sopenharmony_ci /* still data left over */ 2323e1051a39Sopenharmony_ci if (PACKET_remaining(pkt) != 0) { 2324e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); 2325e1051a39Sopenharmony_ci goto err; 2326e1051a39Sopenharmony_ci } 2327e1051a39Sopenharmony_ci } 2328e1051a39Sopenharmony_ci 2329e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 2330e1051a39Sopenharmony_ci err: 2331e1051a39Sopenharmony_ci EVP_MD_CTX_free(md_ctx); 2332e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2333e1051a39Sopenharmony_ci} 2334e1051a39Sopenharmony_ci 2335e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) 2336e1051a39Sopenharmony_ci{ 2337e1051a39Sopenharmony_ci size_t i; 2338e1051a39Sopenharmony_ci 2339e1051a39Sopenharmony_ci /* Clear certificate validity flags */ 2340e1051a39Sopenharmony_ci for (i = 0; i < SSL_PKEY_NUM; i++) 2341e1051a39Sopenharmony_ci s->s3.tmp.valid_flags[i] = 0; 2342e1051a39Sopenharmony_ci 2343e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 2344e1051a39Sopenharmony_ci PACKET reqctx, extensions; 2345e1051a39Sopenharmony_ci RAW_EXTENSION *rawexts = NULL; 2346e1051a39Sopenharmony_ci 2347e1051a39Sopenharmony_ci if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2348e1051a39Sopenharmony_ci /* 2349e1051a39Sopenharmony_ci * We already sent close_notify. This can only happen in TLSv1.3 2350e1051a39Sopenharmony_ci * post-handshake messages. We can't reasonably respond to this, so 2351e1051a39Sopenharmony_ci * we just ignore it 2352e1051a39Sopenharmony_ci */ 2353e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 2354e1051a39Sopenharmony_ci } 2355e1051a39Sopenharmony_ci 2356e1051a39Sopenharmony_ci /* Free and zero certificate types: it is not present in TLS 1.3 */ 2357e1051a39Sopenharmony_ci OPENSSL_free(s->s3.tmp.ctype); 2358e1051a39Sopenharmony_ci s->s3.tmp.ctype = NULL; 2359e1051a39Sopenharmony_ci s->s3.tmp.ctype_len = 0; 2360e1051a39Sopenharmony_ci OPENSSL_free(s->pha_context); 2361e1051a39Sopenharmony_ci s->pha_context = NULL; 2362e1051a39Sopenharmony_ci s->pha_context_len = 0; 2363e1051a39Sopenharmony_ci 2364e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || 2365e1051a39Sopenharmony_ci !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2366e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2367e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2368e1051a39Sopenharmony_ci } 2369e1051a39Sopenharmony_ci 2370e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2371e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 2372e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2373e1051a39Sopenharmony_ci } 2374e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, &extensions, 2375e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2376e1051a39Sopenharmony_ci &rawexts, NULL, 1) 2377e1051a39Sopenharmony_ci || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2378e1051a39Sopenharmony_ci rawexts, NULL, 0, 1)) { 2379e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2380e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 2381e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2382e1051a39Sopenharmony_ci } 2383e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 2384e1051a39Sopenharmony_ci if (!tls1_process_sigalgs(s)) { 2385e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); 2386e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2387e1051a39Sopenharmony_ci } 2388e1051a39Sopenharmony_ci } else { 2389e1051a39Sopenharmony_ci PACKET ctypes; 2390e1051a39Sopenharmony_ci 2391e1051a39Sopenharmony_ci /* get the certificate types */ 2392e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2393e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2394e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2395e1051a39Sopenharmony_ci } 2396e1051a39Sopenharmony_ci 2397e1051a39Sopenharmony_ci if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { 2398e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2399e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2400e1051a39Sopenharmony_ci } 2401e1051a39Sopenharmony_ci 2402e1051a39Sopenharmony_ci if (SSL_USE_SIGALGS(s)) { 2403e1051a39Sopenharmony_ci PACKET sigalgs; 2404e1051a39Sopenharmony_ci 2405e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2406e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2407e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2408e1051a39Sopenharmony_ci } 2409e1051a39Sopenharmony_ci 2410e1051a39Sopenharmony_ci /* 2411e1051a39Sopenharmony_ci * Despite this being for certificates, preserve compatibility 2412e1051a39Sopenharmony_ci * with pre-TLS 1.3 and use the regular sigalgs field. 2413e1051a39Sopenharmony_ci */ 2414e1051a39Sopenharmony_ci if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2415e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2416e1051a39Sopenharmony_ci SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2417e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2418e1051a39Sopenharmony_ci } 2419e1051a39Sopenharmony_ci if (!tls1_process_sigalgs(s)) { 2420e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2421e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2422e1051a39Sopenharmony_ci } 2423e1051a39Sopenharmony_ci } 2424e1051a39Sopenharmony_ci 2425e1051a39Sopenharmony_ci /* get the CA RDNs */ 2426e1051a39Sopenharmony_ci if (!parse_ca_names(s, pkt)) { 2427e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2428e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2429e1051a39Sopenharmony_ci } 2430e1051a39Sopenharmony_ci } 2431e1051a39Sopenharmony_ci 2432e1051a39Sopenharmony_ci if (PACKET_remaining(pkt) != 0) { 2433e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2434e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2435e1051a39Sopenharmony_ci } 2436e1051a39Sopenharmony_ci 2437e1051a39Sopenharmony_ci /* we should setup a certificate to return.... */ 2438e1051a39Sopenharmony_ci s->s3.tmp.cert_req = 1; 2439e1051a39Sopenharmony_ci 2440e1051a39Sopenharmony_ci /* 2441e1051a39Sopenharmony_ci * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2442e1051a39Sopenharmony_ci * after the CertificateVerify message has been received. This is because 2443e1051a39Sopenharmony_ci * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2444e1051a39Sopenharmony_ci * but in TLSv1.2 it is the other way around. We want to make sure that 2445e1051a39Sopenharmony_ci * SSL_get1_peer_certificate() returns something sensible in 2446e1051a39Sopenharmony_ci * client_cert_cb. 2447e1051a39Sopenharmony_ci */ 2448e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) 2449e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 2450e1051a39Sopenharmony_ci 2451e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_PROCESSING; 2452e1051a39Sopenharmony_ci} 2453e1051a39Sopenharmony_ci 2454e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 2455e1051a39Sopenharmony_ci{ 2456e1051a39Sopenharmony_ci unsigned int ticklen; 2457e1051a39Sopenharmony_ci unsigned long ticket_lifetime_hint, age_add = 0; 2458e1051a39Sopenharmony_ci unsigned int sess_len; 2459e1051a39Sopenharmony_ci RAW_EXTENSION *exts = NULL; 2460e1051a39Sopenharmony_ci PACKET nonce; 2461e1051a39Sopenharmony_ci EVP_MD *sha256 = NULL; 2462e1051a39Sopenharmony_ci 2463e1051a39Sopenharmony_ci PACKET_null_init(&nonce); 2464e1051a39Sopenharmony_ci 2465e1051a39Sopenharmony_ci if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2466e1051a39Sopenharmony_ci || (SSL_IS_TLS13(s) 2467e1051a39Sopenharmony_ci && (!PACKET_get_net_4(pkt, &age_add) 2468e1051a39Sopenharmony_ci || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2469e1051a39Sopenharmony_ci || !PACKET_get_net_2(pkt, &ticklen) 2470e1051a39Sopenharmony_ci || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) 2471e1051a39Sopenharmony_ci : PACKET_remaining(pkt) != ticklen)) { 2472e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2473e1051a39Sopenharmony_ci goto err; 2474e1051a39Sopenharmony_ci } 2475e1051a39Sopenharmony_ci 2476e1051a39Sopenharmony_ci /* 2477e1051a39Sopenharmony_ci * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2478e1051a39Sopenharmony_ci * ticket. We already checked this TLSv1.3 case above, so it should never 2479e1051a39Sopenharmony_ci * be 0 here in that instance 2480e1051a39Sopenharmony_ci */ 2481e1051a39Sopenharmony_ci if (ticklen == 0) 2482e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 2483e1051a39Sopenharmony_ci 2484e1051a39Sopenharmony_ci /* 2485e1051a39Sopenharmony_ci * Sessions must be immutable once they go into the session cache. Otherwise 2486e1051a39Sopenharmony_ci * we can get multi-thread problems. Therefore we don't "update" sessions, 2487e1051a39Sopenharmony_ci * we replace them with a duplicate. In TLSv1.3 we need to do this every 2488e1051a39Sopenharmony_ci * time a NewSessionTicket arrives because those messages arrive 2489e1051a39Sopenharmony_ci * post-handshake and the session may have already gone into the session 2490e1051a39Sopenharmony_ci * cache. 