Google Git
Sign in
flutter / third_party / openssl / 16abbd11cdc2124f12d90efffb5cd79236e72fa0 / . / ssl / statem / statem_clnt.c
blob: 432dc915b7e5b57f57e695a0c7f62c6f3e402bc7 [file] [log] [blame]
Rich Salz846e33c2016-05-17 14:18:30 -0400[diff] [blame]1/*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3 *
Rich Salz846e33c2016-05-17 14:18:30 -0400[diff] [blame]4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]8 */
Rich Salz846e33c2016-05-17 14:18:30 -0400[diff] [blame]9
Bodo Möllerea262262002-08-09 08:56:08 +0000[diff] [blame]10/* ====================================================================
11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
12 *
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]13 * Portions of the attached software ("Contribution") are developed by
Bodo Möllerea262262002-08-09 08:56:08 +0000[diff] [blame]14 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
15 *
16 * The Contribution is licensed pursuant to the OpenSSL open source
17 * license provided above.
18 *
Bodo Möllerea262262002-08-09 08:56:08 +0000[diff] [blame]19 * ECC cipher suite support in OpenSSL originally written by
20 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
21 *
22 */
Nils Larschddac1972006-03-10 23:06:27 +0000[diff] [blame]23/* ====================================================================
24 * Copyright 2005 Nokia. All rights reserved.
25 *
26 * The portions of the attached software ("Contribution") is developed by
27 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
28 * license.
29 *
30 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
31 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
32 * support (see RFC 4279) to OpenSSL.
33 *
34 * No patent licenses or other rights except those expressly stated in
35 * the OpenSSL open source license shall be deemed granted or received
36 * expressly, by implication, estoppel, or otherwise.
37 *
38 * No assurances are provided by Nokia that the Contribution does not
39 * infringe the patent or other intellectual property rights of any third
40 * party or that the license provides you with all the necessary rights
41 * to make use of the Contribution.
42 *
43 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
44 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
45 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
46 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
47 * OTHERWISE.
48 */
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]49
50#include <stdio.h>
Matt Caswell8ba708e2015-09-11 10:48:59 +0100[diff] [blame]51#include "../ssl_locl.h"
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]52#include "statem_locl.h"
Bodo Möllerec577821999-04-23 22:13:45 +0000[diff] [blame]53#include <openssl/buffer.h>
54#include <openssl/rand.h>
55#include <openssl/objects.h>
56#include <openssl/evp.h>
Ben Lauriedbad1692001-07-30 23:57:25 +0000[diff] [blame]57#include <openssl/md5.h>
Rich Salz3c272082016-03-18 14:30:20 -0400[diff] [blame]58#include <openssl/dh.h>
Geoff Thorped095b682004-05-17 18:53:47 +0000[diff] [blame]59#include <openssl/bn.h>
Rich Salz3c272082016-03-18 14:30:20 -0400[diff] [blame]60#include <openssl/engine.h>
Richard Levittef9b3bff2000-11-30 22:53:34 +0000[diff] [blame]61
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]62static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
63
Matt Caswell7ab09632015-12-23 09:45:02 +0000[diff] [blame]64static ossl_inline int cert_req_allowed(SSL *s);
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]65static int key_exchange_expected(SSL *s);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]66static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]67static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
Matt Caswellae2f7b32016-09-05 17:34:04 +0100[diff] [blame]68 WPACKET *pkt);
Bodo Möllerea262262002-08-09 08:56:08 +0000[diff] [blame]69
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]70/*
71 * Is a CertificateRequest message allowed at the moment or not?
72 *
73 * Return values are:
74 * 1: Yes
75 * 0: No
76 */
Matt Caswell7ab09632015-12-23 09:45:02 +0000[diff] [blame]77static ossl_inline int cert_req_allowed(SSL *s)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]78{
79 /* TLS does not like anon-DH with client cert */
Matt Caswellb7fa1f92015-10-26 23:11:44 +0000[diff] [blame]80 if ((s->version > SSL3_VERSION
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]81 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
82 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]83 return 0;
84
85 return 1;
86}
87
88/*
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]89 * Should we expect the ServerKeyExchange message or not?
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]90 *
91 * Return values are:
92 * 1: Yes
93 * 0: No
94 */
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]95static int key_exchange_expected(SSL *s)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]96{
97 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
98
99 /*
100 * Can't skip server key exchange if this is an ephemeral
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]101 * ciphersuite or for SRP
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]102 */
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]103 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
104 | SSL_kSRP)) {
105 return 1;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]106 }
107
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]108 return 0;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]109}
110
111/*
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]112 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]113 * handshake state transitions when a TLS1.3 client is reading messages from the
114 * server. The message type that the server has sent is provided in |mt|. The
115 * current state is in |s->statem.hand_state|.
116 *
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]117 * Return values are 1 for success (transition allowed) and 0 on error
118 * (transition not allowed)
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]119 */
120static int ossl_statem_client13_read_transition(SSL *s, int mt)
121{
122 OSSL_STATEM *st = &s->statem;
123
124 /*
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]125 * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
126 * we will update this to look more like real TLSv1.3
127 */
128
129 /*
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]130 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
131 * yet negotiated TLSv1.3 at that point so that is handled by
132 * ossl_statem_client_read_transition()
133 */
134
135 switch (st->hand_state) {
136 default:
137 break;
138
139 case TLS_ST_CR_SRVR_HELLO:
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]140 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
141 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
142 return 1;
143 }
144 break;
145
146 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]147 if (s->hit) {
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]148 if (mt == SSL3_MT_FINISHED) {
149 st->hand_state = TLS_ST_CR_FINISHED;
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]150 return 1;
151 }
152 } else {
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]153 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
154 st->hand_state = TLS_ST_CR_CERT_REQ;
155 return 1;
Matt Caswellf5ca0b02016-11-21 12:10:35 +0000[diff] [blame]156 }
157 if (mt == SSL3_MT_CERTIFICATE) {
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]158 st->hand_state = TLS_ST_CR_CERT;
159 return 1;
160 }
161 }
162 break;
163
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]164 case TLS_ST_CR_CERT_REQ:
165 if (mt == SSL3_MT_CERTIFICATE) {
166 st->hand_state = TLS_ST_CR_CERT;
167 return 1;
168 }
169 break;
170
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]171 case TLS_ST_CR_CERT:
Matt Caswell2c5dfdc2016-12-05 17:04:51 +0000[diff] [blame]172 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
173 st->hand_state = TLS_ST_CR_CERT_VRFY;
174 return 1;
175 }
176 break;
177
178 case TLS_ST_CR_CERT_VRFY:
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]179 if (mt == SSL3_MT_FINISHED) {
180 st->hand_state = TLS_ST_CR_FINISHED;
181 return 1;
182 }
183 break;
184 }
185
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]186 /* No valid transition found */
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]187 return 0;
188}
189
190/*
191 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]192 * handshake state transitions when the client is reading messages from the
193 * server. The message type that the server has sent is provided in |mt|. The
194 * current state is in |s->statem.hand_state|.
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]195 *
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]196 * Return values are 1 for success (transition allowed) and 0 on error
197 * (transition not allowed)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]198 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]199int ossl_statem_client_read_transition(SSL *s, int mt)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]200{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]201 OSSL_STATEM *st = &s->statem;
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]202 int ske_expected;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]203
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]204 /*
205 * Note that after a ClientHello we don't know what version we are going
206 * to negotiate yet, so we don't take this branch until later
207 */
Matt Caswellf5ca0b02016-11-21 12:10:35 +0000[diff] [blame]208 if (SSL_IS_TLS13(s)) {
Matt Caswell5abeaf32016-11-15 10:30:34 +0000[diff] [blame]209 if (!ossl_statem_client13_read_transition(s, mt))
210 goto err;
211 return 1;
212 }
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]213
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]214 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]215 default:
216 break;
217
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]218 case TLS_ST_CW_CLNT_HELLO:
219 if (mt == SSL3_MT_SERVER_HELLO) {
220 st->hand_state = TLS_ST_CR_SRVR_HELLO;
221 return 1;
222 }
223
224 if (SSL_IS_DTLS(s)) {
225 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
226 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
227 return 1;
228 }
229 }
230 break;
231
232 case TLS_ST_CR_SRVR_HELLO:
233 if (s->hit) {
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]234 if (s->ext.ticket_expected) {
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]235 if (mt == SSL3_MT_NEWSESSION_TICKET) {
236 st->hand_state = TLS_ST_CR_SESSION_TICKET;
237 return 1;
238 }
239 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
240 st->hand_state = TLS_ST_CR_CHANGE;
241 return 1;
242 }
243 } else {
244 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
245 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
246 return 1;
Matt Caswellad3819c2015-12-04 10:18:01 +0000[diff] [blame]247 } else if (s->version >= TLS1_VERSION
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]248 && s->ext.session_secret_cb != NULL
249 && s->session->ext.tick != NULL
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]250 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
Matt Caswellad3819c2015-12-04 10:18:01 +0000[diff] [blame]251 /*
252 * Normally, we can tell if the server is resuming the session
253 * from the session ID. EAP-FAST (RFC 4851), however, relies on
254 * the next server message after the ServerHello to determine if
255 * the server is resuming.
256 */
257 s->hit = 1;
258 st->hand_state = TLS_ST_CR_CHANGE;
259 return 1;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]260 } else if (!(s->s3->tmp.new_cipher->algorithm_auth
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]261 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]262 if (mt == SSL3_MT_CERTIFICATE) {
263 st->hand_state = TLS_ST_CR_CERT;
264 return 1;
265 }
266 } else {
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]267 ske_expected = key_exchange_expected(s);
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]268 /* SKE is optional for some PSK ciphersuites */
269 if (ske_expected
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]270 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
271 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]272 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
273 st->hand_state = TLS_ST_CR_KEY_EXCH;
274 return 1;
275 }
276 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]277 && cert_req_allowed(s)) {
278 st->hand_state = TLS_ST_CR_CERT_REQ;
279 return 1;
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]280 } else if (mt == SSL3_MT_SERVER_DONE) {
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]281 st->hand_state = TLS_ST_CR_SRVR_DONE;
282 return 1;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]283 }
284 }
285 }
286 break;
287
288 case TLS_ST_CR_CERT:
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]289 /*
290 * The CertificateStatus message is optional even if
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]291 * |ext.status_expected| is set
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]292 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]293 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]294 st->hand_state = TLS_ST_CR_CERT_STATUS;
295 return 1;
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]296 }
297 /* Fall through */
298
299 case TLS_ST_CR_CERT_STATUS:
300 ske_expected = key_exchange_expected(s);
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]301 /* SKE is optional for some PSK ciphersuites */
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]302 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
303 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]304 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
305 st->hand_state = TLS_ST_CR_KEY_EXCH;
306 return 1;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]307 }
Matt Caswell672f3332016-06-22 19:43:46 +0100[diff] [blame]308 goto err;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]309 }
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]310 /* Fall through */
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]311
312 case TLS_ST_CR_KEY_EXCH:
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]313 if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
314 if (cert_req_allowed(s)) {
315 st->hand_state = TLS_ST_CR_CERT_REQ;
316 return 1;
317 }
Matt Caswell672f3332016-06-22 19:43:46 +0100[diff] [blame]318 goto err;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]319 }
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]320 /* Fall through */
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]321
322 case TLS_ST_CR_CERT_REQ:
323 if (mt == SSL3_MT_SERVER_DONE) {
324 st->hand_state = TLS_ST_CR_SRVR_DONE;
325 return 1;
326 }
327 break;
328
329 case TLS_ST_CW_FINISHED:
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]330 if (s->ext.ticket_expected) {
David Benjaminc45d6b22016-03-05 19:35:52 -0500[diff] [blame]331 if (mt == SSL3_MT_NEWSESSION_TICKET) {
332 st->hand_state = TLS_ST_CR_SESSION_TICKET;
333 return 1;
334 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]335 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
336 st->hand_state = TLS_ST_CR_CHANGE;
337 return 1;
338 }
339 break;
340
341 case TLS_ST_CR_SESSION_TICKET:
342 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
343 st->hand_state = TLS_ST_CR_CHANGE;
344 return 1;
345 }
346 break;
347
348 case TLS_ST_CR_CHANGE:
349 if (mt == SSL3_MT_FINISHED) {
350 st->hand_state = TLS_ST_CR_FINISHED;
351 return 1;
352 }
353 break;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]354 }
355
Matt Caswell672f3332016-06-22 19:43:46 +0100[diff] [blame]356 err:
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]357 /* No valid transition found */
Matt Caswell672f3332016-06-22 19:43:46 +0100[diff] [blame]358 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
Richard Levitte340a2822016-07-19 11:50:31 +0200[diff] [blame]359 SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]360 return 0;
361}
362
363/*
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]364 * ossl_statem_client13_write_transition() works out what handshake state to
365 * move to next when the TLSv1.3 client is writing messages to be sent to the
366 * server.
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]367 */
368static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
369{
370 OSSL_STATEM *st = &s->statem;
371
372 /*
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]373 * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
374 * we will update this to look more like real TLSv1.3
375 */
376
377 /*
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]378 * Note: There are no cases for TLS_ST_BEFORE or TLS_ST_CW_CLNT_HELLO,
379 * because we haven't negotiated TLSv1.3 yet at that point. They are
380 * handled by ossl_statem_client_write_transition().
381 */
382 switch (st->hand_state) {
383 default:
384 /* Shouldn't happen */
385 return WRITE_TRAN_ERROR;
386
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]387 case TLS_ST_CR_FINISHED:
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]388 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]389 : TLS_ST_CW_FINISHED;
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]390 return WRITE_TRAN_CONTINUE;
391
392 case TLS_ST_CW_CERT:
393 /* If a non-empty Certificate we also send CertificateVerify */
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]394 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]395 : TLS_ST_CW_FINISHED;
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]396 return WRITE_TRAN_CONTINUE;
397
398 case TLS_ST_CW_CERT_VRFY:
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]399 st->hand_state = TLS_ST_CW_FINISHED;
400 return WRITE_TRAN_CONTINUE;
401
402 case TLS_ST_CW_FINISHED:
Matt Caswell94ed2c62016-11-14 14:53:31 +0000[diff] [blame]403 st->hand_state = TLS_ST_OK;
404 ossl_statem_set_in_init(s, 0);
405 return WRITE_TRAN_CONTINUE;
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]406 }
407}
408
409/*
410 * ossl_statem_client_write_transition() works out what handshake state to
411 * move to next when the client is writing messages to be sent to the server.
