X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=f95c19b41bf7c7071f8147252222f7940d1f0355;hp=919469faa09c486b4c79a0a99182e219cd541e29;hb=dd5a4279f9be3988023a72c7f840aa2690c264f3;hpb=bd79bcb42bab120575fc398692b7b61b1c5e6ed2 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 919469faa0..f95c19b41b 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,46 +9,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include #include "../ssl_locl.h" #include "statem_locl.h" @@ -86,15 +48,14 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) default: break; - case TLS_ST_SW_HELLO_RETRY_REQUEST: - if (mt == SSL3_MT_CLIENT_HELLO) { - st->hand_state = TLS_ST_SR_CLNT_HELLO; - return 1; - } - break; - case TLS_ST_EARLY_DATA: - if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + if (s->hello_retry_request) { + if (mt == SSL3_MT_CLIENT_HELLO) { + st->hand_state = TLS_ST_SR_CLNT_HELLO; + return 1; + } + break; + } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { if (mt == SSL3_MT_END_OF_EARLY_DATA) { st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; return 1; @@ -210,10 +171,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) * not going to accept it because we require a client * cert. */ - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL3_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); return 0; } st->hand_state = TLS_ST_SR_KEY_EXCH; @@ -310,8 +270,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) err: /* No valid transition found */ - ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, + SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); return 0; } @@ -417,6 +378,9 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); return WRITE_TRAN_ERROR; case TLS_ST_OK: @@ -435,7 +399,8 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_HELLO_RETRY_REQUEST: - return WRITE_TRAN_FINISHED; + st->hand_state = TLS_ST_EARLY_DATA; + return WRITE_TRAN_CONTINUE; case TLS_ST_SW_SRVR_HELLO: st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; @@ -515,6 +480,9 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); return WRITE_TRAN_ERROR; case TLS_ST_OK: @@ -526,7 +494,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) } /* Must be an incoming ClientHello */ if (!tls_setup_handshake(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WRITE_TRAN_ERROR; } /* Fall through */ @@ -668,8 +636,10 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_SRVR_DONE: #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) + if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { + /* Calls SSLfatal() as required */ return dtls_wait_for_dry(s); + } #endif return WORK_FINISHED_CONTINUE; @@ -679,6 +649,8 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) * Actually this is the end of the handshake, but we're going * straight into writing the session ticket out. So we finish off * the handshake, but keep the various buffers active. + * + * Calls SSLfatal as required. */ return tls_finish_handshake(s, wst, 0); } if (SSL_IS_DTLS(s)) { @@ -693,7 +665,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_CHANGE: s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } if (SSL_IS_DTLS(s)) { @@ -713,6 +685,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) /* Fall through */ case TLS_ST_OK: + /* Calls SSLfatal() as required */ return tls_finish_handshake(s, wst, 1); } @@ -743,7 +716,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_A; if (!ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } break; @@ -753,7 +726,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) return WORK_MORE_A; /* HelloVerifyRequest resets Finished MAC */ if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } /* @@ -780,7 +753,9 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0) <= 0) { - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_POST_WORK, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } @@ -797,13 +772,17 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (SSL_IS_TLS13(s)) { if (!s->method->ssl3_enc->setup_key_block(s) || !s->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + /* SSLfatal() already called */ return WORK_ERROR; + } if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED && !s->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) + SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) { + /* SSLfatal() already called */ return WORK_ERROR; + } } break; @@ -821,7 +800,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } @@ -853,6 +832,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) &s->session->master_key_length) || !s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + /* SSLfatal() already called */ return WORK_ERROR; } break; @@ -860,8 +840,10 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_KEY_UPDATE: if (statem_flush(s) != 1) return WORK_MORE_A; - if (!tls13_update_key(s, 1)) + if (!tls13_update_key(s, 1)) { + /* SSLfatal() already called */ return WORK_ERROR; + } break; case TLS_ST_SW_SESSION_TICKET: @@ -889,6 +871,9 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + SSL_R_BAD_HANDSHAKE_STATE); return 0; case TLS_ST_SW_CHANGE: @@ -1054,6 +1039,9 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); return MSG_PROCESS_ERROR; case TLS_ST_SR_CLNT_HELLO: @@ -1099,6 +1087,9 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; case TLS_ST_SR_CLNT_HELLO: @@ -1111,11 +1102,11 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) } #ifndef OPENSSL_NO_SRP -static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) +/* Returns 1 on success, 0 for retryable error, -1 for fatal error */ +static int ssl_check_srp_ext_ClientHello(SSL *s) { - int ret = SSL_ERROR_NONE; - - *al = SSL_AD_UNRECOGNIZED_NAME; + int ret; + int al = SSL_AD_UNRECOGNIZED_NAME; if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { @@ -1124,13 +1115,24 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) * RFC 5054 says SHOULD reject, we do so if There is no srp * login name */ - ret = SSL3_AL_FATAL; - *al = SSL_AD_UNKNOWN_PSK_IDENTITY; + SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, + SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, + SSL_R_PSK_IDENTITY_NOT_FOUND); + return -1; } else { - ret = SSL_srp_server_param_with_username(s, al); + ret = SSL_srp_server_param_with_username(s, &al); + if (ret < 0) + return 0; + if (ret == SSL3_AL_FATAL) { + SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, + al == SSL_AD_UNKNOWN_PSK_IDENTITY + ? SSL_R_PSK_IDENTITY_NOT_FOUND + : SSL_R_CLIENTHELLO_TLSEXT); + return -1; + } } } - return ret; + return 1; } #endif @@ -1152,15 +1154,16 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &cookie_leni) == 0 || cookie_leni > 255) { - SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, - SSL_R_COOKIE_GEN_CALLBACK_FAILURE); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, + SSL_R_COOKIE_GEN_CALLBACK_FAILURE); return 0; } s->d1->cookie_len = cookie_leni; if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, s->d1->cookie_len)) { - SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, + ERR_R_INTERNAL_ERROR); return 0; } @@ -1175,6 +1178,7 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) * SNI, * elliptic_curves * ec_point_formats + * signature_algorithms (for TLSv1.2 only) * * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. @@ -1232,7 +1236,6 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { - int al = SSL_AD_INTERNAL_ERROR; /* |cookie| will only be initialized for DTLS. */ PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; @@ -1240,11 +1243,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) clienthello = OPENSSL_zalloc(sizeof(*clienthello)); if (clienthello == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); goto err; } /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); + goto err; + } s->renegotiate = 1; s->new_session = 1; } @@ -1259,9 +1267,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) unsigned int mt; if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto err; } /*- @@ -1286,14 +1294,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * layer in order to have determined that this is a SSLv2 record * in the first place */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); goto err; } } if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_TOO_SHORT); goto err; } @@ -1310,16 +1319,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!PACKET_get_net_2(pkt, &ciphersuite_len) || !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &challenge_len)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_RECORD_LENGTH_MISMATCH); + goto err; } if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto err; } if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, @@ -1328,10 +1336,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_RECORD_LENGTH_MISMATCH); + goto err; } clienthello->session_id_len = session_id_len; @@ -1348,9 +1355,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; } PACKET_null_init(&clienthello->extensions); @@ -1361,23 +1368,23 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) || !PACKET_copy_all(&session_id, clienthello->session_id, SSL_MAX_SSL_SESSION_ID_LENGTH, &clienthello->session_id_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } if (SSL_IS_DTLS(s)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, DTLS1_COOKIE_LENGTH, &clienthello->dtls_cookie_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; } /* * If we require cookies and this ClientHello doesn't contain one, @@ -1386,30 +1393,31 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (clienthello->dtls_cookie_len == 0) - return 1; + return MSG_PROCESS_FINISHED_READING; } } if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } if (!PACKET_get_length_prefixed_1(pkt, &compression)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } /* Could be empty. */ if (PACKET_remaining(pkt) == 0) { PACKET_null_init(&clienthello->extensions); } else { - if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } } } @@ -1417,37 +1425,35 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!PACKET_copy_all(&compression, clienthello->compressions, MAX_COMPRESSIONS_SIZE, &clienthello->compressions_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; } /* Preserve the raw extensions PACKET for later use */ extensions = clienthello->extensions; if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, - &clienthello->pre_proc_exts, &al, - &clienthello->pre_proc_exts_len)) { - /* SSLerr already been called */ - goto f_err; + &clienthello->pre_proc_exts, + &clienthello->pre_proc_exts_len, 1)) { + /* SSLfatal already been called */ + goto err; } s->clienthello = clienthello; return MSG_PROCESS_CONTINUE_PROCESSING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - ossl_statem_set_error(s); - OPENSSL_free(clienthello->pre_proc_exts); + err: + if (clienthello != NULL) + OPENSSL_free(clienthello->pre_proc_exts); OPENSSL_free(clienthello); return MSG_PROCESS_ERROR; } -static int tls_early_post_process_client_hello(SSL *s, int *al) +static int tls_early_post_process_client_hello(SSL *s) { unsigned int j; - int i; + int i, al = SSL_AD_INTERNAL_ERROR; int protverr; size_t loop; unsigned long id; @@ -1460,18 +1466,22 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) CLIENTHELLO_MSG *clienthello = s->clienthello; DOWNGRADE dgrd = DOWNGRADE_NONE; - *al = SSL_AD_INTERNAL_ERROR; /* Finished parsing the ClientHello, now we can start processing it */ - /* Give the early callback a crack at things */ - if (s->ctx->early_cb != NULL) { - int code; - /* A failure in the early callback terminates the connection. */ - code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg); - if (code == 0) + /* Give the ClientHello callback a crack at things */ + if (s->ctx->client_hello_cb != NULL) { + /* A failure in the ClientHello callback terminates the connection. */ + switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) { + case SSL_CLIENT_HELLO_SUCCESS: + break; + case SSL_CLIENT_HELLO_RETRY: + s->rwstate = SSL_CLIENT_HELLO_CB; + return -1; + case SSL_CLIENT_HELLO_ERROR: + default: + SSLfatal(s, al, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_CALLBACK_FAILED); goto err; - if (code < 0) { - s->rwstate = SSL_EARLY_WORK; - return code; } } @@ -1485,10 +1495,12 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) || (clienthello->legacy_version & 0xff00) != (SSL3_VERSION_MAJOR << 8)) { /* - * This is real SSLv2 or something complete unknown. We don't + * This is real SSLv2 or something completely unknown. We don't * support it. */ - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_UNKNOWN_PROTOCOL); goto err; } /* SSLv3/TLS */ @@ -1508,20 +1520,20 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) } if (protverr) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); if (SSL_IS_FIRST_HANDSHAKE(s)) { /* like ssl3_get_record, send alert using remote version number */ s->version = s->client_version = clienthello->legacy_version; } - *al = SSL_AD_PROTOCOL_VERSION; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); goto err; } /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_NOT_ON_RECORD_BOUNDARY); + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NOT_ON_RECORD_BOUNDARY); goto err; } @@ -1531,9 +1543,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) if (s->ctx->app_verify_cookie_cb != NULL) { if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, clienthello->dtls_cookie_len) == 0) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_COOKIE_MISMATCH); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_COOKIE_MISMATCH); goto err; /* else cookie verification succeeded */ } @@ -1541,8 +1553,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) } else if (s->d1->cookie_len != clienthello->dtls_cookie_len || memcmp(clienthello->dtls_cookie, s->d1->cookie, s->d1->cookie_len) != 0) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_COOKIE_MISMATCH); goto err; } s->d1->cookie_verified = 1; @@ -1550,9 +1563,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) if (s->method->version == DTLS_ANY_VERSION) { protverr = ssl_choose_server_version(s, clienthello, &dgrd); if (protverr != 0) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); s->version = s->client_version; - *al = SSL_AD_PROTOCOL_VERSION; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); goto err; } } @@ -1560,11 +1573,76 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) s->hit = 0; + if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, + clienthello->isv2) || + !