2491e1051a39Sopenharmony_ci */ 2492e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { 2493e1051a39Sopenharmony_ci SSL_SESSION *new_sess; 2494e1051a39Sopenharmony_ci 2495e1051a39Sopenharmony_ci /* 2496e1051a39Sopenharmony_ci * We reused an existing session, so we need to replace it with a new 2497e1051a39Sopenharmony_ci * one 2498e1051a39Sopenharmony_ci */ 2499e1051a39Sopenharmony_ci if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2500e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2501e1051a39Sopenharmony_ci goto err; 2502e1051a39Sopenharmony_ci } 2503e1051a39Sopenharmony_ci 2504e1051a39Sopenharmony_ci if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2505e1051a39Sopenharmony_ci && !SSL_IS_TLS13(s)) { 2506e1051a39Sopenharmony_ci /* 2507e1051a39Sopenharmony_ci * In TLSv1.2 and below the arrival of a new tickets signals that 2508e1051a39Sopenharmony_ci * any old ticket we were using is now out of date, so we remove the 2509e1051a39Sopenharmony_ci * old session from the cache. We carry on if this fails 2510e1051a39Sopenharmony_ci */ 2511e1051a39Sopenharmony_ci SSL_CTX_remove_session(s->session_ctx, s->session); 2512e1051a39Sopenharmony_ci } 2513e1051a39Sopenharmony_ci 2514e1051a39Sopenharmony_ci SSL_SESSION_free(s->session); 2515e1051a39Sopenharmony_ci s->session = new_sess; 2516e1051a39Sopenharmony_ci } 2517e1051a39Sopenharmony_ci 2518e1051a39Sopenharmony_ci s->session->time = time(NULL); 2519e1051a39Sopenharmony_ci ssl_session_calculate_timeout(s->session); 2520e1051a39Sopenharmony_ci 2521e1051a39Sopenharmony_ci OPENSSL_free(s->session->ext.tick); 2522e1051a39Sopenharmony_ci s->session->ext.tick = NULL; 2523e1051a39Sopenharmony_ci s->session->ext.ticklen = 0; 2524e1051a39Sopenharmony_ci 2525e1051a39Sopenharmony_ci s->session->ext.tick = OPENSSL_malloc(ticklen); 2526e1051a39Sopenharmony_ci if (s->session->ext.tick == NULL) { 2527e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2528e1051a39Sopenharmony_ci goto err; 2529e1051a39Sopenharmony_ci } 2530e1051a39Sopenharmony_ci if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2531e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2532e1051a39Sopenharmony_ci goto err; 2533e1051a39Sopenharmony_ci } 2534e1051a39Sopenharmony_ci 2535e1051a39Sopenharmony_ci s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2536e1051a39Sopenharmony_ci s->session->ext.tick_age_add = age_add; 2537e1051a39Sopenharmony_ci s->session->ext.ticklen = ticklen; 2538e1051a39Sopenharmony_ci 2539e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 2540e1051a39Sopenharmony_ci PACKET extpkt; 2541e1051a39Sopenharmony_ci 2542e1051a39Sopenharmony_ci if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2543e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != 0) { 2544e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2545e1051a39Sopenharmony_ci goto err; 2546e1051a39Sopenharmony_ci } 2547e1051a39Sopenharmony_ci 2548e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, &extpkt, 2549e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2550e1051a39Sopenharmony_ci NULL, 1) 2551e1051a39Sopenharmony_ci || !tls_parse_all_extensions(s, 2552e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2553e1051a39Sopenharmony_ci exts, NULL, 0, 1)) { 2554e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2555e1051a39Sopenharmony_ci goto err; 2556e1051a39Sopenharmony_ci } 2557e1051a39Sopenharmony_ci } 2558e1051a39Sopenharmony_ci 2559e1051a39Sopenharmony_ci /* 2560e1051a39Sopenharmony_ci * There are two ways to detect a resumed ticket session. One is to set 2561e1051a39Sopenharmony_ci * an appropriate session ID and then the server must return a match in 2562e1051a39Sopenharmony_ci * ServerHello. This allows the normal client session ID matching to work 2563e1051a39Sopenharmony_ci * and we know much earlier that the ticket has been accepted. The 2564e1051a39Sopenharmony_ci * other way is to set zero length session ID when the ticket is 2565e1051a39Sopenharmony_ci * presented and rely on the handshake to determine session resumption. 2566e1051a39Sopenharmony_ci * We choose the former approach because this fits in with assumptions 2567e1051a39Sopenharmony_ci * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the 2568e1051a39Sopenharmony_ci * ticket. 2569e1051a39Sopenharmony_ci */ 2570e1051a39Sopenharmony_ci sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq); 2571e1051a39Sopenharmony_ci if (sha256 == NULL) { 2572e1051a39Sopenharmony_ci /* Error is already recorded */ 2573e1051a39Sopenharmony_ci SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 2574e1051a39Sopenharmony_ci goto err; 2575e1051a39Sopenharmony_ci } 2576e1051a39Sopenharmony_ci /* 2577e1051a39Sopenharmony_ci * We use sess_len here because EVP_Digest expects an int 2578e1051a39Sopenharmony_ci * but s->session->session_id_length is a size_t 2579e1051a39Sopenharmony_ci */ 2580e1051a39Sopenharmony_ci if (!EVP_Digest(s->session->ext.tick, ticklen, 2581e1051a39Sopenharmony_ci s->session->session_id, &sess_len, 2582e1051a39Sopenharmony_ci sha256, NULL)) { 2583e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2584e1051a39Sopenharmony_ci goto err; 2585e1051a39Sopenharmony_ci } 2586e1051a39Sopenharmony_ci EVP_MD_free(sha256); 2587e1051a39Sopenharmony_ci sha256 = NULL; 2588e1051a39Sopenharmony_ci s->session->session_id_length = sess_len; 2589e1051a39Sopenharmony_ci s->session->not_resumable = 0; 2590e1051a39Sopenharmony_ci 2591e1051a39Sopenharmony_ci /* This is a standalone message in TLSv1.3, so there is no more to read */ 2592e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 2593e1051a39Sopenharmony_ci const EVP_MD *md = ssl_handshake_md(s); 2594e1051a39Sopenharmony_ci int hashleni = EVP_MD_get_size(md); 2595e1051a39Sopenharmony_ci size_t hashlen; 2596e1051a39Sopenharmony_ci static const unsigned char nonce_label[] = "resumption"; 2597e1051a39Sopenharmony_ci 2598e1051a39Sopenharmony_ci /* Ensure cast to size_t is safe */ 2599e1051a39Sopenharmony_ci if (!ossl_assert(hashleni >= 0)) { 2600e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2601e1051a39Sopenharmony_ci goto err; 2602e1051a39Sopenharmony_ci } 2603e1051a39Sopenharmony_ci hashlen = (size_t)hashleni; 2604e1051a39Sopenharmony_ci 2605e1051a39Sopenharmony_ci if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2606e1051a39Sopenharmony_ci nonce_label, 2607e1051a39Sopenharmony_ci sizeof(nonce_label) - 1, 2608e1051a39Sopenharmony_ci PACKET_data(&nonce), 2609e1051a39Sopenharmony_ci PACKET_remaining(&nonce), 2610e1051a39Sopenharmony_ci s->session->master_key, 2611e1051a39Sopenharmony_ci hashlen, 1)) { 2612e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2613e1051a39Sopenharmony_ci goto err; 2614e1051a39Sopenharmony_ci } 2615e1051a39Sopenharmony_ci s->session->master_key_length = hashlen; 2616e1051a39Sopenharmony_ci 2617e1051a39Sopenharmony_ci OPENSSL_free(exts); 2618e1051a39Sopenharmony_ci ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2619e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 2620e1051a39Sopenharmony_ci } 2621e1051a39Sopenharmony_ci 2622e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 2623e1051a39Sopenharmony_ci err: 2624e1051a39Sopenharmony_ci EVP_MD_free(sha256); 2625e1051a39Sopenharmony_ci OPENSSL_free(exts); 2626e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2627e1051a39Sopenharmony_ci} 2628e1051a39Sopenharmony_ci 2629e1051a39Sopenharmony_ci/* 2630e1051a39Sopenharmony_ci * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2631e1051a39Sopenharmony_ci * parse a separate message. Returns 1 on success or 0 on failure 2632e1051a39Sopenharmony_ci */ 2633e1051a39Sopenharmony_ciint tls_process_cert_status_body(SSL *s, PACKET *pkt) 2634e1051a39Sopenharmony_ci{ 2635e1051a39Sopenharmony_ci size_t resplen; 2636e1051a39Sopenharmony_ci unsigned int type; 2637e1051a39Sopenharmony_ci 2638e1051a39Sopenharmony_ci if (!PACKET_get_1(pkt, &type) 2639e1051a39Sopenharmony_ci || type != TLSEXT_STATUSTYPE_ocsp) { 2640e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); 2641e1051a39Sopenharmony_ci return 0; 2642e1051a39Sopenharmony_ci } 2643e1051a39Sopenharmony_ci if (!PACKET_get_net_3_len(pkt, &resplen) 2644e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != resplen) { 2645e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2646e1051a39Sopenharmony_ci return 0; 2647e1051a39Sopenharmony_ci } 2648e1051a39Sopenharmony_ci s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2649e1051a39Sopenharmony_ci if (s->ext.ocsp.resp == NULL) { 2650e1051a39Sopenharmony_ci s->ext.ocsp.resp_len = 0; 2651e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2652e1051a39Sopenharmony_ci return 0; 2653e1051a39Sopenharmony_ci } 2654e1051a39Sopenharmony_ci s->ext.ocsp.resp_len = resplen; 2655e1051a39Sopenharmony_ci if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2656e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2657e1051a39Sopenharmony_ci return 0; 2658e1051a39Sopenharmony_ci } 2659e1051a39Sopenharmony_ci 2660e1051a39Sopenharmony_ci return 1; 2661e1051a39Sopenharmony_ci} 2662e1051a39Sopenharmony_ci 2663e1051a39Sopenharmony_ci 2664e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) 2665e1051a39Sopenharmony_ci{ 2666e1051a39Sopenharmony_ci if (!tls_process_cert_status_body(s, pkt)) { 2667e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2668e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2669e1051a39Sopenharmony_ci } 2670e1051a39Sopenharmony_ci 2671e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 2672e1051a39Sopenharmony_ci} 2673e1051a39Sopenharmony_ci 2674e1051a39Sopenharmony_ci/* 2675e1051a39Sopenharmony_ci * Perform miscellaneous checks and processing after we have received the 2676e1051a39Sopenharmony_ci * server's initial flight. In TLS1.3 this is after the Server Finished message. 