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]412 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]413WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]414{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]415 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]416
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]417 /*
418 * Note that immediately before/after a ClientHello we don't know what
419 * version we are going to negotiate yet, so we don't take this branch until
420 * later
421 */
Matt Caswellf5ca0b02016-11-21 12:10:35 +0000[diff] [blame]422 if (SSL_IS_TLS13(s))
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]423 return ossl_statem_client13_write_transition(s);
424
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]425 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]426 default:
427 /* Shouldn't happen */
428 return WRITE_TRAN_ERROR;
429
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]430 case TLS_ST_OK:
431 /* Renegotiation - fall through */
432 case TLS_ST_BEFORE:
433 st->hand_state = TLS_ST_CW_CLNT_HELLO;
434 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]435
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]436 case TLS_ST_CW_CLNT_HELLO:
437 /*
438 * No transition at the end of writing because we don't know what
439 * we will be sent
440 */
441 return WRITE_TRAN_FINISHED;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]442
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]443 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
444 st->hand_state = TLS_ST_CW_CLNT_HELLO;
445 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]446
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]447 case TLS_ST_CR_SRVR_DONE:
448 if (s->s3->tmp.cert_req)
449 st->hand_state = TLS_ST_CW_CERT;
450 else
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]451 st->hand_state = TLS_ST_CW_KEY_EXCH;
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]452 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]453
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]454 case TLS_ST_CW_CERT:
455 st->hand_state = TLS_ST_CW_KEY_EXCH;
456 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]457
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]458 case TLS_ST_CW_KEY_EXCH:
459 /*
460 * For TLS, cert_req is set to 2, so a cert chain of nothing is
461 * sent, but no verify packet is sent
462 */
463 /*
464 * XXX: For now, we do not support client authentication in ECDH
465 * cipher suites with ECDH (rather than ECDSA) certificates. We
466 * need to skip the certificate verify message when client's
467 * ECDH public key is sent inside the client certificate.
468 */
469 if (s->s3->tmp.cert_req == 1) {
470 st->hand_state = TLS_ST_CW_CERT_VRFY;
471 } else {
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]472 st->hand_state = TLS_ST_CW_CHANGE;
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]473 }
474 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
475 st->hand_state = TLS_ST_CW_CHANGE;
476 }
477 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]478
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]479 case TLS_ST_CW_CERT_VRFY:
480 st->hand_state = TLS_ST_CW_CHANGE;
481 return WRITE_TRAN_CONTINUE;
482
483 case TLS_ST_CW_CHANGE:
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]484#if defined(OPENSSL_NO_NEXTPROTONEG)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]485 st->hand_state = TLS_ST_CW_FINISHED;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]486#else
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]487 if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]488 st->hand_state = TLS_ST_CW_NEXT_PROTO;
489 else
490 st->hand_state = TLS_ST_CW_FINISHED;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]491#endif
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]492 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]493
494#if !defined(OPENSSL_NO_NEXTPROTONEG)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]495 case TLS_ST_CW_NEXT_PROTO:
496 st->hand_state = TLS_ST_CW_FINISHED;
497 return WRITE_TRAN_CONTINUE;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]498#endif
499
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]500 case TLS_ST_CW_FINISHED:
501 if (s->hit) {
502 st->hand_state = TLS_ST_OK;
503 ossl_statem_set_in_init(s, 0);
504 return WRITE_TRAN_CONTINUE;
505 } else {
506 return WRITE_TRAN_FINISHED;
507 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]508
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]509 case TLS_ST_CR_FINISHED:
510 if (s->hit) {
511 st->hand_state = TLS_ST_CW_CHANGE;
512 return WRITE_TRAN_CONTINUE;
513 } else {
514 st->hand_state = TLS_ST_OK;
515 ossl_statem_set_in_init(s, 0);
516 return WRITE_TRAN_CONTINUE;
517 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]518 }
519}
520
521/*
522 * Perform any pre work that needs to be done prior to sending a message from
523 * the client to the server.
524 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]525WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]526{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]527 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]528
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]529 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]530 default:
531 /* No pre work to be done */
532 break;
533
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]534 case TLS_ST_CW_CLNT_HELLO:
535 s->shutdown = 0;
536 if (SSL_IS_DTLS(s)) {
537 /* every DTLS ClientHello resets Finished MAC */
Matt Caswell2c4a0562016-06-03 11:59:19 +0100[diff] [blame]538 if (!ssl3_init_finished_mac(s)) {
539 ossl_statem_set_error(s);
540 return WORK_ERROR;
541 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]542 }
543 break;
544
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]545 case TLS_ST_CW_CHANGE:
546 if (SSL_IS_DTLS(s)) {
547 if (s->hit) {
548 /*
549 * We're into the last flight so we don't retransmit these
550 * messages unless we need to.
551 */
552 st->use_timer = 0;
553 }
554#ifndef OPENSSL_NO_SCTP
555 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
556 return dtls_wait_for_dry(s);
557#endif
558 }
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]559 break;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]560
561 case TLS_ST_OK:
562 return tls_finish_handshake(s, wst);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]563 }
564
565 return WORK_FINISHED_CONTINUE;
566}
567
568/*
569 * Perform any work that needs to be done after sending a message from the
570 * client to the server.
Matt Caswell2c5dfdc2016-12-05 17:04:51 +0000[diff] [blame]571 case TLS_ST_SR_CERT_VRFY:
572 return SSL3_RT_MAX_PLAIN_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]573 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]574WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]575{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]576 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]577
578 s->init_num = 0;
579
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]580 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]581 default:
582 /* No post work to be done */
583 break;
584
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]585 case TLS_ST_CW_CLNT_HELLO:
Matt Caswell46417562016-05-17 12:28:14 +0100[diff] [blame]586 if (wst == WORK_MORE_A && statem_flush(s) != 1)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]587 return WORK_MORE_A;
Matt Caswell46417562016-05-17 12:28:14 +0100[diff] [blame]588
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]589 if (SSL_IS_DTLS(s)) {
590 /* Treat the next message as the first packet */
591 s->first_packet = 1;
592 }
593 break;
594
595 case TLS_ST_CW_KEY_EXCH:
596 if (tls_client_key_exchange_post_work(s) == 0)
597 return WORK_ERROR;
598 break;
599
600 case TLS_ST_CW_CHANGE:
601 s->session->cipher = s->s3->tmp.new_cipher;
602#ifdef OPENSSL_NO_COMP
603 s->session->compress_meth = 0;
604#else
605 if (s->s3->tmp.new_compression == NULL)
606 s->session->compress_meth = 0;
607 else
608 s->session->compress_meth = s->s3->tmp.new_compression->id;
609#endif
610 if (!s->method->ssl3_enc->setup_key_block(s))
611 return WORK_ERROR;
612
613 if (!s->method->ssl3_enc->change_cipher_state(s,
614 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
615 return WORK_ERROR;
616
617 if (SSL_IS_DTLS(s)) {
618#ifndef OPENSSL_NO_SCTP
619 if (s->hit) {
620 /*
621 * Change to new shared key of SCTP-Auth, will be ignored if
622 * no SCTP used.
623 */
624 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
625 0, NULL);
626 }
627#endif
628
629 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
630 }
631 break;
632
633 case TLS_ST_CW_FINISHED:
634#ifndef OPENSSL_NO_SCTP
635 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
636 /*
637 * Change to new shared key of SCTP-Auth, will be ignored if
638 * no SCTP used.
639 */
640 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
641 0, NULL);
642 }
643#endif
644 if (statem_flush(s) != 1)
645 return WORK_MORE_B;
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]646
647 if (SSL_IS_TLS13(s)) {
648 if (!s->method->ssl3_enc->change_cipher_state(s,
649 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
650 return WORK_ERROR;
651 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]652 break;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]653 }
654
655 return WORK_FINISHED_CONTINUE;
656}
657
658/*
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]659 * Get the message construction function and message type for sending from the
660 * client
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]661 *
662 * Valid return values are:
663 * 1: Success
664 * 0: Error
665 */
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]666int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
Matt Caswella15c9532016-10-03 15:35:17 +0100[diff] [blame]667 confunc_f *confunc, int *mt)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]668{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]669 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]670
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]671 switch (st->hand_state) {
672 default:
673 /* Shouldn't happen */
674 return 0;
675
676 case TLS_ST_CW_CHANGE:
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]677 if (SSL_IS_DTLS(s))
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]678 *confunc = dtls_construct_change_cipher_spec;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]679 else
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]680 *confunc = tls_construct_change_cipher_spec;
681 *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]682 break;
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]683
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]684 case TLS_ST_CW_CLNT_HELLO:
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]685 *confunc = tls_construct_client_hello;
686 *mt = SSL3_MT_CLIENT_HELLO;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]687 break;
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]688
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]689 case TLS_ST_CW_CERT:
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]690 *confunc = tls_construct_client_certificate;
691 *mt = SSL3_MT_CERTIFICATE;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]692 break;
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]693
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]694 case TLS_ST_CW_KEY_EXCH:
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]695 *confunc = tls_construct_client_key_exchange;
696 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]697 break;
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]698
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]699 case TLS_ST_CW_CERT_VRFY:
Matt Caswelld8bc1392016-12-05 14:59:25 +0000[diff] [blame]700 *confunc = tls_construct_cert_verify;
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]701 *mt = SSL3_MT_CERTIFICATE_VERIFY;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]702 break;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]703
704#if !defined(OPENSSL_NO_NEXTPROTONEG)
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]705 case TLS_ST_CW_NEXT_PROTO:
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]706 *confunc = tls_construct_next_proto;
707 *mt = SSL3_MT_NEXT_PROTO;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]708 break;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]709#endif
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]710 case TLS_ST_CW_FINISHED:
Matt Caswell6392fb82016-09-30 11:17:57 +0100[diff] [blame]711 *confunc = tls_construct_finished;
712 *mt = SSL3_MT_FINISHED;
Matt Caswell4a01c592016-09-30 10:38:32 +0100[diff] [blame]713 break;
714 }
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]715
Matt Caswell5923ad42016-09-30 00:27:40 +0100[diff] [blame]716 return 1;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]717}
718
719/*
720 * Returns the maximum allowed length for the current message that we are
721 * reading. Excludes the message header.
722 */
Matt Caswelleda75752016-09-06 12:05:25 +0100[diff] [blame]723size_t ossl_statem_client_max_message_size(SSL *s)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]724{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]725 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]726
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]727 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]728 default:
729 /* Shouldn't happen */
730 return 0;
731
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]732 case TLS_ST_CR_SRVR_HELLO:
733 return SERVER_HELLO_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]734
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]735 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
736 return HELLO_VERIFY_REQUEST_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]737
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]738 case TLS_ST_CR_CERT:
739 return s->max_cert_list;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]740
Matt Caswell2c5dfdc2016-12-05 17:04:51 +0000[diff] [blame]741 case TLS_ST_CR_CERT_VRFY:
742 return SSL3_RT_MAX_PLAIN_LENGTH;
743
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]744 case TLS_ST_CR_CERT_STATUS:
745 return SSL3_RT_MAX_PLAIN_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]746
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]747 case TLS_ST_CR_KEY_EXCH:
748 return SERVER_KEY_EXCH_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]749
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]750 case TLS_ST_CR_CERT_REQ:
751 /*
752 * Set to s->max_cert_list for compatibility with previous releases. In
753 * practice these messages can get quite long if servers are configured
754 * to provide a long list of acceptable CAs
755 */
756 return s->max_cert_list;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]757
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]758 case TLS_ST_CR_SRVR_DONE:
759 return SERVER_HELLO_DONE_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]760
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]761 case TLS_ST_CR_CHANGE:
762 if (s->version == DTLS1_BAD_VER)
763 return 3;
764 return CCS_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]765
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]766 case TLS_ST_CR_SESSION_TICKET:
767 return SSL3_RT_MAX_PLAIN_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]768
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]769 case TLS_ST_CR_FINISHED:
770 return FINISHED_MAX_LENGTH;
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]771
772 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
773 return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]774 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]775}
776
777/*
778 * Process a message that the client has been received from the server.
779 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]780MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]781{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]782 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]783
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]784 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]785 default:
786 /* Shouldn't happen */
787 return MSG_PROCESS_ERROR;
788
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]789 case TLS_ST_CR_SRVR_HELLO:
790 return tls_process_server_hello(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]791
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]792 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
793 return dtls_process_hello_verify(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]794
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]795 case TLS_ST_CR_CERT:
796 return tls_process_server_certificate(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]797
Matt Caswell2c5dfdc2016-12-05 17:04:51 +0000[diff] [blame]798 case TLS_ST_CR_CERT_VRFY:
799 return tls_process_cert_verify(s, pkt);
800
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]801 case TLS_ST_CR_CERT_STATUS:
802 return tls_process_cert_status(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]803
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]804 case TLS_ST_CR_KEY_EXCH:
805 return tls_process_key_exchange(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]806
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]807 case TLS_ST_CR_CERT_REQ:
808 return tls_process_certificate_request(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]809
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]810 case TLS_ST_CR_SRVR_DONE:
811 return tls_process_server_done(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]812
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]813 case TLS_ST_CR_CHANGE:
814 return tls_process_change_cipher_spec(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]815
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]816 case TLS_ST_CR_SESSION_TICKET:
817 return tls_process_new_session_ticket(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]818
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]819 case TLS_ST_CR_FINISHED:
820 return tls_process_finished(s, pkt);
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]821
822 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
823 return tls_process_encrypted_extensions(s, pkt);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]824 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]825}
826
827/*
828 * Perform any further processing required following the receipt of a message
829 * from the server
830 */
Matt Caswell8481f582015-10-26 11:54:17 +0000[diff] [blame]831WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]832{
Matt Caswelld6f1a6e2015-10-05 10:58:52 +0100[diff] [blame]833 OSSL_STATEM *st = &s->statem;
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]834
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]835 switch (st->hand_state) {
Rich Salzf3b3d7f2016-08-30 13:31:18 -0400[diff] [blame]836 default:
837 /* Shouldn't happen */
838 return WORK_ERROR;
839
Matt Caswell05c4f1d2016-06-22 14:31:32 +0100[diff] [blame]840 case TLS_ST_CR_CERT_REQ:
841 return tls_prepare_client_certificate(s, wst);
842
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]843#ifndef OPENSSL_NO_SCTP
844 case TLS_ST_CR_SRVR_DONE:
845 /* We only get here if we are using SCTP and we are renegotiating */
846 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
847 s->s3->in_read_app_data = 2;
848 s->rwstate = SSL_READING;
849 BIO_clear_retry_flags(SSL_get_rbio(s));
850 BIO_set_retry_read(SSL_get_rbio(s));
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]851 ossl_statem_set_sctp_read_sock(s, 1);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]852 return WORK_MORE_A;
853 }
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]854 ossl_statem_set_sctp_read_sock(s, 0);
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]855 return WORK_FINISHED_STOP;
856#endif
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]857 }
Matt Caswell61ae9352015-09-11 11:23:20 +0100[diff] [blame]858}
859
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]860int tls_construct_client_hello(SSL *s, WPACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]861{
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]862 unsigned char *p;
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]863 size_t sess_id_len;
864 int i, protverr;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]865 int al = SSL_AD_HANDSHAKE_FAILURE;
Dr. Stephen Henson09b6c2e2005-09-30 23:35:33 +0000[diff] [blame]866#ifndef OPENSSL_NO_COMP
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]867 SSL_COMP *comp;
Dr. Stephen Henson09b6c2e2005-09-30 23:35:33 +0000[diff] [blame]868#endif
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]869 SSL_SESSION *sess = s->session;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]870
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]871 if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]872 /* Should not happen */
873 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]874 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]875 }
Matt Caswell13c9bb32015-03-31 00:18:31 +0100[diff] [blame]876
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]877 /* Work out what SSL/TLS/DTLS version to use */
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]878 protverr = ssl_set_client_hello_version(s);
879 if (protverr != 0) {
880 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]881 return 0;
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]882 }
Matt Caswell13c9bb32015-03-31 00:18:31 +0100[diff] [blame]883
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]884 if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]885 /*
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]886 * In the case of EAP-FAST, we can have a pre-shared
887 * "ticket" without a session ID.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]888 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]889 (!sess->session_id_length && !sess->ext.tick) ||
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]890 (sess->not_resumable)) {
891 if (!ssl_get_new_session(s, 0))
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]892 return 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]893 }
894 /* else use the pre-loaded session */
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]895
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]896 p = s->s3->client_random;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]897
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]898 /*
899 * for DTLS if client_random is initialized, reuse it, we are
900 * required to use same upon reply to HelloVerify
901 */
902 if (SSL_IS_DTLS(s)) {
903 size_t idx;
904 i = 1;
905 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
906 if (p[idx]) {
907 i = 0;
908 break;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]909 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]910 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]911 } else
912 i = 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]913
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]914 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]915 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]916
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]917 /*-
918 * version indicates the negotiated version: for example from
919 * an SSLv2/v3 compatible client hello). The client_version
920 * field is the maximum version we permit and it is also
921 * used in RSA encrypted premaster secrets. Some servers can
922 * choke if we initially report a higher version then
923 * renegotiate to a lower one in the premaster secret. This
924 * didn't happen with TLS 1.0 as most servers supported it
925 * but it can with TLS 1.1 or later if the server only supports
926 * 1.0.
