Coverage Report

Created: 2024-07-27 06:36

/src/openssl/ssl/statem/statem_clnt.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11
12
#include <stdio.h>
13
#include <time.h>
14
#include <assert.h>
15
#include "../ssl_local.h"
16
#include "statem_local.h"
17
#include <openssl/buffer.h>
18
#include <openssl/rand.h>
19
#include <openssl/objects.h>
20
#include <openssl/evp.h>
21
#include <openssl/md5.h>
22
#include <openssl/dh.h>
23
#include <openssl/rsa.h>
24
#include <openssl/bn.h>
25
#include <openssl/engine.h>
26
#include <openssl/trace.h>
27
#include <openssl/core_names.h>
28
#include <openssl/param_build.h>
29
#include "internal/cryptlib.h"
30
#include "internal/comp.h"
31
32
static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
33
                                                             PACKET *pkt);
34
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
35
                                                           PACKET *pkt);
36
37
static ossl_inline int cert_req_allowed(SSL_CONNECTION *s);
38
static int key_exchange_expected(SSL_CONNECTION *s);
39
static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
40
                                    WPACKET *pkt);
41
42
static ossl_inline int received_server_cert(SSL_CONNECTION *sc)
43
0
{
44
0
    return sc->session->peer_rpk != NULL || sc->session->peer != NULL;
45
0
}
46
47
/*
48
 * Is a CertificateRequest message allowed at the moment or not?
49
 *
50
 *  Return values are:
51
 *  1: Yes
52
 *  0: No
53
 */
54
static ossl_inline int cert_req_allowed(SSL_CONNECTION *s)
55
0
{
56
    /* TLS does not like anon-DH with client cert */
57
0
    if ((s->version > SSL3_VERSION
58
0
         && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL))
59
0
        || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
60
0
        return 0;
61
62
0
    return 1;
63
0
}
64
65
/*
66
 * Should we expect the ServerKeyExchange message or not?
67
 *
68
 *  Return values are:
69
 *  1: Yes
70
 *  0: No
71
 */
72
static int key_exchange_expected(SSL_CONNECTION *s)
73
0
{
74
0
    long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
75
76
    /*
77
     * Can't skip server key exchange if this is an ephemeral
78
     * ciphersuite or for SRP
79
     */
80
0
    if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
81
0
                 | SSL_kSRP)) {
82
0
        return 1;
83
0
    }
84
85
0
    return 0;
86
0
}
87
88
/*
89
 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
90
 * handshake state transitions when a TLS1.3 client is reading messages from the
91
 * server. The message type that the server has sent is provided in |mt|. The
92
 * current state is in |s->statem.hand_state|.
93
 *
94
 * Return values are 1 for success (transition allowed) and  0 on error
95
 * (transition not allowed)
96
 */
97
static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt)
98
0
{
99
0
    OSSL_STATEM *st = &s->statem;
100
101
    /*
102
     * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
103
     * yet negotiated TLSv1.3 at that point so that is handled by
104
     * ossl_statem_client_read_transition()
105
     */
106
107
0
    switch (st->hand_state) {
108
0
    default:
109
0
        break;
110
111
0
    case TLS_ST_CW_CLNT_HELLO:
112
        /*
113
         * This must a ClientHello following a HelloRetryRequest, so the only
114
         * thing we can get now is a ServerHello.
115
         */
116
0
        if (mt == SSL3_MT_SERVER_HELLO) {
117
0
            st->hand_state = TLS_ST_CR_SRVR_HELLO;
118
0
            return 1;
119
0
        }
120
0
        break;
121
122
0
    case TLS_ST_CR_SRVR_HELLO:
123
0
        if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
124
0
            st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
125
0
            return 1;
126
0
        }
127
0
        break;
128
129
0
    case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
130
0
        if (s->hit) {
131
0
            if (mt == SSL3_MT_FINISHED) {
132
0
                st->hand_state = TLS_ST_CR_FINISHED;
133
0
                return 1;
134
0
            }
135
0
        } else {
136
0
            if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
137
0
                st->hand_state = TLS_ST_CR_CERT_REQ;
138
0
                return 1;
139
0
            }
140
0
            if (mt == SSL3_MT_CERTIFICATE) {
141
0
                st->hand_state = TLS_ST_CR_CERT;
142
0
                return 1;
143
0
            }
144
#ifndef OPENSSL_NO_COMP_ALG
145
            if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
146
                    && s->ext.compress_certificate_sent) {
147
                st->hand_state = TLS_ST_CR_COMP_CERT;
148
                return 1;
149
            }
150
#endif
151
0
        }
152
0
        break;
153
154
0
    case TLS_ST_CR_CERT_REQ:
155
0
        if (mt == SSL3_MT_CERTIFICATE) {
156
0
            st->hand_state = TLS_ST_CR_CERT;
157
0
            return 1;
158
0
        }
159
#ifndef OPENSSL_NO_COMP_ALG
160
        if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
161
                && s->ext.compress_certificate_sent) {
162
            st->hand_state = TLS_ST_CR_COMP_CERT;
163
            return 1;
164
        }
165
#endif
166
0
        break;
167
168
0
    case TLS_ST_CR_CERT:
169
0
    case TLS_ST_CR_COMP_CERT:
170
0
        if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
171
0
            st->hand_state = TLS_ST_CR_CERT_VRFY;
172
0
            return 1;
173
0
        }
174
0
        break;
175
176
0
    case TLS_ST_CR_CERT_VRFY:
177
0
        if (mt == SSL3_MT_FINISHED) {
178
0
            st->hand_state = TLS_ST_CR_FINISHED;
179
0
            return 1;
180
0
        }
181
0
        break;
182
183
0
    case TLS_ST_OK:
184
0
        if (mt == SSL3_MT_NEWSESSION_TICKET) {
185
0
            st->hand_state = TLS_ST_CR_SESSION_TICKET;
186
0
            return 1;
187
0
        }
188
0
        if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) {
189
0
            st->hand_state = TLS_ST_CR_KEY_UPDATE;
190
0
            return 1;
191
0
        }
192
0
        if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
193
#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
194
            /* Restore digest for PHA before adding message.*/
195
# error Internal DTLS version error
196
#endif
197
0
            if (!SSL_CONNECTION_IS_DTLS(s)
198
0
                && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
199
0
                s->post_handshake_auth = SSL_PHA_REQUESTED;
200
                /*
201
                 * In TLS, this is called before the message is added to the
202
                 * digest. In DTLS, this is expected to be called after adding
203
                 * to the digest. Either move the digest restore, or add the
204
                 * message here after the swap, or do it after the clientFinished?
205
                 */
206
0
                if (!tls13_restore_handshake_digest_for_pha(s)) {
207
                    /* SSLfatal() already called */
208
0
                    return 0;
209
0
                }
210
0
                st->hand_state = TLS_ST_CR_CERT_REQ;
211
0
                return 1;
212
0
            }
213
0
        }
214
0
        break;
215
0
    }
216
217
    /* No valid transition found */
218
0
    return 0;
219
0
}
220
221
/*
222
 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
223
 * handshake state transitions when the client is reading messages from the
224
 * server. The message type that the server has sent is provided in |mt|. The
225
 * current state is in |s->statem.hand_state|.
226
 *
227
 * Return values are 1 for success (transition allowed) and  0 on error
228
 * (transition not allowed)
229
 */
230
int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt)
231
0
{
232
0
    OSSL_STATEM *st = &s->statem;
233
0
    int ske_expected;
234
235
    /*
236
     * Note that after writing the first ClientHello we don't know what version
237
     * we are going to negotiate yet, so we don't take this branch until later.
238
     */
239
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
240
0
        if (!ossl_statem_client13_read_transition(s, mt))
241
0
            goto err;
242
0
        return 1;
243
0
    }
244
245
0
    switch (st->hand_state) {
246
0
    default:
247
0
        break;
248
249
0
    case TLS_ST_CW_CLNT_HELLO:
250
0
        if (mt == SSL3_MT_SERVER_HELLO) {
251
0
            st->hand_state = TLS_ST_CR_SRVR_HELLO;
252
0
            return 1;
253
0
        }
254
255
0
        if (SSL_CONNECTION_IS_DTLS(s)) {
256
0
            if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
257
0
                st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
258
0
                return 1;
259
0
            }
260
0
        }
261
0
        break;
262
263
0
    case TLS_ST_EARLY_DATA:
264
        /*
265
         * We've not actually selected TLSv1.3 yet, but we have sent early
266
         * data. The only thing allowed now is a ServerHello or a
267
         * HelloRetryRequest.
268
         */
269
0
        if (mt == SSL3_MT_SERVER_HELLO) {
270
0
            st->hand_state = TLS_ST_CR_SRVR_HELLO;
271
0
            return 1;
272
0
        }
273
0
        break;
274
275
0
    case TLS_ST_CR_SRVR_HELLO:
276
0
        if (s->hit) {
277
0
            if (s->ext.ticket_expected) {
278
0
                if (mt == SSL3_MT_NEWSESSION_TICKET) {
279
0
                    st->hand_state = TLS_ST_CR_SESSION_TICKET;
280
0
                    return 1;
281
0
                }
282
0
            } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
283
0
                st->hand_state = TLS_ST_CR_CHANGE;
284
0
                return 1;
285
0
            }
286
0
        } else {
287
0
            if (SSL_CONNECTION_IS_DTLS(s)
288
0
                && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
289
0
                st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
290
0
                return 1;
291
0
            } else if (s->version >= TLS1_VERSION
292
0
                       && s->ext.session_secret_cb != NULL
293
0
                       && s->session->ext.tick != NULL
294
0
                       && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
295
                /*
296
                 * Normally, we can tell if the server is resuming the session
297
                 * from the session ID. EAP-FAST (RFC 4851), however, relies on
298
                 * the next server message after the ServerHello to determine if
299
                 * the server is resuming.
300
                 */
301
0
                s->hit = 1;
302
0
                st->hand_state = TLS_ST_CR_CHANGE;
303
0
                return 1;
304
0
            } else if (!(s->s3.tmp.new_cipher->algorithm_auth
305
0
                         & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
306
0
                if (mt == SSL3_MT_CERTIFICATE) {
307
0
                    st->hand_state = TLS_ST_CR_CERT;
308
0
                    return 1;
309
0
                }
310
0
            } else {
311
0
                ske_expected = key_exchange_expected(s);
312
                /* SKE is optional for some PSK ciphersuites */
313
0
                if (ske_expected
314
0
                    || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
315
0
                        && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
316
0
                    if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
317
0
                        st->hand_state = TLS_ST_CR_KEY_EXCH;
318
0
                        return 1;
319
0
                    }
320
0
                } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
321
0
                           && cert_req_allowed(s)) {
322
0
                    st->hand_state = TLS_ST_CR_CERT_REQ;
323
0
                    return 1;
324
0
                } else if (mt == SSL3_MT_SERVER_DONE) {
325
0
                    st->hand_state = TLS_ST_CR_SRVR_DONE;
326
0
                    return 1;
327
0
                }
328
0
            }
329
0
        }
330
0
        break;
331
332
0
    case TLS_ST_CR_CERT:
333
0
    case TLS_ST_CR_COMP_CERT:
334
        /*
335
         * The CertificateStatus message is optional even if
336
         * |ext.status_expected| is set
337
         */
338
0
        if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
339
0
            st->hand_state = TLS_ST_CR_CERT_STATUS;
340
0
            return 1;
341
0
        }
342
        /* Fall through */
343
344
0
    case TLS_ST_CR_CERT_STATUS:
345
0
        ske_expected = key_exchange_expected(s);
346
        /* SKE is optional for some PSK ciphersuites */
347
0
        if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
348
0
                             && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
349
0
            if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
350
0
                st->hand_state = TLS_ST_CR_KEY_EXCH;
351
0
                return 1;
352
0
            }
353
0
            goto err;
354
0
        }
355
        /* Fall through */
356
357
0
    case TLS_ST_CR_KEY_EXCH:
358
0
        if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
359
0
            if (cert_req_allowed(s)) {
360
0
                st->hand_state = TLS_ST_CR_CERT_REQ;
361
0
                return 1;
362
0
            }
363
0
            goto err;
364
0
        }
365
        /* Fall through */
366
367
0
    case TLS_ST_CR_CERT_REQ:
368
0
        if (mt == SSL3_MT_SERVER_DONE) {
369
0
            st->hand_state = TLS_ST_CR_SRVR_DONE;
370
0
            return 1;
371
0
        }
372
0
        break;
373
374
0
    case TLS_ST_CW_FINISHED:
375
0
        if (s->ext.ticket_expected) {
376
0
            if (mt == SSL3_MT_NEWSESSION_TICKET) {
377
0
                st->hand_state = TLS_ST_CR_SESSION_TICKET;
378
0
                return 1;
379
0
            }
380
0
        } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
381
0
            st->hand_state = TLS_ST_CR_CHANGE;
382
0
            return 1;
383
0
        }
384
0
        break;
385
386
0
    case TLS_ST_CR_SESSION_TICKET:
387
0
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
388
0
            st->hand_state = TLS_ST_CR_CHANGE;
389
0
            return 1;
390
0
        }
391
0
        break;
392
393
0
    case TLS_ST_CR_CHANGE:
394
0
        if (mt == SSL3_MT_FINISHED) {
395
0
            st->hand_state = TLS_ST_CR_FINISHED;
396
0
            return 1;
397
0
        }
398
0
        break;
399
400
0
    case TLS_ST_OK:
401
0
        if (mt == SSL3_MT_HELLO_REQUEST) {
402
0
            st->hand_state = TLS_ST_CR_HELLO_REQ;
403
0
            return 1;
404
0
        }
405
0
        break;
406
0
    }
407
408
0
 err:
409
    /* No valid transition found */
410
0
    if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
411
0
        BIO *rbio;
412
413
        /*
414
         * CCS messages don't have a message sequence number so this is probably
415
         * because of an out-of-order CCS. We'll just drop it.
416
         */
417
0
        s->init_num = 0;
418
0
        s->rwstate = SSL_READING;
419
0
        rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s));
420
0
        BIO_clear_retry_flags(rbio);
421
0
        BIO_set_retry_read(rbio);
422
0
        return 0;
423
0
    }
424
0
    SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
425
0
    return 0;
426
0
}
427
428
static int do_compressed_cert(SSL_CONNECTION *sc)
429
0
{
430
    /* If we negotiated RPK, we won't try to compress it */
431
0
    return sc->ext.client_cert_type == TLSEXT_cert_type_x509
432
0
        && sc->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none;
433
0
}
434
435
/*
436
 * ossl_statem_client13_write_transition() works out what handshake state to
437
 * move to next when the TLSv1.3 client is writing messages to be sent to the
438
 * server.
439
 */
440
static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s)
441
0
{
442
0
    OSSL_STATEM *st = &s->statem;
443
444
    /*
445
     * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
446
     * TLSv1.3 yet at that point. They are handled by
447
     * ossl_statem_client_write_transition().
448
     */
449
0
    switch (st->hand_state) {
450
0
    default:
451
        /* Shouldn't happen */
452
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
453
0
        return WRITE_TRAN_ERROR;
454
455
0
    case TLS_ST_CR_CERT_REQ:
456
0
        if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
457
0
            if (do_compressed_cert(s))
458
0
                st->hand_state = TLS_ST_CW_COMP_CERT;
459
0
            else
460
0
                st->hand_state = TLS_ST_CW_CERT;
461
0
            return WRITE_TRAN_CONTINUE;
462
0
        }
463
        /*
464
         * We should only get here if we received a CertificateRequest after
465
         * we already sent close_notify
466
         */
467
0
        if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) {
468
            /* Shouldn't happen - same as default case */
469
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
470
0
            return WRITE_TRAN_ERROR;
471
0
        }
472
0
        st->hand_state = TLS_ST_OK;
473
0
        return WRITE_TRAN_CONTINUE;
474
475
0
    case TLS_ST_CR_FINISHED:
476
0
        if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
477
0
                || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
478
0
            st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
479
0
        else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
480
0
                 && s->hello_retry_request == SSL_HRR_NONE)
481
0
            st->hand_state = TLS_ST_CW_CHANGE;
482
0
        else if (s->s3.tmp.cert_req == 0)
483
0
            st->hand_state = TLS_ST_CW_FINISHED;
484
0
        else if (do_compressed_cert(s))
485
0
            st->hand_state = TLS_ST_CW_COMP_CERT;
486
0
        else
487
0
            st->hand_state = TLS_ST_CW_CERT;
488
489
0
        s->ts_msg_read = ossl_time_now();
490
0
        return WRITE_TRAN_CONTINUE;
491
492
0
    case TLS_ST_PENDING_EARLY_DATA_END:
493
0
        if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
494
0
            st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
495
0
            return WRITE_TRAN_CONTINUE;
496
0
        }
497
        /* Fall through */
498
499
0
    case TLS_ST_CW_END_OF_EARLY_DATA:
500
0
    case TLS_ST_CW_CHANGE:
501
0
        if (s->s3.tmp.cert_req == 0)
502
0
            st->hand_state = TLS_ST_CW_FINISHED;
503
0
        else if (do_compressed_cert(s))
504
0
            st->hand_state = TLS_ST_CW_COMP_CERT;
505
0
        else
506
0
            st->hand_state = TLS_ST_CW_CERT;
507
0
        return WRITE_TRAN_CONTINUE;
508
509
0
    case TLS_ST_CW_COMP_CERT:
510
0
    case TLS_ST_CW_CERT:
511
        /* If a non-empty Certificate we also send CertificateVerify */
512
0
        st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
513
0
                                                    : TLS_ST_CW_FINISHED;
514
0
        return WRITE_TRAN_CONTINUE;
515
516
0
    case TLS_ST_CW_CERT_VRFY:
517
0
        st->hand_state = TLS_ST_CW_FINISHED;
518
0
        return WRITE_TRAN_CONTINUE;
519
520
0
    case TLS_ST_CR_KEY_UPDATE:
521
0
    case TLS_ST_CW_KEY_UPDATE:
522
0
    case TLS_ST_CR_SESSION_TICKET:
523
0
    case TLS_ST_CW_FINISHED:
524
0
        st->hand_state = TLS_ST_OK;
525
0
        return WRITE_TRAN_CONTINUE;
526
527
0
    case TLS_ST_OK:
528
0
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
529
0
            st->hand_state = TLS_ST_CW_KEY_UPDATE;
530
0
            return WRITE_TRAN_CONTINUE;
531
0
        }
532
533
        /* Try to read from the server instead */
534
0
        return WRITE_TRAN_FINISHED;
535
0
    }
536
0
}
537
538
/*
539
 * ossl_statem_client_write_transition() works out what handshake state to
540
 * move to next when the client is writing messages to be sent to the server.