2677e1051a39Sopenharmony_ci * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2678e1051a39Sopenharmony_ci * on failure. 2679e1051a39Sopenharmony_ci */ 2680e1051a39Sopenharmony_ciint tls_process_initial_server_flight(SSL *s) 2681e1051a39Sopenharmony_ci{ 2682e1051a39Sopenharmony_ci /* 2683e1051a39Sopenharmony_ci * at this point we check that we have the required stuff from 2684e1051a39Sopenharmony_ci * the server 2685e1051a39Sopenharmony_ci */ 2686e1051a39Sopenharmony_ci if (!ssl3_check_cert_and_algorithm(s)) { 2687e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2688e1051a39Sopenharmony_ci return 0; 2689e1051a39Sopenharmony_ci } 2690e1051a39Sopenharmony_ci 2691e1051a39Sopenharmony_ci /* 2692e1051a39Sopenharmony_ci * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2693e1051a39Sopenharmony_ci * |ext.ocsp.resp_len| values will be set if we actually received a status 2694e1051a39Sopenharmony_ci * message, or NULL and -1 otherwise 2695e1051a39Sopenharmony_ci */ 2696e1051a39Sopenharmony_ci if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2697e1051a39Sopenharmony_ci && s->ctx->ext.status_cb != NULL) { 2698e1051a39Sopenharmony_ci int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); 2699e1051a39Sopenharmony_ci 2700e1051a39Sopenharmony_ci if (ret == 0) { 2701e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2702e1051a39Sopenharmony_ci SSL_R_INVALID_STATUS_RESPONSE); 2703e1051a39Sopenharmony_ci return 0; 2704e1051a39Sopenharmony_ci } 2705e1051a39Sopenharmony_ci if (ret < 0) { 2706e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2707e1051a39Sopenharmony_ci SSL_R_OCSP_CALLBACK_FAILURE); 2708e1051a39Sopenharmony_ci return 0; 2709e1051a39Sopenharmony_ci } 2710e1051a39Sopenharmony_ci } 2711e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_CT 2712e1051a39Sopenharmony_ci if (s->ct_validation_callback != NULL) { 2713e1051a39Sopenharmony_ci /* Note we validate the SCTs whether or not we abort on error */ 2714e1051a39Sopenharmony_ci if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2715e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2716e1051a39Sopenharmony_ci return 0; 2717e1051a39Sopenharmony_ci } 2718e1051a39Sopenharmony_ci } 2719e1051a39Sopenharmony_ci#endif 2720e1051a39Sopenharmony_ci 2721e1051a39Sopenharmony_ci return 1; 2722e1051a39Sopenharmony_ci} 2723e1051a39Sopenharmony_ci 2724e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) 2725e1051a39Sopenharmony_ci{ 2726e1051a39Sopenharmony_ci if (PACKET_remaining(pkt) > 0) { 2727e1051a39Sopenharmony_ci /* should contain no data */ 2728e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2729e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2730e1051a39Sopenharmony_ci } 2731e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SRP 2732e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 2733e1051a39Sopenharmony_ci if (ssl_srp_calc_a_param_intern(s) <= 0) { 2734e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); 2735e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2736e1051a39Sopenharmony_ci } 2737e1051a39Sopenharmony_ci } 2738e1051a39Sopenharmony_ci#endif 2739e1051a39Sopenharmony_ci 2740e1051a39Sopenharmony_ci if (!tls_process_initial_server_flight(s)) { 2741e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2742e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 2743e1051a39Sopenharmony_ci } 2744e1051a39Sopenharmony_ci 2745e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 2746e1051a39Sopenharmony_ci} 2747e1051a39Sopenharmony_ci 2748e1051a39Sopenharmony_cistatic int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) 2749e1051a39Sopenharmony_ci{ 2750e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_PSK 2751e1051a39Sopenharmony_ci int ret = 0; 2752e1051a39Sopenharmony_ci /* 2753e1051a39Sopenharmony_ci * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 2754e1051a39Sopenharmony_ci * \0-terminated identity. The last byte is for us for simulating 2755e1051a39Sopenharmony_ci * strnlen. 2756e1051a39Sopenharmony_ci */ 2757e1051a39Sopenharmony_ci char identity[PSK_MAX_IDENTITY_LEN + 1]; 2758e1051a39Sopenharmony_ci size_t identitylen = 0; 2759e1051a39Sopenharmony_ci unsigned char psk[PSK_MAX_PSK_LEN]; 2760e1051a39Sopenharmony_ci unsigned char *tmppsk = NULL; 2761e1051a39Sopenharmony_ci char *tmpidentity = NULL; 2762e1051a39Sopenharmony_ci size_t psklen = 0; 2763e1051a39Sopenharmony_ci 2764e1051a39Sopenharmony_ci if (s->psk_client_callback == NULL) { 2765e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); 2766e1051a39Sopenharmony_ci goto err; 2767e1051a39Sopenharmony_ci } 2768e1051a39Sopenharmony_ci 2769e1051a39Sopenharmony_ci memset(identity, 0, sizeof(identity)); 2770e1051a39Sopenharmony_ci 2771e1051a39Sopenharmony_ci psklen = s->psk_client_callback(s, s->session->psk_identity_hint, 2772e1051a39Sopenharmony_ci identity, sizeof(identity) - 1, 2773e1051a39Sopenharmony_ci psk, sizeof(psk)); 2774e1051a39Sopenharmony_ci 2775e1051a39Sopenharmony_ci if (psklen > PSK_MAX_PSK_LEN) { 2776e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 2777e1051a39Sopenharmony_ci psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ 2778e1051a39Sopenharmony_ci goto err; 2779e1051a39Sopenharmony_ci } else if (psklen == 0) { 2780e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); 2781e1051a39Sopenharmony_ci goto err; 2782e1051a39Sopenharmony_ci } 2783e1051a39Sopenharmony_ci 2784e1051a39Sopenharmony_ci identitylen = strlen(identity); 2785e1051a39Sopenharmony_ci if (identitylen > PSK_MAX_IDENTITY_LEN) { 2786e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2787e1051a39Sopenharmony_ci goto err; 2788e1051a39Sopenharmony_ci } 2789e1051a39Sopenharmony_ci 2790e1051a39Sopenharmony_ci tmppsk = OPENSSL_memdup(psk, psklen); 2791e1051a39Sopenharmony_ci tmpidentity = OPENSSL_strdup(identity); 2792e1051a39Sopenharmony_ci if (tmppsk == NULL || tmpidentity == NULL) { 2793e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2794e1051a39Sopenharmony_ci goto err; 2795e1051a39Sopenharmony_ci } 2796e1051a39Sopenharmony_ci 2797e1051a39Sopenharmony_ci OPENSSL_free(s->s3.tmp.psk); 2798e1051a39Sopenharmony_ci s->s3.tmp.psk = tmppsk; 2799e1051a39Sopenharmony_ci s->s3.tmp.psklen = psklen; 2800e1051a39Sopenharmony_ci tmppsk = NULL; 2801e1051a39Sopenharmony_ci OPENSSL_free(s->session->psk_identity); 2802e1051a39Sopenharmony_ci s->session->psk_identity = tmpidentity; 2803e1051a39Sopenharmony_ci tmpidentity = NULL; 2804e1051a39Sopenharmony_ci 2805e1051a39Sopenharmony_ci if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 2806e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2807e1051a39Sopenharmony_ci goto err; 2808e1051a39Sopenharmony_ci } 2809e1051a39Sopenharmony_ci 2810e1051a39Sopenharmony_ci ret = 1; 2811e1051a39Sopenharmony_ci 2812e1051a39Sopenharmony_ci err: 2813e1051a39Sopenharmony_ci OPENSSL_cleanse(psk, psklen); 2814e1051a39Sopenharmony_ci OPENSSL_cleanse(identity, sizeof(identity)); 2815e1051a39Sopenharmony_ci OPENSSL_clear_free(tmppsk, psklen); 2816e1051a39Sopenharmony_ci OPENSSL_clear_free(tmpidentity, identitylen); 2817e1051a39Sopenharmony_ci 2818e1051a39Sopenharmony_ci return ret; 2819e1051a39Sopenharmony_ci#else 2820e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2821e1051a39Sopenharmony_ci return 0; 2822e1051a39Sopenharmony_ci#endif 2823e1051a39Sopenharmony_ci} 2824e1051a39Sopenharmony_ci 2825e1051a39Sopenharmony_cistatic int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) 2826e1051a39Sopenharmony_ci{ 2827e1051a39Sopenharmony_ci unsigned char *encdata = NULL; 2828e1051a39Sopenharmony_ci EVP_PKEY *pkey = NULL; 2829e1051a39Sopenharmony_ci EVP_PKEY_CTX *pctx = NULL; 2830e1051a39Sopenharmony_ci size_t enclen; 2831e1051a39Sopenharmony_ci unsigned char *pms = NULL; 2832e1051a39Sopenharmony_ci size_t pmslen = 0; 2833e1051a39Sopenharmony_ci 2834e1051a39Sopenharmony_ci if (s->session->peer == NULL) { 2835e1051a39Sopenharmony_ci /* 2836e1051a39Sopenharmony_ci * We should always have a server certificate with SSL_kRSA. 2837e1051a39Sopenharmony_ci */ 2838e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2839e1051a39Sopenharmony_ci return 0; 2840e1051a39Sopenharmony_ci } 2841e1051a39Sopenharmony_ci 2842e1051a39Sopenharmony_ci pkey = X509_get0_pubkey(s->session->peer); 2843e1051a39Sopenharmony_ci if (!EVP_PKEY_is_a(pkey, "RSA")) { 2844e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2845e1051a39Sopenharmony_ci return 0; 2846e1051a39Sopenharmony_ci } 2847e1051a39Sopenharmony_ci 2848e1051a39Sopenharmony_ci pmslen = SSL_MAX_MASTER_KEY_LENGTH; 2849e1051a39Sopenharmony_ci pms = OPENSSL_malloc(pmslen); 2850e1051a39Sopenharmony_ci if (pms == NULL) { 2851e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2852e1051a39Sopenharmony_ci return 0; 2853e1051a39Sopenharmony_ci } 2854e1051a39Sopenharmony_ci 2855e1051a39Sopenharmony_ci pms[0] = s->client_version >> 8; 2856e1051a39Sopenharmony_ci pms[1] = s->client_version & 0xff; 2857e1051a39Sopenharmony_ci if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { 2858e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2859e1051a39Sopenharmony_ci goto err; 2860e1051a39Sopenharmony_ci } 2861e1051a39Sopenharmony_ci 