927 *
928 * Possible scenario with previous logic:
929 * 1. Client hello indicates TLS 1.2
930 * 2. Server hello says TLS 1.0
931 * 3. RSA encrypted premaster secret uses 1.2.
FdaSilvaYY8483a002016-03-10 21:34:48 +0100[diff] [blame]932 * 4. Handshake proceeds using TLS 1.0.
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]933 * 5. Server sends hello request to renegotiate.
934 * 6. Client hello indicates TLS v1.0 as we now
935 * know that is maximum server supports.
936 * 7. Server chokes on RSA encrypted premaster secret
937 * containing version 1.0.
938 *
939 * For interoperability it should be OK to always use the
940 * maximum version we support in client hello and then rely
941 * on the checking of version to ensure the servers isn't
942 * being inconsistent: for example initially negotiating with
943 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
944 * client_version in client hello and not resetting it to
945 * the negotiated version.
Matt Caswellcd998832016-10-23 00:41:11 +0100[diff] [blame]946 *
947 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
Matt Caswell16bce0e2016-10-31 17:05:20 +0000[diff] [blame]948 * supported_versions extension for the real supported versions.
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]949 */
Matt Caswell7acb8b62016-11-23 13:56:15 +0000[diff] [blame]950 if (!WPACKET_put_bytes_u16(pkt, s->client_version)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]951 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]952 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]953 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]954 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]955
956 /* Session ID */
957 if (s->new_session)
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]958 sess_id_len = 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]959 else
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]960 sess_id_len = s->session->session_id_length;
961 if (sess_id_len > sizeof(s->session->session_id)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]962 || !WPACKET_start_sub_packet_u8(pkt)
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]963 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id,
964 sess_id_len))
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]965 || !WPACKET_close(pkt)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]966 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]967 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]968 }
969
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]970 /* cookie stuff for DTLS */
971 if (SSL_IS_DTLS(s)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]972 if (s->d1->cookie_len > sizeof(s->d1->cookie)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]973 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]974 s->d1->cookie_len)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]975 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]976 return 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]977 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]978 }
979
980 /* Ciphers supported */
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]981 if (!WPACKET_start_sub_packet_u16(pkt)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]982 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]983 return 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]984 }
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]985 /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]986 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt))
987 return 0;
988 if (!WPACKET_close(pkt)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]989 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]990 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]991 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]992
993 /* COMPRESSION */
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]994 if (!WPACKET_start_sub_packet_u8(pkt)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]995 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]996 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]997 }
998#ifndef OPENSSL_NO_COMP
999 if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1000 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
1001 for (i = 0; i < compnum; i++) {
1002 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]1003 if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]1004 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]1005 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]1006 }
1007 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1008 }
1009#endif
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]1010 /* Add the NULL method */
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]1011 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]1012 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]1013 return 0;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]1014 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1015
1016 /* TLS extensions */
Matt Caswell30aeba42016-12-01 15:00:37 +0000[diff] [blame]1017 if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1018 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1019 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]1020 return 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1021 }
1022
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1023 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1024}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1025
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]1026MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
Matt Caswell8ba708e2015-09-11 10:48:59 +0100[diff] [blame]1027{
1028 int al;
Matt Caswellcb150cb2016-10-04 21:04:03 +0100[diff] [blame]1029 size_t cookie_len;
Matt Caswell8ba708e2015-09-11 10:48:59 +0100[diff] [blame]1030 PACKET cookiepkt;
1031
1032 if (!PACKET_forward(pkt, 2)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1033 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
Matt Caswell8ba708e2015-09-11 10:48:59 +0100[diff] [blame]1034 al = SSL_AD_DECODE_ERROR;
1035 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
1036 goto f_err;
1037 }
1038
1039 cookie_len = PACKET_remaining(&cookiepkt);
1040 if (cookie_len > sizeof(s->d1->cookie)) {
1041 al = SSL_AD_ILLEGAL_PARAMETER;
1042 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG);
1043 goto f_err;
1044 }
1045
1046 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1047 al = SSL_AD_DECODE_ERROR;
1048 SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
1049 goto f_err;
1050 }
1051 s->d1->cookie_len = cookie_len;
1052
1053 return MSG_PROCESS_FINISHED_READING;
1054 f_err:
1055 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]1056 ossl_statem_set_error(s);
Matt Caswell8ba708e2015-09-11 10:48:59 +0100[diff] [blame]1057 return MSG_PROCESS_ERROR;
1058}
1059
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]1060MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1061{
1062 STACK_OF(SSL_CIPHER) *sk;
1063 const SSL_CIPHER *c;
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1064 PACKET session_id, extpkt;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1065 size_t session_id_len;
Emilia Kasperb6981742016-02-01 15:26:18 +0100[diff] [blame]1066 const unsigned char *cipherchars;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1067 int i, al = SSL_AD_INTERNAL_ERROR;
1068 unsigned int compression;
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]1069 unsigned int sversion;
Matt Caswell3434f402016-11-28 16:45:52 +0000[diff] [blame]1070 unsigned int context;
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]1071 int protverr;
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1072 RAW_EXTENSION *extensions = NULL;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1073#ifndef OPENSSL_NO_COMP
1074 SSL_COMP *comp;
1075#endif
1076
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]1077 if (!PACKET_get_net_2(pkt, &sversion)) {
1078 al = SSL_AD_DECODE_ERROR;
1079 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1080 goto f_err;
1081 }
Kurt Roeckx7946ab32015-12-06 17:56:41 +0100[diff] [blame]1082
Viktor Dukhovni4fa52142015-12-29 03:24:17 -0500[diff] [blame]1083 protverr = ssl_choose_client_version(s, sversion);
1084 if (protverr != 0) {
1085 al = SSL_AD_PROTOCOL_VERSION;
1086 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr);
1087 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1088 }
Emilia Kasper7b3ba5082014-11-19 15:56:27 +0100[diff] [blame]1089
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1090 /* load the server hello data */
1091 /* load the server random */
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1092 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1093 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1094 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1095 goto f_err;
1096 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1097
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1098 s->hit = 0;
Ben Laurie54a656e2002-11-13 15:43:43 +0000[diff] [blame]1099
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1100 /* Get the session-id. */
Matt Caswell71728dd2016-11-07 13:50:43 +0000[diff] [blame]1101 if (!SSL_IS_TLS13(s)) {
1102 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1103 al = SSL_AD_DECODE_ERROR;
1104 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1105 goto f_err;
1106 }
1107 session_id_len = PACKET_remaining(&session_id);
1108 if (session_id_len > sizeof s->session->session_id
1109 || session_id_len > SSL3_SESSION_ID_SIZE) {
1110 al = SSL_AD_ILLEGAL_PARAMETER;
1111 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1112 SSL_R_SSL3_SESSION_ID_TOO_LONG);
1113 goto f_err;
1114 }
1115 } else {
Matt Caswell625b0d52016-12-08 09:48:29 +0000[diff] [blame]1116 PACKET_null_init(&session_id);
Matt Caswell71728dd2016-11-07 13:50:43 +0000[diff] [blame]1117 session_id_len = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1118 }
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]1119
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1120 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
Matt Caswellf0659bd2015-10-22 14:02:46 +0100[diff] [blame]1121 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1122 al = SSL_AD_DECODE_ERROR;
1123 goto f_err;
1124 }
1125
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1126 /*
Emilia Kasper6e3d0152015-04-21 18:12:58 +0200[diff] [blame]1127 * Check if we can resume the session based on external pre-shared secret.
1128 * EAP-FAST (RFC 4851) supports two types of session resumption.
1129 * Resumption based on server-side state works with session IDs.
1130 * Resumption based on pre-shared Protected Access Credentials (PACs)
1131 * works by overriding the SessionTicket extension at the application
1132 * layer, and does not send a session ID. (We do not know whether EAP-FAST
1133 * servers would honour the session ID.) Therefore, the session ID alone
1134 * is not a reliable indicator of session resumption, so we first check if
1135 * we can resume, and later peek at the next handshake message to see if the
1136 * server wants to resume.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1137 */
Matt Caswell71728dd2016-11-07 13:50:43 +0000[diff] [blame]1138 if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s)
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]1139 && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
Dr. Stephen Henson4a640fb2015-12-23 00:47:28 +0000[diff] [blame]1140 const SSL_CIPHER *pref_cipher = NULL;
Matt Caswell8c1a5342016-10-03 23:22:07 +0100[diff] [blame]1141 /*
1142 * s->session->master_key_length is a size_t, but this is an int for
1143 * backwards compat reasons
1144 */
1145 int master_key_length;
1146 master_key_length = sizeof(s->session->master_key);
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]1147 if (s->ext.session_secret_cb(s, s->session->master_key,
Matt Caswell8c1a5342016-10-03 23:22:07 +0100[diff] [blame]1148 &master_key_length,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1149 NULL, &pref_cipher,
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]1150 s->ext.session_secret_cb_arg)
Matt Caswell8c1a5342016-10-03 23:22:07 +0100[diff] [blame]1151 && master_key_length > 0) {
1152 s->session->master_key_length = master_key_length;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1153 s->session->cipher = pref_cipher ?
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1154 pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
Emilia Kasper6e3d0152015-04-21 18:12:58 +0200[diff] [blame]1155 } else {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1156 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
Emilia Kasper6e3d0152015-04-21 18:12:58 +0200[diff] [blame]1157 al = SSL_AD_INTERNAL_ERROR;
1158 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1159 }
1160 }
Dr. Stephen Henson12bf56c2008-11-15 17:18:12 +0000[diff] [blame]1161
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1162 if (session_id_len != 0 && session_id_len == s->session->session_id_length
1163 && memcmp(PACKET_data(&session_id), s->session->session_id,
1164 session_id_len) == 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1165 if (s->sid_ctx_length != s->session->sid_ctx_length
1166 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1167 /* actually a client application bug */
1168 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1169 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1170 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1171 goto f_err;
1172 }
1173 s->hit = 1;
Emilia Kasper6e3d0152015-04-21 18:12:58 +0200[diff] [blame]1174 } else {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1175 /*
Emilia Kasper6e3d0152015-04-21 18:12:58 +0200[diff] [blame]1176 * If we were trying for session-id reuse but the server
1177 * didn't echo the ID, make a new SSL_SESSION.
1178 * In the case of EAP-FAST and PAC, we do not send a session ID,
1179 * so the PAC-based session secret is always preserved. It'll be
1180 * overwritten if the server refuses resumption.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1181 */
1182 if (s->session->session_id_length > 0) {
Laszlo Kovacs4f6eaa52015-02-20 14:35:57 -0500[diff] [blame]1183 s->ctx->stats.sess_miss++;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1184 if (!ssl_get_new_session(s, 0)) {
1185 goto f_err;
1186 }
1187 }
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1188
Fedor Indutnyccae4a12016-03-11 17:44:01 +0300[diff] [blame]1189 s->session->ssl_version = s->version;
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1190 s->session->session_id_length = session_id_len;
1191 /* session_id_len could be 0 */
Kurt Roeckxa19fc662016-12-08 19:20:55 +0100[diff] [blame]1192 if (session_id_len > 0)
1193 memcpy(s->session->session_id, PACKET_data(&session_id),
1194 session_id_len);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1195 }
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1196
Fedor Indutnyccae4a12016-03-11 17:44:01 +0300[diff] [blame]1197 /* Session version and negotiated protocol version should match */
1198 if (s->version != s->session->ssl_version) {
1199 al = SSL_AD_PROTOCOL_VERSION;
1200
1201 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1202 SSL_R_SSL_SESSION_VERSION_MISMATCH);
1203 goto f_err;
1204 }
1205
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1206 c = ssl_get_cipher_by_char(s, cipherchars);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1207 if (c == NULL) {
1208 /* unknown cipher */
1209 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1210 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1211 goto f_err;
1212 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1213 /*
Kurt Roeckx3eb2aff2016-02-07 20:17:07 +0100[diff] [blame]1214 * Now that we know the version, update the check to see if it's an allowed
1215 * version.
1216 */
1217 s->s3->tmp.min_ver = s->version;
1218 s->s3->tmp.max_ver = s->version;
1219 /*
1220 * If it is a disabled cipher we either didn't send it in client hello,
1221 * or it's not allowed for the selected protocol. So we return an error.
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1222 */
1223 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
1224 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1225 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1226 goto f_err;
1227 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1228
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1229 sk = ssl_get_ciphers_by_id(s);
1230 i = sk_SSL_CIPHER_find(sk, c);
1231 if (i < 0) {
1232 /* we did not say we would use this cipher */
1233 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1234 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1235 goto f_err;
1236 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1237
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1238 /*
1239 * Depending on the session caching (internal/external), the cipher
1240 * and/or cipher_id values may not be set. Make sure that cipher_id is
1241 * set and use it for comparison.