541
 */
542
WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s)
543
0
{
544
0
    OSSL_STATEM *st = &s->statem;
545
546
    /*
547
     * Note that immediately before/after a ClientHello we don't know what
548
     * version we are going to negotiate yet, so we don't take this branch until
549
     * later
550
     */
551
0
    if (SSL_CONNECTION_IS_TLS13(s))
552
0
        return ossl_statem_client13_write_transition(s);
553
554
0
    switch (st->hand_state) {
555
0
    default:
556
        /* Shouldn't happen */
557
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
558
0
        return WRITE_TRAN_ERROR;
559
560
0
    case TLS_ST_OK:
561
0
        if (!s->renegotiate) {
562
            /*
563
             * We haven't requested a renegotiation ourselves so we must have
564
             * received a message from the server. Better read it.
565
             */
566
0
            return WRITE_TRAN_FINISHED;
567
0
        }
568
        /* Renegotiation */
569
        /* fall thru */
570
0
    case TLS_ST_BEFORE:
571
0
        st->hand_state = TLS_ST_CW_CLNT_HELLO;
572
0
        return WRITE_TRAN_CONTINUE;
573
574
0
    case TLS_ST_CW_CLNT_HELLO:
575
0
        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
576
            /*
577
             * We are assuming this is a TLSv1.3 connection, although we haven't
578
             * actually selected a version yet.
579
             */
580
0
            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
581
0
                st->hand_state = TLS_ST_CW_CHANGE;
582
0
            else
583
0
                st->hand_state = TLS_ST_EARLY_DATA;
584
0
            return WRITE_TRAN_CONTINUE;
585
0
        }
586
        /*
587
         * No transition at the end of writing because we don't know what
588
         * we will be sent
589
         */
590
0
        s->ts_msg_write = ossl_time_now();
591
0
        return WRITE_TRAN_FINISHED;
592
593
0
    case TLS_ST_CR_SRVR_HELLO:
594
        /*
595
         * We only get here in TLSv1.3. We just received an HRR, so issue a
596
         * CCS unless middlebox compat mode is off, or we already issued one
597
         * because we did early data.
598
         */
599
0
        if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
600
0
                && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
601
0
            st->hand_state = TLS_ST_CW_CHANGE;
602
0
        else
603
0
            st->hand_state = TLS_ST_CW_CLNT_HELLO;
604
0
        return WRITE_TRAN_CONTINUE;
605
606
0
    case TLS_ST_EARLY_DATA:
607
0
        s->ts_msg_write = ossl_time_now();
608
0
        return WRITE_TRAN_FINISHED;
609
610
0
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
611
0
        st->hand_state = TLS_ST_CW_CLNT_HELLO;
612
0
        return WRITE_TRAN_CONTINUE;
613
614
0
    case TLS_ST_CR_SRVR_DONE:
615
0
        s->ts_msg_read = ossl_time_now();
616
0
        if (s->s3.tmp.cert_req)
617
0
            st->hand_state = TLS_ST_CW_CERT;
618
0
        else
619
0
            st->hand_state = TLS_ST_CW_KEY_EXCH;
620
0
        return WRITE_TRAN_CONTINUE;
621
622
0
    case TLS_ST_CW_CERT:
623
0
        st->hand_state = TLS_ST_CW_KEY_EXCH;
624
0
        return WRITE_TRAN_CONTINUE;
625
626
0
    case TLS_ST_CW_KEY_EXCH:
627
        /*
628
         * For TLS, cert_req is set to 2, so a cert chain of nothing is
629
         * sent, but no verify packet is sent
630
         */
631
        /*
632
         * XXX: For now, we do not support client authentication in ECDH
633
         * cipher suites with ECDH (rather than ECDSA) certificates. We
634
         * need to skip the certificate verify message when client's
635
         * ECDH public key is sent inside the client certificate.
636
         */
637
0
        if (s->s3.tmp.cert_req == 1) {
638
0
            st->hand_state = TLS_ST_CW_CERT_VRFY;
639
0
        } else {
640
0
            st->hand_state = TLS_ST_CW_CHANGE;
641
0
        }
642
0
        if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
643
0
            st->hand_state = TLS_ST_CW_CHANGE;
644
0
        }
645
0
        return WRITE_TRAN_CONTINUE;
646
647
0
    case TLS_ST_CW_CERT_VRFY:
648
0
        st->hand_state = TLS_ST_CW_CHANGE;
649
0
        return WRITE_TRAN_CONTINUE;
650
651
0
    case TLS_ST_CW_CHANGE:
652
0
        if (s->hello_retry_request == SSL_HRR_PENDING) {
653
0
            st->hand_state = TLS_ST_CW_CLNT_HELLO;
654
0
        } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
655
0
            st->hand_state = TLS_ST_EARLY_DATA;
656
0
        } else {
657
#if defined(OPENSSL_NO_NEXTPROTONEG)
658
            st->hand_state = TLS_ST_CW_FINISHED;
659
#else
660
0
            if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen)
661
0
                st->hand_state = TLS_ST_CW_NEXT_PROTO;
662
0
            else
663
0
                st->hand_state = TLS_ST_CW_FINISHED;
664
0
#endif
665
0
        }
666
0
        return WRITE_TRAN_CONTINUE;
667
668
0
#if !defined(OPENSSL_NO_NEXTPROTONEG)
669
0
    case TLS_ST_CW_NEXT_PROTO:
670
0
        st->hand_state = TLS_ST_CW_FINISHED;
671
0
        return WRITE_TRAN_CONTINUE;
672
0
#endif
673
674
0
    case TLS_ST_CW_FINISHED:
675
0
        if (s->hit) {
676
0
            st->hand_state = TLS_ST_OK;
677
0
            return WRITE_TRAN_CONTINUE;
678
0
        } else {
679
0
            return WRITE_TRAN_FINISHED;
680
0
        }
681
682
0
    case TLS_ST_CR_FINISHED:
683
0
        if (s->hit) {
684
0
            st->hand_state = TLS_ST_CW_CHANGE;
685
0
            return WRITE_TRAN_CONTINUE;
686
0
        } else {
687
0
            st->hand_state = TLS_ST_OK;
688
0
            return WRITE_TRAN_CONTINUE;
689
0
        }
690
691
0
    case TLS_ST_CR_HELLO_REQ:
692
        /*
693
         * If we can renegotiate now then do so, otherwise wait for a more
694
         * convenient time.
695
         */
696
0
        if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) {
697
0
            if (!tls_setup_handshake(s)) {
698
                /* SSLfatal() already called */
699
0
                return WRITE_TRAN_ERROR;
700
0
            }
701
0
            st->hand_state = TLS_ST_CW_CLNT_HELLO;
702
0
            return WRITE_TRAN_CONTINUE;
703
0
        }
704
0
        st->hand_state = TLS_ST_OK;
705
0
        return WRITE_TRAN_CONTINUE;
706
0
    }
707
0
}
708
709
/*
710
 * Perform any pre work that needs to be done prior to sending a message from
711
 * the client to the server.
712
 */
713
WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
714
0
{
715
0
    OSSL_STATEM *st = &s->statem;
716
717
0
    switch (st->hand_state) {
718
0
    default:
719
        /* No pre work to be done */
720
0
        break;
721
722
0
    case TLS_ST_CW_CLNT_HELLO:
723
0
        s->shutdown = 0;
724
0
        if (SSL_CONNECTION_IS_DTLS(s)) {
725
            /* every DTLS ClientHello resets Finished MAC */
726
0
            if (!ssl3_init_finished_mac(s)) {
727
                /* SSLfatal() already called */
728
0
                return WORK_ERROR;
729
0
            }
730
0
        } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) {
731
            /*
732
             * This must be a second ClientHello after an HRR following an
733
             * earlier rejected attempt to send early data. Since we were
734
             * previously encrypting the early data we now need to reset the
735
             * write record layer in order to write in plaintext again.
736
             */
737
0
            if (!ssl_set_new_record_layer(s,
738
0
                                          TLS_ANY_VERSION,
739
0
                                          OSSL_RECORD_DIRECTION_WRITE,
740
0
                                          OSSL_RECORD_PROTECTION_LEVEL_NONE,
741
0
                                          NULL, 0, NULL, 0, NULL, 0, NULL,  0,
742
0
                                          NULL, 0, NID_undef, NULL, NULL,
743
0
                                          NULL)) {
744
                /* SSLfatal already called */
745
0
                return WORK_ERROR;
746
0
            }
747
0
        }
748
0
        break;
749
750
0
    case TLS_ST_CW_CHANGE:
751
0
        if (SSL_CONNECTION_IS_DTLS(s)) {
752
0
            if (s->hit) {
753
                /*
754
                 * We're into the last flight so we don't retransmit these
755
                 * messages unless we need to.
756
                 */
757
0
                st->use_timer = 0;
758
0
            }
759
#ifndef OPENSSL_NO_SCTP
760
            if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) {
761
                /* Calls SSLfatal() as required */
762
                return dtls_wait_for_dry(s);
763
            }
764
#endif
765
0
        }
766
0
        break;
767
768
0
    case TLS_ST_PENDING_EARLY_DATA_END:
769
        /*
770
         * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
771
         * attempt to write early data before calling SSL_read() then we press
772
         * on with the handshake. Otherwise we pause here.
773
         */
774
0
        if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
775
0
                || s->early_data_state == SSL_EARLY_DATA_NONE)
776
0
            return WORK_FINISHED_CONTINUE;
777
        /* Fall through */
778
779
0
    case TLS_ST_EARLY_DATA:
780
0
        return tls_finish_handshake(s, wst, 0, 1);
781
782
0
    case TLS_ST_OK:
783
        /* Calls SSLfatal() as required */
784
0
        return tls_finish_handshake(s, wst, 1, 1);
785
0
    }
786
787
0
    return WORK_FINISHED_CONTINUE;
788
0
}
789
790
/*
791
 * Perform any work that needs to be done after sending a message from the
792
 * client to the server.
793
 */
794
WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst)
795
0
{
796
0
    OSSL_STATEM *st = &s->statem;
797
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
798
799
0
    s->init_num = 0;
800
801
0
    switch (st->hand_state) {
802
0
    default:
803
        /* No post work to be done */
804
0
        break;
805
806
0
    case TLS_ST_CW_CLNT_HELLO:
807
0
        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
808
0
                && s->max_early_data > 0) {
809
            /*
810
             * We haven't selected TLSv1.3 yet so we don't call the change
811
             * cipher state function associated with the SSL_METHOD. Instead
812
             * we call tls13_change_cipher_state() directly.
813
             */
814
0
            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
815
0
                if (!tls13_change_cipher_state(s,
816
0
                            SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
817
                    /* SSLfatal() already called */
818
0
                    return WORK_ERROR;
819
0
                }
820
0
            }
821
            /* else we're in compat mode so we delay flushing until after CCS */
822
0
        } else if (!statem_flush(s)) {
823
0
            return WORK_MORE_A;
824
0
        }
825
826
0
        if (SSL_CONNECTION_IS_DTLS(s)) {
827
            /* Treat the next message as the first packet */
828
0
            s->first_packet = 1;
829
0
        }
830
0
        break;
831
832
0
    case TLS_ST_CW_KEY_EXCH:
833
0
        if (tls_client_key_exchange_post_work(s) == 0) {
834
            /* SSLfatal() already called */
835
0
            return WORK_ERROR;
836
0
        }
837
0
        break;
838
839
0
    case TLS_ST_CW_CHANGE:
840
0
        if (SSL_CONNECTION_IS_TLS13(s)
841
0
            || s->hello_retry_request == SSL_HRR_PENDING)
842
0
            break;
843
0
        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
844
0
                    && s->max_early_data > 0) {
845
            /*
846
             * We haven't selected TLSv1.3 yet so we don't call the change
847
             * cipher state function associated with the SSL_METHOD. Instead
848
             * we call tls13_change_cipher_state() directly.
849
             */
850
0
            if (!tls13_change_cipher_state(s,
851
0
                        SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
852
0
                return WORK_ERROR;
853
0
            break;
854
0
        }
855
0
        s->session->cipher = s->s3.tmp.new_cipher;
856
#ifdef OPENSSL_NO_COMP
857
        s->session->compress_meth = 0;
858
#else
859
0
        if (s->s3.tmp.new_compression == NULL)
860
0
            s->session->compress_meth = 0;
861
0
        else
862
0
            s->session->compress_meth = s->s3.tmp.new_compression->id;
863
0
#endif
864
0
        if (!ssl->method->ssl3_enc->setup_key_block(s)) {
865
            /* SSLfatal() already called */
866
0
            return WORK_ERROR;
867
0
        }
868
869
0
        if (!ssl->method->ssl3_enc->change_cipher_state(s,
870
0
                                          SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
871
            /* SSLfatal() already called */
872
0
            return WORK_ERROR;
873
0
        }
874
875
#ifndef OPENSSL_NO_SCTP
876
        if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
877
            /*
878
            * Change to new shared key of SCTP-Auth, will be ignored if
879
            * no SCTP used.
880
            */
881
            BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
882
                     0, NULL);
883
        }
884
#endif
885
0
        break;
886
887
0
    case TLS_ST_CW_FINISHED:
888
#ifndef OPENSSL_NO_SCTP
889
        if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) {
890
            /*
891
             * Change to new shared key of SCTP-Auth, will be ignored if
892
             * no SCTP used.
893
             */
894
            BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
895
                     0, NULL);
896
        }
897
#endif
898
0
        if (statem_flush(s) != 1)
899
0
            return WORK_MORE_B;
900
901
0
        if (SSL_CONNECTION_IS_TLS13(s)) {
902
0
            if (!tls13_save_handshake_digest_for_pha(s)) {
903
                /* SSLfatal() already called */
904
0
                return WORK_ERROR;
905
0
            }
906
0
            if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
907
0
                if (!ssl->method->ssl3_enc->change_cipher_state(s,
908
0
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
909
                    /* SSLfatal() already called */
910
0
                    return WORK_ERROR;
911
0
                }
912
0
            }
913
0
        }
914
0
        break;
915
916
0
    case TLS_ST_CW_KEY_UPDATE:
917
0
        if (statem_flush(s) != 1)
918
0
            return WORK_MORE_A;
919
0
        if (!tls13_update_key(s, 1)) {
920
            /* SSLfatal() already called */
921
0
            return WORK_ERROR;
922
0
        }
923
0
        break;
924
0
    }
925
926
0
    return WORK_FINISHED_CONTINUE;
927
0
}
928
929
/*
930
 * Get the message construction function and message type for sending from the
931
 * client
932
 *
933
 * Valid return values are:
934
 *   1: Success
935
 *   0: Error
936
 */
937
int ossl_statem_client_construct_message(SSL_CONNECTION *s,
938
                                         confunc_f *confunc, int *mt)
939
0
{
940
0
    OSSL_STATEM *st = &s->statem;
941
942
0
    switch (st->hand_state) {
943
0
    default:
944
        /* Shouldn't happen */
945
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
946
0
        return 0;
947
948
0
    case TLS_ST_CW_CHANGE:
949
0
        if (SSL_CONNECTION_IS_DTLS(s))
950
0
            *confunc = dtls_construct_change_cipher_spec;
951
0
        else
952
0
            *confunc = tls_construct_change_cipher_spec;
953
0
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
954
0
        break;
955
956
0
    case TLS_ST_CW_CLNT_HELLO:
957
0
        *confunc = tls_construct_client_hello;
958
0
        *mt = SSL3_MT_CLIENT_HELLO;
959
0
        break;
960
961
0
    case TLS_ST_CW_END_OF_EARLY_DATA:
962
0
        *confunc = tls_construct_end_of_early_data;
963
0
        *mt = SSL3_MT_END_OF_EARLY_DATA;
964
0
        break;
965
966
0
    case TLS_ST_PENDING_EARLY_DATA_END:
967
0
        *confunc = NULL;
968
0
        *mt = SSL3_MT_DUMMY;
969
0
        break;
970
971
0
    case TLS_ST_CW_CERT:
972
0
        *confunc = tls_construct_client_certificate;
973
0
        *mt = SSL3_MT_CERTIFICATE;
974
0
        break;
975
976
#ifndef OPENSSL_NO_COMP_ALG
977
    case TLS_ST_CW_COMP_CERT:
978
        *confunc = tls_construct_client_compressed_certificate;
979
        *mt = SSL3_MT_COMPRESSED_CERTIFICATE;
980
        break;
981
#endif
982
983
0
    case TLS_ST_CW_KEY_EXCH:
984
0
        *confunc = tls_construct_client_key_exchange;
985
0
        *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
986
0
        break;
987
988
0
    case TLS_ST_CW_CERT_VRFY:
989
0
        *confunc = tls_construct_cert_verify;
990
0
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
991
0
        break;
992
993
0
#if !defined(OPENSSL_NO_NEXTPROTONEG)
994
0
    case TLS_ST_CW_NEXT_PROTO:
995
0
        *confunc = tls_construct_next_proto;
996
0
        *mt = SSL3_MT_NEXT_PROTO;
997
0
        break;
998
0
#endif
999
0
    case TLS_ST_CW_FINISHED:
1000
0
        *confunc = tls_construct_finished;
1001
0
        *mt = SSL3_MT_FINISHED;
1002
0
        break;
1003
1004
0
    case TLS_ST_CW_KEY_UPDATE:
1005
0
        *confunc = tls_construct_key_update;
1006
0
        *mt = SSL3_MT_KEY_UPDATE;
1007
0
        break;
1008
0
    }
1009
1010
0
    return 1;
1011
0
}
1012
1013
/*
1014
 * Returns the maximum allowed length for the current message that we are
1015
 * reading. Excludes the message header.