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, + clienthello->isv2, 1)) { + /* SSLfatal() already called */ + goto err; + } + + s->s3->send_connection_binding = 0; + /* Check what signalling cipher-suite values were received. */ + if (scsvs != NULL) { + for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { + c = sk_SSL_CIPHER_value(scsvs, i); + if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { + if (s->renegotiate) { + /* SCSV is fatal if renegotiating */ + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + goto err; + } + s->s3->send_connection_binding = 1; + } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && + !ssl_check_version_downgrade(s)) { + /* + * This SCSV indicates that the client previously tried + * a higher version. We should fail if the current version + * is an unexpected downgrade, as that indicates that the first + * connection may have been tampered with in order to trigger + * an insecure downgrade. + */ + SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INAPPROPRIATE_FALLBACK); + goto err; + } + } + } + + /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ + if (SSL_IS_TLS13(s)) { + const SSL_CIPHER *cipher = + ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); + + if (cipher == NULL) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); + goto err; + } + if (s->hello_retry_request + && (s->s3->tmp.new_cipher == NULL + || s->s3->tmp.new_cipher->id != cipher->id)) { + /* + * A previous HRR picked a different ciphersuite to the one we + * just selected. Something must have changed. + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_BAD_CIPHER); + goto err; + } + s->s3->tmp.new_cipher = cipher; + } + /* We need to do this before getting the session */ if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, SSL_EXT_CLIENT_HELLO, - clienthello->pre_proc_exts, NULL, 0, al)) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + clienthello->pre_proc_exts, NULL, 0)) { + /* SSLfatal() already called */ goto err; } @@ -1587,62 +1665,32 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) if (clienthello->isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { - if (!ssl_get_new_session(s, 1)) + if (!ssl_get_new_session(s, 1)) { + /* SSLfatal() already called */ goto err; + } } else { - i = ssl_get_prev_session(s, clienthello, al); + i = ssl_get_prev_session(s, clienthello); if (i == 1) { /* previous session */ s->hit = 1; } else if (i == -1) { + /* SSLfatal() already called */ goto err; } else { /* i == 0 */ - if (!ssl_get_new_session(s, 1)) - goto err; - } - } - - if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, - clienthello->isv2, al) || - !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, - clienthello->isv2, al)) { - goto err; - } - - s->s3->send_connection_binding = 0; - /* Check what signalling cipher-suite values were received. */ - if (scsvs != NULL) { - for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { - c = sk_SSL_CIPHER_value(scsvs, i); - if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { - if (s->renegotiate) { - /* SCSV is fatal if renegotiating */ - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - *al = SSL_AD_HANDSHAKE_FAILURE; - goto err; - } - s->s3->send_connection_binding = 1; - } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && - !ssl_check_version_downgrade(s)) { - /* - * This SCSV indicates that the client previously tried - * a higher version. We should fail if the current version - * is an unexpected downgrade, as that indicates that the first - * connection may have been tampered with in order to trigger - * an insecure downgrade. - */ - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_INAPPROPRIATE_FALLBACK); - *al = SSL_AD_INAPPROPRIATE_FALLBACK; + if (!ssl_get_new_session(s, 1)) { + /* SSLfatal() already called */ goto err; } } } - /* If it is a hit, check that the cipher is in the list */ - if (s->hit) { + /* + * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check + * ciphersuite compatibility with the session as part of resumption. + */ + if (!SSL_IS_TLS13(s) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1665,9 +1713,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) * we need to have the cipher in the cipher list if we are asked * to reuse it */ - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_CIPHER_MISSING); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_REQUIRED_CIPHER_MISSING); goto err; } } @@ -1679,8 +1727,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) if (loop >= clienthello->compressions_len) { /* no compress */ - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_COMPRESSION_SPECIFIED); goto err; } @@ -1691,8 +1740,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) /* TLS extensions */ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, - clienthello->pre_proc_exts, NULL, 0, al)) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); + clienthello->pre_proc_exts, NULL, 0, 1)) { + /* SSLfatal() already called */ goto err; } @@ -1706,11 +1755,18 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) unsigned char *pos; pos = s->s3->server_random; if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); goto err; } } - if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) { + if (!s->hit + && s->version >= TLS1_VERSION + && !SSL_IS_TLS13(s) + && !SSL_IS_DTLS(s) + && s->ext.session_secret_cb) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -1736,8 +1792,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); if (pref_cipher == NULL) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); goto err; } @@ -1755,16 +1812,30 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) * algorithms from the client, starting at q. */ s->s3->tmp.new_compression = NULL; + if (SSL_IS_TLS13(s)) { + /* + * We already checked above that the NULL compression method appears in + * the list. Now we check there aren't any others (which is illegal in + * a TLSv1.3 ClientHello. + */ + if (clienthello->compressions_len != 1) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); + goto err; + } + } #ifndef OPENSSL_NO_COMP /* This only happens if we have a cache hit */ - if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) { + else if (s->session->compress_meth != 0) { int m, comp_id = s->session->compress_meth; unsigned int k; /* Perform sanity checks on resumed compression algorithm */ /* Can't disable compression */ if (!ssl_allow_compression(s)) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_INCONSISTENT_COMPRESSION); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); goto err; } /* Look for resumed compression method */ @@ -1776,8 +1847,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) } } if (s->s3->tmp.new_compression == NULL) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_INVALID_COMPRESSION_ALGORITHM); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); goto err; } /* Look for resumed method in compression list */ @@ -1786,15 +1858,14 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) break; } if (k >= clienthello->compressions_len) { - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); goto err; } } else if (s->hit) { comp = NULL; - } else if (ssl_allow_compression(s) && s->ctx->comp_methods - && !SSL_IS_TLS13(s)) { + } else if (ssl_allow_compression(s) && s->ctx->comp_methods) { /* See if we have a match */ int m, nn, v, done = 0; unsigned int o; @@ -1823,7 +1894,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) * using compression. */ if (s->session->compress_meth != 0) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); goto err; } #endif @@ -1832,12 +1905,13 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher */ - if (!s->hit || s->hello_retry_request) { + if (!s->hit || SSL_IS_TLS13(s)) { sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; if (ciphers == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); goto err; } ciphers = NULL; @@ -1850,7 +1924,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) s->session->compress_meth = (comp == NULL) ? 0 : comp->id; #endif if (!tls1_set_server_sigalgs(s)) { - SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + /* SSLfatal() already called */ goto err; } } @@ -1862,8 +1936,6 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) s->clienthello = NULL; return 1; err: - ossl_statem_set_error(s); - sk_SSL_CIPHER_free(ciphers); sk_SSL_CIPHER_free(scsvs); OPENSSL_free(clienthello->pre_proc_exts); @@ -1875,9 +1947,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) /* * Call the status request callback if needed. Upon success, returns 1. - * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert. + * Upon failure, returns 0. */ -static int tls_handle_status_request(SSL *s, int *al) +static int tls_handle_status_request(SSL *s) { s->ext.status_expected = 0; @@ -1912,7 +1984,9 @@ static int tls_handle_status_request(SSL *s, int *al) /* something bad happened */ case SSL_TLSEXT_ERR_ALERT_FATAL: default: - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_HANDLE_STATUS_REQUEST, + SSL_R_CLIENTHELLO_TLSEXT); return 0; } } @@ -1921,31 +1995,102 @@ static int tls_handle_status_request(SSL *s, int *al) return 1; } +/* + * Call the alpn_select callback if needed. Upon success, returns 1. + * Upon failure, returns 0. + */ +int tls_handle_alpn(SSL *s) +{ + const unsigned char *selected = NULL; + unsigned char selected_len = 0; + + if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { + int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, + s->s3->alpn_proposed, + (unsigned int)s->s3->alpn_proposed_len, + s->ctx->ext.alpn_select_cb_arg); + + if (r == SSL_TLSEXT_ERR_OK) { + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); + if (s->s3->alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->s3->alpn_selected_len = selected_len; +#ifndef OPENSSL_NO_NEXTPROTONEG + /* ALPN takes precedence over NPN. */ + s->s3->npn_seen = 0; +#endif + + /* Check ALPN is consistent with session */ + if (s->session->ext.alpn_selected == NULL + || selected_len != s->session->ext.alpn_selected_len + || memcmp(selected, s->session->ext.alpn_selected, + selected_len) != 0) { + /* Not consistent so can't be used for early_data */ + s->ext.early_data_ok = 0; + + if (!s->hit) { + /* If a new session update it with the new ALPN value */ + s->session->ext.alpn_selected = OPENSSL_memdup(selected, + selected_len); + if (s->session->ext.alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_HANDLE_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.alpn_selected_len = selected_len; + } + } + + return 1; + } else if (r != SSL_TLSEXT_ERR_NOACK) { + SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN, + SSL_R_NO_APPLICATION_PROTOCOL); + return 0; + } + /* + * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was + * present. + */ + } + + /* Check ALPN is consistent with session */ + if (s->session->ext.alpn_selected != NULL) { + /* Not consistent so can't be used for early_data */ + s->ext.early_data_ok = 0; + } + + return 1; +} + WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) { - int al = SSL_AD_HANDSHAKE_FAILURE; const SSL_CIPHER *cipher; if (wst == WORK_MORE_A) { - int rv = tls_early_post_process_client_hello(s, &al); + int rv = tls_early_post_process_client_hello(s); if (rv == 0) { - /* SSLErr() was already called */ - goto f_err; + /* SSLfatal() was already called */ + goto err; } if (rv < 0) return WORK_MORE_A; wst = WORK_MORE_B; } if (wst == WORK_MORE_B) { - if (!s->hit || s->hello_retry_request) { + if (!s->hit || SSL_IS_TLS13(s)) { /* Let cert callback update server certificates if required */ - if (s->cert->cert_cb) { + if (!s->hit && s->cert->cert_cb != NULL) { int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); if (rv == 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CERT_CB_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CERT_CB_ERROR); + goto err; } if (rv < 0) { s->rwstate = SSL_X509_LOOKUP; @@ -1953,34 +2098,31 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) } s->rwstate = SSL_NOTHING; } - cipher = - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); - if (cipher == NULL) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_NO_SHARED_CIPHER); - goto f_err; - } - if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL - && s->s3->tmp.new_cipher->id != cipher->id) { - /* - * A previous HRR picked a different ciphersuite to the one we - * just selected. Something must have changed. - */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_BAD_CIPHER); - goto f_err; + /* In TLSv1.3 we selected the ciphersuite before resumption */ + if (!SSL_IS_TLS13(s)) { + cipher = + ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + + if (cipher == NULL) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); + goto err; + } + s->s3->tmp.new_cipher = cipher; } - s->s3->tmp.new_cipher = cipher; if (!s->hit) { - if (!tls_choose_sigalg(s, &al)) - goto f_err; + if (!tls_choose_sigalg(s, 1)) { + /* SSLfatal already called */ + goto err; + } /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) s->session->not_resumable = - s->not_resumable_session_cb(s, ((cipher->algorithm_mkey - & (SSL_kDHE | SSL_kECDHE)) - != 0)); + s->not_resumable_session_cb(s, + ((s->s3->tmp.new_cipher->algorithm_mkey + & (SSL_kDHE | SSL_kECDHE)) != 0)); if (s->session->not_resumable) /* do not send a session ticket */ s->ext.ticket_expected = 0; @@ -2006,10 +2148,19 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) * Call status_request callback if needed. Has to be done after the * certificate callbacks etc above. */ - if (!tls_handle_status_request(s, &al)) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - goto f_err; + if (!tls_handle_status_request(s)) { + /* SSLfatal() already called */ + goto err; + } + /* + * Call alpn_select callback if needed. Has to be done after SNI and + * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 + * we already did this because cipher negotiation happens earlier, and + * we must handle ALPN before we decide whether to accept early_data. + */ + if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) { + /* SSLfatal() already called */ + goto err; } wst = WORK_MORE_C; @@ -2017,39 +2168,28 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) #ifndef OPENSSL_NO_SRP if (wst == WORK_MORE_C) { int ret; - if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { + if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) { /* * callback indicates further work to be done */ s->rwstate = SSL_X509_LOOKUP; return WORK_MORE_C; } - if (ret != SSL_ERROR_NONE) { - /* - * This is not really an error but the only means to for - * a client to detect whether srp is supported. - */ - if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - else - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto f_err; + if (ret < 0) { + /* SSLfatal() already called */ + goto err; } } #endif return WORK_FINISHED_STOP; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); + err: return WORK_ERROR; } int tls_construct_server_hello(SSL *s, WPACKET *pkt) { - int compm, al = SSL_AD_INTERNAL_ERROR; + int compm; size_t sl, len; int version; @@ -2061,8 +2201,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) * tls_process_client_hello() */ || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } /*- @@ -2088,8 +2229,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) sl = s->session->session_id_length; if (sl > sizeof(s->session->session_id)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } /* set up the compression method */ @@ -2111,28 +2253,25 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO, - NULL, 0, &al)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + NULL, 0)) { + /* SSLfatal() already called */ + return 0; } if (!