1242 */
1243 if (s->session->cipher)
1244 s->session->cipher_id = s->session->cipher->id;
1245 if (s->hit && (s->session->cipher_id != c->id)) {
Rich Salz9e9858d2015-02-06 10:52:12 -0500[diff] [blame]1246 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1247 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
Rich Salz9e9858d2015-02-06 10:52:12 -0500[diff] [blame]1248 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1249 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1250 }
1251 s->s3->tmp.new_cipher = c;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1252 /* lets get the compression algorithm */
1253 /* COMPRESSION */
Matt Caswell71728dd2016-11-07 13:50:43 +0000[diff] [blame]1254 if (!SSL_IS_TLS13(s)) {
1255 if (!PACKET_get_1(pkt, &compression)) {
1256 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
1257 al = SSL_AD_DECODE_ERROR;
1258 goto f_err;
1259 }
1260 } else {
1261 compression = 0;
Matt Caswell50932c42015-08-04 17:36:02 +0100[diff] [blame]1262 }
Matt Caswell71728dd2016-11-07 13:50:43 +0000[diff] [blame]1263
Dr. Stephen Henson09b6c2e2005-09-30 23:35:33 +0000[diff] [blame]1264#ifdef OPENSSL_NO_COMP
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1265 if (compression != 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1266 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1267 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1268 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1269 goto f_err;
1270 }
1271 /*
1272 * If compression is disabled we'd better not try to resume a session
1273 * using compression.
1274 */
1275 if (s->session->compress_meth != 0) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1276 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1277 goto f_err;
1278 }
Dr. Stephen Henson09b6c2e2005-09-30 23:35:33 +0000[diff] [blame]1279#else
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1280 if (s->hit && compression != s->session->compress_meth) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1281 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1282 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1283 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1284 goto f_err;
1285 }
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1286 if (compression == 0)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1287 comp = NULL;
1288 else if (!ssl_allow_compression(s)) {
1289 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1290 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1291 goto f_err;
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1292 } else {
1293 comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1294 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1295
Emilia Kasperfc5ce512015-09-18 14:09:37 +0200[diff] [blame]1296 if (compression != 0 && comp == NULL) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1297 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1298 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1299 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1300 goto f_err;
1301 } else {
1302 s->s3->tmp.new_compression = comp;
1303 }
Dr. Stephen Henson09b6c2e2005-09-30 23:35:33 +0000[diff] [blame]1304#endif
Bodo Möller761772d2007-09-21 06:54:24 +0000[diff] [blame]1305
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1306 /* TLS extensions */
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1307 if (PACKET_remaining(pkt) == 0) {
1308 PACKET_null_init(&extpkt);
1309 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1310 al = SSL_AD_DECODE_ERROR;
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1311 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1312 goto f_err;
1313 }
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1314
Matt Caswell3434f402016-11-28 16:45:52 +0000[diff] [blame]1315 context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
1316 : EXT_TLS1_2_SERVER_HELLO;
1317 if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al)
Matt Caswellf97d4c32016-12-01 15:21:08 +0000[diff] [blame]1318 || !tls_parse_all_extensions(s, context, extensions, NULL, 0, &al))
Matt Caswell332eb392016-11-28 16:15:51 +0000[diff] [blame]1319 goto f_err;
1320
Matt Caswell87235882015-09-07 16:36:53 +0100[diff] [blame]1321#ifndef OPENSSL_NO_SCTP
1322 if (SSL_IS_DTLS(s) && s->hit) {
1323 unsigned char sctpauthkey[64];
1324 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1325
1326 /*
1327 * Add new shared key for SCTP-Auth, will be ignored if
1328 * no SCTP used.
1329 */
Matt Caswell141eb8c2015-10-26 12:00:00 +0000[diff] [blame]1330 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1331 sizeof(DTLS1_SCTP_AUTH_LABEL));
Matt Caswell87235882015-09-07 16:36:53 +0100[diff] [blame]1332
1333 if (SSL_export_keying_material(s, sctpauthkey,
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1334 sizeof(sctpauthkey),
1335 labelbuffer,
1336 sizeof(labelbuffer), NULL, 0, 0) <= 0)
Richard Levittec0aa6b82016-12-19 14:07:52 +0100[diff] [blame]1337 goto f_err;
Matt Caswell87235882015-09-07 16:36:53 +0100[diff] [blame]1338
1339 BIO_ctrl(SSL_get_wbio(s),
1340 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1341 sizeof(sctpauthkey), sctpauthkey);
1342 }
1343#endif
1344
Matt Caswell92760c22016-11-09 14:06:12 +0000[diff] [blame]1345 /*
1346 * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1347 * we're done with this message
1348 */
1349 if (SSL_IS_TLS13(s)
1350 && (!s->method->ssl3_enc->setup_key_block(s)
1351 || !s->method->ssl3_enc->change_cipher_state(s,
1352 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)
1353 || !s->method->ssl3_enc->change_cipher_state(s,
1354 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
1355 al = SSL_AD_INTERNAL_ERROR;
1356 SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER);
1357 goto f_err;
1358 }
1359
Matt Caswell1b0286a2016-12-05 17:31:37 +0000[diff] [blame]1360 OPENSSL_free(extensions);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1361 return MSG_PROCESS_CONTINUE_READING;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1362 f_err:
1363 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]1364 ossl_statem_set_error(s);
Matt Caswell1b0286a2016-12-05 17:31:37 +0000[diff] [blame]1365 OPENSSL_free(extensions);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1366 return MSG_PROCESS_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1367}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1368
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]1369MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1370{
1371 int al, i, ret = MSG_PROCESS_ERROR, exp_idx;
1372 unsigned long cert_list_len, cert_len;
1373 X509 *x = NULL;
Emilia Kasperb6981742016-02-01 15:26:18 +0100[diff] [blame]1374 const unsigned char *certstart, *certbytes;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1375 STACK_OF(X509) *sk = NULL;
1376 EVP_PKEY *pkey = NULL;
Matt Caswelld805a572017-01-06 11:01:14 +0000[diff] [blame]1377 size_t chainidx;
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]1378 unsigned int context = 0;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1379
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1380 if ((sk = sk_X509_new_null()) == NULL) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1381 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
Matt Caswellcc273a92015-04-30 11:32:35 +0100[diff] [blame]1382 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1383 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1384
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]1385 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1386 || context != 0
1387 || !PACKET_get_net_3(pkt, &cert_list_len)
1388 || PACKET_remaining(pkt) != cert_list_len) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1389 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1390 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1391 goto f_err;
1392 }
Matt Caswelld805a572017-01-06 11:01:14 +0000[diff] [blame]1393 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1394 if (!PACKET_get_net_3(pkt, &cert_len)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1395 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1396 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1397 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1398 SSL_R_CERT_LENGTH_MISMATCH);
1399 goto f_err;
1400 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1401
Matt Caswelldf758a82015-08-04 20:10:06 +0100[diff] [blame]1402 certstart = certbytes;
1403 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1404 if (x == NULL) {
1405 al = SSL_AD_BAD_CERTIFICATE;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1406 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1407 goto f_err;
1408 }
Matt Caswelldf758a82015-08-04 20:10:06 +0100[diff] [blame]1409 if (certbytes != (certstart + cert_len)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1410 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1411 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1412 SSL_R_CERT_LENGTH_MISMATCH);
1413 goto f_err;
1414 }
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]1415
1416 if (SSL_IS_TLS13(s)) {
1417 RAW_EXTENSION *rawexts = NULL;
1418 PACKET extensions;
1419
1420 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1421 al = SSL_AD_DECODE_ERROR;
1422 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
1423 goto f_err;
1424 }
1425 if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
1426 &rawexts, &al)
1427 || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
Matt Caswelld805a572017-01-06 11:01:14 +0000[diff] [blame]1428 rawexts, x, chainidx, &al))
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]1429 goto f_err;
1430 }
1431
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1432 if (!sk_X509_push(sk, x)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1433 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
Matt Caswellcc273a92015-04-30 11:32:35 +0100[diff] [blame]1434 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1435 }
1436 x = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1437 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1438
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1439 i = ssl_verify_cert_chain(s, sk);
Matt Caswellc8e2f982016-10-27 10:46:25 +0100[diff] [blame]1440 /*
1441 * The documented interface is that SSL_VERIFY_PEER should be set in order
1442 * for client side verification of the server certificate to take place.
1443 * However, historically the code has only checked that *any* flag is set
1444 * to cause server verification to take place. Use of the other flags makes
1445 * no sense in client mode. An attempt to clean up the semantics was
1446 * reverted because at least one application *only* set
1447 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1448 * server verification to take place, after the clean up it silently did
1449 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1450 * sent to them because they are void functions. Therefore, we now use the
1451 * (less clean) historic behaviour of performing validation if any flag is
1452 * set. The *documented* interface remains the same.
1453 */
1454 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1455 al = ssl_verify_alarm_type(s->verify_result);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1456 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1457 SSL_R_CERTIFICATE_VERIFY_FAILED);
1458 goto f_err;
1459 }
1460 ERR_clear_error(); /* but we keep s->verify_result */
1461 if (i > 1) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1462 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1463 al = SSL_AD_HANDSHAKE_FAILURE;
1464 goto f_err;
1465 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1466
Dr. Stephen Hensonc34b0f92015-06-21 19:34:33 +0100[diff] [blame]1467 s->session->peer_chain = sk;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1468 /*
1469 * Inconsistency alert: cert_chain does include the peer's certificate,
Matt Caswelld4d78942016-05-17 11:51:00 +0100[diff] [blame]1470 * which we don't include in statem_srvr.c
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1471 */
1472 x = sk_X509_value(sk, 0);
1473 sk = NULL;
1474 /*
1475 * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
1476 */
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1477
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]1478 pkey = X509_get0_pubkey(x);
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1479
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1480 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1481 x = NULL;
1482 al = SSL3_AL_FATAL;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1483 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1484 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1485 goto f_err;
1486 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1487
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1488 i = ssl_cert_type(x, pkey);
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1489 if (i < 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1490 x = NULL;
1491 al = SSL3_AL_FATAL;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1492 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1493 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1494 goto f_err;
1495 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1496
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1497 exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
Dmitry Belyavskye44380a2015-11-17 15:32:30 +0000[diff] [blame]1498 if (exp_idx >= 0 && i != exp_idx
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1499 && (exp_idx != SSL_PKEY_GOST_EC ||
1500 (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
1501 && i != SSL_PKEY_GOST01))) {
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1502 x = NULL;
1503 al = SSL_AD_ILLEGAL_PARAMETER;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1504 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1505 SSL_R_WRONG_CERTIFICATE_TYPE);
1506 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1507 }
Dr. Stephen Hensona273c6e2015-06-21 19:08:57 +0100[diff] [blame]1508 s->session->peer_type = i;
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1509
1510 X509_free(s->session->peer);
Dr. Stephen Henson05f0fb92015-08-31 20:29:57 +0100[diff] [blame]1511 X509_up_ref(x);
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]1512 s->session->peer = x;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1513 s->session->verify_result = s->verify_result;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1514 x = NULL;
Matt Caswell2c5dfdc2016-12-05 17:04:51 +0000[diff] [blame]1515
1516 /* Save the current hash state for when we receive the CertificateVerify */
1517 if (SSL_IS_TLS13(s)
1518 && !ssl_handshake_hash(s, s->cert_verify_hash,
1519 sizeof(s->cert_verify_hash),
1520 &s->cert_verify_hash_len)) {
1521 al = SSL_AD_INTERNAL_ERROR;
1522 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1523 goto f_err;
1524 }
1525
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1526 ret = MSG_PROCESS_CONTINUE_READING;
Rich Salz66696472015-05-01 14:29:48 -0400[diff] [blame]1527 goto done;
1528
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1529 f_err:
Rich Salz66696472015-05-01 14:29:48 -0400[diff] [blame]1530 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswellcc273a92015-04-30 11:32:35 +0100[diff] [blame]1531 err:
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]1532 ossl_statem_set_error(s);
Rich Salz66696472015-05-01 14:29:48 -0400[diff] [blame]1533 done:
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1534 X509_free(x);
1535 sk_X509_pop_free(sk, X509_free);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1536 return ret;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1537}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1538
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1539static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al)
Matt Caswell02a74592016-07-08 12:20:42 +0100[diff] [blame]1540{
1541#ifndef OPENSSL_NO_PSK
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1542 PACKET psk_identity_hint;
Matt Caswell02a74592016-07-08 12:20:42 +0100[diff] [blame]1543
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1544 /* PSK ciphersuites are preceded by an identity hint */
1545
1546 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1547 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1548 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1549 return 0;
1550 }
1551
1552 /*
1553 * Store PSK identity hint for later use, hint is used in
1554 * tls_construct_client_key_exchange. Assume that the maximum length of
1555 * a PSK identity hint can be as long as the maximum length of a PSK
1556 * identity.