1016
 */
1017
size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s)
1018
0
{
1019
0
    OSSL_STATEM *st = &s->statem;
1020
1021
0
    switch (st->hand_state) {
1022
0
    default:
1023
        /* Shouldn't happen */
1024
0
        return 0;
1025
1026
0
    case TLS_ST_CR_SRVR_HELLO:
1027
0
        return SERVER_HELLO_MAX_LENGTH;
1028
1029
0
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1030
0
        return HELLO_VERIFY_REQUEST_MAX_LENGTH;
1031
1032
0
    case TLS_ST_CR_COMP_CERT:
1033
0
    case TLS_ST_CR_CERT:
1034
0
        return s->max_cert_list;
1035
1036
0
    case TLS_ST_CR_CERT_VRFY:
1037
0
        return CERTIFICATE_VERIFY_MAX_LENGTH;
1038
1039
0
    case TLS_ST_CR_CERT_STATUS:
1040
0
        return SSL3_RT_MAX_PLAIN_LENGTH;
1041
1042
0
    case TLS_ST_CR_KEY_EXCH:
1043
0
        return SERVER_KEY_EXCH_MAX_LENGTH;
1044
1045
0
    case TLS_ST_CR_CERT_REQ:
1046
        /*
1047
         * Set to s->max_cert_list for compatibility with previous releases. In
1048
         * practice these messages can get quite long if servers are configured
1049
         * to provide a long list of acceptable CAs
1050
         */
1051
0
        return s->max_cert_list;
1052
1053
0
    case TLS_ST_CR_SRVR_DONE:
1054
0
        return SERVER_HELLO_DONE_MAX_LENGTH;
1055
1056
0
    case TLS_ST_CR_CHANGE:
1057
0
        if (s->version == DTLS1_BAD_VER)
1058
0
            return 3;
1059
0
        return CCS_MAX_LENGTH;
1060
1061
0
    case TLS_ST_CR_SESSION_TICKET:
1062
0
        return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
1063
0
                                            : SESSION_TICKET_MAX_LENGTH_TLS12;
1064
1065
0
    case TLS_ST_CR_FINISHED:
1066
0
        return FINISHED_MAX_LENGTH;
1067
1068
0
    case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1069
0
        return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
1070
1071
0
    case TLS_ST_CR_KEY_UPDATE:
1072
0
        return KEY_UPDATE_MAX_LENGTH;
1073
0
    }
1074
0
}
1075
1076
/*
1077
 * Process a message that the client has received from the server.
1078
 */
1079
MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s,
1080
                                                      PACKET *pkt)
1081
0
{
1082
0
    OSSL_STATEM *st = &s->statem;
1083
1084
0
    switch (st->hand_state) {
1085
0
    default:
1086
        /* Shouldn't happen */
1087
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1088
0
        return MSG_PROCESS_ERROR;
1089
1090
0
    case TLS_ST_CR_SRVR_HELLO:
1091
0
        return tls_process_server_hello(s, pkt);
1092
1093
0
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1094
0
        return dtls_process_hello_verify(s, pkt);
1095
1096
0
    case TLS_ST_CR_CERT:
1097
0
        return tls_process_server_certificate(s, pkt);
1098
1099
#ifndef OPENSSL_NO_COMP_ALG
1100
    case TLS_ST_CR_COMP_CERT:
1101
        return tls_process_server_compressed_certificate(s, pkt);
1102
#endif
1103
1104
0
    case TLS_ST_CR_CERT_VRFY:
1105
0
        return tls_process_cert_verify(s, pkt);
1106
1107
0
    case TLS_ST_CR_CERT_STATUS:
1108
0
        return tls_process_cert_status(s, pkt);
1109
1110
0
    case TLS_ST_CR_KEY_EXCH:
1111
0
        return tls_process_key_exchange(s, pkt);
1112
1113
0
    case TLS_ST_CR_CERT_REQ:
1114
0
        return tls_process_certificate_request(s, pkt);
1115
1116
0
    case TLS_ST_CR_SRVR_DONE:
1117
0
        return tls_process_server_done(s, pkt);
1118
1119
0
    case TLS_ST_CR_CHANGE:
1120
0
        return tls_process_change_cipher_spec(s, pkt);
1121
1122
0
    case TLS_ST_CR_SESSION_TICKET:
1123
0
        return tls_process_new_session_ticket(s, pkt);
1124
1125
0
    case TLS_ST_CR_FINISHED:
1126
0
        return tls_process_finished(s, pkt);
1127
1128
0
    case TLS_ST_CR_HELLO_REQ:
1129
0
        return tls_process_hello_req(s, pkt);
1130
1131
0
    case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1132
0
        return tls_process_encrypted_extensions(s, pkt);
1133
1134
0
    case TLS_ST_CR_KEY_UPDATE:
1135
0
        return tls_process_key_update(s, pkt);
1136
0
    }
1137
0
}
1138
1139
/*
1140
 * Perform any further processing required following the receipt of a message
1141
 * from the server
1142
 */
1143
WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s,
1144
                                                   WORK_STATE wst)
1145
0
{
1146
0
    OSSL_STATEM *st = &s->statem;
1147
1148
0
    switch (st->hand_state) {
1149
0
    default:
1150
        /* Shouldn't happen */
1151
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1152
0
        return WORK_ERROR;
1153
1154
0
    case TLS_ST_CR_CERT:
1155
0
    case TLS_ST_CR_COMP_CERT:
1156
0
        return tls_post_process_server_certificate(s, wst);
1157
1158
0
    case TLS_ST_CR_CERT_VRFY:
1159
0
    case TLS_ST_CR_CERT_REQ:
1160
0
        return tls_prepare_client_certificate(s, wst);
1161
0
    }
1162
0
}
1163
1164
CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
1165
0
{
1166
0
    unsigned char *p;
1167
0
    size_t sess_id_len;
1168
0
    int i, protverr;
1169
0
#ifndef OPENSSL_NO_COMP
1170
0
    SSL_COMP *comp;
1171
0
#endif
1172
0
    SSL_SESSION *sess = s->session;
1173
0
    unsigned char *session_id;
1174
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1175
1176
    /* Work out what SSL/TLS/DTLS version to use */
1177
0
    protverr = ssl_set_client_hello_version(s);
1178
0
    if (protverr != 0) {
1179
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr);
1180
0
        return CON_FUNC_ERROR;
1181
0
    }
1182
1183
0
    if (sess == NULL
1184
0
            || !ssl_version_supported(s, sess->ssl_version, NULL)
1185
0
            || !SSL_SESSION_is_resumable(sess)) {
1186
0
        if (s->hello_retry_request == SSL_HRR_NONE
1187
0
                && !ssl_get_new_session(s, 0)) {
1188
            /* SSLfatal() already called */
1189
0
            return CON_FUNC_ERROR;
1190
0
        }
1191
0
    }
1192
    /* else use the pre-loaded session */
1193
1194
0
    p = s->s3.client_random;
1195
1196
    /*
1197
     * for DTLS if client_random is initialized, reuse it, we are
1198
     * required to use same upon reply to HelloVerify
1199
     */
1200
0
    if (SSL_CONNECTION_IS_DTLS(s)) {
1201
0
        size_t idx;
1202
0
        i = 1;
1203
0
        for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
1204
0
            if (p[idx]) {
1205
0
                i = 0;
1206
0
                break;
1207
0
            }
1208
0
        }
1209
0
    } else {
1210
0
        i = (s->hello_retry_request == SSL_HRR_NONE);
1211
0
    }
1212
1213
0
    if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
1214
0
                                   DOWNGRADE_NONE) <= 0) {
1215
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1216
0
        return CON_FUNC_ERROR;
1217
0
    }
1218
1219
    /*-
1220
     * version indicates the negotiated version: for example from
1221
     * an SSLv2/v3 compatible client hello). The client_version
1222
     * field is the maximum version we permit and it is also
1223
     * used in RSA encrypted premaster secrets. Some servers can
1224
     * choke if we initially report a higher version then
1225
     * renegotiate to a lower one in the premaster secret. This
1226
     * didn't happen with TLS 1.0 as most servers supported it
1227
     * but it can with TLS 1.1 or later if the server only supports
1228
     * 1.0.
1229
     *
1230
     * Possible scenario with previous logic:
1231
     *      1. Client hello indicates TLS 1.2
1232
     *      2. Server hello says TLS 1.0
1233
     *      3. RSA encrypted premaster secret uses 1.2.
1234
     *      4. Handshake proceeds using TLS 1.0.
1235
     *      5. Server sends hello request to renegotiate.
1236
     *      6. Client hello indicates TLS v1.0 as we now
1237
     *         know that is maximum server supports.
1238
     *      7. Server chokes on RSA encrypted premaster secret
1239
     *         containing version 1.0.
1240
     *
1241
     * For interoperability it should be OK to always use the
1242
     * maximum version we support in client hello and then rely
1243
     * on the checking of version to ensure the servers isn't
1244
     * being inconsistent: for example initially negotiating with
1245
     * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1246
     * client_version in client hello and not resetting it to
1247
     * the negotiated version.
1248
     *
1249
     * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1250
     * supported_versions extension for the real supported versions.
1251
     */
1252
0
    if (!WPACKET_put_bytes_u16(pkt, s->client_version)
1253
0
            || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) {
1254
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1255
0
        return CON_FUNC_ERROR;
1256
0
    }
1257
1258
    /* Session ID */
1259
0
    session_id = s->session->session_id;
1260
0
    if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
1261
0
        if (s->version == TLS1_3_VERSION
1262
0
                && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
1263
0
            sess_id_len = sizeof(s->tmp_session_id);
1264
0
            s->tmp_session_id_len = sess_id_len;
1265
0
            session_id = s->tmp_session_id;
1266
0
            if (s->hello_retry_request == SSL_HRR_NONE
1267
0
                    && RAND_bytes_ex(sctx->libctx, s->tmp_session_id,
1268
0
                                     sess_id_len, 0) <= 0) {
1269
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1270
0
                return CON_FUNC_ERROR;
1271
0
            }
1272
0
        } else {
1273
0
            sess_id_len = 0;
1274
0
        }
1275
0
    } else {
1276
0
        assert(s->session->session_id_length <= sizeof(s->session->session_id));
1277
0
        sess_id_len = s->session->session_id_length;
1278
0
        if (s->version == TLS1_3_VERSION) {
1279
0
            s->tmp_session_id_len = sess_id_len;
1280
0
            memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1281
0
        }
1282
0
    }
1283
0
    if (!WPACKET_start_sub_packet_u8(pkt)
1284
0
            || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
1285
0
                                                    sess_id_len))
1286
0
            || !WPACKET_close(pkt)) {
1287
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1288
0
        return CON_FUNC_ERROR;
1289
0
    }
1290
1291
    /* cookie stuff for DTLS */
1292
0
    if (SSL_CONNECTION_IS_DTLS(s)) {
1293
0
        if (s->d1->cookie_len > sizeof(s->d1->cookie)
1294
0
                || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
1295
0
                                          s->d1->cookie_len)) {
1296
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1297
0
            return CON_FUNC_ERROR;
1298
0
        }
1299
0
    }
1300
1301
    /* Ciphers supported */
1302
0
    if (!WPACKET_start_sub_packet_u16(pkt)) {
1303
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1304
0
        return CON_FUNC_ERROR;
1305
0
    }
1306
1307
0
    if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)),
1308
0
                                  pkt)) {
1309
        /* SSLfatal() already called */
1310
0
        return CON_FUNC_ERROR;
1311
0
    }
1312
0
    if (!WPACKET_close(pkt)) {
1313
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1314
0
        return CON_FUNC_ERROR;
1315
0
    }
1316
1317
    /* COMPRESSION */
1318
0
    if (!WPACKET_start_sub_packet_u8(pkt)) {
1319
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1320
0
        return CON_FUNC_ERROR;
1321
0
    }
1322
0
#ifndef OPENSSL_NO_COMP
1323
0
    if (ssl_allow_compression(s)
1324
0
            && sctx->comp_methods
1325
0
            && (SSL_CONNECTION_IS_DTLS(s)
1326
0
                || s->s3.tmp.max_ver < TLS1_3_VERSION)) {
1327
0
        int compnum = sk_SSL_COMP_num(sctx->comp_methods);
1328
0
        for (i = 0; i < compnum; i++) {
1329
0
            comp = sk_SSL_COMP_value(sctx->comp_methods, i);
1330
0
            if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
1331
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1332
0
                return CON_FUNC_ERROR;
1333
0
            }
1334
0
        }
1335
0
    }
1336
0
#endif
1337
    /* Add the NULL method */
1338
0
    if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
1339
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1340
0
        return CON_FUNC_ERROR;
1341
0
    }
1342
1343
    /* TLS extensions */
1344
0
    if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
1345
        /* SSLfatal() already called */
1346
0
        return CON_FUNC_ERROR;
1347
0
    }
1348
1349
0
    return CON_FUNC_SUCCESS;
1350
0
}
1351
1352
MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt)
1353
0
{
1354
0
    size_t cookie_len;
1355
0
    PACKET cookiepkt;
1356
1357
0
    if (!PACKET_forward(pkt, 2)
1358
0
        || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
1359
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1360
0
        return MSG_PROCESS_ERROR;
1361
0
    }
1362
1363
0
    cookie_len = PACKET_remaining(&cookiepkt);
1364
0
    if (cookie_len > sizeof(s->d1->cookie)) {
1365
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG);
1366
0
        return MSG_PROCESS_ERROR;
1367
0
    }
1368
1369
0
    if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1370
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1371
0
        return MSG_PROCESS_ERROR;
1372
0
    }
1373
0
    s->d1->cookie_len = cookie_len;
1374
1375
0
    return MSG_PROCESS_FINISHED_READING;
1376
0
}
1377
1378
static int set_client_ciphersuite(SSL_CONNECTION *s,
1379
                                  const unsigned char *cipherchars)
1380
0
{
1381
0
    STACK_OF(SSL_CIPHER) *sk;
1382
0
    const SSL_CIPHER *c;
1383
0
    int i;
1384
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1385
1386
0
    c = ssl_get_cipher_by_char(s, cipherchars, 0);
1387
0
    if (c == NULL) {
1388
        /* unknown cipher */
1389
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED);
1390
0
        return 0;
1391
0
    }
1392
    /*
1393
     * If it is a disabled cipher we either didn't send it in client hello,
1394
     * or it's not allowed for the selected protocol. So we return an error.
1395
     */
1396
0
    if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
1397
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1398
0
        return 0;
1399
0
    }
1400
1401
0
    sk = ssl_get_ciphers_by_id(s);
1402
0
    i = sk_SSL_CIPHER_find(sk, c);
1403
0
    if (i < 0) {
1404
        /* we did not say we would use this cipher */
1405
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1406
0
        return 0;
1407
0
    }
1408
1409
0
    if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL
1410
0
            && s->s3.tmp.new_cipher->id != c->id) {
1411
        /* ServerHello selected a different ciphersuite to that in the HRR */
1412
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1413
0
        return 0;
1414
0
    }
1415
1416
    /*
1417
     * Depending on the session caching (internal/external), the cipher
1418
     * and/or cipher_id values may not be set. Make sure that cipher_id is
1419
     * set and use it for comparison.
1420
     */
1421
0
    if (s->session->cipher != NULL)
1422
0
        s->session->cipher_id = s->session->cipher->id;
1423
0
    if (s->hit && (s->session->cipher_id != c->id)) {
1424
0
        if (SSL_CONNECTION_IS_TLS13(s)) {
1425
0
            const EVP_MD *md = ssl_md(sctx, c->algorithm2);
1426
1427
0
            if (!ossl_assert(s->session->cipher != NULL)) {
1428
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1429
0
                return 0;
1430
0
            }
1431
            /*
1432
             * In TLSv1.3 it is valid for the server to select a different
1433
             * ciphersuite as long as the hash is the same.
1434
             */
1435
0
            if (md == NULL
1436
0
                    || md != ssl_md(sctx, s->session->cipher->algorithm2)) {
1437
0
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1438
0
                         SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
1439
0
                return 0;
1440
0
            }
1441
0
        } else {
1442
            /*
1443
             * Prior to TLSv1.3 resuming a session always meant using the same
1444
             * ciphersuite.
1445
             */
1446
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1447
0
                     SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1448
0
            return 0;
1449
0
        }
1450
0
    }
1451
0
    s->s3.tmp.new_cipher = c;
1452
1453
0
    return 1;
1454
0
}
1455
1456
MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
1457
0
{
1458
0
    PACKET session_id, extpkt;
1459
0
    size_t session_id_len;
1460
0
    const unsigned char *cipherchars;
1461
0
    int hrr = 0;
1462
0
    unsigned int compression;
1463
0
    unsigned int sversion;
1464
0
    unsigned int context;
1465
0
    RAW_EXTENSION *extensions = NULL;
1466
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1467
0
#ifndef OPENSSL_NO_COMP
1468
0
    SSL_COMP *comp;
1469
0
#endif
1470
1471
0
    if (!PACKET_get_net_2(pkt, &sversion)) {
1472
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1473
0
        goto err;
1474
0
    }
1475
1476
    /* load the server random */
1477
0
    if (s->version == TLS1_3_VERSION
1478
0
            && sversion == TLS1_2_VERSION
1479
0
            && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
1480
0
            && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
1481
0
        if (s->hello_retry_request != SSL_HRR_NONE) {
1482
0
            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
1483
0
            goto err;
1484
0
        }
1485
0
        s->hello_retry_request = SSL_HRR_PENDING;
1486
        /* Tell the record layer that we know we're going to get TLSv1.3 */
1487
0
        if (!ssl_set_record_protocol_version(s, s->version)) {
1488
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1489
0
            goto err;
1490
0
        }
1491
0
        hrr = 1;
1492
0
        if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
1493
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1494
0
            goto err;
1495
0
        }
1496
0
    } else {
1497
0
        if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) {
1498
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1499
0
            goto err;
1500
0
        }
1501
0
    }
1502
1503
    /* Get the session-id. */
1504
0
    if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1505
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1506
0
        goto err;
1507
0
    }
1508
0
    session_id_len = PACKET_remaining(&session_id);
1509
0
    if (session_id_len > sizeof(s->session->session_id)
1510
0
        || session_id_len > SSL3_SESSION_ID_SIZE) {
1511
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG);
1512
0
        goto err;
1513
0
    }
1514
1515
0
    if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
1516
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1517
0
        goto err;
1518
0
    }
1519
1520
0
    if (!PACKET_get_1(pkt, &compression)) {
1521
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1522
0
        goto err;
1523
0
    }
1524
1525
    /* TLS extensions */
1526
0
    if (PACKET_remaining(pkt) == 0 && !hrr) {
1527
0
        PACKET_null_init(&extpkt);
1528
0
    } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1529
0
               || PACKET_remaining(pkt) != 0) {
1530
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1531
0
        goto err;
1532
0
    }
1533
1534
0
    if (!hrr) {
1535
0
        if (!tls_collect_extensions(s, &extpkt,
1536
0
                                    SSL_EXT_TLS1_2_SERVER_HELLO
1537
0
                                    | SSL_EXT_TLS1_3_SERVER_HELLO,
1538
0
                                    &extensions, NULL, 1)) {
1539
            /* SSLfatal() already called */
1540
0
            goto err;
1541
0
        }
1542
1543
0
        if (!ssl_choose_client_version(s, sversion, extensions)) {
1544
            /* SSLfatal() already called */
1545
0
            goto err;
1546
0
        }
1547
0
    }
1548
1549
0
    if (SSL_CONNECTION_IS_TLS13(s) || hrr) {
1550
0
        if (compression != 0) {
1551
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1552
0
                     SSL_R_INVALID_COMPRESSION_ALGORITHM);
1553
0
            goto err;
1554
0
        }
1555
1556
0
        if (session_id_len != s->tmp_session_id_len
1557
0
                || memcmp(PACKET_data(&session_id), s->tmp_session_id,
1558
0
                          session_id_len) != 0) {
1559
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID);
1560
0
            goto err;
1561
0
        }
1562
0
    }
1563
1564
0
    if (hrr) {
1565
0
        if (!set_client_ciphersuite(s, cipherchars)) {
1566
            /* SSLfatal() already called */
1567
0
            goto err;
1568
0
        }
1569
1570
0
        return tls_process_as_hello_retry_request(s, &extpkt);
1571
0
    }
1572
1573
    /*
1574
     * Now we have chosen the version we need to check again that the extensions
1575
     * are appropriate for this version.