2862e1051a39Sopenharmony_ci /* Fix buf for TLS and beyond */ 2863e1051a39Sopenharmony_ci if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 2864e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2865e1051a39Sopenharmony_ci goto err; 2866e1051a39Sopenharmony_ci } 2867e1051a39Sopenharmony_ci 2868e1051a39Sopenharmony_ci pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq); 2869e1051a39Sopenharmony_ci if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 2870e1051a39Sopenharmony_ci || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 2871e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2872e1051a39Sopenharmony_ci goto err; 2873e1051a39Sopenharmony_ci } 2874e1051a39Sopenharmony_ci if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 2875e1051a39Sopenharmony_ci || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 2876e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); 2877e1051a39Sopenharmony_ci goto err; 2878e1051a39Sopenharmony_ci } 2879e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pctx); 2880e1051a39Sopenharmony_ci pctx = NULL; 2881e1051a39Sopenharmony_ci 2882e1051a39Sopenharmony_ci /* Fix buf for TLS and beyond */ 2883e1051a39Sopenharmony_ci if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 2884e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2885e1051a39Sopenharmony_ci goto err; 2886e1051a39Sopenharmony_ci } 2887e1051a39Sopenharmony_ci 2888e1051a39Sopenharmony_ci /* Log the premaster secret, if logging is enabled. */ 2889e1051a39Sopenharmony_ci if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 2890e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2891e1051a39Sopenharmony_ci goto err; 2892e1051a39Sopenharmony_ci } 2893e1051a39Sopenharmony_ci 2894e1051a39Sopenharmony_ci s->s3.tmp.pms = pms; 2895e1051a39Sopenharmony_ci s->s3.tmp.pmslen = pmslen; 2896e1051a39Sopenharmony_ci 2897e1051a39Sopenharmony_ci return 1; 2898e1051a39Sopenharmony_ci err: 2899e1051a39Sopenharmony_ci OPENSSL_clear_free(pms, pmslen); 2900e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pctx); 2901e1051a39Sopenharmony_ci 2902e1051a39Sopenharmony_ci return 0; 2903e1051a39Sopenharmony_ci} 2904e1051a39Sopenharmony_ci 2905e1051a39Sopenharmony_cistatic int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) 2906e1051a39Sopenharmony_ci{ 2907e1051a39Sopenharmony_ci EVP_PKEY *ckey = NULL, *skey = NULL; 2908e1051a39Sopenharmony_ci unsigned char *keybytes = NULL; 2909e1051a39Sopenharmony_ci int prime_len; 2910e1051a39Sopenharmony_ci unsigned char *encoded_pub = NULL; 2911e1051a39Sopenharmony_ci size_t encoded_pub_len, pad_len; 2912e1051a39Sopenharmony_ci int ret = 0; 2913e1051a39Sopenharmony_ci 2914e1051a39Sopenharmony_ci skey = s->s3.peer_tmp; 2915e1051a39Sopenharmony_ci if (skey == NULL) { 2916e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2917e1051a39Sopenharmony_ci goto err; 2918e1051a39Sopenharmony_ci } 2919e1051a39Sopenharmony_ci 2920e1051a39Sopenharmony_ci ckey = ssl_generate_pkey(s, skey); 2921e1051a39Sopenharmony_ci if (ckey == NULL) { 2922e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2923e1051a39Sopenharmony_ci goto err; 2924e1051a39Sopenharmony_ci } 2925e1051a39Sopenharmony_ci 2926e1051a39Sopenharmony_ci if (ssl_derive(s, ckey, skey, 0) == 0) { 2927e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2928e1051a39Sopenharmony_ci goto err; 2929e1051a39Sopenharmony_ci } 2930e1051a39Sopenharmony_ci 2931e1051a39Sopenharmony_ci /* send off the data */ 2932e1051a39Sopenharmony_ci 2933e1051a39Sopenharmony_ci /* Generate encoding of server key */ 2934e1051a39Sopenharmony_ci encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub); 2935e1051a39Sopenharmony_ci if (encoded_pub_len == 0) { 2936e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2937e1051a39Sopenharmony_ci EVP_PKEY_free(ckey); 2938e1051a39Sopenharmony_ci return EXT_RETURN_FAIL; 2939e1051a39Sopenharmony_ci } 2940e1051a39Sopenharmony_ci 2941e1051a39Sopenharmony_ci /* 2942e1051a39Sopenharmony_ci * For interoperability with some versions of the Microsoft TLS 2943e1051a39Sopenharmony_ci * stack, we need to zero pad the DHE pub key to the same length 2944e1051a39Sopenharmony_ci * as the prime. 2945e1051a39Sopenharmony_ci */ 2946e1051a39Sopenharmony_ci prime_len = EVP_PKEY_get_size(ckey); 2947e1051a39Sopenharmony_ci pad_len = prime_len - encoded_pub_len; 2948e1051a39Sopenharmony_ci if (pad_len > 0) { 2949e1051a39Sopenharmony_ci if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) { 2950e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2951e1051a39Sopenharmony_ci goto err; 2952e1051a39Sopenharmony_ci } 2953e1051a39Sopenharmony_ci memset(keybytes, 0, pad_len); 2954e1051a39Sopenharmony_ci } 2955e1051a39Sopenharmony_ci 2956e1051a39Sopenharmony_ci if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) { 2957e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2958e1051a39Sopenharmony_ci goto err; 2959e1051a39Sopenharmony_ci } 2960e1051a39Sopenharmony_ci 2961e1051a39Sopenharmony_ci ret = 1; 2962e1051a39Sopenharmony_ci err: 2963e1051a39Sopenharmony_ci OPENSSL_free(encoded_pub); 2964e1051a39Sopenharmony_ci EVP_PKEY_free(ckey); 2965e1051a39Sopenharmony_ci return ret; 2966e1051a39Sopenharmony_ci} 2967e1051a39Sopenharmony_ci 2968e1051a39Sopenharmony_cistatic int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) 2969e1051a39Sopenharmony_ci{ 2970e1051a39Sopenharmony_ci unsigned char *encodedPoint = NULL; 2971e1051a39Sopenharmony_ci size_t encoded_pt_len = 0; 2972e1051a39Sopenharmony_ci EVP_PKEY *ckey = NULL, *skey = NULL; 2973e1051a39Sopenharmony_ci int ret = 0; 2974e1051a39Sopenharmony_ci 2975e1051a39Sopenharmony_ci skey = s->s3.peer_tmp; 2976e1051a39Sopenharmony_ci if (skey == NULL) { 2977e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2978e1051a39Sopenharmony_ci return 0; 2979e1051a39Sopenharmony_ci } 2980e1051a39Sopenharmony_ci 2981e1051a39Sopenharmony_ci ckey = ssl_generate_pkey(s, skey); 2982e1051a39Sopenharmony_ci if (ckey == NULL) { 2983e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2984e1051a39Sopenharmony_ci goto err; 2985e1051a39Sopenharmony_ci } 2986e1051a39Sopenharmony_ci 2987e1051a39Sopenharmony_ci if (ssl_derive(s, ckey, skey, 0) == 0) { 2988e1051a39Sopenharmony_ci /* SSLfatal() already called */ 2989e1051a39Sopenharmony_ci goto err; 2990e1051a39Sopenharmony_ci } 2991e1051a39Sopenharmony_ci 2992e1051a39Sopenharmony_ci /* Generate encoding of client key */ 2993e1051a39Sopenharmony_ci encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint); 2994e1051a39Sopenharmony_ci 2995e1051a39Sopenharmony_ci if (encoded_pt_len == 0) { 2996e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 2997e1051a39Sopenharmony_ci goto err; 2998e1051a39Sopenharmony_ci } 2999e1051a39Sopenharmony_ci 3000e1051a39Sopenharmony_ci if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3001e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3002e1051a39Sopenharmony_ci goto err; 3003e1051a39Sopenharmony_ci } 3004e1051a39Sopenharmony_ci 3005e1051a39Sopenharmony_ci ret = 1; 3006e1051a39Sopenharmony_ci err: 3007e1051a39Sopenharmony_ci OPENSSL_free(encodedPoint); 3008e1051a39Sopenharmony_ci EVP_PKEY_free(ckey); 3009e1051a39Sopenharmony_ci return ret; 3010e1051a39Sopenharmony_ci} 3011e1051a39Sopenharmony_ci 3012e1051a39Sopenharmony_cistatic int tls_construct_cke_gost(SSL *s, WPACKET *pkt) 3013e1051a39Sopenharmony_ci{ 3014e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_GOST 3015e1051a39Sopenharmony_ci /* GOST key exchange message creation */ 3016e1051a39Sopenharmony_ci EVP_PKEY_CTX *pkey_ctx = NULL; 3017e1051a39Sopenharmony_ci X509 *peer_cert; 3018e1051a39Sopenharmony_ci size_t msglen; 3019e1051a39Sopenharmony_ci unsigned int md_len; 3020e1051a39Sopenharmony_ci unsigned char shared_ukm[32], tmp[256]; 3021e1051a39Sopenharmony_ci EVP_MD_CTX *ukm_hash = NULL; 3022e1051a39Sopenharmony_ci int dgst_nid = NID_id_GostR3411_94; 3023e1051a39Sopenharmony_ci unsigned char *pms = NULL; 3024e1051a39Sopenharmony_ci size_t pmslen = 0; 3025e1051a39Sopenharmony_ci 3026e1051a39Sopenharmony_ci if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3027e1051a39Sopenharmony_ci dgst_nid = NID_id_GostR3411_2012_256; 3028e1051a39Sopenharmony_ci 3029e1051a39Sopenharmony_ci /* 3030e1051a39Sopenharmony_ci * Get server certificate PKEY and create ctx from it 3031e1051a39Sopenharmony_ci */ 3032e1051a39Sopenharmony_ci peer_cert = s->session->peer; 3033e1051a39Sopenharmony_ci if (peer_cert == NULL) { 3034e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3035e1051a39Sopenharmony_ci SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3036e1051a39Sopenharmony_ci return 0; 3037e1051a39Sopenharmony_ci } 3038e1051a39Sopenharmony_ci 3039e1051a39Sopenharmony_ci pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, 3040e1051a39Sopenharmony_ci X509_get0_pubkey(peer_cert), 3041e1051a39Sopenharmony_ci s->ctx->propq); 3042e1051a39Sopenharmony_ci if (pkey_ctx == NULL) { 3043e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3044e1051a39Sopenharmony_ci return 0; 3045e1051a39Sopenharmony_ci } 3046e1051a39Sopenharmony_ci /* 3047e1051a39Sopenharmony_ci * If we have send a certificate, and certificate key 3048e1051a39Sopenharmony_ci * parameters match those of server certificate, use 3049e1051a39Sopenharmony_ci * certificate