1557 */
1558 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
1559 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1560 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1561 return 0;
1562 }
1563
1564 if (PACKET_remaining(&psk_identity_hint) == 0) {
1565 OPENSSL_free(s->session->psk_identity_hint);
1566 s->session->psk_identity_hint = NULL;
1567 } else if (!PACKET_strndup(&psk_identity_hint,
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1568 &s->session->psk_identity_hint)) {
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1569 *al = SSL_AD_INTERNAL_ERROR;
1570 return 0;
1571 }
1572
1573 return 1;
Matt Caswell02a74592016-07-08 12:20:42 +0100[diff] [blame]1574#else
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1575 SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1576 *al = SSL_AD_INTERNAL_ERROR;
1577 return 0;
Matt Caswell02a74592016-07-08 12:20:42 +0100[diff] [blame]1578#endif
1579}
1580
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1581static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1582{
1583#ifndef OPENSSL_NO_SRP
1584 PACKET prime, generator, salt, server_pub;
1585
1586 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1587 || !PACKET_get_length_prefixed_2(pkt, &generator)
1588 || !PACKET_get_length_prefixed_1(pkt, &salt)
1589 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1590 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1591 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_LENGTH_MISMATCH);
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1592 return 0;
1593 }
1594
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1595 /* TODO(size_t): Convert BN_bin2bn() calls */
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1596 if ((s->srp_ctx.N =
1597 BN_bin2bn(PACKET_data(&prime),
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1598 (int)PACKET_remaining(&prime), NULL)) == NULL
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1599 || (s->srp_ctx.g =
1600 BN_bin2bn(PACKET_data(&generator),
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1601 (int)PACKET_remaining(&generator), NULL)) == NULL
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1602 || (s->srp_ctx.s =
1603 BN_bin2bn(PACKET_data(&salt),
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1604 (int)PACKET_remaining(&salt), NULL)) == NULL
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1605 || (s->srp_ctx.B =
1606 BN_bin2bn(PACKET_data(&server_pub),
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1607 (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1608 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1609 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB);
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1610 return 0;
1611 }
1612
1613 if (!srp_verify_server_param(s, al)) {
1614 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1615 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1616 return 0;
1617 }
1618
1619 /* We must check if there is a certificate */
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1620 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1621 *pkey = X509_get0_pubkey(s->session->peer);
1622
1623 return 1;
1624#else
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1625 SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_INTERNAL_ERROR);
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1626 *al = SSL_AD_INTERNAL_ERROR;
1627 return 0;
1628#endif
1629}
1630
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1631static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1632{
1633#ifndef OPENSSL_NO_DH
1634 PACKET prime, generator, pub_key;
1635 EVP_PKEY *peer_tmp = NULL;
1636
1637 DH *dh = NULL;
1638 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
1639
1640 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1641 || !PACKET_get_length_prefixed_2(pkt, &generator)
1642 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
1643 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1644 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_LENGTH_MISMATCH);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1645 return 0;
1646 }
1647
1648 peer_tmp = EVP_PKEY_new();
1649 dh = DH_new();
1650
1651 if (peer_tmp == NULL || dh == NULL) {
1652 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1653 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_MALLOC_FAILURE);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1654 goto err;
1655 }
1656
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1657 /* TODO(size_t): Convert these calls */
1658 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
1659 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
1660 NULL);
1661 bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
1662 (int)PACKET_remaining(&pub_key), NULL);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1663 if (p == NULL || g == NULL || bnpub_key == NULL) {
1664 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1665 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1666 goto err;
1667 }
1668
1669 if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
1670 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1671 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1672 goto err;
1673 }
1674
1675 if (!DH_set0_pqg(dh, p, NULL, g)) {
1676 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1677 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1678 goto err;
1679 }
1680 p = g = NULL;
1681
1682 if (!DH_set0_key(dh, bnpub_key, NULL)) {
1683 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1684 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1685 goto err;
1686 }
1687 bnpub_key = NULL;
1688
1689 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
1690 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1691 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_DH_KEY_TOO_SMALL);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1692 goto err;
1693 }
1694
1695 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
1696 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1697 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1698 goto err;
1699 }
1700
1701 s->s3->peer_tmp = peer_tmp;
1702
1703 /*
1704 * FIXME: This makes assumptions about which ciphersuites come with
1705 * public keys. We should have a less ad-hoc way of doing this
1706 */
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1707 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1708 *pkey = X509_get0_pubkey(s->session->peer);
1709 /* else anonymous DH, so no certificate or pkey. */
1710
1711 return 1;
1712
1713 err:
1714 BN_free(p);
1715 BN_free(g);
1716 BN_free(bnpub_key);
1717 DH_free(dh);
1718 EVP_PKEY_free(peer_tmp);
1719
1720 return 0;
1721#else
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1722 SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_INTERNAL_ERROR);
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1723 *al = SSL_AD_INTERNAL_ERROR;
1724 return 0;
1725#endif
1726}
1727
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1728static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
1729{
1730#ifndef OPENSSL_NO_EC
1731 PACKET encoded_pt;
1732 const unsigned char *ecparams;
1733 int curve_nid;
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]1734 unsigned int curve_flags;
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1735 EVP_PKEY_CTX *pctx = NULL;
1736
1737 /*
1738 * Extract elliptic curve parameters and the server's ephemeral ECDH
1739 * public key. For now we only support named (not generic) curves and
1740 * ECParameters in this case is just three bytes.
1741 */
1742 if (!PACKET_get_bytes(pkt, &ecparams, 3)) {
1743 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1744 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_TOO_SHORT);
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1745 return 0;
1746 }
1747 /*
1748 * Check curve is one of our preferences, if not server has sent an
1749 * invalid curve. ECParameters is 3 bytes.
1750 */
1751 if (!tls1_check_curve(s, ecparams, 3)) {
1752 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1753 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE);
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1754 return 0;
1755 }
1756
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]1757 curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2), &curve_flags);
1758
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1759 if (curve_nid == 0) {
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1760 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1761 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE,
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1762 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1763 return 0;
1764 }
1765
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]1766 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
1767 EVP_PKEY *key = EVP_PKEY_new();
1768
1769 if (key == NULL || !EVP_PKEY_set_type(key, curve_nid)) {
1770 *al = SSL_AD_INTERNAL_ERROR;
1771 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
1772 EVP_PKEY_free(key);
1773 return 0;
1774 }
1775 s->s3->peer_tmp = key;
1776 } else {
1777 /* Set up EVP_PKEY with named curve as parameters */
1778 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1779 if (pctx == NULL
1780 || EVP_PKEY_paramgen_init(pctx) <= 0
1781 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, curve_nid) <= 0
1782 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
1783 *al = SSL_AD_INTERNAL_ERROR;
1784 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
1785 EVP_PKEY_CTX_free(pctx);
1786 return 0;
1787 }
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1788 EVP_PKEY_CTX_free(pctx);
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]1789 pctx = NULL;
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1790 }
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1791
1792 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
1793 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1794 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_MISMATCH);
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1795 return 0;
1796 }
1797
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]1798 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
1799 PACKET_data(&encoded_pt),
1800 PACKET_remaining(&encoded_pt))) {
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1801 *al = SSL_AD_DECODE_ERROR;
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1802 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_BAD_ECPOINT);
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1803 return 0;
1804 }
1805
1806 /*
1807 * The ECC/TLS specification does not mention the use of DSA to sign
1808 * ECParameters in the server key exchange message. We do support RSA
1809 * and ECDSA.
1810 */
1811 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA)
1812 *pkey = X509_get0_pubkey(s->session->peer);
1813 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA)
1814 *pkey = X509_get0_pubkey(s->session->peer);
1815 /* else anonymous ECDH, so no certificate or pkey. */
1816
1817 return 1;
1818#else
Matt Caswell4fa88862016-07-08 15:48:26 +0100[diff] [blame]1819 SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_INTERNAL_ERROR);
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1820 *al = SSL_AD_INTERNAL_ERROR;
1821 return 0;
1822#endif
1823}
1824
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]1825MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1826{
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1827 int al = -1;
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1828 long alg_k;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1829 EVP_PKEY *pkey = NULL;
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1830 PACKET save_param_start, signature;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1831
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1832 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
Dr. Stephen Hensonb15f8762014-10-24 12:30:33 +0100[diff] [blame]1833
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1834 save_param_start = *pkt;
Dr. Stephen Henson8d92c1f2015-06-21 16:26:08 +0100[diff] [blame]1835
Ben Laurie3260adf2016-07-31 15:48:24 +0100[diff] [blame]1836#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
Dr. Stephen Henson61dd9f72015-12-14 00:33:33 +0000[diff] [blame]1837 EVP_PKEY_free(s->s3->peer_tmp);
1838 s->s3->peer_tmp = NULL;
Ben Laurie3260adf2016-07-31 15:48:24 +0100[diff] [blame]1839#endif
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1840
Dr. Stephen Henson76890822015-06-28 17:15:10 +0100[diff] [blame]1841 if (alg_k & SSL_PSK) {
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1842 if (!tls_process_ske_psk_preamble(s, pkt, &al))
1843 goto err;
Dr. Stephen Henson76890822015-06-28 17:15:10 +0100[diff] [blame]1844 }
1845
1846 /* Nothing else to do for plain PSK or RSAPSK */
1847 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
Matt Caswell25c6c102016-07-08 14:55:56 +0100[diff] [blame]1848 } else if (alg_k & SSL_kSRP) {
1849 if (!tls_process_ske_srp(s, pkt, &pkey, &al))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1850 goto err;
Matt Caswelle01a6102016-07-08 15:08:50 +0100[diff] [blame]1851 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
1852 if (!tls_process_ske_dhe(s, pkt, &pkey, &al))
1853 goto err;
Matt Caswellff74aeb2016-07-08 15:26:13 +0100[diff] [blame]1854 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
1855 if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al))
1856 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1857 } else if (alg_k) {
1858 al = SSL_AD_UNEXPECTED_MESSAGE;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1859 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1860 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1861 }
Ralf S. Engelschalldfeab061998-12-21 11:00:56 +0000[diff] [blame]1862
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1863 /* if it was signed, check the signature */
1864 if (pkey != NULL) {
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1865 PACKET params;
Matt Caswellbe8dba22016-07-08 12:18:18 +0100[diff] [blame]1866 int maxsig;
1867 const EVP_MD *md = NULL;
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1868 EVP_MD_CTX *md_ctx;
1869
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1870 /*
1871 * |pkt| now points to the beginning of the signature, so the difference
1872 * equals the length of the parameters.
1873 */
1874 if (!PACKET_get_sub_packet(&save_param_start, &params,
1875 PACKET_remaining(&save_param_start) -
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1876 PACKET_remaining(pkt))) {
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1877 al = SSL_AD_INTERNAL_ERROR;
Matt Caswellf0659bd2015-10-22 14:02:46 +0100[diff] [blame]1878 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1879 goto err;
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1880 }
1881
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1882 if (SSL_USE_SIGALGS(s)) {
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]1883 unsigned int sigalg;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1884 int rv;
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]1885
1886 if (!PACKET_get_net_2(pkt, &sigalg)) {
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1887 al = SSL_AD_DECODE_ERROR;
Matt Caswellf0659bd2015-10-22 14:02:46 +0100[diff] [blame]1888 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1889 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1890 }
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]1891 rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1892 if (rv == -1) {
1893 al = SSL_AD_INTERNAL_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1894 goto err;
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1895 } else if (rv == 0) {
1896 al = SSL_AD_DECODE_ERROR;
1897 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1898 }
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]1899#ifdef SSL_DEBUG
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1900 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
Dr. Stephen Hensona2f92002011-05-09 15:44:01 +0000[diff] [blame]1901#endif
Dr. Stephen Henson3aeb9342016-01-19 00:21:12 +0000[diff] [blame]1902 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
Dr. Stephen Henson192e4bb2015-11-21 03:56:52 +0000[diff] [blame]1903 md = EVP_md5_sha1();
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1904 } else {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1905 md = EVP_sha1();
Emilia Kasper32942872015-10-02 14:40:30 +0200[diff] [blame]1906 }
Matt Caswellf2be92b2014-07-26 23:47:40 +0100[diff] [blame]1907
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1908 if (!PACKET_get_length_prefixed_2(pkt, &signature)
1909 || PACKET_remaining(pkt) != 0) {
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1910 al = SSL_AD_DECODE_ERROR;
Matt Caswellf0659bd2015-10-22 14:02:46 +0100[diff] [blame]1911 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1912 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1913 }
Matt Caswellbe8dba22016-07-08 12:18:18 +0100[diff] [blame]1914 maxsig = EVP_PKEY_size(pkey);
1915 if (maxsig < 0) {
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1916 al = SSL_AD_INTERNAL_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1917 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1918 goto err;
Matt Caswell8098fc52015-08-04 21:22:31 +0100[diff] [blame]1919 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1920
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1921 /*
Matt Caswell8098fc52015-08-04 21:22:31 +0100[diff] [blame]1922 * Check signature length
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1923 */
Matt Caswellbe8dba22016-07-08 12:18:18 +0100[diff] [blame]1924 if (PACKET_remaining(&signature) > (size_t)maxsig) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1925 /* wrong packet length */
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1926 al = SSL_AD_DECODE_ERROR;
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1927 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
1928 SSL_R_WRONG_SIGNATURE_LENGTH);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1929 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1930 }
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1931
1932 md_ctx = EVP_MD_CTX_new();
1933 if (md_ctx == NULL) {
1934 al = SSL_AD_INTERNAL_ERROR;
1935 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1936 goto err;
1937 }
1938
Richard Levitte6e59a892015-11-27 14:02:12 +0100[diff] [blame]1939 if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1940 || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
1941 SSL3_RANDOM_SIZE) <= 0
1942 || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]),
1943 SSL3_RANDOM_SIZE) <= 0
1944 || EVP_VerifyUpdate(md_ctx, PACKET_data(&params),
1945 PACKET_remaining(&params)) <= 0) {
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1946 EVP_MD_CTX_free(md_ctx);
Dr. Stephen Henson192e4bb2015-11-21 03:56:52 +0000[diff] [blame]1947 al = SSL_AD_INTERNAL_ERROR;
1948 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1949 goto err;
Dr. Stephen Henson192e4bb2015-11-21 03:56:52 +0000[diff] [blame]1950 }
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1951 /* TODO(size_t): Convert this call */
Richard Levitte6e59a892015-11-27 14:02:12 +0100[diff] [blame]1952 if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature),
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]1953 (unsigned int)PACKET_remaining(&signature),
1954 pkey) <= 0) {
Dr. Stephen Henson192e4bb2015-11-21 03:56:52 +0000[diff] [blame]1955 /* bad signature */
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1956 EVP_MD_CTX_free(md_ctx);
Dr. Stephen Henson192e4bb2015-11-21 03:56:52 +0000[diff] [blame]1957 al = SSL_AD_DECRYPT_ERROR;
1958 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1959 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1960 }
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1961 EVP_MD_CTX_free(md_ctx);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1962 } else {
Dr. Stephen Henson76890822015-06-28 17:15:10 +0100[diff] [blame]1963 /* aNULL, aSRP or PSK do not need public keys */
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1964 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]1965 && !(alg_k & SSL_PSK)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1966 /* Might be wrong key type, check it */