1576
     */
1577
0
    context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
1578
0
                                         : SSL_EXT_TLS1_2_SERVER_HELLO;
1579
0
    if (!tls_validate_all_contexts(s, context, extensions)) {
1580
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1581
0
        goto err;
1582
0
    }
1583
1584
0
    s->hit = 0;
1585
1586
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
1587
        /*
1588
         * In TLSv1.3 a ServerHello message signals a key change so the end of
1589
         * the message must be on a record boundary.
1590
         */
1591
0
        if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1592
0
            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1593
0
                     SSL_R_NOT_ON_RECORD_BOUNDARY);
1594
0
            goto err;
1595
0
        }
1596
1597
        /* This will set s->hit if we are resuming */
1598
0
        if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1599
0
                                 SSL_EXT_TLS1_3_SERVER_HELLO,
1600
0
                                 extensions, NULL, 0)) {
1601
            /* SSLfatal() already called */
1602
0
            goto err;
1603
0
        }
1604
0
    } else {
1605
        /*
1606
         * Check if we can resume the session based on external pre-shared
1607
         * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1608
         * Resumption based on server-side state works with session IDs.
1609
         * Resumption based on pre-shared Protected Access Credentials (PACs)
1610
         * works by overriding the SessionTicket extension at the application
1611
         * layer, and does not send a session ID. (We do not know whether
1612
         * EAP-FAST servers would honour the session ID.) Therefore, the session
1613
         * ID alone is not a reliable indicator of session resumption, so we
1614
         * first check if we can resume, and later peek at the next handshake
1615
         * message to see if the server wants to resume.
1616
         */
1617
0
        if (s->version >= TLS1_VERSION
1618
0
                && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
1619
0
            const SSL_CIPHER *pref_cipher = NULL;
1620
            /*
1621
             * s->session->master_key_length is a size_t, but this is an int for
1622
             * backwards compat reasons
1623
             */
1624
0
            int master_key_length;
1625
1626
0
            master_key_length = sizeof(s->session->master_key);
1627
0
            if (s->ext.session_secret_cb(ssl, s->session->master_key,
1628
0
                                         &master_key_length,
1629
0
                                         NULL, &pref_cipher,
1630
0
                                         s->ext.session_secret_cb_arg)
1631
0
                     && master_key_length > 0) {
1632
0
                s->session->master_key_length = master_key_length;
1633
0
                s->session->cipher = pref_cipher ?
1634
0
                    pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
1635
0
            } else {
1636
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1637
0
                goto err;
1638
0
            }
1639
0
        }
1640
1641
0
        if (session_id_len != 0
1642
0
                && session_id_len == s->session->session_id_length
1643
0
                && memcmp(PACKET_data(&session_id), s->session->session_id,
1644
0
                          session_id_len) == 0)
1645
0
            s->hit = 1;
1646
0
    }
1647
1648
0
    if (s->hit) {
1649
0
        if (s->sid_ctx_length != s->session->sid_ctx_length
1650
0
                || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1651
            /* actually a client application bug */
1652
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1653
0
                     SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1654
0
            goto err;
1655
0
        }
1656
0
    } else {
1657
        /*
1658
         * If we were trying for session-id reuse but the server
1659
         * didn't resume, make a new SSL_SESSION.
1660
         * In the case of EAP-FAST and PAC, we do not send a session ID,
1661
         * so the PAC-based session secret is always preserved. It'll be
1662
         * overwritten if the server refuses resumption.
1663
         */
1664
0
        if (s->session->session_id_length > 0) {
1665
0
            ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
1666
0
            if (!ssl_get_new_session(s, 0)) {
1667
                /* SSLfatal() already called */
1668
0
                goto err;
1669
0
            }
1670
0
        }
1671
1672
0
        s->session->ssl_version = s->version;
1673
        /*
1674
         * In TLSv1.2 and below we save the session id we were sent so we can
1675
         * resume it later. In TLSv1.3 the session id we were sent is just an
1676
         * echo of what we originally sent in the ClientHello and should not be
1677
         * used for resumption.
1678
         */
1679
0
        if (!SSL_CONNECTION_IS_TLS13(s)) {
1680
0
            s->session->session_id_length = session_id_len;
1681
            /* session_id_len could be 0 */
1682
0
            if (session_id_len > 0)
1683
0
                memcpy(s->session->session_id, PACKET_data(&session_id),
1684
0
                       session_id_len);
1685
0
        }
1686
0
    }
1687
1688
    /* Session version and negotiated protocol version should match */
1689
0
    if (s->version != s->session->ssl_version) {
1690
0
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1691
0
                 SSL_R_SSL_SESSION_VERSION_MISMATCH);
1692
0
        goto err;
1693
0
    }
1694
    /*
1695
     * Now that we know the version, update the check to see if it's an allowed
1696
     * version.
1697
     */
1698
0
    s->s3.tmp.min_ver = s->version;
1699
0
    s->s3.tmp.max_ver = s->version;
1700
1701
0
    if (!set_client_ciphersuite(s, cipherchars)) {
1702
        /* SSLfatal() already called */
1703
0
        goto err;
1704
0
    }
1705
1706
#ifdef OPENSSL_NO_COMP
1707
    if (compression != 0) {
1708
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1709
                 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1710
        goto err;
1711
    }
1712
    /*
1713
     * If compression is disabled we'd better not try to resume a session
1714
     * using compression.
1715
     */
1716
    if (s->session->compress_meth != 0) {
1717
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
1718
        goto err;
1719
    }
1720
#else
1721
0
    if (s->hit && compression != s->session->compress_meth) {
1722
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1723
0
                 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1724
0
        goto err;
1725
0
    }
1726
0
    if (compression == 0)
1727
0
        comp = NULL;
1728
0
    else if (!ssl_allow_compression(s)) {
1729
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED);
1730
0
        goto err;
1731
0
    } else {
1732
0
        comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods,
1733
0
                              compression);
1734
0
    }
1735
1736
0
    if (compression != 0 && comp == NULL) {
1737
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1738
0
                 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1739
0
        goto err;
1740
0
    } else {
1741
0
        s->s3.tmp.new_compression = comp;
1742
0
    }
1743
0
#endif
1744
1745
0
    if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
1746
        /* SSLfatal() already called */
1747
0
        goto err;
1748
0
    }
1749
1750
#ifndef OPENSSL_NO_SCTP
1751
    if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
1752
        unsigned char sctpauthkey[64];
1753
        char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1754
        size_t labellen;
1755
1756
        /*
1757
         * Add new shared key for SCTP-Auth, will be ignored if
1758
         * no SCTP used.
1759
         */
1760
        memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1761
               sizeof(DTLS1_SCTP_AUTH_LABEL));
1762
1763
        /* Don't include the terminating zero. */
1764
        labellen = sizeof(labelbuffer) - 1;
1765
        if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
1766
            labellen += 1;
1767
1768
        if (SSL_export_keying_material(ssl, sctpauthkey,
1769
                                       sizeof(sctpauthkey),
1770
                                       labelbuffer,
1771
                                       labellen, NULL, 0, 0) <= 0) {
1772
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1773
            goto err;
1774
        }
1775
1776
        BIO_ctrl(SSL_get_wbio(ssl),
1777
                 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1778
                 sizeof(sctpauthkey), sctpauthkey);
1779
    }
1780
#endif
1781
1782
    /*
1783
     * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1784
     * we're done with this message
1785
     */
1786
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
1787
0
        if (!ssl->method->ssl3_enc->setup_key_block(s)
1788
0
                || !ssl->method->ssl3_enc->change_cipher_state(s,
1789
0
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
1790
            /* SSLfatal() already called */
1791
0
            goto err;
1792
0
        }
1793
        /*
1794
         * If we're not doing early-data and we're not going to send a dummy CCS
1795
         * (i.e. no middlebox compat mode) then we can change the write keys
1796
         * immediately. Otherwise we have to defer this until after all possible
1797
         * early data is written. We could just always defer until the last
1798
         * moment except QUIC needs it done at the same time as the read keys
1799
         * are changed. Since QUIC doesn't do TLS early data or need middlebox
1800
         * compat this doesn't cause a problem.
1801
         */
1802
0
        if (s->early_data_state == SSL_EARLY_DATA_NONE
1803
0
                && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
1804
0
                && !ssl->method->ssl3_enc->change_cipher_state(s,
1805
0
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
1806
            /* SSLfatal() already called */
1807
0
            goto err;
1808
0
        }
1809
0
    }
1810
1811
0
    OPENSSL_free(extensions);
1812
0
    return MSG_PROCESS_CONTINUE_READING;
1813
0
 err:
1814
0
    OPENSSL_free(extensions);
1815
0
    return MSG_PROCESS_ERROR;
1816
0
}
1817
1818
static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
1819
                                                             PACKET *extpkt)
1820
0
{
1821
0
    RAW_EXTENSION *extensions = NULL;
1822
1823
    /*
1824
     * If we were sending early_data then any alerts should not be sent using
1825
     * the old wrlmethod.
1826
     */
1827
0
    if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
1828
0
            && !ssl_set_new_record_layer(s,
1829
0
                                         TLS_ANY_VERSION,
1830
0
                                         OSSL_RECORD_DIRECTION_WRITE,
1831
0
                                         OSSL_RECORD_PROTECTION_LEVEL_NONE,
1832
0
                                         NULL, 0, NULL, 0, NULL, 0, NULL,  0,
1833
0
                                         NULL, 0, NID_undef, NULL, NULL, NULL)) {
1834
        /* SSLfatal already called */
1835
0
        goto err;
1836
0
    }
1837
    /* We are definitely going to be using TLSv1.3 */
1838
0
    s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION);
1839
1840
0
    if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1841
0
                                &extensions, NULL, 1)
1842
0
            || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1843
0
                                         extensions, NULL, 0, 1)) {
1844
        /* SSLfatal() already called */
1845
0
        goto err;
1846
0
    }
1847
1848
0
    OPENSSL_free(extensions);
1849
0
    extensions = NULL;
1850
1851
0
    if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) {
1852
        /*
1853
         * We didn't receive a cookie or a new key_share so the next
1854
         * ClientHello will not change
1855
         */
1856
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR);
1857
0
        goto err;
1858
0
    }
1859
1860
    /*
1861
     * Re-initialise the Transcript Hash. We're going to prepopulate it with
1862
     * a synthetic message_hash in place of ClientHello1.
1863
     */
1864
0
    if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
1865
        /* SSLfatal() already called */
1866
0
        goto err;
1867
0
    }
1868
1869
    /*
1870
     * Add this message to the Transcript Hash. Normally this is done
1871
     * automatically prior to the message processing stage. However due to the
1872
     * need to create the synthetic message hash, we defer that step until now
1873
     * for HRR messages.
1874
     */
1875
0
    if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1876
0
                                s->init_num + SSL3_HM_HEADER_LENGTH)) {
1877
        /* SSLfatal() already called */
1878
0
        goto err;
1879
0
    }
1880
1881
0
    return MSG_PROCESS_FINISHED_READING;
1882
0
 err:
1883
0
    OPENSSL_free(extensions);
1884
0
    return MSG_PROCESS_ERROR;
1885
0
}
1886
1887
MSG_PROCESS_RETURN tls_process_server_rpk(SSL_CONNECTION *sc, PACKET *pkt)
1888
0
{
1889
0
    EVP_PKEY *peer_rpk = NULL;
1890
1891
0
    if (!tls_process_rpk(sc, pkt, &peer_rpk)) {
1892
        /* SSLfatal() already called */
1893
0
        return MSG_PROCESS_ERROR;
1894
0
    }
1895
1896
0
    if (peer_rpk == NULL) {
1897
0
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_CERTIFICATE);
1898
0
        return MSG_PROCESS_ERROR;
1899
0
    }
1900
1901
0
    EVP_PKEY_free(sc->session->peer_rpk);
1902
0
    sc->session->peer_rpk = peer_rpk;
1903
1904
0
    return MSG_PROCESS_CONTINUE_PROCESSING;
1905
0
}
1906
1907
static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
1908
                                              WORK_STATE wst)
1909
0
{
1910
0
    size_t certidx;
1911
0
    const SSL_CERT_LOOKUP *clu;
1912
1913
0
    if (sc->session->peer_rpk == NULL) {
1914
0
        SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER,
1915
0
                 SSL_R_INVALID_RAW_PUBLIC_KEY);
1916
0
        return WORK_ERROR;
1917
0
    }
1918
1919
0
    if (sc->rwstate == SSL_RETRY_VERIFY)
1920
0
        sc->rwstate = SSL_NOTHING;
1921
0
    if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0
1922
0
            && sc->rwstate == SSL_RETRY_VERIFY)
1923
0
        return WORK_MORE_A;
1924
1925
0
    if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx,
1926
0
                                       SSL_CONNECTION_GET_CTX(sc))) == NULL) {
1927
0
        SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1928
0
        return WORK_ERROR;
1929
0
    }
1930
1931
    /*
1932
     * Check certificate type is consistent with ciphersuite. For TLS 1.3
1933
     * skip check since TLS 1.3 ciphersuites can be used with any certificate
1934
     * type.
1935
     */
1936
0
    if (!SSL_CONNECTION_IS_TLS13(sc)) {
1937
0
        if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) {
1938
0
            SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE);
1939
0
            return WORK_ERROR;
1940
0
        }
1941
0
    }
1942
1943
    /* Ensure there is no peer/peer_chain */
1944
0
    X509_free(sc->session->peer);
1945
0
    sc->session->peer = NULL;
1946
0
    sk_X509_pop_free(sc->session->peer_chain, X509_free);
1947
0
    sc->session->peer_chain = NULL;
1948
0
    sc->session->verify_result = sc->verify_result;
1949
1950
    /* Save the current hash state for when we receive the CertificateVerify */
1951
0
    if (SSL_CONNECTION_IS_TLS13(sc)
1952
0
            && !ssl_handshake_hash(sc, sc->cert_verify_hash,
1953
0
                                   sizeof(sc->cert_verify_hash),
1954
0
                                   &sc->cert_verify_hash_len)) {
1955
        /* SSLfatal() already called */
1956
0
        return WORK_ERROR;
1957
0
    }
1958
1959
0
    return WORK_FINISHED_CONTINUE;
1960
0
}
1961
1962
/* prepare server cert verification by setting s->session->peer_chain from pkt */
1963
MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s,
1964
                                                  PACKET *pkt)
1965
0
{
1966
0
    unsigned long cert_list_len, cert_len;
1967
0
    X509 *x = NULL;
1968
0
    const unsigned char *certstart, *certbytes;
1969
0
    size_t chainidx;
1970
0
    unsigned int context = 0;
1971
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1972
1973
0
    if (s->ext.server_cert_type == TLSEXT_cert_type_rpk)
1974
0
        return tls_process_server_rpk(s, pkt);
1975
0
    if (s->ext.server_cert_type != TLSEXT_cert_type_x509) {
1976
0
        SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE,
1977
0
                 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1978
0
        goto err;
1979
0
    }
1980
1981
0
    if ((s->session->peer_chain = sk_X509_new_null()) == NULL) {
1982
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1983
0
        goto err;
1984
0
    }
1985
1986
0
    if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1987
0
            || context != 0
1988
0
            || !PACKET_get_net_3(pkt, &cert_list_len)
1989
0
            || PACKET_remaining(pkt) != cert_list_len
1990
0
            || PACKET_remaining(pkt) == 0) {
1991
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1992
0
        goto err;
1993
0
    }
1994
0
    for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
1995
0
        if (!PACKET_get_net_3(pkt, &cert_len)
1996
0
            || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1997
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
1998
0
            goto err;
1999
0
        }
2000
2001
0
        certstart = certbytes;
2002
0
        x = X509_new_ex(sctx->libctx, sctx->propq);
2003
0
        if (x == NULL) {
2004
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2005
0
            goto err;
2006
0
        }
2007
0
        if (d2i_X509(&x, (const unsigned char **)&certbytes,
2008
0
                     cert_len) == NULL) {
2009
0
            SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB);
2010
0
            goto err;
2011
0
        }
2012
2013
0
        if (certbytes != (certstart + cert_len)) {
2014
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
2015
0
            goto err;
2016
0
        }
2017
2018
0
        if (SSL_CONNECTION_IS_TLS13(s)) {
2019
0
            RAW_EXTENSION *rawexts = NULL;
2020
0
            PACKET extensions;
2021
2022
0
            if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2023
0
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
2024
0
                goto err;
2025
0
            }
2026
0
            if (!tls_collect_extensions(s, &extensions,
2027
0
                                        SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
2028
0
                                        NULL, chainidx == 0)
2029
0
                || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
2030
0
                                             rawexts, x, chainidx,
2031
0
                                             PACKET_remaining(pkt) == 0)) {
2032
0
                OPENSSL_free(rawexts);
2033
                /* SSLfatal already called */
2034
0
                goto err;
2035
0
            }
2036
0
            OPENSSL_free(rawexts);
2037
0
        }
2038
2039
0
        if (!sk_X509_push(s->session->peer_chain, x)) {
2040
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2041
0
            goto err;
2042
0
        }
2043
0
        x = NULL;
2044
0
    }
2045
0
    return MSG_PROCESS_CONTINUE_PROCESSING;
2046
2047
0
 err:
2048
0
    X509_free(x);
2049
0
    OSSL_STACK_OF_X509_free(s->session->peer_chain);
2050
0
    s->session->peer_chain = NULL;
2051
0
    return MSG_PROCESS_ERROR;
2052
0
}
2053
2054
/*
2055
 * Verify the s->session->peer_chain and check server cert type.