key for key exchange 3050e1051a39Sopenharmony_ci */ 3051e1051a39Sopenharmony_ci 3052e1051a39Sopenharmony_ci /* Otherwise, generate ephemeral key pair */ 3053e1051a39Sopenharmony_ci pmslen = 32; 3054e1051a39Sopenharmony_ci pms = OPENSSL_malloc(pmslen); 3055e1051a39Sopenharmony_ci if (pms == NULL) { 3056e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3057e1051a39Sopenharmony_ci goto err; 3058e1051a39Sopenharmony_ci } 3059e1051a39Sopenharmony_ci 3060e1051a39Sopenharmony_ci if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3061e1051a39Sopenharmony_ci /* Generate session key 3062e1051a39Sopenharmony_ci */ 3063e1051a39Sopenharmony_ci || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { 3064e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3065e1051a39Sopenharmony_ci goto err; 3066e1051a39Sopenharmony_ci }; 3067e1051a39Sopenharmony_ci /* 3068e1051a39Sopenharmony_ci * Compute shared IV and store it in algorithm-specific context 3069e1051a39Sopenharmony_ci * data 3070e1051a39Sopenharmony_ci */ 3071e1051a39Sopenharmony_ci ukm_hash = EVP_MD_CTX_new(); 3072e1051a39Sopenharmony_ci if (ukm_hash == NULL 3073e1051a39Sopenharmony_ci || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3074e1051a39Sopenharmony_ci || EVP_DigestUpdate(ukm_hash, s->s3.client_random, 3075e1051a39Sopenharmony_ci SSL3_RANDOM_SIZE) <= 0 3076e1051a39Sopenharmony_ci || EVP_DigestUpdate(ukm_hash, s->s3.server_random, 3077e1051a39Sopenharmony_ci SSL3_RANDOM_SIZE) <= 0 3078e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3079e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3080e1051a39Sopenharmony_ci goto err; 3081e1051a39Sopenharmony_ci } 3082e1051a39Sopenharmony_ci EVP_MD_CTX_free(ukm_hash); 3083e1051a39Sopenharmony_ci ukm_hash = NULL; 3084e1051a39Sopenharmony_ci if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3085e1051a39Sopenharmony_ci EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) { 3086e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3087e1051a39Sopenharmony_ci goto err; 3088e1051a39Sopenharmony_ci } 3089e1051a39Sopenharmony_ci /* Make GOST keytransport blob message */ 3090e1051a39Sopenharmony_ci /* 3091e1051a39Sopenharmony_ci * Encapsulate it into sequence 3092e1051a39Sopenharmony_ci */ 3093e1051a39Sopenharmony_ci msglen = 255; 3094e1051a39Sopenharmony_ci if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3095e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3096e1051a39Sopenharmony_ci goto err; 3097e1051a39Sopenharmony_ci } 3098e1051a39Sopenharmony_ci 3099e1051a39Sopenharmony_ci if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3100e1051a39Sopenharmony_ci || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3101e1051a39Sopenharmony_ci || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3102e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3103e1051a39Sopenharmony_ci goto err; 3104e1051a39Sopenharmony_ci } 3105e1051a39Sopenharmony_ci 3106e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pkey_ctx); 3107e1051a39Sopenharmony_ci s->s3.tmp.pms = pms; 3108e1051a39Sopenharmony_ci s->s3.tmp.pmslen = pmslen; 3109e1051a39Sopenharmony_ci 3110e1051a39Sopenharmony_ci return 1; 3111e1051a39Sopenharmony_ci err: 3112e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pkey_ctx); 3113e1051a39Sopenharmony_ci OPENSSL_clear_free(pms, pmslen); 3114e1051a39Sopenharmony_ci EVP_MD_CTX_free(ukm_hash); 3115e1051a39Sopenharmony_ci return 0; 3116e1051a39Sopenharmony_ci#else 3117e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3118e1051a39Sopenharmony_ci return 0; 3119e1051a39Sopenharmony_ci#endif 3120e1051a39Sopenharmony_ci} 3121e1051a39Sopenharmony_ci 3122e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_GOST 3123e1051a39Sopenharmony_ciint ossl_gost18_cke_cipher_nid(const SSL *s) 3124e1051a39Sopenharmony_ci{ 3125e1051a39Sopenharmony_ci if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) 3126e1051a39Sopenharmony_ci return NID_magma_ctr; 3127e1051a39Sopenharmony_ci else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) 3128e1051a39Sopenharmony_ci return NID_kuznyechik_ctr; 3129e1051a39Sopenharmony_ci 3130e1051a39Sopenharmony_ci return NID_undef; 3131e1051a39Sopenharmony_ci} 3132e1051a39Sopenharmony_ci 3133e1051a39Sopenharmony_ciint ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf) 3134e1051a39Sopenharmony_ci{ 3135e1051a39Sopenharmony_ci EVP_MD_CTX * hash = NULL; 3136e1051a39Sopenharmony_ci unsigned int md_len; 3137e1051a39Sopenharmony_ci const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256, s->ctx->propq); 3138e1051a39Sopenharmony_ci 3139e1051a39Sopenharmony_ci if (md == NULL) 3140e1051a39Sopenharmony_ci return 0; 3141e1051a39Sopenharmony_ci 3142e1051a39Sopenharmony_ci if ((hash = EVP_MD_CTX_new()) == NULL 3143e1051a39Sopenharmony_ci || EVP_DigestInit(hash, md) <= 0 3144e1051a39Sopenharmony_ci || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 3145e1051a39Sopenharmony_ci || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 3146e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) { 3147e1051a39Sopenharmony_ci EVP_MD_CTX_free(hash); 3148e1051a39Sopenharmony_ci ssl_evp_md_free(md); 3149e1051a39Sopenharmony_ci return 0; 3150e1051a39Sopenharmony_ci } 3151e1051a39Sopenharmony_ci 3152e1051a39Sopenharmony_ci EVP_MD_CTX_free(hash); 3153e1051a39Sopenharmony_ci ssl_evp_md_free(md); 3154e1051a39Sopenharmony_ci return 1; 3155e1051a39Sopenharmony_ci} 3156e1051a39Sopenharmony_ci#endif 3157e1051a39Sopenharmony_ci 3158e1051a39Sopenharmony_cistatic int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) 3159e1051a39Sopenharmony_ci{ 3160e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_GOST 3161e1051a39Sopenharmony_ci /* GOST 2018 key exchange message creation */ 3162e1051a39Sopenharmony_ci unsigned char rnd_dgst[32]; 3163e1051a39Sopenharmony_ci unsigned char *encdata = NULL; 3164e1051a39Sopenharmony_ci EVP_PKEY_CTX *pkey_ctx = NULL; 3165e1051a39Sopenharmony_ci X509 *peer_cert; 3166e1051a39Sopenharmony_ci unsigned char *pms = NULL; 3167e1051a39Sopenharmony_ci size_t pmslen = 0; 3168e1051a39Sopenharmony_ci size_t msglen; 3169e1051a39Sopenharmony_ci int cipher_nid = ossl_gost18_cke_cipher_nid(s); 3170e1051a39Sopenharmony_ci 3171e1051a39Sopenharmony_ci if (cipher_nid == NID_undef) { 3172e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3173e1051a39Sopenharmony_ci return 0; 3174e1051a39Sopenharmony_ci } 3175e1051a39Sopenharmony_ci 3176e1051a39Sopenharmony_ci if (ossl_gost_ukm(s, rnd_dgst) <= 0) { 3177e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3178e1051a39Sopenharmony_ci goto err; 3179e1051a39Sopenharmony_ci } 3180e1051a39Sopenharmony_ci 3181e1051a39Sopenharmony_ci /* Pre-master secret - random bytes */ 3182e1051a39Sopenharmony_ci pmslen = 32; 3183e1051a39Sopenharmony_ci pms = OPENSSL_malloc(pmslen); 3184e1051a39Sopenharmony_ci if (pms == NULL) { 3185e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3186e1051a39Sopenharmony_ci goto err; 3187e1051a39Sopenharmony_ci } 3188e1051a39Sopenharmony_ci 3189e1051a39Sopenharmony_ci if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { 3190e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3191e1051a39Sopenharmony_ci goto err; 3192e1051a39Sopenharmony_ci } 3193e1051a39Sopenharmony_ci 3194e1051a39Sopenharmony_ci /* Get server certificate PKEY and create ctx from it */ 3195e1051a39Sopenharmony_ci peer_cert = s->session->peer; 3196e1051a39Sopenharmony_ci if (peer_cert == NULL) { 3197e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3198e1051a39Sopenharmony_ci SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3199e1051a39Sopenharmony_ci goto err; 3200e1051a39Sopenharmony_ci } 3201e1051a39Sopenharmony_ci 3202e1051a39Sopenharmony_ci pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, 3203e1051a39Sopenharmony_ci X509_get0_pubkey(peer_cert), 3204e1051a39Sopenharmony_ci s->ctx->propq); 3205e1051a39Sopenharmony_ci if (pkey_ctx == NULL) { 3206e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3207e1051a39Sopenharmony_ci goto err; 3208e1051a39Sopenharmony_ci } 3209e1051a39Sopenharmony_ci 3210e1051a39Sopenharmony_ci if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) { 3211e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3212e1051a39Sopenharmony_ci goto err; 3213e1051a39Sopenharmony_ci }; 3214e1051a39Sopenharmony_ci 3215e1051a39Sopenharmony_ci /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */ 3216e1051a39Sopenharmony_ci if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3217e1051a39Sopenharmony_ci EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { 3218e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3219e1051a39Sopenharmony_ci goto err; 3220e1051a39Sopenharmony_ci } 3221e1051a39Sopenharmony_ci 3222e1051a39Sopenharmony_ci if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3223e1051a39Sopenharmony_ci EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) { 3224e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3225e1051a39Sopenharmony_ci goto err; 3226e1051a39Sopenharmony_ci } 3227e1051a39Sopenharmony_ci 3228e1051a39Sopenharmony_ci if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) { 3229e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3230e1051a39Sopenharmony_ci goto err; 3231e1051a39Sopenharmony_ci } 3232e1051a39Sopenharmony_ci 