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1967 if (ssl3_check_cert_and_algorithm(s)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1968 /* Otherwise this shouldn't happen */
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1969 al = SSL_AD_INTERNAL_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1970 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1971 } else {
1972 al = SSL_AD_DECODE_ERROR;
1973 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1974 goto err;
1975 }
1976 /* still data left over */
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]1977 if (PACKET_remaining(pkt) != 0) {
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1978 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1979 SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1980 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1981 }
1982 }
Matt Caswelle1e588a2016-07-08 15:41:36 +0100[diff] [blame]1983
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1984 return MSG_PROCESS_CONTINUE_READING;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1985 err:
Matt Caswell7dc1c642016-07-08 12:44:53 +0100[diff] [blame]1986 if (al != -1)
1987 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]1988 ossl_statem_set_error(s);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1989 return MSG_PROCESS_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]1990}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]1991
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]1992MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1993{
1994 int ret = MSG_PROCESS_ERROR;
1995 unsigned int list_len, ctype_num, i, name_len;
1996 X509_NAME *xn = NULL;
Emilia Kasperb6981742016-02-01 15:26:18 +0100[diff] [blame]1997 const unsigned char *data;
1998 const unsigned char *namestart, *namebytes;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]1999 STACK_OF(X509_NAME) *ca_sk = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2000
2001 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2002 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2003 goto err;
2004 }
2005
2006 /* get the certificate types */
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]2007 if (!PACKET_get_1(pkt, &ctype_num)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2008 || !PACKET_get_bytes(pkt, &data, ctype_num)) {
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2009 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2010 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2011 goto err;
2012 }
Rich Salzb548a1f2015-05-01 10:02:07 -0400[diff] [blame]2013 OPENSSL_free(s->cert->ctypes);
2014 s->cert->ctypes = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2015 if (ctype_num > SSL3_CT_NUMBER) {
2016 /* If we exceed static buffer copy all to cert structure */
2017 s->cert->ctypes = OPENSSL_malloc(ctype_num);
2018 if (s->cert->ctypes == NULL) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2019 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2020 goto err;
2021 }
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2022 memcpy(s->cert->ctypes, data, ctype_num);
Matt Caswelld736bc12016-10-04 21:22:19 +0100[diff] [blame]2023 s->cert->ctype_num = ctype_num;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2024 ctype_num = SSL3_CT_NUMBER;
2025 }
2026 for (i = 0; i < ctype_num; i++)
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2027 s->s3->tmp.ctype[i] = data[i];
2028
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2029 if (SSL_USE_SIGALGS(s)) {
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]2030 PACKET sigalgs;
2031
2032 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2033 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2034 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2035 SSL_R_LENGTH_MISMATCH);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2036 goto err;
2037 }
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2038
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2039 /* Clear certificate digests and validity flags */
2040 for (i = 0; i < SSL_PKEY_NUM; i++) {
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2041 s->s3->tmp.md[i] = NULL;
Dr. Stephen Henson6383d312015-05-12 22:17:34 +0100[diff] [blame]2042 s->s3->tmp.valid_flags[i] = 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2043 }
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]2044 if (!tls1_save_sigalgs(s, &sigalgs)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2045 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2046 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2047 SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2048 goto err;
2049 }
2050 if (!tls1_process_sigalgs(s)) {
2051 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2052 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2053 goto err;
2054 }
Dr. Stephen Hensona0f63822015-11-24 00:08:35 +0000[diff] [blame]2055 } else {
2056 ssl_set_default_md(s);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2057 }
2058
2059 /* get the CA RDNs */
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]2060 if (!PACKET_get_net_2(pkt, &list_len)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2061 || PACKET_remaining(pkt) != list_len) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2062 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2063 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2064 goto err;
2065 }
2066
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]2067 while (PACKET_remaining(pkt)) {
2068 if (!PACKET_get_net_2(pkt, &name_len)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2069 || !PACKET_get_bytes(pkt, &namebytes, name_len)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2070 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2071 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2072 SSL_R_LENGTH_MISMATCH);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2073 goto err;
2074 }
2075
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2076 namestart = namebytes;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2077
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2078 if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes,
2079 name_len)) == NULL) {
Matt Caswell3c33c6f2015-02-05 15:57:54 +0000[diff] [blame]2080 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2081 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
Matt Caswell3c33c6f2015-02-05 15:57:54 +0000[diff] [blame]2082 goto err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2083 }
2084
Matt Caswellac112332015-08-04 22:12:53 +0100[diff] [blame]2085 if (namebytes != (namestart + name_len)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2086 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2087 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2088 SSL_R_CA_DN_LENGTH_MISMATCH);
2089 goto err;
2090 }
2091 if (!sk_X509_NAME_push(ca_sk, xn)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2092 SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2093 goto err;
2094 }
David Benjamin6afef8b2016-03-14 15:03:07 -0400[diff] [blame]2095 xn = NULL;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2096 }
2097
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2098 /* we should setup a certificate to return.... */
2099 s->s3->tmp.cert_req = 1;
2100 s->s3->tmp.ctype_num = ctype_num;
Rich Salz222561f2015-04-30 17:33:59 -0400[diff] [blame]2101 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2102 s->s3->tmp.ca_names = ca_sk;
2103 ca_sk = NULL;
2104
Matt Caswell05c4f1d2016-06-22 14:31:32 +0100[diff] [blame]2105 ret = MSG_PROCESS_CONTINUE_PROCESSING;
Matt Caswellcc273a92015-04-30 11:32:35 +0100[diff] [blame]2106 goto done;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2107 err:
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]2108 ossl_statem_set_error(s);
Matt Caswellcc273a92015-04-30 11:32:35 +0100[diff] [blame]2109 done:
David Benjamin6afef8b2016-03-14 15:03:07 -0400[diff] [blame]2110 X509_NAME_free(xn);
Rich Salz222561f2015-04-30 17:33:59 -0400[diff] [blame]2111 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2112 return ret;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2113}
2114
2115static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2116{
2117 return (X509_NAME_cmp(*a, *b));
2118}
2119
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]2120MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2121{
2122 int al;
2123 unsigned int ticklen;
2124 unsigned long ticket_lifetime_hint;
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]2125 unsigned int sess_len;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2126
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]2127 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2128 || !PACKET_get_net_2(pkt, &ticklen)
2129 || PACKET_remaining(pkt) != ticklen) {
Emilia Kaspere711da72015-09-10 16:32:51 +0200[diff] [blame]2130 al = SSL_AD_DECODE_ERROR;
Matt Caswellf0659bd2015-10-22 14:02:46 +0100[diff] [blame]2131 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
Emilia Kaspere711da72015-09-10 16:32:51 +0200[diff] [blame]2132 goto f_err;
2133 }
2134
2135 /* Server is allowed to change its mind and send an empty ticket. */
2136 if (ticklen == 0)
Matt Caswellc9de4a22015-10-22 15:02:14 +0100[diff] [blame]2137 return MSG_PROCESS_CONTINUE_READING;
Emilia Kaspere711da72015-09-10 16:32:51 +0200[diff] [blame]2138
Matt Caswell98ece4e2015-05-18 16:27:48 +0100[diff] [blame]2139 if (s->session->session_id_length > 0) {
2140 int i = s->session_ctx->session_cache_mode;
2141 SSL_SESSION *new_sess;
2142 /*
2143 * We reused an existing session, so we need to replace it with a new
2144 * one
2145 */
2146 if (i & SSL_SESS_CACHE_CLIENT) {
2147 /*
Matt Caswelle4612d02016-06-13 11:24:15 +0100[diff] [blame]2148 * Remove the old session from the cache. We carry on if this fails
Matt Caswell98ece4e2015-05-18 16:27:48 +0100[diff] [blame]2149 */
Matt Caswelle4612d02016-06-13 11:24:15 +0100[diff] [blame]2150 SSL_CTX_remove_session(s->session_ctx, s->session);
Matt Caswell98ece4e2015-05-18 16:27:48 +0100[diff] [blame]2151 }
2152
2153 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2154 al = SSL_AD_INTERNAL_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2155 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
Matt Caswell98ece4e2015-05-18 16:27:48 +0100[diff] [blame]2156 goto f_err;
2157 }
2158
2159 SSL_SESSION_free(s->session);
2160 s->session = new_sess;
2161 }
2162
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2163 OPENSSL_free(s->session->ext.tick);
2164 s->session->ext.tick = NULL;
2165 s->session->ext.ticklen = 0;
Emilia Kaspere711da72015-09-10 16:32:51 +0200[diff] [blame]2166
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2167 s->session->ext.tick = OPENSSL_malloc(ticklen);
2168 if (s->session->ext.tick == NULL) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2169 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2170 goto err;
2171 }
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2172 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
Matt Caswell561e12b2015-08-05 14:50:24 +0100[diff] [blame]2173 al = SSL_AD_DECODE_ERROR;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2174 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
Matt Caswell561e12b2015-08-05 14:50:24 +0100[diff] [blame]2175 goto f_err;
2176 }
Emilia Kaspere711da72015-09-10 16:32:51 +0200[diff] [blame]2177
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2178 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2179 s->session->ext.ticklen = ticklen;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2180 /*
2181 * There are two ways to detect a resumed ticket session. One is to set
2182 * an appropriate session ID and then the server must return a match in
2183 * ServerHello. This allows the normal client session ID matching to work
2184 * and we know much earlier that the ticket has been accepted. The
2185 * other way is to set zero length session ID when the ticket is
2186 * presented and rely on the handshake to determine session resumption.
2187 * We choose the former approach because this fits in with assumptions
2188 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
2189 * SHA256 is disabled) hash of the ticket.
2190 */
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]2191 /*
2192 * TODO(size_t): we use sess_len here because EVP_Digest expects an int
2193 * but s->session->session_id_length is a size_t
2194 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2195 if (!EVP_Digest(s->session->ext.tick, ticklen,
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]2196 s->session->session_id, &sess_len,
Dr. Stephen Hensond166ed82016-06-18 15:46:13 +0100[diff] [blame]2197 EVP_sha256(), NULL)) {
2198 SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
2199 goto err;
2200 }
Matt Caswellec60ccc2016-10-04 20:31:19 +0100[diff] [blame]2201 s->session->session_id_length = sess_len;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2202 return MSG_PROCESS_CONTINUE_READING;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2203 f_err:
2204 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2205 err:
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]2206 ossl_statem_set_error(s);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2207 return MSG_PROCESS_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2208}
2209
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2210/*
2211 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2212 * parse a separate message. Returns 1 on success or 0 on failure. On failure
2213 * |*al| is populated with a suitable alert code.
2214 */
2215int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2216{
Matt Caswell8b0e9342016-10-06 19:17:54 +0100[diff] [blame]2217 size_t resplen;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2218 unsigned int type;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2219
Matt Caswell73999b62015-09-10 10:22:30 +0100[diff] [blame]2220 if (!PACKET_get_1(pkt, &type)
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2221 || type != TLSEXT_STATUSTYPE_ocsp) {
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2222 *al = SSL_AD_DECODE_ERROR;
2223 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2224 SSL_R_UNSUPPORTED_STATUS_TYPE);
2225 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2226 }
Matt Caswell56a26ce2016-10-19 16:28:12 +0100[diff] [blame]2227 if (!PACKET_get_net_3_len(pkt, &resplen)
2228 || PACKET_remaining(pkt) != resplen) {
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2229 *al = SSL_AD_DECODE_ERROR;
2230 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
2231 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2232 }
Rich Salz8cbfcc72016-12-11 15:01:28 -0500[diff] [blame]2233 s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2234 if (s->ext.ocsp.resp == NULL) {
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2235 *al = SSL_AD_INTERNAL_ERROR;
2236 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
2237 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2238 }
Rich Salz8cbfcc72016-12-11 15:01:28 -0500[diff] [blame]2239 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2240 *al = SSL_AD_DECODE_ERROR;
2241 SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
2242 return 0;
Matt Caswellac637102015-08-05 15:52:26 +0100[diff] [blame]2243 }
Rich Salz8cbfcc72016-12-11 15:01:28 -0500[diff] [blame]2244 s->ext.ocsp.resp_len = resplen;
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]2245
2246 return 1;
2247}
2248
2249
2250MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2251{
2252 int al;
2253
2254 if (!tls_process_cert_status_body(s, pkt, &al)) {
2255 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2256 ossl_statem_set_error(s);
2257 return MSG_PROCESS_ERROR;
2258 }
2259
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2260 return MSG_PROCESS_CONTINUE_READING;
Ralf S. Engelschalldfeab061998-12-21 11:00:56 +0000[diff] [blame]2261}
Ralf S. Engelschalldfeab061998-12-21 11:00:56 +0000[diff] [blame]2262
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2263/*
2264 * Perform miscellaneous checks and processing after we have received the
2265 * server's initial flight. In TLS1.3 this is after the Server Finished message.
Matt Caswell6530c492016-11-23 15:38:32 +0000[diff] [blame]2266 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2267 * on failure.
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2268 */
2269int tls_process_initial_server_flight(SSL *s, int *al)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2270{
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]2271 /*
2272 * at this point we check that we have the required stuff from
2273 * the server
2274 */
2275 if (!ssl3_check_cert_and_algorithm(s)) {
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2276 *al = SSL_AD_HANDSHAKE_FAILURE;
2277 return 0;
Matt Caswella455d0f2015-09-14 15:06:37 +0100[diff] [blame]2278 }
2279
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2280 /*
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2281 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2282 * |ext.ocsp.resp_len| values will be set if we actually received a status
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2283 * message, or NULL and -1 otherwise
2284 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]2285 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2286 && s->ctx->ext.status_cb != NULL) {
2287 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2288
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2289 if (ret == 0) {
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2290 *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2291 SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2292 SSL_R_INVALID_STATUS_RESPONSE);
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2293 return 0;
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2294 }
2295 if (ret < 0) {
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2296 *al = SSL_AD_INTERNAL_ERROR;
2297 SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
2298 ERR_R_MALLOC_FAILURE);
2299 return 0;
Matt Caswellbb1aaab2015-11-05 14:31:11 +0000[diff] [blame]2300 }
2301 }
Rob Percivaled29e822016-03-03 16:19:23 +0000[diff] [blame]2302#ifndef OPENSSL_NO_CT
2303 if (s->ct_validation_callback != NULL) {
Viktor Dukhovni43341432016-04-07 14:17:37 -0400[diff] [blame]2304 /* Note we validate the SCTs whether or not we abort on error */
2305 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2306 *al = SSL_AD_HANDSHAKE_FAILURE;
2307 return 0;
Rob Percivaled29e822016-03-03 16:19:23 +0000[diff] [blame]2308 }
2309 }
2310#endif
2311
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2312 return 1;
2313}
2314
2315MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2316{
2317 int al = SSL_AD_INTERNAL_ERROR;
2318
2319 if (PACKET_remaining(pkt) > 0) {
2320 /* should contain no data */
2321 al = SSL_AD_DECODE_ERROR;
2322 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2323 goto err;
2324 }
2325#ifndef OPENSSL_NO_SRP
2326 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2327 if (SRP_Calc_A_param(s) <= 0) {
2328 SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
2329 goto err;
2330 }
2331 }
2332#endif
2333
2334 /*
2335 * Error queue messages are generated directly by this function
2336 */
2337 if (!tls_process_initial_server_flight(s, &al))
2338 goto err;
2339
Matt Caswell473483d2015-09-07 22:00:36 +0100[diff] [blame]2340#ifndef OPENSSL_NO_SCTP
2341 /* Only applies to renegotiation */
2342 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2343 && s->renegotiate != 0)
Matt Caswell473483d2015-09-07 22:00:36 +0100[diff] [blame]2344 return MSG_PROCESS_CONTINUE_PROCESSING;
2345 else
2346#endif
2347 return MSG_PROCESS_FINISHED_READING;
Matt Caswell7776a362016-11-15 10:13:09 +0000[diff] [blame]2348
2349 err:
2350 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2351 ossl_statem_set_error(s);
2352 return MSG_PROCESS_ERROR;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2353}
Bodo Möller176f31d2003-02-28 15:37:10 +0000[diff] [blame]2354
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2355static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2356{
2357#ifndef OPENSSL_NO_PSK
2358 int ret = 0;
2359 /*
2360 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2361 * \0-terminated identity. The last byte is for us for simulating
2362 * strnlen.