2056
 * On success set s->session->peer and s->session->verify_result.
2057
 * Else the peer certificate verification callback may request retry.
2058
 */
2059
WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
2060
                                               WORK_STATE wst)
2061
0
{
2062
0
    X509 *x;
2063
0
    EVP_PKEY *pkey = NULL;
2064
0
    const SSL_CERT_LOOKUP *clu;
2065
0
    size_t certidx;
2066
0
    int i;
2067
2068
0
    if (s->ext.server_cert_type == TLSEXT_cert_type_rpk)
2069
0
        return tls_post_process_server_rpk(s, wst);
2070
2071
0
    if (s->rwstate == SSL_RETRY_VERIFY)
2072
0
        s->rwstate = SSL_NOTHING;
2073
0
    i = ssl_verify_cert_chain(s, s->session->peer_chain);
2074
0
    if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
2075
0
        return WORK_MORE_A;
2076
0
    }
2077
    /*
2078
     * The documented interface is that SSL_VERIFY_PEER should be set in order
2079
     * for client side verification of the server certificate to take place.
2080
     * However, historically the code has only checked that *any* flag is set
2081
     * to cause server verification to take place. Use of the other flags makes
2082
     * no sense in client mode. An attempt to clean up the semantics was
2083
     * reverted because at least one application *only* set
2084
     * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
2085
     * server verification to take place, after the clean up it silently did
2086
     * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
2087
     * sent to them because they are void functions. Therefore, we now use the
2088
     * (less clean) historic behaviour of performing validation if any flag is
2089
     * set. The *documented* interface remains the same.
2090
     */
2091
0
    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
2092
0
        SSLfatal(s, ssl_x509err2alert(s->verify_result),
2093
0
                 SSL_R_CERTIFICATE_VERIFY_FAILED);
2094
0
        return WORK_ERROR;
2095
0
    }
2096
0
    ERR_clear_error();          /* but we keep s->verify_result */
2097
2098
    /*
2099
     * Inconsistency alert: cert_chain does include the peer's certificate,
2100
     * which we don't include in statem_srvr.c
2101
     */
2102
0
    x = sk_X509_value(s->session->peer_chain, 0);
2103
2104
0
    pkey = X509_get0_pubkey(x);
2105
2106
0
    if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
2107
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2108
0
                 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
2109
0
        return WORK_ERROR;
2110
0
    }
2111
2112
0
    if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx,
2113
0
               SSL_CONNECTION_GET_CTX(s))) == NULL) {
2114
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
2115
0
        return WORK_ERROR;
2116
0
    }
2117
    /*
2118
     * Check certificate type is consistent with ciphersuite. For TLS 1.3
2119
     * skip check since TLS 1.3 ciphersuites can be used with any certificate
2120
     * type.
2121
     */
2122
0
    if (!SSL_CONNECTION_IS_TLS13(s)) {
2123
0
        if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
2124
0
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE);
2125
0
            return WORK_ERROR;
2126
0
        }
2127
0
    }
2128
2129
0
    X509_free(s->session->peer);
2130
0
    X509_up_ref(x);
2131
0
    s->session->peer = x;
2132
0
    s->session->verify_result = s->verify_result;
2133
    /* Ensure there is no RPK */
2134
0
    EVP_PKEY_free(s->session->peer_rpk);
2135
0
    s->session->peer_rpk = NULL;
2136
2137
    /* Save the current hash state for when we receive the CertificateVerify */
2138
0
    if (SSL_CONNECTION_IS_TLS13(s)
2139
0
            && !ssl_handshake_hash(s, s->cert_verify_hash,
2140
0
                                   sizeof(s->cert_verify_hash),
2141
0
                                   &s->cert_verify_hash_len)) {
2142
0
        /* SSLfatal() already called */;
2143
0
        return WORK_ERROR;
2144
0
    }
2145
0
    return WORK_FINISHED_CONTINUE;
2146
0
}
2147
2148
#ifndef OPENSSL_NO_COMP_ALG
2149
MSG_PROCESS_RETURN tls_process_server_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt)
2150
{
2151
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
2152
    PACKET tmppkt;
2153
    BUF_MEM *buf = BUF_MEM_new();
2154
2155
    if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR)
2156
        ret = tls_process_server_certificate(sc, &tmppkt);
2157
2158
    BUF_MEM_free(buf);
2159
    return ret;
2160
}
2161
#endif
2162
2163
static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
2164
0
{
2165
0
#ifndef OPENSSL_NO_PSK
2166
0
    PACKET psk_identity_hint;
2167
2168
    /* PSK ciphersuites are preceded by an identity hint */
2169
2170
0
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
2171
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2172
0
        return 0;
2173
0
    }
2174
2175
    /*
2176
     * Store PSK identity hint for later use, hint is used in
2177
     * tls_construct_client_key_exchange.  Assume that the maximum length of
2178
     * a PSK identity hint can be as long as the maximum length of a PSK
2179
     * identity.
2180
     */
2181
0
    if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
2182
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG);
2183
0
        return 0;
2184
0
    }
2185
2186
0
    if (PACKET_remaining(&psk_identity_hint) == 0) {
2187
0
        OPENSSL_free(s->session->psk_identity_hint);
2188
0
        s->session->psk_identity_hint = NULL;
2189
0
    } else if (!PACKET_strndup(&psk_identity_hint,
2190
0
                               &s->session->psk_identity_hint)) {
2191
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2192
0
        return 0;
2193
0
    }
2194
2195
0
    return 1;
2196
#else
2197
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2198
    return 0;
2199
#endif
2200
0
}
2201
2202
static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
2203
0
{
2204
0
#ifndef OPENSSL_NO_SRP
2205
0
    PACKET prime, generator, salt, server_pub;
2206
2207
0
    if (!PACKET_get_length_prefixed_2(pkt, &prime)
2208
0
        || !PACKET_get_length_prefixed_2(pkt, &generator)
2209
0
        || !PACKET_get_length_prefixed_1(pkt, &salt)
2210
0
        || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
2211
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2212
0
        return 0;
2213
0
    }
2214
2215
0
    if ((s->srp_ctx.N =
2216
0
         BN_bin2bn(PACKET_data(&prime),
2217
0
                   (int)PACKET_remaining(&prime), NULL)) == NULL
2218
0
        || (s->srp_ctx.g =
2219
0
            BN_bin2bn(PACKET_data(&generator),
2220
0
                      (int)PACKET_remaining(&generator), NULL)) == NULL
2221
0
        || (s->srp_ctx.s =
2222
0
            BN_bin2bn(PACKET_data(&salt),
2223
0
                      (int)PACKET_remaining(&salt), NULL)) == NULL
2224
0
        || (s->srp_ctx.B =
2225
0
            BN_bin2bn(PACKET_data(&server_pub),
2226
0
                      (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
2227
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
2228
0
        return 0;
2229
0
    }
2230
2231
0
    if (!srp_verify_server_param(s)) {
2232
        /* SSLfatal() already called */
2233
0
        return 0;
2234
0
    }
2235
2236
    /* We must check if there is a certificate */
2237
0
    if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2238
0
        *pkey = tls_get_peer_pkey(s);
2239
2240
0
    return 1;
2241
#else
2242
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2243
    return 0;
2244
#endif
2245
0
}
2246
2247
static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
2248
0
{
2249
0
    PACKET prime, generator, pub_key;
2250
0
    EVP_PKEY *peer_tmp = NULL;
2251
0
    BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
2252
0
    EVP_PKEY_CTX *pctx = NULL;
2253
0
    OSSL_PARAM *params = NULL;
2254
0
    OSSL_PARAM_BLD *tmpl = NULL;
2255
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2256
0
    int ret = 0;
2257
2258
0
    if (!PACKET_get_length_prefixed_2(pkt, &prime)
2259
0
        || !PACKET_get_length_prefixed_2(pkt, &generator)
2260
0
        || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
2261
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2262
0
        return 0;
2263
0
    }
2264
2265
0
    p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
2266
0
    g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2267
0
                  NULL);
2268
0
    bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2269
0
                          (int)PACKET_remaining(&pub_key), NULL);
2270
0
    if (p == NULL || g == NULL || bnpub_key == NULL) {
2271
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
2272
0
        goto err;
2273
0
    }
2274
2275
0
    tmpl = OSSL_PARAM_BLD_new();
2276
0
    if (tmpl == NULL
2277
0
            || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
2278
0
            || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
2279
0
            || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY,
2280
0
                                       bnpub_key)
2281
0
            || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
2282
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2283
0
        goto err;
2284
0
    }
2285
2286
0
    pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq);
2287
0
    if (pctx == NULL) {
2288
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2289
0
        goto err;
2290
0
    }
2291
0
    if (EVP_PKEY_fromdata_init(pctx) <= 0
2292
0
            || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) {
2293
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE);
2294
0
        goto err;
2295
0
    }
2296
2297
0
    EVP_PKEY_CTX_free(pctx);
2298
0
    pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, peer_tmp, sctx->propq);
2299
0
    if (pctx == NULL
2300
            /*
2301
             * EVP_PKEY_param_check() will verify that the DH params are using
2302
             * a safe prime. In this context, because we're using ephemeral DH,
2303
             * we're ok with it not being a safe prime.
2304
             * EVP_PKEY_param_check_quick() skips the safe prime check.
2305
             */
2306
0
            || EVP_PKEY_param_check_quick(pctx) != 1
2307
0
            || EVP_PKEY_public_check(pctx) != 1) {
2308
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE);
2309
0
        goto err;
2310
0
    }
2311
2312
0
    if (!ssl_security(s, SSL_SECOP_TMP_DH,
2313
0
                      EVP_PKEY_get_security_bits(peer_tmp),
2314
0
                      0, peer_tmp)) {
2315
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
2316
0
        goto err;
2317
0
    }
2318
2319
0
    s->s3.peer_tmp = peer_tmp;
2320
0
    peer_tmp = NULL;
2321
2322
    /*
2323
     * FIXME: This makes assumptions about which ciphersuites come with
2324
     * public keys. We should have a less ad-hoc way of doing this
2325
     */
2326
0
    if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2327
0
        *pkey = tls_get_peer_pkey(s);
2328
    /* else anonymous DH, so no certificate or pkey. */
2329
2330
0
    ret = 1;
2331
2332
0
 err:
2333
0
    OSSL_PARAM_BLD_free(tmpl);
2334
0
    OSSL_PARAM_free(params);
2335
0
    EVP_PKEY_free(peer_tmp);
2336
0
    EVP_PKEY_CTX_free(pctx);
2337
0
    BN_free(p);
2338
0
    BN_free(g);
2339
0
    BN_free(bnpub_key);
2340
2341
0
    return ret;
2342
0
}
2343
2344
static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
2345
0
{
2346
0
    PACKET encoded_pt;
2347
0
    unsigned int curve_type, curve_id;
2348
2349
    /*
2350
     * Extract elliptic curve parameters and the server's ephemeral ECDH
2351
     * public key. We only support named (not generic) curves and
2352
     * ECParameters in this case is just three bytes.
2353
     */
2354
0
    if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
2355
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
2356
0
        return 0;
2357
0
    }
2358
    /*
2359
     * Check curve is named curve type and one of our preferences, if not
2360
     * server has sent an invalid curve.
2361
     */
2362
0
    if (curve_type != NAMED_CURVE_TYPE
2363
0
            || !tls1_check_group_id(s, curve_id, 1)) {
2364
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
2365
0
        return 0;
2366
0
    }
2367
2368
0
    if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) {
2369
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2370
0
                 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
2371
0
        return 0;
2372
0
    }
2373
2374
0
    if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2375
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2376
0
        return 0;
2377
0
    }
2378
2379
0
    if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
2380
0
                                         PACKET_data(&encoded_pt),
2381
0
                                         PACKET_remaining(&encoded_pt)) <= 0) {
2382
0
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
2383
0
        return 0;
2384
0
    }
2385
2386
    /*
2387
     * The ECC/TLS specification does not mention the use of DSA to sign
2388
     * ECParameters in the server key exchange message. We do support RSA
2389
     * and ECDSA.
2390
     */
2391
0
    if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA)
2392
0
        *pkey = tls_get_peer_pkey(s);
2393
0
    else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA)
2394
0
        *pkey = tls_get_peer_pkey(s);
2395
    /* else anonymous ECDH, so no certificate or pkey. */
2396
2397
    /* Cache the agreed upon group in the SSL_SESSION */
2398
0
    s->session->kex_group = curve_id;
2399
0
    return 1;
2400
0
}
2401
2402
MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
2403
0
{
2404
0
    long alg_k;
2405
0
    EVP_PKEY *pkey = NULL;
2406
0
    EVP_MD_CTX *md_ctx = NULL;
2407
0
    EVP_PKEY_CTX *pctx = NULL;
2408
0
    PACKET save_param_start, signature;
2409
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2410
2411
0
    alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
2412
2413
0
    save_param_start = *pkt;
2414
2415
0
    EVP_PKEY_free(s->s3.peer_tmp);
2416
0
    s->s3.peer_tmp = NULL;
2417
2418
0
    if (alg_k & SSL_PSK) {
2419
0
        if (!tls_process_ske_psk_preamble(s, pkt)) {
2420
            /* SSLfatal() already called */
2421
0
            goto err;
2422
0
        }
2423
0
    }
2424
2425
    /* Nothing else to do for plain PSK or RSAPSK */
2426
0
    if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
2427
0
    } else if (alg_k & SSL_kSRP) {
2428
0
        if (!tls_process_ske_srp(s, pkt, &pkey)) {
2429
            /* SSLfatal() already called */
2430
0
            goto err;
2431
0
        }
2432
0
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2433
0
        if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2434
            /* SSLfatal() already called */
2435
0
            goto err;
2436
0
        }
2437
0
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2438
0
        if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2439
            /* SSLfatal() already called */
2440
0
            goto err;
2441
0
        }
2442
0
    } else if (alg_k) {
2443
0
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
2444
0
        goto err;
2445
0
    }
2446
2447
    /* if it was signed, check the signature */
2448
0
    if (pkey != NULL) {
2449
0
        PACKET params;
2450
0
        const EVP_MD *md = NULL;
2451
0
        unsigned char *tbs;
2452
0
        size_t tbslen;
2453
0
        int rv;
2454
2455
        /*
2456
         * |pkt| now points to the beginning of the signature, so the difference
2457
         * equals the length of the parameters.