3233e1051a39Sopenharmony_ci if (!WPACKET_allocate_bytes(pkt, msglen, &encdata) 3234e1051a39Sopenharmony_ci || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) { 3235e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3236e1051a39Sopenharmony_ci goto err; 3237e1051a39Sopenharmony_ci } 3238e1051a39Sopenharmony_ci 3239e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pkey_ctx); 3240e1051a39Sopenharmony_ci pkey_ctx = NULL; 3241e1051a39Sopenharmony_ci s->s3.tmp.pms = pms; 3242e1051a39Sopenharmony_ci s->s3.tmp.pmslen = pmslen; 3243e1051a39Sopenharmony_ci 3244e1051a39Sopenharmony_ci return 1; 3245e1051a39Sopenharmony_ci err: 3246e1051a39Sopenharmony_ci EVP_PKEY_CTX_free(pkey_ctx); 3247e1051a39Sopenharmony_ci OPENSSL_clear_free(pms, pmslen); 3248e1051a39Sopenharmony_ci return 0; 3249e1051a39Sopenharmony_ci#else 3250e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3251e1051a39Sopenharmony_ci return 0; 3252e1051a39Sopenharmony_ci#endif 3253e1051a39Sopenharmony_ci} 3254e1051a39Sopenharmony_ci 3255e1051a39Sopenharmony_cistatic int tls_construct_cke_srp(SSL *s, WPACKET *pkt) 3256e1051a39Sopenharmony_ci{ 3257e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SRP 3258e1051a39Sopenharmony_ci unsigned char *abytes = NULL; 3259e1051a39Sopenharmony_ci 3260e1051a39Sopenharmony_ci if (s->srp_ctx.A == NULL 3261e1051a39Sopenharmony_ci || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3262e1051a39Sopenharmony_ci &abytes)) { 3263e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3264e1051a39Sopenharmony_ci return 0; 3265e1051a39Sopenharmony_ci } 3266e1051a39Sopenharmony_ci BN_bn2bin(s->srp_ctx.A, abytes); 3267e1051a39Sopenharmony_ci 3268e1051a39Sopenharmony_ci OPENSSL_free(s->session->srp_username); 3269e1051a39Sopenharmony_ci s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3270e1051a39Sopenharmony_ci if (s->session->srp_username == NULL) { 3271e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3272e1051a39Sopenharmony_ci return 0; 3273e1051a39Sopenharmony_ci } 3274e1051a39Sopenharmony_ci 3275e1051a39Sopenharmony_ci return 1; 3276e1051a39Sopenharmony_ci#else 3277e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3278e1051a39Sopenharmony_ci return 0; 3279e1051a39Sopenharmony_ci#endif 3280e1051a39Sopenharmony_ci} 3281e1051a39Sopenharmony_ci 3282e1051a39Sopenharmony_ciint tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) 3283e1051a39Sopenharmony_ci{ 3284e1051a39Sopenharmony_ci unsigned long alg_k; 3285e1051a39Sopenharmony_ci 3286e1051a39Sopenharmony_ci alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3287e1051a39Sopenharmony_ci 3288e1051a39Sopenharmony_ci /* 3289e1051a39Sopenharmony_ci * All of the construct functions below call SSLfatal() if necessary so 3290e1051a39Sopenharmony_ci * no need to do so here. 3291e1051a39Sopenharmony_ci */ 3292e1051a39Sopenharmony_ci if ((alg_k & SSL_PSK) 3293e1051a39Sopenharmony_ci && !tls_construct_cke_psk_preamble(s, pkt)) 3294e1051a39Sopenharmony_ci goto err; 3295e1051a39Sopenharmony_ci 3296e1051a39Sopenharmony_ci if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3297e1051a39Sopenharmony_ci if (!tls_construct_cke_rsa(s, pkt)) 3298e1051a39Sopenharmony_ci goto err; 3299e1051a39Sopenharmony_ci } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3300e1051a39Sopenharmony_ci if (!tls_construct_cke_dhe(s, pkt)) 3301e1051a39Sopenharmony_ci goto err; 3302e1051a39Sopenharmony_ci } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3303e1051a39Sopenharmony_ci if (!tls_construct_cke_ecdhe(s, pkt)) 3304e1051a39Sopenharmony_ci goto err; 3305e1051a39Sopenharmony_ci } else if (alg_k & SSL_kGOST) { 3306e1051a39Sopenharmony_ci if (!tls_construct_cke_gost(s, pkt)) 3307e1051a39Sopenharmony_ci goto err; 3308e1051a39Sopenharmony_ci } else if (alg_k & SSL_kGOST18) { 3309e1051a39Sopenharmony_ci if (!tls_construct_cke_gost18(s, pkt)) 3310e1051a39Sopenharmony_ci goto err; 3311e1051a39Sopenharmony_ci } else if (alg_k & SSL_kSRP) { 3312e1051a39Sopenharmony_ci if (!tls_construct_cke_srp(s, pkt)) 3313e1051a39Sopenharmony_ci goto err; 3314e1051a39Sopenharmony_ci } else if (!(alg_k & SSL_kPSK)) { 3315e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3316e1051a39Sopenharmony_ci goto err; 3317e1051a39Sopenharmony_ci } 3318e1051a39Sopenharmony_ci 3319e1051a39Sopenharmony_ci return 1; 3320e1051a39Sopenharmony_ci err: 3321e1051a39Sopenharmony_ci OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); 3322e1051a39Sopenharmony_ci s->s3.tmp.pms = NULL; 3323e1051a39Sopenharmony_ci s->s3.tmp.pmslen = 0; 3324e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_PSK 3325e1051a39Sopenharmony_ci OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); 3326e1051a39Sopenharmony_ci s->s3.tmp.psk = NULL; 3327e1051a39Sopenharmony_ci s->s3.tmp.psklen = 0; 3328e1051a39Sopenharmony_ci#endif 3329e1051a39Sopenharmony_ci return 0; 3330e1051a39Sopenharmony_ci} 3331e1051a39Sopenharmony_ci 3332e1051a39Sopenharmony_ciint tls_client_key_exchange_post_work(SSL *s) 3333e1051a39Sopenharmony_ci{ 3334e1051a39Sopenharmony_ci unsigned char *pms = NULL; 3335e1051a39Sopenharmony_ci size_t pmslen = 0; 3336e1051a39Sopenharmony_ci 3337e1051a39Sopenharmony_ci pms = s->s3.tmp.pms; 3338e1051a39Sopenharmony_ci pmslen = s->s3.tmp.pmslen; 3339e1051a39Sopenharmony_ci 3340e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SRP 3341e1051a39Sopenharmony_ci /* Check for SRP */ 3342e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3343e1051a39Sopenharmony_ci if (!srp_generate_client_master_secret(s)) { 3344e1051a39Sopenharmony_ci /* SSLfatal() already called */ 3345e1051a39Sopenharmony_ci goto err; 3346e1051a39Sopenharmony_ci } 3347e1051a39Sopenharmony_ci return 1; 3348e1051a39Sopenharmony_ci } 3349e1051a39Sopenharmony_ci#endif 3350e1051a39Sopenharmony_ci 3351e1051a39Sopenharmony_ci if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3352e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 3353e1051a39Sopenharmony_ci goto err; 3354e1051a39Sopenharmony_ci } 3355e1051a39Sopenharmony_ci if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3356e1051a39Sopenharmony_ci /* SSLfatal() already called */ 3357e1051a39Sopenharmony_ci /* ssl_generate_master_secret frees the pms even on error */ 3358e1051a39Sopenharmony_ci pms = NULL; 3359e1051a39Sopenharmony_ci pmslen = 0; 3360e1051a39Sopenharmony_ci goto err; 3361e1051a39Sopenharmony_ci } 3362e1051a39Sopenharmony_ci pms = NULL; 3363e1051a39Sopenharmony_ci pmslen = 0; 3364e1051a39Sopenharmony_ci 3365e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_SCTP 3366e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 3367e1051a39Sopenharmony_ci unsigned char sctpauthkey[64]; 3368e1051a39Sopenharmony_ci char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3369e1051a39Sopenharmony_ci size_t labellen; 3370e1051a39Sopenharmony_ci 3371e1051a39Sopenharmony_ci /* 3372e1051a39Sopenharmony_ci * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3373e1051a39Sopenharmony_ci * used. 3374e1051a39Sopenharmony_ci */ 3375e1051a39Sopenharmony_ci memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3376e1051a39Sopenharmony_ci sizeof(DTLS1_SCTP_AUTH_LABEL)); 3377e1051a39Sopenharmony_ci 3378e1051a39Sopenharmony_ci /* Don't include the terminating zero. */ 3379e1051a39Sopenharmony_ci labellen = sizeof(labelbuffer) - 1; 3380e1051a39Sopenharmony_ci if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3381e1051a39Sopenharmony_ci labellen += 1; 3382e1051a39Sopenharmony_ci 3383e1051a39Sopenharmony_ci if (SSL_export_keying_material(s, sctpauthkey, 3384e1051a39Sopenharmony_ci sizeof(sctpauthkey), labelbuffer, 3385e1051a39Sopenharmony_ci labellen, NULL, 0, 0) <= 0) { 3386e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3387e1051a39Sopenharmony_ci goto err; 3388e1051a39Sopenharmony_ci } 3389e1051a39Sopenharmony_ci 3390e1051a39Sopenharmony_ci BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3391e1051a39Sopenharmony_ci sizeof(sctpauthkey), sctpauthkey); 3392e1051a39Sopenharmony_ci } 3393e1051a39Sopenharmony_ci#endif 3394e1051a39Sopenharmony_ci 3395e1051a39Sopenharmony_ci return 1; 3396e1051a39Sopenharmony_ci err: 3397e1051a39Sopenharmony_ci OPENSSL_clear_free(pms, pmslen); 3398e1051a39Sopenharmony_ci s->s3.tmp.pms = NULL; 3399e1051a39Sopenharmony_ci s->s3.tmp.pmslen = 0; 3400e1051a39Sopenharmony_ci return 0; 3401e1051a39Sopenharmony_ci} 3402e1051a39Sopenharmony_ci 3403e1051a39Sopenharmony_ci/* 3404e1051a39Sopenharmony_ci * Check a certificate can be used for client authentication. Currently check 3405e1051a39Sopenharmony_ci * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3406e1051a39Sopenharmony_ci * certificates can be used and optionally checks suitability for Suite B. 3407e1051a39Sopenharmony_ci */ 3408e1051a39Sopenharmony_cistatic int ssl3_check_client_certificate(SSL *s) 3409e1051a39Sopenharmony_ci{ 3410e1051a39Sopenharmony_ci /* If no suitable signature algorithm can't use certificate */ 3411e1051a39Sopenharmony_ci if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) 3412e1051a39Sopenharmony_ci return 0; 3413e1051a39Sopenharmony_ci /* 3414e1051a39Sopenharmony_ci * If strict mode check suitability of chain before using it. This also 3415e1051a39Sopenharmony_ci * adjusts suite B digest if necessary. 