2363 */
2364 char identity[PSK_MAX_IDENTITY_LEN + 1];
2365 size_t identitylen = 0;
2366 unsigned char psk[PSK_MAX_PSK_LEN];
2367 unsigned char *tmppsk = NULL;
2368 char *tmpidentity = NULL;
2369 size_t psklen = 0;
2370
2371 if (s->psk_client_callback == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2372 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_CLIENT_CB);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2373 *al = SSL_AD_INTERNAL_ERROR;
2374 goto err;
2375 }
2376
2377 memset(identity, 0, sizeof(identity));
2378
2379 psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2380 identity, sizeof(identity) - 1,
2381 psk, sizeof(psk));
2382
2383 if (psklen > PSK_MAX_PSK_LEN) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2384 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2385 *al = SSL_AD_HANDSHAKE_FAILURE;
2386 goto err;
2387 } else if (psklen == 0) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2388 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2389 SSL_R_PSK_IDENTITY_NOT_FOUND);
2390 *al = SSL_AD_HANDSHAKE_FAILURE;
2391 goto err;
2392 }
2393
2394 identitylen = strlen(identity);
2395 if (identitylen > PSK_MAX_IDENTITY_LEN) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2396 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2397 *al = SSL_AD_HANDSHAKE_FAILURE;
2398 goto err;
2399 }
2400
2401 tmppsk = OPENSSL_memdup(psk, psklen);
2402 tmpidentity = OPENSSL_strdup(identity);
2403 if (tmppsk == NULL || tmpidentity == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2404 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2405 *al = SSL_AD_INTERNAL_ERROR;
2406 goto err;
2407 }
2408
2409 OPENSSL_free(s->s3->tmp.psk);
2410 s->s3->tmp.psk = tmppsk;
2411 s->s3->tmp.psklen = psklen;
2412 tmppsk = NULL;
2413 OPENSSL_free(s->session->psk_identity);
2414 s->session->psk_identity = tmpidentity;
2415 tmpidentity = NULL;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2416
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]2417 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) {
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2418 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2419 *al = SSL_AD_INTERNAL_ERROR;
2420 goto err;
2421 }
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2422
2423 ret = 1;
2424
2425 err:
2426 OPENSSL_cleanse(psk, psklen);
2427 OPENSSL_cleanse(identity, sizeof(identity));
2428 OPENSSL_clear_free(tmppsk, psklen);
2429 OPENSSL_clear_free(tmpidentity, identitylen);
2430
2431 return ret;
2432#else
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2433 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2434 *al = SSL_AD_INTERNAL_ERROR;
2435 return 0;
2436#endif
2437}
2438
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2439static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2440{
2441#ifndef OPENSSL_NO_RSA
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2442 unsigned char *encdata = NULL;
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2443 EVP_PKEY *pkey = NULL;
2444 EVP_PKEY_CTX *pctx = NULL;
2445 size_t enclen;
2446 unsigned char *pms = NULL;
2447 size_t pmslen = 0;
2448
2449 if (s->session->peer == NULL) {
2450 /*
2451 * We should always have a server certificate with SSL_kRSA.
2452 */
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2453 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2454 return 0;
2455 }
2456
2457 pkey = X509_get0_pubkey(s->session->peer);
2458 if (EVP_PKEY_get0_RSA(pkey) == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2459 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2460 return 0;
2461 }
2462
2463 pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2464 pms = OPENSSL_malloc(pmslen);
2465 if (pms == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2466 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2467 *al = SSL_AD_INTERNAL_ERROR;
2468 return 0;
2469 }
2470
2471 pms[0] = s->client_version >> 8;
2472 pms[1] = s->client_version & 0xff;
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]2473 /* TODO(size_t): Convert this function */
2474 if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2475 goto err;
2476 }
2477
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2478 /* Fix buf for TLS and beyond */
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2479 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
2480 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2481 goto err;
2482 }
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2483 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2484 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
2485 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2486 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2487 goto err;
2488 }
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2489 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2490 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2491 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2492 goto err;
2493 }
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2494 EVP_PKEY_CTX_free(pctx);
2495 pctx = NULL;
2496# ifdef PKCS1_CHECK
2497 if (s->options & SSL_OP_PKCS1_CHECK_1)
2498 (*p)[1]++;
2499 if (s->options & SSL_OP_PKCS1_CHECK_2)
2500 tmp_buf[0] = 0x70;
2501# endif
2502
2503 /* Fix buf for TLS and beyond */
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2504 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
2505 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2506 goto err;
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2507 }
2508
2509 s->s3->tmp.pms = pms;
2510 s->s3->tmp.pmslen = pmslen;
2511
2512 return 1;
2513 err:
2514 OPENSSL_clear_free(pms, pmslen);
2515 EVP_PKEY_CTX_free(pctx);
2516
2517 return 0;
2518#else
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2519 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2520 *al = SSL_AD_INTERNAL_ERROR;
2521 return 0;
2522#endif
2523}
2524
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2525static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, int *al)
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2526{
2527#ifndef OPENSSL_NO_DH
2528 DH *dh_clnt = NULL;
2529 const BIGNUM *pub_key;
2530 EVP_PKEY *ckey = NULL, *skey = NULL;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2531 unsigned char *keybytes = NULL;
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2532
2533 skey = s->s3->peer_tmp;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2534 if (skey == NULL)
2535 goto err;
2536
Dr. Stephen Henson0a699a02016-08-15 14:07:33 +0100[diff] [blame]2537 ckey = ssl_generate_pkey(skey);
Matt Caswellb599ce32016-11-23 22:12:40 +0000[diff] [blame]2538 if (ckey == NULL)
2539 goto err;
2540
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2541 dh_clnt = EVP_PKEY_get0_DH(ckey);
2542
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]2543 if (dh_clnt == NULL || ssl_derive(s, ckey, skey, 0) == 0)
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2544 goto err;
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2545
2546 /* send off the data */
2547 DH_get0_key(dh_clnt, &pub_key, NULL);
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]2548 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), &keybytes))
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2549 goto err;
2550
2551 BN_bn2bin(pub_key, keybytes);
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2552 EVP_PKEY_free(ckey);
2553
2554 return 1;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2555 err:
2556 EVP_PKEY_free(ckey);
2557#endif
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2558 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2559 *al = SSL_AD_INTERNAL_ERROR;
2560 return 0;
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2561}
2562
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2563static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al)
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2564{
2565#ifndef OPENSSL_NO_EC
2566 unsigned char *encodedPoint = NULL;
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]2567 size_t encoded_pt_len = 0;
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2568 EVP_PKEY *ckey = NULL, *skey = NULL;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2569 int ret = 0;
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2570
2571 skey = s->s3->peer_tmp;
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]2572 if (skey == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2573 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2574 return 0;
2575 }
2576
Dr. Stephen Henson0a699a02016-08-15 14:07:33 +0100[diff] [blame]2577 ckey = ssl_generate_pkey(skey);
Matt Caswellb599ce32016-11-23 22:12:40 +0000[diff] [blame]2578 if (ckey == NULL) {
2579 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE);
2580 goto err;
2581 }
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2582
Matt Caswell0f1e51e2016-11-02 15:03:56 +0000[diff] [blame]2583 if (ssl_derive(s, ckey, skey, 0) == 0) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2584 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2585 goto err;
2586 }
2587
2588 /* Generate encoding of client key */
Dr. Stephen Hensonec246302016-08-11 15:41:49 +0100[diff] [blame]2589 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2590
2591 if (encoded_pt_len == 0) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2592 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EC_LIB);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2593 goto err;
2594 }
2595
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]2596 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2597 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2598 goto err;
2599 }
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2600
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2601 ret = 1;
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2602 err:
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2603 OPENSSL_free(encodedPoint);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2604 EVP_PKEY_free(ckey);
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2605 return ret;
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2606#else
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2607 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2608 *al = SSL_AD_INTERNAL_ERROR;
2609 return 0;
2610#endif
2611}
2612
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2613static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2614{
2615#ifndef OPENSSL_NO_GOST
2616 /* GOST key exchange message creation */
2617 EVP_PKEY_CTX *pkey_ctx = NULL;
2618 X509 *peer_cert;
2619 size_t msglen;
2620 unsigned int md_len;
2621 unsigned char shared_ukm[32], tmp[256];
2622 EVP_MD_CTX *ukm_hash = NULL;
2623 int dgst_nid = NID_id_GostR3411_94;
2624 unsigned char *pms = NULL;
2625 size_t pmslen = 0;
2626
2627 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
2628 dgst_nid = NID_id_GostR3411_2012_256;
2629
2630 /*
2631 * Get server sertificate PKEY and create ctx from it
2632 */
2633 peer_cert = s->session->peer;
2634 if (!peer_cert) {
2635 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2636 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST,
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2637 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2638 return 0;
2639 }
2640
2641 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
2642 if (pkey_ctx == NULL) {
2643 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2644 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2645 return 0;
2646 }
2647 /*
2648 * If we have send a certificate, and certificate key
2649 * parameters match those of server certificate, use
2650 * certificate key for key exchange
2651 */
2652
2653 /* Otherwise, generate ephemeral key pair */
2654 pmslen = 32;
2655 pms = OPENSSL_malloc(pmslen);
2656 if (pms == NULL) {
2657 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2658 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
Matt Caswell2f3930b2016-08-22 22:17:20 +0100[diff] [blame]2659 goto err;
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2660 }
2661
2662 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
Matt Caswell348240c2016-10-19 15:11:24 +0100[diff] [blame]2663 /* Generate session key
2664 * TODO(size_t): Convert this function
2665 */
2666 || RAND_bytes(pms, (int)pmslen) <= 0) {
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2667 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2668 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2669 goto err;
2670 };
2671 /*
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2672 * Compute shared IV and store it in algorithm-specific context
2673 * data
2674 */
2675 ukm_hash = EVP_MD_CTX_new();
2676 if (ukm_hash == NULL
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2677 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
2678 || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
2679 SSL3_RANDOM_SIZE) <= 0
2680 || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
2681 SSL3_RANDOM_SIZE) <= 0
2682 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2683 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2684 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2685 goto err;
2686 }
2687 EVP_MD_CTX_free(ukm_hash);
2688 ukm_hash = NULL;
2689 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2690 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2691 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2692 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2693 goto err;
2694 }
2695 /* Make GOST keytransport blob message */
2696 /*
2697 * Encapsulate it into sequence
2698 */
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2699 msglen = 255;
2700 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
2701 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2702 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2703 goto err;
2704 }
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2705
Matt Caswell08029df2016-09-20 14:47:44 +0100[diff] [blame]2706 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
2707 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]2708 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2709 *al = SSL_AD_INTERNAL_ERROR;
2710 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
2711 goto err;
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2712 }
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2713
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2714 EVP_PKEY_CTX_free(pkey_ctx);
2715 s->s3->tmp.pms = pms;
2716 s->s3->tmp.pmslen = pmslen;
2717
2718 return 1;
2719 err:
2720 EVP_PKEY_CTX_free(pkey_ctx);
2721 OPENSSL_clear_free(pms, pmslen);
2722 EVP_MD_CTX_free(ukm_hash);
2723 return 0;
2724#else
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2725 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2726 *al = SSL_AD_INTERNAL_ERROR;
2727 return 0;
2728#endif
2729}
2730
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2731static int tls_construct_cke_srp(SSL *s, WPACKET *pkt, int *al)
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2732{
Richard Levitte8b9546c2016-07-22 21:48:05 +0200[diff] [blame]2733#ifndef OPENSSL_NO_SRP
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2734 unsigned char *abytes = NULL;
2735
2736 if (s->srp_ctx.A == NULL
Matt Caswellb2b30242016-09-13 11:32:52 +0100[diff] [blame]2737 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
2738 &abytes)) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2739 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2740 return 0;
2741 }
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2742 BN_bn2bin(s->srp_ctx.A, abytes);
2743
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2744 OPENSSL_free(s->session->srp_username);
2745 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2746 if (s->session->srp_username == NULL) {
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2747 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_MALLOC_FAILURE);
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2748 return 0;
2749 }
2750
2751 return 1;
2752#else
Matt Caswell05ec6a22016-07-08 12:27:30 +0100[diff] [blame]2753 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2754 *al = SSL_AD_INTERNAL_ERROR;
2755 return 0;
2756#endif
2757}
2758
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2759int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2760{
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2761 unsigned long alg_k;
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2762 int al = -1;
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2763
Dr. Stephen Henson76890822015-06-28 17:15:10 +0100[diff] [blame]2764 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2765
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2766 if ((alg_k & SSL_PSK)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2767 && !tls_construct_cke_psk_preamble(s, pkt, &al))
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2768 goto err;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2769
Matt Caswellf1ec23c2016-09-13 11:01:04 +0100[diff] [blame]2770 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2771 if (!tls_construct_cke_rsa(s, pkt, &al))
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2772 goto err;
Matt Caswella8c1c702016-07-08 09:42:07 +0100[diff] [blame]2773 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2774 if (!tls_construct_cke_dhe(s, pkt, &al))
Dr. Stephen Hensonbc71f912015-12-15 23:57:18 +0000[diff] [blame]2775 goto err;
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2776 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2777 if (!tls_construct_cke_ecdhe(s, pkt, &al))
Matt Caswell67ad5aa2016-07-08 09:51:02 +0100[diff] [blame]2778 goto err;
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2779 } else if (alg_k & SSL_kGOST) {
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2780 if (!tls_construct_cke_gost(s, pkt, &al))
Matt Caswelle00e0b32016-07-08 10:07:55 +0100[diff] [blame]2781 goto err;
Matt Caswell840a2bf2016-07-08 10:43:59 +0100[diff] [blame]2782 } else if (alg_k & SSL_kSRP) {
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2783 if (!tls_construct_cke_srp(s, pkt, &al))
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2784 goto err;
Matt Caswell4a424542016-09-29 12:04:08 +0100[diff] [blame]2785 } else if (!(alg_k & SSL_kPSK)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2786 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2787 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2788 goto err;
2789 }
2790
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2791 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2792 err:
Matt Caswell13c0ec42016-07-07 14:42:27 +0100[diff] [blame]2793 if (al != -1)
2794 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswell0bce0b02016-07-07 12:47:07 +0100[diff] [blame]2795 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
Dr. Stephen Henson76106e62015-05-12 17:17:37 +0100[diff] [blame]2796 s->s3->tmp.pms = NULL;
Dr. Stephen Henson76890822015-06-28 17:15:10 +0100[diff] [blame]2797#ifndef OPENSSL_NO_PSK
2798 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
2799 s->s3->tmp.psk = NULL;
2800#endif
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2801 return 0;
2802}
2803
2804int tls_client_key_exchange_post_work(SSL *s)
2805{
2806 unsigned char *pms = NULL;
2807 size_t pmslen = 0;
2808
Matt Caswell6f137372016-04-28 15:12:37 +0100[diff] [blame]2809 pms = s->s3->tmp.pms;
2810 pmslen = s->s3->tmp.pmslen;
2811
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2812#ifndef OPENSSL_NO_SRP
2813 /* Check for SRP */
2814 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2815 if (!srp_generate_client_master_secret(s)) {
2816 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
2817 ERR_R_INTERNAL_ERROR);
2818 goto err;
2819 }
2820 return 1;
2821 }
2822#endif
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2823
2824 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
2825 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2826 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
2827 goto err;
2828 }
2829 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
2830 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2831 SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR);
Matt Caswell6f137372016-04-28 15:12:37 +0100[diff] [blame]2832 /* ssl_generate_master_secret frees the pms even on error */
2833 pms = NULL;
2834 pmslen = 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2835 goto err;
2836 }
Matt Caswell6f137372016-04-28 15:12:37 +0100[diff] [blame]2837 pms = NULL;
2838 pmslen = 0;
Matt Caswell473483d2015-09-07 22:00:36 +0100[diff] [blame]2839
2840#ifndef OPENSSL_NO_SCTP
2841 if (SSL_IS_DTLS(s)) {
2842 unsigned char sctpauthkey[64];
2843 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
2844
2845 /*
2846 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
2847 * used.