2458
         */
2459
0
        if (!PACKET_get_sub_packet(&save_param_start, &params,
2460
0
                                   PACKET_remaining(&save_param_start) -
2461
0
                                   PACKET_remaining(pkt))) {
2462
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
2463
0
            goto err;
2464
0
        }
2465
2466
0
        if (SSL_USE_SIGALGS(s)) {
2467
0
            unsigned int sigalg;
2468
2469
0
            if (!PACKET_get_net_2(pkt, &sigalg)) {
2470
0
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
2471
0
                goto err;
2472
0
            }
2473
0
            if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2474
                /* SSLfatal() already called */
2475
0
                goto err;
2476
0
            }
2477
0
        } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2478
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2479
0
                     SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
2480
0
            goto err;
2481
0
        }
2482
2483
0
        if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
2484
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2485
0
                     SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
2486
0
            goto err;
2487
0
        }
2488
0
        if (SSL_USE_SIGALGS(s))
2489
0
            OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
2490
0
                        md == NULL ? "n/a" : EVP_MD_get0_name(md));
2491
2492
0
        if (!PACKET_get_length_prefixed_2(pkt, &signature)
2493
0
            || PACKET_remaining(pkt) != 0) {
2494
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2495
0
            goto err;
2496
0
        }
2497
2498
0
        md_ctx = EVP_MD_CTX_new();
2499
0
        if (md_ctx == NULL) {
2500
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2501
0
            goto err;
2502
0
        }
2503
2504
0
        if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
2505
0
                                    md == NULL ? NULL : EVP_MD_get0_name(md),
2506
0
                                    sctx->libctx, sctx->propq, pkey,
2507
0
                                    NULL) <= 0) {
2508
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2509
0
            goto err;
2510
0
        }
2511
0
        if (SSL_USE_PSS(s)) {
2512
0
            if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2513
0
                || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
2514
0
                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
2515
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2516
0
                goto err;
2517
0
            }
2518
0
        }
2519
0
        tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2520
0
                                            PACKET_remaining(&params));
2521
0
        if (tbslen == 0) {
2522
            /* SSLfatal() already called */
2523
0
            goto err;
2524
0
        }
2525
2526
0
        rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2527
0
                              PACKET_remaining(&signature), tbs, tbslen);
2528
0
        OPENSSL_free(tbs);
2529
0
        if (rv <= 0) {
2530
0
            SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
2531
0
            goto err;
2532
0
        }
2533
0
        EVP_MD_CTX_free(md_ctx);
2534
0
        md_ctx = NULL;
2535
0
    } else {
2536
        /* aNULL, aSRP or PSK do not need public keys */
2537
0
        if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
2538
0
            && !(alg_k & SSL_PSK)) {
2539
            /* Might be wrong key type, check it */
2540
0
            if (ssl3_check_cert_and_algorithm(s)) {
2541
0
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA);
2542
0
            }
2543
            /* else this shouldn't happen, SSLfatal() already called */
2544
0
            goto err;
2545
0
        }
2546
        /* still data left over */
2547
0
        if (PACKET_remaining(pkt) != 0) {
2548
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE);
2549
0
            goto err;
2550
0
        }
2551
0
    }
2552
2553
0
    return MSG_PROCESS_CONTINUE_READING;
2554
0
 err:
2555
0
    EVP_MD_CTX_free(md_ctx);
2556
0
    return MSG_PROCESS_ERROR;
2557
0
}
2558
2559
MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s,
2560
                                                   PACKET *pkt)
2561
0
{
2562
    /* Clear certificate validity flags */
2563
0
    if (s->s3.tmp.valid_flags != NULL)
2564
0
        memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t));
2565
0
    else
2566
0
        s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t));
2567
2568
    /* Give up for good if allocation didn't work */
2569
0
    if (s->s3.tmp.valid_flags == NULL)
2570
0
        return 0;
2571
2572
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
2573
0
        PACKET reqctx, extensions;
2574
0
        RAW_EXTENSION *rawexts = NULL;
2575
2576
0
        if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
2577
            /*
2578
             * We already sent close_notify. This can only happen in TLSv1.3
2579
             * post-handshake messages. We can't reasonably respond to this, so
2580
             * we just ignore it
2581
             */
2582
0
            return MSG_PROCESS_FINISHED_READING;
2583
0
        }
2584
2585
        /* Free and zero certificate types: it is not present in TLS 1.3 */
2586
0
        OPENSSL_free(s->s3.tmp.ctype);
2587
0
        s->s3.tmp.ctype = NULL;
2588
0
        s->s3.tmp.ctype_len = 0;
2589
0
        OPENSSL_free(s->pha_context);
2590
0
        s->pha_context = NULL;
2591
0
        s->pha_context_len = 0;
2592
2593
0
        if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
2594
0
            !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
2595
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2596
0
            return MSG_PROCESS_ERROR;
2597
0
        }
2598
2599
0
        if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2600
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
2601
0
            return MSG_PROCESS_ERROR;
2602
0
        }
2603
0
        if (!tls_collect_extensions(s, &extensions,
2604
0
                                    SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2605
0
                                    &rawexts, NULL, 1)
2606
0
            || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2607
0
                                         rawexts, NULL, 0, 1)) {
2608
            /* SSLfatal() already called */
2609
0
            OPENSSL_free(rawexts);
2610
0
            return MSG_PROCESS_ERROR;
2611
0
        }
2612
0
        OPENSSL_free(rawexts);
2613
0
        if (!tls1_process_sigalgs(s)) {
2614
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
2615
0
            return MSG_PROCESS_ERROR;
2616
0
        }
2617
0
    } else {
2618
0
        PACKET ctypes;
2619
2620
        /* get the certificate types */
2621
0
        if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2622
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2623
0
            return MSG_PROCESS_ERROR;
2624
0
        }
2625
2626
0
        if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
2627
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2628
0
            return MSG_PROCESS_ERROR;
2629
0
        }
2630
2631
0
        if (SSL_USE_SIGALGS(s)) {
2632
0
            PACKET sigalgs;
2633
2634
0
            if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
2635
0
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2636
0
                return MSG_PROCESS_ERROR;
2637
0
            }
2638
2639
            /*
2640
             * Despite this being for certificates, preserve compatibility
2641
             * with pre-TLS 1.3 and use the regular sigalgs field.
2642
             */
2643
0
            if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
2644
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2645
0
                         SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2646
0
                return MSG_PROCESS_ERROR;
2647
0
            }
2648
0
            if (!tls1_process_sigalgs(s)) {
2649
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
2650
0
                return MSG_PROCESS_ERROR;
2651
0
            }
2652
0
        }
2653
2654
        /* get the CA RDNs */
2655
0
        if (!parse_ca_names(s, pkt)) {
2656
            /* SSLfatal() already called */
2657
0
            return MSG_PROCESS_ERROR;
2658
0
        }
2659
0
    }
2660
2661
0
    if (PACKET_remaining(pkt) != 0) {
2662
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2663
0
        return MSG_PROCESS_ERROR;
2664
0
    }
2665
2666
    /* we should setup a certificate to return.... */
2667
0
    s->s3.tmp.cert_req = 1;
2668
2669
    /*
2670
     * In TLSv1.3 we don't prepare the client certificate yet. We wait until
2671
     * after the CertificateVerify message has been received. This is because
2672
     * in TLSv1.3 the CertificateRequest arrives before the Certificate message
2673
     * but in TLSv1.2 it is the other way around. We want to make sure that
2674
     * SSL_get1_peer_certificate() returns something sensible in
2675
     * client_cert_cb.
2676
     */
2677
0
    if (SSL_CONNECTION_IS_TLS13(s)
2678
0
        && s->post_handshake_auth != SSL_PHA_REQUESTED)
2679
0
        return MSG_PROCESS_CONTINUE_READING;
2680
2681
0
    return MSG_PROCESS_CONTINUE_PROCESSING;
2682
0
}
2683
2684
MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s,
2685
                                                  PACKET *pkt)
2686
0
{
2687
0
    unsigned int ticklen;
2688
0
    unsigned long ticket_lifetime_hint, age_add = 0;
2689
0
    unsigned int sess_len;
2690
0
    RAW_EXTENSION *exts = NULL;
2691
0
    PACKET nonce;
2692
0
    EVP_MD *sha256 = NULL;
2693
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2694
2695
0
    PACKET_null_init(&nonce);
2696
2697
0
    if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
2698
0
        || (SSL_CONNECTION_IS_TLS13(s)
2699
0
            && (!PACKET_get_net_4(pkt, &age_add)
2700
0
                || !PACKET_get_length_prefixed_1(pkt, &nonce)))
2701
0
        || !PACKET_get_net_2(pkt, &ticklen)
2702
0
        || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0
2703
0
                                          || PACKET_remaining(pkt) < ticklen)
2704
0
                                       : PACKET_remaining(pkt) != ticklen)) {
2705
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2706
0
        goto err;
2707
0
    }
2708
2709
    /*
2710
     * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2711
     * ticket. We already checked this TLSv1.3 case above, so it should never
2712
     * be 0 here in that instance
2713
     */
2714
0
    if (ticklen == 0)
2715
0
        return MSG_PROCESS_CONTINUE_READING;
2716
2717
    /*
2718
     * Sessions must be immutable once they go into the session cache. Otherwise
2719
     * we can get multi-thread problems. Therefore we don't "update" sessions,
2720
     * we replace them with a duplicate. In TLSv1.3 we need to do this every
2721
     * time a NewSessionTicket arrives because those messages arrive
2722
     * post-handshake and the session may have already gone into the session
2723
     * cache.
2724
     */
2725
0
    if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) {
2726
0
        SSL_SESSION *new_sess;
2727
2728
        /*
2729
         * We reused an existing session, so we need to replace it with a new
2730
         * one
2731
         */
2732
0
        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2733
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
2734
0
            goto err;
2735
0
        }
2736
2737
0
        if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
2738
0
                && !SSL_CONNECTION_IS_TLS13(s)) {
2739
            /*
2740
             * In TLSv1.2 and below the arrival of a new tickets signals that
2741
             * any old ticket we were using is now out of date, so we remove the
2742
             * old session from the cache. We carry on if this fails
2743
             */
2744
0
            SSL_CTX_remove_session(s->session_ctx, s->session);
2745
0
        }
2746
2747
0
        SSL_SESSION_free(s->session);
2748
0
        s->session = new_sess;
2749
0
    }
2750
2751
0
    s->session->time = ossl_time_now();
2752
0
    ssl_session_calculate_timeout(s->session);
2753
2754
0
    OPENSSL_free(s->session->ext.tick);
2755
0
    s->session->ext.tick = NULL;
2756
0
    s->session->ext.ticklen = 0;
2757
2758
0
    s->session->ext.tick = OPENSSL_malloc(ticklen);
2759
0
    if (s->session->ext.tick == NULL) {
2760
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2761
0
        goto err;
2762
0
    }
2763
0
    if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
2764
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2765
0
        goto err;
2766
0
    }
2767
2768
0
    s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2769
0
    s->session->ext.tick_age_add = age_add;
2770
0
    s->session->ext.ticklen = ticklen;
2771
2772
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
2773
0
        PACKET extpkt;
2774
2775
0
        if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2776
0
                || PACKET_remaining(pkt) != 0) {
2777
0
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2778
0
            goto err;
2779
0
        }
2780
2781
0
        if (!tls_collect_extensions(s, &extpkt,
2782
0
                                    SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts,
2783
0
                                    NULL, 1)
2784
0
                || !tls_parse_all_extensions(s,
2785
0
                                             SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
2786
0
                                             exts, NULL, 0, 1)) {
2787
            /* SSLfatal() already called */
2788
0
            goto err;
2789
0
        }
2790
0
    }
2791
2792
    /*
2793
     * There are two ways to detect a resumed ticket session. One is to set
2794
     * an appropriate session ID and then the server must return a match in
2795
     * ServerHello. This allows the normal client session ID matching to work
2796
     * and we know much earlier that the ticket has been accepted. The
2797
     * other way is to set zero length session ID when the ticket is
2798
     * presented and rely on the handshake to determine session resumption.
2799
     * We choose the former approach because this fits in with assumptions
2800
     * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
2801
     * ticket.
2802
     */
2803
0
    sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq);
2804
0
    if (sha256 == NULL) {
2805
        /* Error is already recorded */
2806
0
        SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
2807
0
        goto err;
2808
0
    }
2809
    /*
2810
     * We use sess_len here because EVP_Digest expects an int
2811
     * but s->session->session_id_length is a size_t
2812
     */
2813
0
    if (!EVP_Digest(s->session->ext.tick, ticklen,
2814
0
                    s->session->session_id, &sess_len,
2815
0
                    sha256, NULL)) {
2816
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2817
0
        goto err;
2818
0
    }
2819
0
    EVP_MD_free(sha256);
2820
0
    sha256 = NULL;
2821
0
    s->session->session_id_length = sess_len;
2822
0
    s->session->not_resumable = 0;
2823
2824
    /* This is a standalone message in TLSv1.3, so there is no more to read */
2825
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
2826
0
        const EVP_MD *md = ssl_handshake_md(s);
2827
0
        int hashleni = EVP_MD_get_size(md);
2828
0
        size_t hashlen;
2829
0
        static const unsigned char nonce_label[] = "resumption";
2830
2831
        /* Ensure cast to size_t is safe */
2832
0
        if (!ossl_assert(hashleni >= 0)) {
2833
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2834
0
            goto err;
2835
0
        }
2836
0
        hashlen = (size_t)hashleni;
2837
2838
0
        if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
2839
0
                               nonce_label,
2840
0
                               sizeof(nonce_label) - 1,
2841
0
                               PACKET_data(&nonce),
2842
0
                               PACKET_remaining(&nonce),
2843
0
                               s->session->master_key,
2844
0
                               hashlen, 1)) {
2845
            /* SSLfatal() already called */
2846
0
            goto err;
2847
0
        }
2848
0
        s->session->master_key_length = hashlen;
2849
2850
0
        OPENSSL_free(exts);
2851
0
        ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
2852
0
        return MSG_PROCESS_FINISHED_READING;
2853
0
    }
2854
2855
0
    return MSG_PROCESS_CONTINUE_READING;
2856
0
 err:
2857
0
    EVP_MD_free(sha256);
2858
0
    OPENSSL_free(exts);
2859
0
    return MSG_PROCESS_ERROR;
2860
0
}
2861
2862
/*
2863
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2864
 * parse a separate message. Returns 1 on success or 0 on failure
2865
 */
2866
int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt)
2867
0
{
2868
0
    size_t resplen;
2869
0
    unsigned int type;
2870
2871
0
    if (!PACKET_get_1(pkt, &type)
2872
0
        || type != TLSEXT_STATUSTYPE_ocsp) {
2873
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE);
2874
0
        return 0;
2875
0
    }
2876
0
    if (!PACKET_get_net_3_len(pkt, &resplen)
2877
0
        || PACKET_remaining(pkt) != resplen) {
2878
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2879
0
        return 0;
2880
0
    }
2881
0
    s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2882
0
    if (s->ext.ocsp.resp == NULL) {
2883
0
        s->ext.ocsp.resp_len = 0;
2884
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2885
0
        return 0;
2886
0
    }
2887
0
    s->ext.ocsp.resp_len = resplen;
2888
0
    if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
2889
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2890
0
        return 0;
2891
0
    }
2892
2893
0
    return 1;
2894
0
}
2895
2896
2897
MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt)
2898
0
{
2899
0
    if (!tls_process_cert_status_body(s, pkt)) {
2900
        /* SSLfatal() already called */
2901
0
        return MSG_PROCESS_ERROR;
2902
0
    }
2903
2904
0
    return MSG_PROCESS_CONTINUE_READING;
2905
0
}
2906
2907
/*
2908
 * Perform miscellaneous checks and processing after we have received the
2909
 * server's initial flight. In TLS1.3 this is after the Server Finished message.
2910
 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2911
 * on failure.
2912
 */
2913
int tls_process_initial_server_flight(SSL_CONNECTION *s)
2914
0
{
2915
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2916
2917
    /*
2918
     * at this point we check that we have the required stuff from
2919
     * the server
2920
     */
2921
0
    if (!ssl3_check_cert_and_algorithm(s)) {
2922
        /* SSLfatal() already called */
2923
0
        return 0;
2924
0
    }
2925
2926
    /*
2927
     * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2928
     * |ext.ocsp.resp_len| values will be set if we actually received a status
2929
     * message, or NULL and -1 otherwise
2930
     */
2931
0
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2932
0
            && sctx->ext.status_cb != NULL) {
2933
0
        int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
2934
0
                                      sctx->ext.status_arg);
2935
2936
0
        if (ret == 0) {
2937
0
            SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
2938
0
                     SSL_R_INVALID_STATUS_RESPONSE);
2939
0
            return 0;
2940
0
        }
2941
0
        if (ret < 0) {
2942
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2943
0
                     SSL_R_OCSP_CALLBACK_FAILURE);
2944
0
            return 0;
2945
0
        }
2946
0
    }
2947
0
#ifndef OPENSSL_NO_CT
2948
0
    if (s->ct_validation_callback != NULL) {
2949
        /* Note we validate the SCTs whether or not we abort on error */
2950
0
        if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
2951
            /* SSLfatal() already called */
2952
0
            return 0;
2953
0
        }
2954
0
    }
2955
0
#endif
2956
2957
0
    return 1;
2958
0
}
2959
2960
MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt)
2961
0
{
2962
0
    if (PACKET_remaining(pkt) > 0) {
2963
        /* should contain no data */
2964
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2965
0
        return MSG_PROCESS_ERROR;
2966
0
    }
2967
0
#ifndef OPENSSL_NO_SRP
2968
0
    if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2969
0
        if (ssl_srp_calc_a_param_intern(s) <= 0) {
2970
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
2971
0
            return MSG_PROCESS_ERROR;
2972
0
        }
2973
0
    }
2974
0
#endif
2975
2976
0
    if (!tls_process_initial_server_flight(s)) {
2977
        /* SSLfatal() already called */
2978
0
        return MSG_PROCESS_ERROR;
2979
0
    }
2980
2981
0
    return MSG_PROCESS_FINISHED_READING;
2982
0
}
2983
2984
static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt)
2985
0
{
2986
0
#ifndef OPENSSL_NO_PSK
2987
0
    int ret = 0;
2988
    /*
2989
     * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2990
     * \0-terminated identity. The last byte is for us for simulating
2991
     * strnlen.
2992
     */
2993
0
    char identity[PSK_MAX_IDENTITY_LEN + 1];
2994
0
    size_t identitylen = 0;
2995
0
    unsigned char psk[PSK_MAX_PSK_LEN];
2996
0
    unsigned char *tmppsk = NULL;
2997
0
    char *tmpidentity = NULL;
2998
0
    size_t psklen = 0;
2999
3000
0
    if (s->psk_client_callback == NULL) {
3001
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB);
3002
0
        goto err;
3003
0
    }
3004
3005
0
    memset(identity, 0, sizeof(identity));
3006
3007
0
    psklen = s->psk_client_callback(SSL_CONNECTION_GET_SSL(s),
3008
0
                                    s->session->psk_identity_hint,
3009
0
                                    identity, sizeof(identity) - 1,
3010
0
                                    psk, sizeof(psk));
3011
3012
0
    if (psklen > PSK_MAX_PSK_LEN) {
3013
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
3014
0
        psklen = PSK_MAX_PSK_LEN;   /* Avoid overrunning the array on cleanse */
3015
0
        goto err;
3016
0
    } else if (psklen == 0) {
3017
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
3018
0
        goto err;
3019
0
    }
3020
3021
0
    identitylen = strlen(identity);
3022
0
    if (identitylen > PSK_MAX_IDENTITY_LEN) {
3023
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3024
0
        goto err;
3025
0
    }
3026
3027
0
    tmppsk = OPENSSL_memdup(psk, psklen);
3028
0
    tmpidentity = OPENSSL_strdup(identity);
3029
0
    if (tmppsk == NULL || tmpidentity == NULL) {
3030
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
3031
0
        goto err;
3032
0
    }
3033
3034
0
    OPENSSL_free(s->s3.tmp.psk);
3035
0
    s->s3.tmp.psk = tmppsk;
3036
0
    s->s3.tmp.psklen = psklen;
3037
0
    tmppsk = NULL;
3038
0
    OPENSSL_free(s->session->psk_identity);
3039
0
    s->session->psk_identity = tmpidentity;
3040
0
    tmpidentity = NULL;
3041
3042
0
    if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen))  {
3043
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3044
0
        goto err;
3045
0
    }
3046
3047
0
    ret = 1;
3048
3049
0
 err:
3050
0
    OPENSSL_cleanse(psk, psklen);
3051
0
    OPENSSL_cleanse(identity, sizeof(identity));
3052
0
    OPENSSL_clear_free(tmppsk, psklen);
3053
0
    OPENSSL_clear_free(tmpidentity, identitylen);
3054
3055
0
    return ret;
3056
#else
3057
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3058
    return 0;
3059
#endif
3060
0
}
3061
3062
static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt)
3063
0
{
3064
0
    unsigned char *encdata = NULL;
3065
0
    EVP_PKEY *pkey = NULL;
3066
0
    EVP_PKEY_CTX *pctx = NULL;
3067
0
    size_t enclen;
3068
0
    unsigned char *pms = NULL;
3069
0
    size_t pmslen = 0;
3070
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3071
3072
0
    if (!received_server_cert(s)) {
3073
        /*
3074
         * We should always have a server certificate with SSL_kRSA.