3416e1051a39Sopenharmony_ci */ 3417e1051a39Sopenharmony_ci if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && 3418e1051a39Sopenharmony_ci !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3419e1051a39Sopenharmony_ci return 0; 3420e1051a39Sopenharmony_ci return 1; 3421e1051a39Sopenharmony_ci} 3422e1051a39Sopenharmony_ci 3423e1051a39Sopenharmony_ciWORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) 3424e1051a39Sopenharmony_ci{ 3425e1051a39Sopenharmony_ci X509 *x509 = NULL; 3426e1051a39Sopenharmony_ci EVP_PKEY *pkey = NULL; 3427e1051a39Sopenharmony_ci int i; 3428e1051a39Sopenharmony_ci 3429e1051a39Sopenharmony_ci if (wst == WORK_MORE_A) { 3430e1051a39Sopenharmony_ci /* Let cert callback update client certificates if required */ 3431e1051a39Sopenharmony_ci if (s->cert->cert_cb) { 3432e1051a39Sopenharmony_ci i = s->cert->cert_cb(s, s->cert->cert_cb_arg); 3433e1051a39Sopenharmony_ci if (i < 0) { 3434e1051a39Sopenharmony_ci s->rwstate = SSL_X509_LOOKUP; 3435e1051a39Sopenharmony_ci return WORK_MORE_A; 3436e1051a39Sopenharmony_ci } 3437e1051a39Sopenharmony_ci if (i == 0) { 3438e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); 3439e1051a39Sopenharmony_ci return WORK_ERROR; 3440e1051a39Sopenharmony_ci } 3441e1051a39Sopenharmony_ci s->rwstate = SSL_NOTHING; 3442e1051a39Sopenharmony_ci } 3443e1051a39Sopenharmony_ci if (ssl3_check_client_certificate(s)) { 3444e1051a39Sopenharmony_ci if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3445e1051a39Sopenharmony_ci return WORK_FINISHED_STOP; 3446e1051a39Sopenharmony_ci } 3447e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 3448e1051a39Sopenharmony_ci } 3449e1051a39Sopenharmony_ci 3450e1051a39Sopenharmony_ci /* Fall through to WORK_MORE_B */ 3451e1051a39Sopenharmony_ci wst = WORK_MORE_B; 3452e1051a39Sopenharmony_ci } 3453e1051a39Sopenharmony_ci 3454e1051a39Sopenharmony_ci /* We need to get a client cert */ 3455e1051a39Sopenharmony_ci if (wst == WORK_MORE_B) { 3456e1051a39Sopenharmony_ci /* 3457e1051a39Sopenharmony_ci * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3458e1051a39Sopenharmony_ci * return(-1); We then get retied later 3459e1051a39Sopenharmony_ci */ 3460e1051a39Sopenharmony_ci i = ssl_do_client_cert_cb(s, &x509, &pkey); 3461e1051a39Sopenharmony_ci if (i < 0) { 3462e1051a39Sopenharmony_ci s->rwstate = SSL_X509_LOOKUP; 3463e1051a39Sopenharmony_ci return WORK_MORE_B; 3464e1051a39Sopenharmony_ci } 3465e1051a39Sopenharmony_ci s->rwstate = SSL_NOTHING; 3466e1051a39Sopenharmony_ci if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3467e1051a39Sopenharmony_ci if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 3468e1051a39Sopenharmony_ci i = 0; 3469e1051a39Sopenharmony_ci } else if (i == 1) { 3470e1051a39Sopenharmony_ci i = 0; 3471e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3472e1051a39Sopenharmony_ci } 3473e1051a39Sopenharmony_ci 3474e1051a39Sopenharmony_ci X509_free(x509); 3475e1051a39Sopenharmony_ci EVP_PKEY_free(pkey); 3476e1051a39Sopenharmony_ci if (i && !ssl3_check_client_certificate(s)) 3477e1051a39Sopenharmony_ci i = 0; 3478e1051a39Sopenharmony_ci if (i == 0) { 3479e1051a39Sopenharmony_ci if (s->version == SSL3_VERSION) { 3480e1051a39Sopenharmony_ci s->s3.tmp.cert_req = 0; 3481e1051a39Sopenharmony_ci ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3482e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 3483e1051a39Sopenharmony_ci } else { 3484e1051a39Sopenharmony_ci s->s3.tmp.cert_req = 2; 3485e1051a39Sopenharmony_ci if (!ssl3_digest_cached_records(s, 0)) { 3486e1051a39Sopenharmony_ci /* SSLfatal() already called */ 3487e1051a39Sopenharmony_ci return WORK_ERROR; 3488e1051a39Sopenharmony_ci } 3489e1051a39Sopenharmony_ci } 3490e1051a39Sopenharmony_ci } 3491e1051a39Sopenharmony_ci 3492e1051a39Sopenharmony_ci if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3493e1051a39Sopenharmony_ci return WORK_FINISHED_STOP; 3494e1051a39Sopenharmony_ci return WORK_FINISHED_CONTINUE; 3495e1051a39Sopenharmony_ci } 3496e1051a39Sopenharmony_ci 3497e1051a39Sopenharmony_ci /* Shouldn't ever get here */ 3498e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3499e1051a39Sopenharmony_ci return WORK_ERROR; 3500e1051a39Sopenharmony_ci} 3501e1051a39Sopenharmony_ci 3502e1051a39Sopenharmony_ciint tls_construct_client_certificate(SSL *s, WPACKET *pkt) 3503e1051a39Sopenharmony_ci{ 3504e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s)) { 3505e1051a39Sopenharmony_ci if (s->pha_context == NULL) { 3506e1051a39Sopenharmony_ci /* no context available, add 0-length context */ 3507e1051a39Sopenharmony_ci if (!WPACKET_put_bytes_u8(pkt, 0)) { 3508e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3509e1051a39Sopenharmony_ci return 0; 3510e1051a39Sopenharmony_ci } 3511e1051a39Sopenharmony_ci } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3512e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3513e1051a39Sopenharmony_ci return 0; 3514e1051a39Sopenharmony_ci } 3515e1051a39Sopenharmony_ci } 3516e1051a39Sopenharmony_ci if (!ssl3_output_cert_chain(s, pkt, 3517e1051a39Sopenharmony_ci (s->s3.tmp.cert_req == 2) ? NULL 3518e1051a39Sopenharmony_ci : s->cert->key)) { 3519e1051a39Sopenharmony_ci /* SSLfatal() already called */ 3520e1051a39Sopenharmony_ci return 0; 3521e1051a39Sopenharmony_ci } 3522e1051a39Sopenharmony_ci 3523e1051a39Sopenharmony_ci if (SSL_IS_TLS13(s) 3524e1051a39Sopenharmony_ci && SSL_IS_FIRST_HANDSHAKE(s) 3525e1051a39Sopenharmony_ci && (!s->method->ssl3_enc->change_cipher_state(s, 3526e1051a39Sopenharmony_ci SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3527e1051a39Sopenharmony_ci /* 3528e1051a39Sopenharmony_ci * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3529e1051a39Sopenharmony_ci * state and thus ssl3_send_alert may crash. 3530e1051a39Sopenharmony_ci */ 3531e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); 3532e1051a39Sopenharmony_ci return 0; 3533e1051a39Sopenharmony_ci } 3534e1051a39Sopenharmony_ci 3535e1051a39Sopenharmony_ci return 1; 3536e1051a39Sopenharmony_ci} 3537e1051a39Sopenharmony_ci 3538e1051a39Sopenharmony_ciint ssl3_check_cert_and_algorithm(SSL *s) 3539e1051a39Sopenharmony_ci{ 3540e1051a39Sopenharmony_ci const SSL_CERT_LOOKUP *clu; 3541e1051a39Sopenharmony_ci size_t idx; 3542e1051a39Sopenharmony_ci long alg_k, alg_a; 3543e1051a39Sopenharmony_ci 3544e1051a39Sopenharmony_ci alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3545e1051a39Sopenharmony_ci alg_a = s->s3.tmp.new_cipher->algorithm_auth; 3546e1051a39Sopenharmony_ci 3547e1051a39Sopenharmony_ci /* we don't have a certificate */ 3548e1051a39Sopenharmony_ci if (!(alg_a & SSL_aCERT)) 3549e1051a39Sopenharmony_ci return 1; 3550e1051a39Sopenharmony_ci 3551e1051a39Sopenharmony_ci /* This is the passed certificate */ 3552e1051a39Sopenharmony_ci clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); 3553e1051a39Sopenharmony_ci 3554e1051a39Sopenharmony_ci /* Check certificate is recognised and suitable for cipher */ 3555e1051a39Sopenharmony_ci if (clu == NULL || (alg_a & clu->amask) == 0) { 3556e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); 3557e1051a39Sopenharmony_ci return 0; 3558e1051a39Sopenharmony_ci } 3559e1051a39Sopenharmony_ci 3560e1051a39Sopenharmony_ci if (clu->amask & SSL_aECDSA) { 3561e1051a39Sopenharmony_ci if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 3562e1051a39Sopenharmony_ci return 1; 3563e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); 3564e1051a39Sopenharmony_ci return 0; 3565e1051a39Sopenharmony_ci } 3566e1051a39Sopenharmony_ci 3567e1051a39Sopenharmony_ci if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3568e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3569e1051a39Sopenharmony_ci SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3570e1051a39Sopenharmony_ci return 0; 3571e1051a39Sopenharmony_ci } 3572e1051a39Sopenharmony_ci 3573e1051a39Sopenharmony_ci if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { 3574e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3575e1051a39Sopenharmony_ci return 0; 3576e1051a39Sopenharmony_ci } 3577e1051a39Sopenharmony_ci 3578e1051a39Sopenharmony_ci return 1; 3579e1051a39Sopenharmony_ci} 3580e1051a39Sopenharmony_ci 3581e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_NEXTPROTONEG 3582e1051a39Sopenharmony_ciint tls_construct_next_proto(SSL *s, WPACKET *pkt) 3583e1051a39Sopenharmony_ci{ 3584e1051a39Sopenharmony_ci size_t len, padding_len; 3585e1051a39Sopenharmony_ci unsigned char *padding = NULL; 3586e1051a39Sopenharmony_ci 3587e1051a39Sopenharmony_ci len = s->ext.npn_len; 3588e1051a39Sopenharmony_ci padding_len = 32 - ((len + 2) % 32); 3589e1051a39Sopenharmony_ci 3590e1051a39Sopenharmony_ci if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 3591e1051a39Sopenharmony_ci || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 3592e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3593e1051a39Sopenharmony_ci return 0; 3594e1051a39Sopenharmony_ci } 3595e1051a39Sopenharmony_ci 3596e1051a39Sopenharmony_ci memset(padding, 0, padding_len); 3597e1051a39Sopenharmony_ci 3598e1051a39Sopenharmony_ci return 1; 3599e1051a39Sopenharmony_ci} 3600e1051a39Sopenharmony_ci#endif 3601e1051a39Sopenharmony_ci 3602e1051a39Sopenharmony_ciMSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) 3603e1051a39Sopenharmony_ci{ 3604e1051a39Sopenharmony_ci if (PACKET_remaining(pkt) > 0) { 