2848 */
Matt Caswell141eb8c2015-10-26 12:00:00 +0000[diff] [blame]2849 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
2850 sizeof(DTLS1_SCTP_AUTH_LABEL));
Matt Caswell473483d2015-09-07 22:00:36 +0100[diff] [blame]2851
2852 if (SSL_export_keying_material(s, sctpauthkey,
Emilia Kaspera230b262016-08-05 19:03:17 +0200[diff] [blame]2853 sizeof(sctpauthkey), labelbuffer,
2854 sizeof(labelbuffer), NULL, 0, 0) <= 0)
Matt Caswell473483d2015-09-07 22:00:36 +0100[diff] [blame]2855 goto err;
2856
2857 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
2858 sizeof(sctpauthkey), sctpauthkey);
2859 }
2860#endif
2861
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2862 return 1;
2863 err:
2864 OPENSSL_clear_free(pms, pmslen);
2865 s->s3->tmp.pms = NULL;
2866 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2867}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2868
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2869/*
2870 * Check a certificate can be used for client authentication. Currently check
2871 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
2872 * certificates can be used and optionally checks suitability for Suite B.
Dr. Stephen Henson0d609392012-01-25 14:51:49 +0000[diff] [blame]2873 */
2874static int ssl3_check_client_certificate(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2875{
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2876 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2877 return 0;
2878 /* If no suitable signature algorithm can't use certificate */
Dr. Stephen Hensond376e572015-05-12 18:56:39 +0100[diff] [blame]2879 if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2880 return 0;
2881 /*
2882 * If strict mode check suitability of chain before using it. This also
2883 * adjusts suite B digest if necessary.
2884 */
2885 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2886 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2887 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2888 return 1;
2889}
Dr. Stephen Henson0d609392012-01-25 14:51:49 +0000[diff] [blame]2890
Matt Caswellbe3583f2015-10-26 11:46:33 +0000[diff] [blame]2891WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2892{
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2893 X509 *x509 = NULL;
2894 EVP_PKEY *pkey = NULL;
2895 int i;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2896
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2897 if (wst == WORK_MORE_A) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2898 /* Let cert callback update client certificates if required */
2899 if (s->cert->cert_cb) {
2900 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2901 if (i < 0) {
2902 s->rwstate = SSL_X509_LOOKUP;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2903 return WORK_MORE_A;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2904 }
2905 if (i == 0) {
2906 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]2907 ossl_statem_set_error(s);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2908 return 0;
2909 }
2910 s->rwstate = SSL_NOTHING;
2911 }
2912 if (ssl3_check_client_certificate(s))
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2913 return WORK_FINISHED_CONTINUE;
2914
2915 /* Fall through to WORK_MORE_B */
2916 wst = WORK_MORE_B;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2917 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2918
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2919 /* We need to get a client cert */
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2920 if (wst == WORK_MORE_B) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2921 /*
2922 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
2923 * return(-1); We then get retied later
2924 */
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2925 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2926 if (i < 0) {
2927 s->rwstate = SSL_X509_LOOKUP;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2928 return WORK_MORE_B;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2929 }
2930 s->rwstate = SSL_NOTHING;
2931 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2932 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
2933 i = 0;
2934 } else if (i == 1) {
2935 i = 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2936 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2937 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2938 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2939
Rich Salz222561f2015-04-30 17:33:59 -0400[diff] [blame]2940 X509_free(x509);
Rich Salz25aaa982015-05-01 14:37:16 -0400[diff] [blame]2941 EVP_PKEY_free(pkey);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2942 if (i && !ssl3_check_client_certificate(s))
2943 i = 0;
2944 if (i == 0) {
2945 if (s->version == SSL3_VERSION) {
2946 s->s3->tmp.cert_req = 0;
2947 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2948 return WORK_FINISHED_CONTINUE;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2949 } else {
2950 s->s3->tmp.cert_req = 2;
Dr. Stephen Henson124037f2015-06-16 14:44:29 +0100[diff] [blame]2951 if (!ssl3_digest_cached_records(s, 0)) {
Dr. Stephen Hensondab18ab2015-05-07 00:04:48 +0100[diff] [blame]2952 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Matt Caswellfe3a3292015-10-05 10:39:54 +0100[diff] [blame]2953 ossl_statem_set_error(s);
Dr. Stephen Hensondab18ab2015-05-07 00:04:48 +0100[diff] [blame]2954 return 0;
2955 }
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2956 }
2957 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2958
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2959 return WORK_FINISHED_CONTINUE;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2960 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2961
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2962 /* Shouldn't ever get here */
2963 return WORK_ERROR;
2964}
2965
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]2966int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2967{
Matt Caswell0baed5e2017-01-02 11:16:37 +0000[diff] [blame]2968 int al = SSL_AD_INTERNAL_ERROR;
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]2969
2970 /*
2971 * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in
2972 * later
2973 */
2974 if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
2975 || !ssl3_output_cert_chain(s, pkt,
Matt Caswellb90506e2016-10-03 15:37:47 +0100[diff] [blame]2976 (s->s3->tmp.cert_req == 2) ? NULL
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]2977 : s->cert->key,
2978 &al)) {
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2979 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]2980 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2981 return 0;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2982 }
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]2983
2984 return 1;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2985}
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2986
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2987#define has_bits(i,m) (((i)&(m)) == (m))
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2988
Ben Laurie36d16f82005-04-26 16:02:40 +0000[diff] [blame]2989int ssl3_check_cert_and_algorithm(SSL *s)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2990{
Richard Levitte60f43e92015-12-09 23:59:04 +0100[diff] [blame]2991 int i;
2992#ifndef OPENSSL_NO_EC
2993 int idx;
2994#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2995 long alg_k, alg_a;
2996 EVP_PKEY *pkey = NULL;
Kurt Roeckx26c79d52015-04-18 12:23:12 +0200[diff] [blame]2997 int al = SSL_AD_HANDSHAKE_FAILURE;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]2998
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]2999 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3000 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3001
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3002 /* we don't have a certificate */
Matt Caswell55a9a162015-05-12 10:27:53 +0100[diff] [blame]3003 if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3004 return (1);
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3005
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3006 /* This is the passed certificate */
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3007
Rich Salz10bf4fc2015-03-10 19:09:27 -0400[diff] [blame]3008#ifndef OPENSSL_NO_EC
Richard Levitte60f43e92015-12-09 23:59:04 +0100[diff] [blame]3009 idx = s->session->peer_type;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3010 if (idx == SSL_PKEY_ECC) {
Dr. Stephen Hensona273c6e2015-06-21 19:08:57 +0100[diff] [blame]3011 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3012 /* check failed */
3013 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3014 goto f_err;
3015 } else {
3016 return 1;
3017 }
3018 } else if (alg_a & SSL_aECDSA) {
3019 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3020 SSL_R_MISSING_ECDSA_SIGNING_CERT);
3021 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3022 }
Bodo Möllerea262262002-08-09 08:56:08 +0000[diff] [blame]3023#endif
Dr. Stephen Henson8382fd32015-12-20 00:32:36 +0000[diff] [blame]3024 pkey = X509_get0_pubkey(s->session->peer);
Dr. Stephen Hensona273c6e2015-06-21 19:08:57 +0100[diff] [blame]3025 i = X509_certificate_type(s->session->peer, pkey);
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3026
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3027 /* Check that we have a certificate if we require one */
3028 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
3029 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3030 SSL_R_MISSING_RSA_SIGNING_CERT);
3031 goto f_err;
3032 }
Richard Levittebc36ee62001-02-20 08:13:47 +0000[diff] [blame]3033#ifndef OPENSSL_NO_DSA
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3034 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) {
3035 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3036 SSL_R_MISSING_DSA_SIGNING_CERT);
3037 goto f_err;
3038 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3039#endif
Richard Levittebc36ee62001-02-20 08:13:47 +0000[diff] [blame]3040#ifndef OPENSSL_NO_RSA
Kurt Roeckx361a1192015-12-05 02:04:41 +0100[diff] [blame]3041 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
3042 !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
3043 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3044 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3045 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3046 }
Ulf Möller79df9d61999-04-27 03:19:12 +0000[diff] [blame]3047#endif
Richard Levittebc36ee62001-02-20 08:13:47 +0000[diff] [blame]3048#ifndef OPENSSL_NO_DH
Dr. Stephen Hensonfb79abe2015-12-17 01:07:46 +0000[diff] [blame]3049 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
Kurt Roeckx26c79d52015-04-18 12:23:12 +0200[diff] [blame]3050 al = SSL_AD_INTERNAL_ERROR;
3051 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3052 goto f_err;
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3053 }
Ralf S. Engelschalld02b48c1998-12-21 10:52:47 +0000[diff] [blame]3054#endif
3055
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3056 return (1);
3057 f_err:
Kurt Roeckx26c79d52015-04-18 12:23:12 +0200[diff] [blame]3058 ssl3_send_alert(s, SSL3_AL_FATAL, al);
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3059 return (0);
3060}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]3061
Matt Caswelle481f9b2015-05-15 10:49:56 +0100[diff] [blame]3062#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]3063int tls_construct_next_proto(SSL *s, WPACKET *pkt)
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]3064{
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3065 size_t len, padding_len;
3066 unsigned char *padding = NULL;
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3067
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]3068 len = s->ext.npn_len;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]3069 padding_len = 32 - ((len + 2) % 32);
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3070
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]3071 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
Matt Caswell7cea05d2016-09-29 23:28:29 +0100[diff] [blame]3072 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3073 SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
3074 goto err;
3075 }
3076
3077 memset(padding, 0, padding_len);
3078
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]3079 return 1;
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3080 err:
Matt Caswell15e6be62016-09-14 12:10:33 +0100[diff] [blame]3081 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3082 return 0;
Matt Caswellb9908bf2015-07-29 14:08:49 +0100[diff] [blame]3083}
Dr. Stephen Henson6434abb2007-08-11 23:18:29 +0000[diff] [blame]3084#endif
Dr. Stephen Henson368888b2008-06-01 22:33:24 +0000[diff] [blame]3085
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]3086static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3087{
3088 int al = SSL_AD_INTERNAL_ERROR;
3089 PACKET extensions;
Matt Caswell3434f402016-11-28 16:45:52 +0000[diff] [blame]3090 RAW_EXTENSION *rawexts = NULL;
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]3091
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]3092 if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
3093 al = SSL_AD_DECODE_ERROR;
3094 SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
3095 goto err;
3096 }
3097
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]3098 if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]3099 &rawexts, &al)
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]3100 || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
Matt Caswellf97d4c32016-12-01 15:21:08 +0000[diff] [blame]3101 rawexts, NULL, 0, &al))
Matt Caswell3434f402016-11-28 16:45:52 +0000[diff] [blame]3102 goto err;
3103
Matt Caswell1b0286a2016-12-05 17:31:37 +0000[diff] [blame]3104 OPENSSL_free(rawexts);
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]3105 return MSG_PROCESS_CONTINUE_READING;
3106
3107 err:
3108 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3109 ossl_statem_set_error(s);
Matt Caswell1b0286a2016-12-05 17:31:37 +0000[diff] [blame]3110 OPENSSL_free(rawexts);
Matt Caswelle46f2332016-11-23 15:20:22 +0000[diff] [blame]3111 return MSG_PROCESS_ERROR;
3112}
3113
Dr. Stephen Henson368888b2008-06-01 22:33:24 +0000[diff] [blame]3114int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3115{
3116 int i = 0;
Dr. Stephen Henson368888b2008-06-01 22:33:24 +0000[diff] [blame]3117#ifndef OPENSSL_NO_ENGINE
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3118 if (s->ctx->client_cert_engine) {
3119 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3120 SSL_get_client_CA_list(s),
3121 px509, ppkey, NULL, NULL, NULL);
3122 if (i != 0)
3123 return i;
3124 }
Dr. Stephen Henson368888b2008-06-01 22:33:24 +0000[diff] [blame]3125#endif
Matt Caswell0f113f32015-01-22 03:40:55 +0000[diff] [blame]3126 if (s->ctx->client_cert_cb)
3127 i = s->ctx->client_cert_cb(s, px509, ppkey);
3128 return i;
3129}
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3130
Matt Caswellae2f7b32016-09-05 17:34:04 +0100[diff] [blame]3131int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3132{
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3133 int i;
3134 size_t totlen = 0, len, maxlen;
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3135 int empty_reneg_info_scsv = !s->renegotiate;
3136 /* Set disabled masks for this session */
3137 ssl_set_client_disabled(s);
3138
3139 if (sk == NULL)
3140 return (0);
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3141
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3142#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3143# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3144# error Max cipher length too short
3145# endif
3146 /*
3147 * Some servers hang if client hello > 256 bytes as hack workaround
3148 * chop number of supported ciphers to keep it well below this if we
3149 * use TLS v1.2
3150 */
3151 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3152 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3153 else
3154#endif
3155 /* Maximum length that can be stored in 2 bytes. Length must be even */
3156 maxlen = 0xfffe;
3157
3158 if (empty_reneg_info_scsv)
3159 maxlen -= 2;
3160 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
3161 maxlen -= 2;
3162
3163 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
3164 const SSL_CIPHER *c;
3165
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3166 c = sk_SSL_CIPHER_value(sk, i);
3167 /* Skip disabled ciphers */
3168 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
3169 continue;
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3170
3171 if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3172 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3173 return 0;
3174 }
3175
3176 totlen += len;
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3177 }
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3178
3179 if (totlen == 0) {
3180 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
3181 return 0;
3182 }
3183
3184 if (totlen != 0) {
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3185 if (empty_reneg_info_scsv) {
3186 static SSL_CIPHER scsv = {
3187 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3188 };
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3189 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3190 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3191 return 0;
3192 }
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3193 }
3194 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
3195 static SSL_CIPHER scsv = {
3196 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3197 };
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3198 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3199 SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3200 return 0;
3201 }
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3202 }
3203 }
3204
Matt Caswell2c7b4db2016-08-03 20:57:52 +0100[diff] [blame]3205 return 1;
Matt Caswelld45ba432015-04-24 15:05:27 +0100[diff] [blame]3206}