3075
         */
3076
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3077
0
        return 0;
3078
0
    }
3079
3080
0
    if ((pkey = tls_get_peer_pkey(s)) == NULL) {
3081
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3082
0
        return 0;
3083
0
    }
3084
3085
0
    if (!EVP_PKEY_is_a(pkey, "RSA")) {
3086
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3087
0
        return 0;
3088
0
    }
3089
3090
0
    pmslen = SSL_MAX_MASTER_KEY_LENGTH;
3091
0
    pms = OPENSSL_malloc(pmslen);
3092
0
    if (pms == NULL) {
3093
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
3094
0
        return 0;
3095
0
    }
3096
3097
0
    pms[0] = s->client_version >> 8;
3098
0
    pms[1] = s->client_version & 0xff;
3099
0
    if (RAND_bytes_ex(sctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
3100
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB);
3101
0
        goto err;
3102
0
    }
3103
3104
    /* Fix buf for TLS and beyond */
3105
0
    if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
3106
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3107
0
        goto err;
3108
0
    }
3109
3110
0
    pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pkey, sctx->propq);
3111
0
    if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
3112
0
        || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
3113
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3114
0
        goto err;
3115
0
    }
3116
0
    if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
3117
0
            || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
3118
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT);
3119
0
        goto err;
3120
0
    }
3121
0
    EVP_PKEY_CTX_free(pctx);
3122
0
    pctx = NULL;
3123
3124
    /* Fix buf for TLS and beyond */
3125
0
    if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
3126
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3127
0
        goto err;
3128
0
    }
3129
3130
    /* Log the premaster secret, if logging is enabled. */
3131
0
    if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
3132
        /* SSLfatal() already called */
3133
0
        goto err;
3134
0
    }
3135
3136
0
    s->s3.tmp.pms = pms;
3137
0
    s->s3.tmp.pmslen = pmslen;
3138
3139
0
    return 1;
3140
0
 err:
3141
0
    OPENSSL_clear_free(pms, pmslen);
3142
0
    EVP_PKEY_CTX_free(pctx);
3143
3144
0
    return 0;
3145
0
}
3146
3147
static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt)
3148
0
{
3149
0
    EVP_PKEY *ckey = NULL, *skey = NULL;
3150
0
    unsigned char *keybytes = NULL;
3151
0
    int prime_len;
3152
0
    unsigned char *encoded_pub = NULL;
3153
0
    size_t encoded_pub_len, pad_len;
3154
0
    int ret = 0;
3155
3156
0
    skey = s->s3.peer_tmp;
3157
0
    if (skey == NULL) {
3158
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3159
0
        goto err;
3160
0
    }
3161
3162
0
    ckey = ssl_generate_pkey(s, skey);
3163
0
    if (ckey == NULL) {
3164
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3165
0
        goto err;
3166
0
    }
3167
3168
0
    if (ssl_derive(s, ckey, skey, 0) == 0) {
3169
        /* SSLfatal() already called */
3170
0
        goto err;
3171
0
    }
3172
3173
    /* send off the data */
3174
3175
    /* Generate encoding of server key */
3176
0
    encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
3177
0
    if (encoded_pub_len == 0) {
3178
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3179
0
        EVP_PKEY_free(ckey);
3180
0
        return EXT_RETURN_FAIL;
3181
0
    }
3182
3183
    /*
3184
     * For interoperability with some versions of the Microsoft TLS
3185
     * stack, we need to zero pad the DHE pub key to the same length
3186
     * as the prime.
3187
     */
3188
0
    prime_len = EVP_PKEY_get_size(ckey);
3189
0
    pad_len = prime_len - encoded_pub_len;
3190
0
    if (pad_len > 0) {
3191
0
        if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) {
3192
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3193
0
            goto err;
3194
0
        }
3195
0
        memset(keybytes, 0, pad_len);
3196
0
    }
3197
3198
0
    if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) {
3199
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3200
0
        goto err;
3201
0
    }
3202
3203
0
    ret = 1;
3204
0
 err:
3205
0
    OPENSSL_free(encoded_pub);
3206
0
    EVP_PKEY_free(ckey);
3207
0
    return ret;
3208
0
}
3209
3210
static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt)
3211
0
{
3212
0
    unsigned char *encodedPoint = NULL;
3213
0
    size_t encoded_pt_len = 0;
3214
0
    EVP_PKEY *ckey = NULL, *skey = NULL;
3215
0
    int ret = 0;
3216
3217
0
    skey = s->s3.peer_tmp;
3218
0
    if (skey == NULL) {
3219
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3220
0
        return 0;
3221
0
    }
3222
3223
0
    ckey = ssl_generate_pkey(s, skey);
3224
0
    if (ckey == NULL) {
3225
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
3226
0
        goto err;
3227
0
    }
3228
3229
0
    if (ssl_derive(s, ckey, skey, 0) == 0) {
3230
        /* SSLfatal() already called */
3231
0
        goto err;
3232
0
    }
3233
3234
    /* Generate encoding of client key */
3235
0
    encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
3236
3237
0
    if (encoded_pt_len == 0) {
3238
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
3239
0
        goto err;
3240
0
    }
3241
3242
0
    if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
3243
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3244
0
        goto err;
3245
0
    }
3246
3247
0
    ret = 1;
3248
0
 err:
3249
0
    OPENSSL_free(encodedPoint);
3250
0
    EVP_PKEY_free(ckey);
3251
0
    return ret;
3252
0
}
3253
3254
static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt)
3255
0
{
3256
0
#ifndef OPENSSL_NO_GOST
3257
    /* GOST key exchange message creation */
3258
0
    EVP_PKEY_CTX *pkey_ctx = NULL;
3259
0
    EVP_PKEY *pkey = NULL;
3260
0
    size_t msglen;
3261
0
    unsigned int md_len;
3262
0
    unsigned char shared_ukm[32], tmp[256];
3263
0
    EVP_MD_CTX *ukm_hash = NULL;
3264
0
    int dgst_nid = NID_id_GostR3411_94;
3265
0
    unsigned char *pms = NULL;
3266
0
    size_t pmslen = 0;
3267
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3268
3269
0
    if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
3270
0
        dgst_nid = NID_id_GostR3411_2012_256;
3271
3272
    /*
3273
     * Get server certificate PKEY and create ctx from it
3274
     */
3275
0
    if ((pkey = tls_get_peer_pkey(s)) == NULL) {
3276
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3277
0
                 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3278
0
        return 0;
3279
0
    }
3280
3281
0
    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx,
3282
0
                                          pkey,
3283
0
                                          sctx->propq);
3284
0
    if (pkey_ctx == NULL) {
3285
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3286
0
        return 0;
3287
0
    }
3288
    /*
3289
     * If we have send a certificate, and certificate key
3290
     * parameters match those of server certificate, use
3291
     * certificate key for key exchange
3292
     */
3293
3294
    /* Otherwise, generate ephemeral key pair */
3295
0
    pmslen = 32;
3296
0
    pms = OPENSSL_malloc(pmslen);
3297
0
    if (pms == NULL) {
3298
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
3299
0
        goto err;
3300
0
    }
3301
3302
0
    if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
3303
        /* Generate session key
3304
         */
3305
0
        || RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) {
3306
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3307
0
        goto err;
3308
0
    };
3309
    /*
3310
     * Compute shared IV and store it in algorithm-specific context
3311
     * data
3312
     */
3313
0
    ukm_hash = EVP_MD_CTX_new();
3314
0
    if (ukm_hash == NULL
3315
0
        || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
3316
0
        || EVP_DigestUpdate(ukm_hash, s->s3.client_random,
3317
0
                            SSL3_RANDOM_SIZE) <= 0
3318
0
        || EVP_DigestUpdate(ukm_hash, s->s3.server_random,
3319
0
                            SSL3_RANDOM_SIZE) <= 0
3320
0
        || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
3321
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3322
0
        goto err;
3323
0
    }
3324
0
    EVP_MD_CTX_free(ukm_hash);
3325
0
    ukm_hash = NULL;
3326
0
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3327
0
                          EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) {
3328
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3329
0
        goto err;
3330
0
    }
3331
    /* Make GOST keytransport blob message */
3332
    /*
3333
     * Encapsulate it into sequence
3334
     */
3335
0
    msglen = 255;
3336
0
    if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3337
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3338
0
        goto err;
3339
0
    }
3340
3341
0
    if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
3342
0
            || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
3343
0
            || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
3344
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3345
0
        goto err;
3346
0
    }
3347
3348
0
    EVP_PKEY_CTX_free(pkey_ctx);
3349
0
    s->s3.tmp.pms = pms;
3350
0
    s->s3.tmp.pmslen = pmslen;
3351
3352
0
    return 1;
3353
0
 err:
3354
0
    EVP_PKEY_CTX_free(pkey_ctx);
3355
0
    OPENSSL_clear_free(pms, pmslen);
3356
0
    EVP_MD_CTX_free(ukm_hash);
3357
0
    return 0;
3358
#else
3359
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3360
    return 0;
3361
#endif
3362
0
}
3363
3364
#ifndef OPENSSL_NO_GOST
3365
int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s)
3366
0
{
3367
0
    if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
3368
0
        return NID_magma_ctr;
3369
0
    else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
3370
0
        return NID_kuznyechik_ctr;
3371
3372
0
    return NID_undef;
3373
0
}
3374
3375
int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf)
3376
0
{
3377
0
    EVP_MD_CTX *hash = NULL;
3378
0
    unsigned int md_len;
3379
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3380
0
    const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256,
3381
0
                                        sctx->propq);
3382
3383
0
    if (md == NULL)
3384
0
        return 0;
3385
3386
0
    if ((hash = EVP_MD_CTX_new()) == NULL
3387
0
        || EVP_DigestInit(hash, md) <= 0
3388
0
        || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0
3389
0
        || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0
3390
0
        || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3391
0
        EVP_MD_CTX_free(hash);
3392
0
        ssl_evp_md_free(md);
3393
0
        return 0;
3394
0
    }
3395
3396
0
    EVP_MD_CTX_free(hash);
3397
0
    ssl_evp_md_free(md);
3398
0
    return 1;
3399
0
}
3400
#endif
3401
3402
static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt)
3403
0
{
3404
0
#ifndef OPENSSL_NO_GOST
3405
    /* GOST 2018 key exchange message creation */
3406
0
    unsigned char rnd_dgst[32];
3407
0
    unsigned char *encdata = NULL;
3408
0
    EVP_PKEY_CTX *pkey_ctx = NULL;
3409
0
    EVP_PKEY *pkey;
3410
0
    unsigned char *pms = NULL;
3411
0
    size_t pmslen = 0;
3412
0
    size_t msglen;
3413
0
    int cipher_nid = ossl_gost18_cke_cipher_nid(s);
3414
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
3415
3416
0
    if (cipher_nid == NID_undef) {
3417
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3418
0
        return 0;
3419
0
    }
3420
3421
0
    if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
3422
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3423
0
        goto err;
3424
0
    }
3425
3426
    /* Pre-master secret - random bytes */
3427
0
    pmslen = 32;
3428
0
    pms = OPENSSL_malloc(pmslen);
3429
0
    if (pms == NULL) {
3430
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
3431
0
        goto err;
3432
0
    }
3433
3434
0
    if (RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) {
3435
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3436
0
        goto err;
3437
0
    }
3438
3439
     /* Get server certificate PKEY and create ctx from it */
3440
0
    if ((pkey = tls_get_peer_pkey(s)) == NULL) {
3441
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3442
0
                 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3443
0
        goto err;
3444
0
    }
3445
3446
0
    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx,
3447
0
                                          pkey,
3448
0
                                          sctx->propq);
3449
0
    if (pkey_ctx == NULL) {
3450
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3451
0
        goto err;
3452
0
    }
3453
3454
0
    if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) {
3455
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3456
0
        goto err;
3457
0
    };
3458
3459
    /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
3460
0
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3461
0
                          EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
3462
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3463
0
        goto err;
3464
0
    }
3465
3466
0
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3467
0
                          EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
3468
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3469
0
        goto err;
3470
0
    }
3471
3472
0
    if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) {
3473
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3474
0
        goto err;
3475
0
    }
3476
3477
0
    if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
3478
0
            || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
3479
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3480
0
        goto err;
3481
0
    }
3482
3483
0
    EVP_PKEY_CTX_free(pkey_ctx);
3484
0
    pkey_ctx = NULL;
3485
0
    s->s3.tmp.pms = pms;
3486
0
    s->s3.tmp.pmslen = pmslen;
3487
3488
0
    return 1;
3489
0
 err:
3490
0
    EVP_PKEY_CTX_free(pkey_ctx);
3491
0
    OPENSSL_clear_free(pms, pmslen);
3492
0
    return 0;
3493
#else
3494
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3495
    return 0;
3496
#endif
3497
0
}
3498
3499
static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt)
3500
0
{
3501
0
#ifndef OPENSSL_NO_SRP
3502
0
    unsigned char *abytes = NULL;
3503
3504
0
    if (s->srp_ctx.A == NULL
3505
0
            || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
3506
0
                                               &abytes)) {
3507
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3508
0
        return 0;
3509
0
    }
3510
0
    BN_bn2bin(s->srp_ctx.A, abytes);
3511
3512
0
    OPENSSL_free(s->session->srp_username);
3513
0
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3514
0
    if (s->session->srp_username == NULL) {
3515
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
3516
0
        return 0;
3517
0
    }
3518
3519
0
    return 1;
3520
#else
3521
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3522
    return 0;
3523
#endif
3524
0
}
3525
3526
CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s,
3527
                                                  WPACKET *pkt)
3528
0
{
3529
0
    unsigned long alg_k;
3530
3531
0
    alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3532
3533
    /*
3534
     * All of the construct functions below call SSLfatal() if necessary so
3535
     * no need to do so here.
3536
     */
3537
0
    if ((alg_k & SSL_PSK)
3538
0
        && !tls_construct_cke_psk_preamble(s, pkt))
3539
0
        goto err;
3540
3541
0
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3542
0
        if (!tls_construct_cke_rsa(s, pkt))
3543
0
            goto err;
3544
0
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3545
0
        if (!tls_construct_cke_dhe(s, pkt))
3546
0
            goto err;
3547
0
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3548
0
        if (!tls_construct_cke_ecdhe(s, pkt))
3549
0
            goto err;
3550
0
    } else if (alg_k & SSL_kGOST) {
3551
0
        if (!tls_construct_cke_gost(s, pkt))
3552
0
            goto err;
3553
0
    } else if (alg_k & SSL_kGOST18) {
3554
0
        if (!tls_construct_cke_gost18(s, pkt))
3555
0
            goto err;
3556
0
    } else if (alg_k & SSL_kSRP) {
3557
0
        if (!tls_construct_cke_srp(s, pkt))
3558
0
            goto err;
3559
0
    } else if (!(alg_k & SSL_kPSK)) {
3560
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3561
0
        goto err;
3562
0
    }
3563
3564
0
    return CON_FUNC_SUCCESS;
3565
0
 err:
3566
0
    OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
3567
0
    s->s3.tmp.pms = NULL;
3568
0
    s->s3.tmp.pmslen = 0;
3569
0
#ifndef OPENSSL_NO_PSK
3570
0
    OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
3571
0
    s->s3.tmp.psk = NULL;
3572
0
    s->s3.tmp.psklen = 0;
3573
0
#endif
3574
0
    return CON_FUNC_ERROR;
3575
0
}
3576
3577
int tls_client_key_exchange_post_work(SSL_CONNECTION *s)
3578
0
{
3579
0
    unsigned char *pms = NULL;
3580
0
    size_t pmslen = 0;
3581
3582
0
    pms = s->s3.tmp.pms;
3583
0
    pmslen = s->s3.tmp.pmslen;
3584
3585
0
#ifndef OPENSSL_NO_SRP
3586
    /* Check for SRP */
3587
0
    if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
3588
0
        if (!srp_generate_client_master_secret(s)) {
3589
            /* SSLfatal() already called */
3590
0
            goto err;
3591
0
        }
3592
0
        return 1;
3593
0
    }
3594
0
#endif
3595
3596
0
    if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
3597
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT);
3598
0
        goto err;
3599
0
    }
3600
0
    if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3601
        /* SSLfatal() already called */
3602
        /* ssl_generate_master_secret frees the pms even on error */
3603
0
        pms = NULL;
3604
0
        pmslen = 0;
3605
0
        goto err;
3606
0
    }
3607
0
    pms = NULL;
3608
0
    pmslen = 0;
3609
3610
#ifndef OPENSSL_NO_SCTP
3611
    if (SSL_CONNECTION_IS_DTLS(s)) {
3612
        unsigned char sctpauthkey[64];
3613
        char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3614
        size_t labellen;
3615
        SSL *ssl = SSL_CONNECTION_GET_SSL(s);
3616
3617
        /*
3618
         * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3619
         * used.
3620
         */
3621
        memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3622
               sizeof(DTLS1_SCTP_AUTH_LABEL));
3623
3624
        /* Don't include the terminating zero. */
3625
        labellen = sizeof(labelbuffer) - 1;
3626
        if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
3627
            labellen += 1;
3628
3629
        if (SSL_export_keying_material(ssl, sctpauthkey,
3630
                                       sizeof(sctpauthkey), labelbuffer,
3631
                                       labellen, NULL, 0, 0) <= 0) {
3632
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3633
            goto err;
3634
        }
3635
3636
        BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3637
                 sizeof(sctpauthkey), sctpauthkey);
3638
    }
3639
#endif
3640
3641
0
    return 1;
3642
0
 err:
3643
0
    OPENSSL_clear_free(pms, pmslen);
3644
0
    s->s3.tmp.pms = NULL;
3645
0
    s->s3.tmp.pmslen = 0;
3646
0
    return 0;
3647
0
}
3648
3649
/*
3650
 * Check a certificate can be used for client authentication. Currently check
3651
 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3652
 * certificates can be used and optionally checks suitability for Suite B.