3605e1051a39Sopenharmony_ci /* should contain no data */ 3606e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 3607e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 3608e1051a39Sopenharmony_ci } 3609e1051a39Sopenharmony_ci 3610e1051a39Sopenharmony_ci if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 3611e1051a39Sopenharmony_ci ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 3612e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 3613e1051a39Sopenharmony_ci } 3614e1051a39Sopenharmony_ci 3615e1051a39Sopenharmony_ci /* 3616e1051a39Sopenharmony_ci * This is a historical discrepancy (not in the RFC) maintained for 3617e1051a39Sopenharmony_ci * compatibility reasons. If a TLS client receives a HelloRequest it will 3618e1051a39Sopenharmony_ci * attempt an abbreviated handshake. However if a DTLS client receives a 3619e1051a39Sopenharmony_ci * HelloRequest it will do a full handshake. Either behaviour is reasonable 3620e1051a39Sopenharmony_ci * but doing one for TLS and another for DTLS is odd. 3621e1051a39Sopenharmony_ci */ 3622e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) 3623e1051a39Sopenharmony_ci SSL_renegotiate(s); 3624e1051a39Sopenharmony_ci else 3625e1051a39Sopenharmony_ci SSL_renegotiate_abbreviated(s); 3626e1051a39Sopenharmony_ci 3627e1051a39Sopenharmony_ci return MSG_PROCESS_FINISHED_READING; 3628e1051a39Sopenharmony_ci} 3629e1051a39Sopenharmony_ci 3630e1051a39Sopenharmony_cistatic MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) 3631e1051a39Sopenharmony_ci{ 3632e1051a39Sopenharmony_ci PACKET extensions; 3633e1051a39Sopenharmony_ci RAW_EXTENSION *rawexts = NULL; 3634e1051a39Sopenharmony_ci 3635e1051a39Sopenharmony_ci if (!PACKET_as_length_prefixed_2(pkt, &extensions) 3636e1051a39Sopenharmony_ci || PACKET_remaining(pkt) != 0) { 3637e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 3638e1051a39Sopenharmony_ci goto err; 3639e1051a39Sopenharmony_ci } 3640e1051a39Sopenharmony_ci 3641e1051a39Sopenharmony_ci if (!tls_collect_extensions(s, &extensions, 3642e1051a39Sopenharmony_ci SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 3643e1051a39Sopenharmony_ci NULL, 1) 3644e1051a39Sopenharmony_ci || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 3645e1051a39Sopenharmony_ci rawexts, NULL, 0, 1)) { 3646e1051a39Sopenharmony_ci /* SSLfatal() already called */ 3647e1051a39Sopenharmony_ci goto err; 3648e1051a39Sopenharmony_ci } 3649e1051a39Sopenharmony_ci 3650e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 3651e1051a39Sopenharmony_ci return MSG_PROCESS_CONTINUE_READING; 3652e1051a39Sopenharmony_ci 3653e1051a39Sopenharmony_ci err: 3654e1051a39Sopenharmony_ci OPENSSL_free(rawexts); 3655e1051a39Sopenharmony_ci return MSG_PROCESS_ERROR; 3656e1051a39Sopenharmony_ci} 3657e1051a39Sopenharmony_ci 3658e1051a39Sopenharmony_ciint ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3659e1051a39Sopenharmony_ci{ 3660e1051a39Sopenharmony_ci int i = 0; 3661e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_ENGINE 3662e1051a39Sopenharmony_ci if (s->ctx->client_cert_engine) { 3663e1051a39Sopenharmony_ci i = tls_engine_load_ssl_client_cert(s, px509, ppkey); 3664e1051a39Sopenharmony_ci if (i != 0) 3665e1051a39Sopenharmony_ci return i; 3666e1051a39Sopenharmony_ci } 3667e1051a39Sopenharmony_ci#endif 3668e1051a39Sopenharmony_ci if (s->ctx->client_cert_cb) 3669e1051a39Sopenharmony_ci i = s->ctx->client_cert_cb(s, px509, ppkey); 3670e1051a39Sopenharmony_ci return i; 3671e1051a39Sopenharmony_ci} 3672e1051a39Sopenharmony_ci 3673e1051a39Sopenharmony_ciint ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) 3674e1051a39Sopenharmony_ci{ 3675e1051a39Sopenharmony_ci int i; 3676e1051a39Sopenharmony_ci size_t totlen = 0, len, maxlen, maxverok = 0; 3677e1051a39Sopenharmony_ci int empty_reneg_info_scsv = !s->renegotiate; 3678e1051a39Sopenharmony_ci 3679e1051a39Sopenharmony_ci /* Set disabled masks for this session */ 3680e1051a39Sopenharmony_ci if (!ssl_set_client_disabled(s)) { 3681e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); 3682e1051a39Sopenharmony_ci return 0; 3683e1051a39Sopenharmony_ci } 3684e1051a39Sopenharmony_ci 3685e1051a39Sopenharmony_ci if (sk == NULL) { 3686e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3687e1051a39Sopenharmony_ci return 0; 3688e1051a39Sopenharmony_ci } 3689e1051a39Sopenharmony_ci 3690e1051a39Sopenharmony_ci#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 3691e1051a39Sopenharmony_ci# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 3692e1051a39Sopenharmony_ci# error Max cipher length too short 3693e1051a39Sopenharmony_ci# endif 3694e1051a39Sopenharmony_ci /* 3695e1051a39Sopenharmony_ci * Some servers hang if client hello > 256 bytes as hack workaround 3696e1051a39Sopenharmony_ci * chop number of supported ciphers to keep it well below this if we 3697e1051a39Sopenharmony_ci * use TLS v1.2 3698e1051a39Sopenharmony_ci */ 3699e1051a39Sopenharmony_ci if (TLS1_get_version(s) >= TLS1_2_VERSION) 3700e1051a39Sopenharmony_ci maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 3701e1051a39Sopenharmony_ci else 3702e1051a39Sopenharmony_ci#endif 3703e1051a39Sopenharmony_ci /* Maximum length that can be stored in 2 bytes. Length must be even */ 3704e1051a39Sopenharmony_ci maxlen = 0xfffe; 3705e1051a39Sopenharmony_ci 3706e1051a39Sopenharmony_ci if (empty_reneg_info_scsv) 3707e1051a39Sopenharmony_ci maxlen -= 2; 3708e1051a39Sopenharmony_ci if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 3709e1051a39Sopenharmony_ci maxlen -= 2; 3710e1051a39Sopenharmony_ci 3711e1051a39Sopenharmony_ci for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 3712e1051a39Sopenharmony_ci const SSL_CIPHER *c; 3713e1051a39Sopenharmony_ci 3714e1051a39Sopenharmony_ci c = sk_SSL_CIPHER_value(sk, i); 3715e1051a39Sopenharmony_ci /* Skip disabled ciphers */ 3716e1051a39Sopenharmony_ci if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 3717e1051a39Sopenharmony_ci continue; 3718e1051a39Sopenharmony_ci 3719e1051a39Sopenharmony_ci if (!s->method->put_cipher_by_char(c, pkt, &len)) { 3720e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3721e1051a39Sopenharmony_ci return 0; 3722e1051a39Sopenharmony_ci } 3723e1051a39Sopenharmony_ci 3724e1051a39Sopenharmony_ci /* Sanity check that the maximum version we offer has ciphers enabled */ 3725e1051a39Sopenharmony_ci if (!maxverok) { 3726e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 3727e1051a39Sopenharmony_ci if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver) 3728e1051a39Sopenharmony_ci && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver)) 3729e1051a39Sopenharmony_ci maxverok = 1; 3730e1051a39Sopenharmony_ci } else { 3731e1051a39Sopenharmony_ci if (c->max_tls >= s->s3.tmp.max_ver 3732e1051a39Sopenharmony_ci && c->min_tls <= s->s3.tmp.max_ver) 3733e1051a39Sopenharmony_ci maxverok = 1; 3734e1051a39Sopenharmony_ci } 3735e1051a39Sopenharmony_ci } 3736e1051a39Sopenharmony_ci 3737e1051a39Sopenharmony_ci totlen += len; 3738e1051a39Sopenharmony_ci } 3739e1051a39Sopenharmony_ci 3740e1051a39Sopenharmony_ci if (totlen == 0 || !maxverok) { 3741e1051a39Sopenharmony_ci const char *maxvertext = 3742e1051a39Sopenharmony_ci !maxverok 3743e1051a39Sopenharmony_ci ? "No ciphers enabled for max supported SSL/TLS version" 3744e1051a39Sopenharmony_ci : NULL; 3745e1051a39Sopenharmony_ci 3746e1051a39Sopenharmony_ci SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, 3747e1051a39Sopenharmony_ci maxvertext); 3748e1051a39Sopenharmony_ci return 0; 3749e1051a39Sopenharmony_ci } 3750e1051a39Sopenharmony_ci 3751e1051a39Sopenharmony_ci if (totlen != 0) { 3752e1051a39Sopenharmony_ci if (empty_reneg_info_scsv) { 3753e1051a39Sopenharmony_ci static SSL_CIPHER scsv = { 3754e1051a39Sopenharmony_ci 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3755e1051a39Sopenharmony_ci }; 3756e1051a39Sopenharmony_ci if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3757e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3758e1051a39Sopenharmony_ci return 0; 3759e1051a39Sopenharmony_ci } 3760e1051a39Sopenharmony_ci } 3761e1051a39Sopenharmony_ci if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 3762e1051a39Sopenharmony_ci static SSL_CIPHER scsv = { 3763e1051a39Sopenharmony_ci 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3764e1051a39Sopenharmony_ci }; 3765e1051a39Sopenharmony_ci if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3766e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3767e1051a39Sopenharmony_ci return 0; 3768e1051a39Sopenharmony_ci } 3769e1051a39Sopenharmony_ci } 3770e1051a39Sopenharmony_ci } 3771e1051a39Sopenharmony_ci 3772e1051a39Sopenharmony_ci return 1; 3773e1051a39Sopenharmony_ci} 3774e1051a39Sopenharmony_ci 3775e1051a39Sopenharmony_ciint tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) 3776e1051a39Sopenharmony_ci{ 3777e1051a39Sopenharmony_ci if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 3778e1051a39Sopenharmony_ci && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 3779e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3780e1051a39Sopenharmony_ci return 0; 3781e1051a39Sopenharmony_ci } 3782e1051a39Sopenharmony_ci 3783e1051a39Sopenharmony_ci s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 3784e1051a39Sopenharmony_ci return 1; 3785e1051a39Sopenharmony_ci} 3786