3653
 */
3654
static int ssl3_check_client_certificate(SSL_CONNECTION *s)
3655
0
{
3656
    /* If no suitable signature algorithm can't use certificate */
3657
0
    if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL)
3658
0
        return 0;
3659
    /*
3660
     * If strict mode check suitability of chain before using it. This also
3661
     * adjusts suite B digest if necessary.
3662
     */
3663
0
    if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3664
0
        !tls1_check_chain(s, NULL, NULL, NULL, -2))
3665
0
        return 0;
3666
0
    return 1;
3667
0
}
3668
3669
WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst)
3670
0
{
3671
0
    X509 *x509 = NULL;
3672
0
    EVP_PKEY *pkey = NULL;
3673
0
    int i;
3674
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
3675
3676
0
    if (wst == WORK_MORE_A) {
3677
        /* Let cert callback update client certificates if required */
3678
0
        if (s->cert->cert_cb) {
3679
0
            i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
3680
0
            if (i < 0) {
3681
0
                s->rwstate = SSL_X509_LOOKUP;
3682
0
                return WORK_MORE_A;
3683
0
            }
3684
0
            if (i == 0) {
3685
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
3686
0
                return WORK_ERROR;
3687
0
            }
3688
0
            s->rwstate = SSL_NOTHING;
3689
0
        }
3690
0
        if (ssl3_check_client_certificate(s)) {
3691
0
            if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3692
0
                return WORK_FINISHED_STOP;
3693
0
            }
3694
0
            return WORK_FINISHED_CONTINUE;
3695
0
        }
3696
3697
        /* Fall through to WORK_MORE_B */
3698
0
        wst = WORK_MORE_B;
3699
0
    }
3700
3701
    /* We need to get a client cert */
3702
0
    if (wst == WORK_MORE_B) {
3703
        /*
3704
         * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3705
         * return(-1); We then get retied later
3706
         */
3707
0
        i = ssl_do_client_cert_cb(s, &x509, &pkey);
3708
0
        if (i < 0) {
3709
0
            s->rwstate = SSL_X509_LOOKUP;
3710
0
            return WORK_MORE_B;
3711
0
        }
3712
0
        s->rwstate = SSL_NOTHING;
3713
0
        if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3714
0
            if (!SSL_use_certificate(ssl, x509)
3715
0
                || !SSL_use_PrivateKey(ssl, pkey))
3716
0
                i = 0;
3717
0
        } else if (i == 1) {
3718
0
            i = 0;
3719
0
            ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3720
0
        }
3721
3722
0
        X509_free(x509);
3723
0
        EVP_PKEY_free(pkey);
3724
0
        if (i && !ssl3_check_client_certificate(s))
3725
0
            i = 0;
3726
0
        if (i == 0) {
3727
0
            if (s->version == SSL3_VERSION) {
3728
0
                s->s3.tmp.cert_req = 0;
3729
0
                ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3730
0
                return WORK_FINISHED_CONTINUE;
3731
0
            } else {
3732
0
                s->s3.tmp.cert_req = 2;
3733
0
                s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
3734
0
                if (!ssl3_digest_cached_records(s, 0)) {
3735
                    /* SSLfatal() already called */
3736
0
                    return WORK_ERROR;
3737
0
                }
3738
0
            }
3739
0
        }
3740
3741
0
        if (!SSL_CONNECTION_IS_TLS13(s)
3742
0
                || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
3743
0
            s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
3744
3745
0
        if (s->post_handshake_auth == SSL_PHA_REQUESTED)
3746
0
            return WORK_FINISHED_STOP;
3747
0
        return WORK_FINISHED_CONTINUE;
3748
0
    }
3749
3750
    /* Shouldn't ever get here */
3751
0
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3752
0
    return WORK_ERROR;
3753
0
}
3754
3755
CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s,
3756
                                                 WPACKET *pkt)
3757
0
{
3758
0
    CERT_PKEY *cpk = NULL;
3759
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
3760
3761
0
    if (SSL_CONNECTION_IS_TLS13(s)) {
3762
0
        if (s->pha_context == NULL) {
3763
            /* no context available, add 0-length context */
3764
0
            if (!WPACKET_put_bytes_u8(pkt, 0)) {
3765
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3766
0
                return CON_FUNC_ERROR;
3767
0
            }
3768
0
        } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
3769
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3770
0
            return CON_FUNC_ERROR;
3771
0
        }
3772
0
    }
3773
0
    if (s->s3.tmp.cert_req != 2)
3774
0
        cpk = s->cert->key;
3775
0
    switch (s->ext.client_cert_type) {
3776
0
    case TLSEXT_cert_type_rpk:
3777
0
        if (!tls_output_rpk(s, pkt, cpk)) {
3778
            /* SSLfatal() already called */
3779
0
            return CON_FUNC_ERROR;
3780
0
        }
3781
0
        break;
3782
0
    case TLSEXT_cert_type_x509:
3783
0
        if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) {
3784
            /* SSLfatal() already called */
3785
0
            return CON_FUNC_ERROR;
3786
0
        }
3787
0
        break;
3788
0
    default:
3789
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3790
0
        return CON_FUNC_ERROR;
3791
0
    }
3792
3793
    /*
3794
     * If we attempted to write early data or we're in middlebox compat mode
3795
     * then we deferred changing the handshake write keys to the last possible
3796
     * moment. We need to do it now.
3797
     */
3798
0
    if (SSL_CONNECTION_IS_TLS13(s)
3799
0
            && SSL_IS_FIRST_HANDSHAKE(s)
3800
0
            && (s->early_data_state != SSL_EARLY_DATA_NONE
3801
0
                || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
3802
0
            && (!ssl->method->ssl3_enc->change_cipher_state(s,
3803
0
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
3804
        /*
3805
         * This is a fatal error, which leaves enc_write_ctx in an inconsistent
3806
         * state and thus ssl3_send_alert may crash.
3807
         */
3808
0
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
3809
0
        return CON_FUNC_ERROR;
3810
0
    }
3811
3812
0
    return CON_FUNC_SUCCESS;
3813
0
}
3814
3815
#ifndef OPENSSL_NO_COMP_ALG
3816
CON_FUNC_RETURN tls_construct_client_compressed_certificate(SSL_CONNECTION *sc,
3817
                                                            WPACKET *pkt)
3818
{
3819
    SSL *ssl = SSL_CONNECTION_GET_SSL(sc);
3820
    WPACKET tmppkt;
3821
    BUF_MEM *buf = NULL;
3822
    size_t length;
3823
    size_t max_length;
3824
    COMP_METHOD *method;
3825
    COMP_CTX *comp = NULL;
3826
    int comp_len;
3827
    int ret = 0;
3828
    int alg = sc->ext.compress_certificate_from_peer[0];
3829
3830
    /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */
3831
3832
    if ((buf = BUF_MEM_new()) == NULL || !WPACKET_init(&tmppkt, buf))
3833
        goto err;
3834
3835
    /* Use the |tmppkt| for the to-be-compressed data */
3836
    if (sc->pha_context == NULL) {
3837
        /* no context available, add 0-length context */
3838
        if (!WPACKET_put_bytes_u8(&tmppkt, 0))
3839
            goto err;
3840
    } else if (!WPACKET_sub_memcpy_u8(&tmppkt, sc->pha_context, sc->pha_context_len))
3841
        goto err;
3842
3843
    if (!ssl3_output_cert_chain(sc, &tmppkt, sc->cert->key, 0)) {
3844
        /* SSLfatal() already called */
3845
        goto out;
3846
    }
3847
3848
    /* continue with the real |pkt| */
3849
    if (!WPACKET_put_bytes_u16(pkt, alg)
3850
            || !WPACKET_get_total_written(&tmppkt, &length)
3851
            || !WPACKET_put_bytes_u24(pkt, length))
3852
        goto err;
3853
3854
    switch (alg) {
3855
    case TLSEXT_comp_cert_zlib:
3856
        method = COMP_zlib_oneshot();
3857
        break;
3858
    case TLSEXT_comp_cert_brotli:
3859
        method = COMP_brotli_oneshot();
3860
        break;
3861
    case TLSEXT_comp_cert_zstd:
3862
        method = COMP_zstd_oneshot();
3863
        break;
3864
    default:
3865
        goto err;
3866
    }
3867
    max_length = ossl_calculate_comp_expansion(alg, length);
3868
3869
    if ((comp = COMP_CTX_new(method)) == NULL
3870
            || !WPACKET_start_sub_packet_u24(pkt)
3871
            || !WPACKET_reserve_bytes(pkt, max_length, NULL))
3872
        goto err;
3873
3874
    comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), max_length,
3875
                                   (unsigned char *)buf->data, length);
3876
    if (comp_len <= 0)
3877
        goto err;
3878
3879
    if (!WPACKET_allocate_bytes(pkt, comp_len, NULL)
3880
            || !WPACKET_close(pkt))
3881
        goto err;
3882
3883
    /*
3884
     * If we attempted to write early data or we're in middlebox compat mode
3885
     * then we deferred changing the handshake write keys to the last possible
3886
     * moment. We need to do it now.
3887
     */
3888
    if (SSL_IS_FIRST_HANDSHAKE(sc)
3889
            && (sc->early_data_state != SSL_EARLY_DATA_NONE
3890
                || (sc->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
3891
            && (!ssl->method->ssl3_enc->change_cipher_state(sc,
3892
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
3893
        /*
3894
         * This is a fatal error, which leaves sc->enc_write_ctx in an
3895
         * inconsistent state and thus ssl3_send_alert may crash.
3896
         */
3897
        SSLfatal(sc, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
3898
        goto out;
3899
    }
3900
    ret = 1;
3901
    goto out;
3902
3903
 err:
3904
    SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3905
 out:
3906
    if (buf != NULL) {
3907
        /* If |buf| is NULL, then |tmppkt| could not have been initialized */
3908
        WPACKET_cleanup(&tmppkt);
3909
    }
3910
    BUF_MEM_free(buf);
3911
    COMP_CTX_free(comp);
3912
    return ret;
3913
}
3914
#endif
3915
3916
int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
3917
0
{
3918
0
    const SSL_CERT_LOOKUP *clu;
3919
0
    size_t idx;
3920
0
    long alg_k, alg_a;
3921
0
    EVP_PKEY *pkey;
3922
3923
0
    alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3924
0
    alg_a = s->s3.tmp.new_cipher->algorithm_auth;
3925
3926
    /* we don't have a certificate */
3927
0
    if (!(alg_a & SSL_aCERT))
3928
0
        return 1;
3929
3930
    /* This is the passed certificate */
3931
0
    pkey = tls_get_peer_pkey(s);
3932
0
    clu = ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s));
3933
3934
    /* Check certificate is recognised and suitable for cipher */
3935
0
    if (clu == NULL || (alg_a & clu->amask) == 0) {
3936
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT);
3937
0
        return 0;
3938
0
    }
3939
3940
0
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
3941
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3942
0
                 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3943
0
        return 0;
3944
0
    }
3945
3946
0
    if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) {
3947
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3948
0
        return 0;
3949
0
    }
3950
3951
    /* Early out to skip the checks below */
3952
0
    if (s->session->peer_rpk != NULL)
3953
0
        return 1;
3954
3955
0
    if (clu->amask & SSL_aECDSA) {
3956
0
        if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3957
0
            return 1;
3958
0
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT);
3959
0
        return 0;
3960
0
    }
3961
3962
0
    return 1;
3963
0
}
3964
3965
#ifndef OPENSSL_NO_NEXTPROTONEG
3966
CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt)
3967
0
{
3968
0
    size_t len, padding_len;
3969
0
    unsigned char *padding = NULL;
3970
3971
0
    len = s->ext.npn_len;
3972
0
    padding_len = 32 - ((len + 2) % 32);
3973
3974
0
    if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
3975
0
            || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
3976
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3977
0
        return CON_FUNC_ERROR;
3978
0
    }
3979
3980
0
    memset(padding, 0, padding_len);
3981
3982
0
    return CON_FUNC_SUCCESS;
3983
0
}
3984
#endif
3985
3986
MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt)
3987
0
{
3988
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
3989
3990
0
    if (PACKET_remaining(pkt) > 0) {
3991
        /* should contain no data */
3992
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
3993
0
        return MSG_PROCESS_ERROR;
3994
0
    }
3995
3996
0
    if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
3997
0
        ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
3998
0
        return MSG_PROCESS_FINISHED_READING;
3999
0
    }
4000
4001
    /*
4002
     * This is a historical discrepancy (not in the RFC) maintained for
4003
     * compatibility reasons. If a TLS client receives a HelloRequest it will
4004
     * attempt an abbreviated handshake. However if a DTLS client receives a
4005
     * HelloRequest it will do a full handshake. Either behaviour is reasonable
4006
     * but doing one for TLS and another for DTLS is odd.
4007
     */
4008
0
    if (SSL_CONNECTION_IS_DTLS(s))
4009
0
        SSL_renegotiate(ssl);
4010
0
    else
4011
0
        SSL_renegotiate_abbreviated(ssl);
4012
4013
0
    return MSG_PROCESS_FINISHED_READING;
4014
0
}
4015
4016
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
4017
                                                           PACKET *pkt)
4018
0
{
4019
0
    PACKET extensions;
4020
0
    RAW_EXTENSION *rawexts = NULL;
4021
4022
0
    if (!PACKET_as_length_prefixed_2(pkt, &extensions)
4023
0
            || PACKET_remaining(pkt) != 0) {
4024
0
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
4025
0
        goto err;
4026
0
    }
4027
4028
0
    if (!tls_collect_extensions(s, &extensions,
4029
0
                                SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
4030
0
                                NULL, 1)
4031
0
            || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
4032
0
                                         rawexts, NULL, 0, 1)) {
4033
        /* SSLfatal() already called */
4034
0
        goto err;
4035
0
    }
4036
4037
0
    OPENSSL_free(rawexts);
4038
0
    return MSG_PROCESS_CONTINUE_READING;
4039
4040
0
 err:
4041
0
    OPENSSL_free(rawexts);
4042
0
    return MSG_PROCESS_ERROR;
4043
0
}
4044
4045
int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey)
4046
0
{
4047
0
    int i = 0;
4048
0
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
4049
4050
0
#ifndef OPENSSL_NO_ENGINE
4051
0
    if (sctx->client_cert_engine) {
4052
0
        i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
4053
0
        if (i != 0)
4054
0
            return i;
4055
0
    }
4056
0
#endif
4057
0
    if (sctx->client_cert_cb)
4058
0
        i = sctx->client_cert_cb(SSL_CONNECTION_GET_SSL(s), px509, ppkey);
4059
0
    return i;
4060
0
}
4061
4062
int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
4063
                             WPACKET *pkt)
4064
0
{
4065
0
    int i;
4066
0
    size_t totlen = 0, len, maxlen, maxverok = 0;
4067
0
    int empty_reneg_info_scsv = !s->renegotiate
4068
0
                                && !SSL_CONNECTION_IS_DTLS(s)
4069
0
                                && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
4070
0
                                && s->min_proto_version <= TLS1_VERSION;
4071
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4072
4073
    /* Set disabled masks for this session */
4074
0
    if (!ssl_set_client_disabled(s)) {
4075
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE);
4076
0
        return 0;
4077
0
    }
4078
4079
0
    if (sk == NULL) {
4080
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4081
0
        return 0;
4082
0
    }
4083
4084
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
4085
# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
4086
#  error Max cipher length too short
4087
# endif
4088
    /*
4089
     * Some servers hang if client hello > 256 bytes as hack workaround
4090
     * chop number of supported ciphers to keep it well below this if we
4091
     * use TLS v1.2
4092
     */
4093
    if (TLS1_get_version(ssl) >= TLS1_2_VERSION)
4094
        maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
4095
    else
4096
#endif
4097
        /* Maximum length that can be stored in 2 bytes. Length must be even */
4098
0
        maxlen = 0xfffe;
4099
4100
0
    if (empty_reneg_info_scsv)
4101
0
        maxlen -= 2;
4102
0
    if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
4103
0
        maxlen -= 2;
4104
4105
0
    for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
4106
0
        const SSL_CIPHER *c;
4107
4108
0
        c = sk_SSL_CIPHER_value(sk, i);
4109
        /* Skip disabled ciphers */
4110
0
        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
4111
0
            continue;
4112
4113
0
        if (!ssl->method->put_cipher_by_char(c, pkt, &len)) {
4114
0
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4115
0
            return 0;
4116
0
        }
4117
4118
        /* Sanity check that the maximum version we offer has ciphers enabled */
4119
0
        if (!maxverok) {
4120
0
            int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls;
4121
0
            int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls;
4122
4123
0
            if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0
4124
0
                    && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0)
4125
0
                maxverok = 1;
4126
0
        }
4127
4128
0
        totlen += len;
4129
0
    }
4130
4131
0
    if (totlen == 0 || !maxverok) {
4132
0
        const char *maxvertext =
4133
0
            !maxverok
4134
0
            ? "No ciphers enabled for max supported SSL/TLS version"
4135
0
            : NULL;
4136
4137
0
        SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE,
4138
0
                      maxvertext);
4139
0
        return 0;
4140
0
    }
4141
4142
0
    if (totlen != 0) {
4143
0
        if (empty_reneg_info_scsv) {
4144
0
            static const SSL_CIPHER scsv = {
4145
0
                0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
4146
0
            };
4147
0
            if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) {
4148
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4149
0
                return 0;
4150
0
            }
4151
0
        }
4152
0
        if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
4153
0
            static const SSL_CIPHER scsv = {
4154
0
                0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
4155
0
            };
4156
0
            if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) {
4157
0
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4158
0
                return 0;
4159
0
            }
4160
0
        }
4161
0
    }
4162
4163
0
    return 1;
4164
0
}
4165
4166
CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt)
4167
0
{
4168
0
    if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
4169
0
            && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
4170
0
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
4171
0
        return CON_FUNC_ERROR;
4172
0
    }
4173
4174
0
    s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
4175
0
    return CON_FUNC_SUCCESS;
4176
0
}