(s->verify_mode & SSL_VERIFY_PEER) && !ssl3_digest_cached_records(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; - goto err; + /* SSLfatal() already called */; + return 0; } return 1; - err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; } int tls_construct_server_done(SSL *s, WPACKET *pkt) { if (!s->s3->tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + /* SSLfatal() already called */ return 0; } } @@ -2150,7 +2289,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) int curve_id = 0; #endif const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; - int al = SSL_AD_INTERNAL_ERROR, i; + int i; unsigned long type; const BIGNUM *r[4]; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); @@ -2158,13 +2297,15 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) size_t paramlen, paramoffset; if (!WPACKET_get_total_written(pkt, ¶moffset)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; } if (md_ctx == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + goto err; } type = s->s3->tmp.new_cipher->algorithm_mkey; @@ -2187,9 +2328,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) pkdh = EVP_PKEY_new(); if (pkdh == NULL || dhp == NULL) { DH_free(dhp); - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } EVP_PKEY_assign_DH(pkdh, dhp); pkdhp = pkdh; @@ -2200,35 +2342,36 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); pkdh = ssl_dh_to_pkey(dhp); if (pkdh == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } pkdhp = pkdh; } if (pkdhp == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_MISSING_TMP_DH_KEY); + goto err; } if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_DH_KEY_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_DH_KEY_TOO_SMALL); + goto err; } if (s->s3->tmp.pkey != NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); - if (s->s3->tmp.pkey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); + /* SSLfatal() already called */ goto err; } @@ -2243,34 +2386,35 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { - int nid; if (s->s3->tmp.pkey != NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } /* Get NID of appropriate shared curve */ - nid = tls1_shared_group(s, -2); - curve_id = tls1_ec_nid2curve_id(nid); + curve_id = tls1_shared_group(s, -2); if (curve_id == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); goto err; } - s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id); + s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id); /* Generate a new key for this curve */ if (s->s3->tmp.pkey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); - goto f_err; + /* SSLfatal() already called */ + goto err; } /* Encode the public key. */ encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey, &encodedPoint); if (encodedlen == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); goto err; } @@ -2289,8 +2433,9 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_SRP_PARAM); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_MISSING_SRP_PARAM); goto err; } r[0] = s->srp_ctx.N; @@ -2300,18 +2445,19 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else #endif { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); + goto err; } if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { lu = NULL; } else if (lu == NULL) { - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; } #ifndef OPENSSL_NO_PSK @@ -2326,9 +2472,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) if (len > PSK_MAX_IDENTITY_LEN || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, len)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } } #endif @@ -2345,9 +2492,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) res = WPACKET_start_sub_packet_u16(pkt); if (!res) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } #ifndef OPENSSL_NO_DH @@ -2361,9 +2509,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) if (len > 0) { if (!WPACKET_allocate_bytes(pkt, len, &binval)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } memset(binval, 0, len); } @@ -2371,9 +2520,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } BN_bn2bin(r[i], binval); @@ -2391,9 +2541,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) || !WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_put_bytes_u8(pkt, curve_id) || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } OPENSSL_free(encodedPoint); encodedPoint = NULL; @@ -2403,16 +2554,17 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) /* not anonymous */ if (lu != NULL) { EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; - const EVP_MD *md = ssl_md(lu->hash_idx); - unsigned char *sigbytes1, *sigbytes2; - size_t siglen; + const EVP_MD *md; + unsigned char *sigbytes1, *sigbytes2, *tbs; + size_t siglen, tbslen; + int rv; - if (pkey == NULL || md == NULL) { + if (pkey == NULL || !tls1_lookup_md(lu, &md)) { /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } /* * n is the length of the params, they start at &(d[4]) and p @@ -2421,13 +2573,18 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) /* Get length of the parameters we have written above */ if (!WPACKET_get_length(pkt, ¶mlen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } /* send signature algorithm */ - if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) - return 0; + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } /* * Create the signature. We don't know the actual length of the sig * until after we've created it, so we reserve enough bytes for it @@ -2437,38 +2594,40 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) siglen = EVP_PKEY_size(pkey); if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } if (lu->sig == EVP_PKEY_RSA_PSS) { if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_EVP_LIB); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_EVP_LIB); + goto err; } } - if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestSignUpdate(md_ctx, - s->init_buf->data + paramoffset, - paramlen) <= 0 - || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0 - || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + tbslen = construct_key_exchange_tbs(s, &tbs, + s->init_buf->data + paramoffset, + paramlen); + if (tbslen == 0) { + /* SSLfatal() already called */ + goto err; + } + rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen); + OPENSSL_free(tbs); + if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) || sigbytes1 != sigbytes2) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } } EVP_MD_CTX_free(md_ctx); return 1; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: #ifndef OPENSSL_NO_DH EVP_PKEY_free(pkdh); @@ -2482,22 +2641,20 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) int tls_construct_certificate_request(SSL *s, WPACKET *pkt) { - int al = SSL_AD_INTERNAL_ERROR; - if (SSL_IS_TLS13(s)) { /* TODO(TLS1.3) for now send empty request context */ if (!WPACKET_put_bytes_u8(pkt, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; } if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, - 0, &al)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - ERR_R_INTERNAL_ERROR); - goto err; + 0)) { + /* SSLfatal() already called */ + return 0; } goto done; } @@ -2505,8 +2662,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) /* get the list of acceptable cert types */ if (!WPACKET_start_sub_packet_u8(pkt) || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + return 0; } if (SSL_USE_SIGALGS(s)) { @@ -2517,26 +2675,24 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; } } if (!construct_ca_names(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; + /* SSLfatal() already called */ + return 0; } done: s->s3->tmp.cert_request = 1; return 1; - err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; } -static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_PSK unsigned char psk[PSK_MAX_PSK_LEN]; @@ -2544,24 +2700,24 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) PACKET psk_identity; if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_LENGTH_MISMATCH); return 0; } if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_DATA_LENGTH_TOO_LONG); return 0; } if (s->psk_server_callback == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_PSK_NO_SERVER_CB); return 0; } if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; } @@ -2569,16 +2725,16 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; } else if (psklen == 0) { /* * PSK related to the given identity not found */ - *al = SSL_AD_UNKNOWN_PSK_IDENTITY; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, - SSL_R_PSK_IDENTITY_NOT_FOUND); + SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, + SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_PSK_IDENTITY_NOT_FOUND); return 0; } @@ -2587,8 +2743,8 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) OPENSSL_cleanse(psk, psklen); if (s->s3->tmp.psk == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); return 0; } @@ -2597,13 +2753,13 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) return 1; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_rsa(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_RSA unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; @@ -2617,8 +2773,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); if (rsa == NULL) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_MISSING_RSA_CERTIFICATE); return 0; } @@ -2628,8 +2784,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) } else { if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster) || PACKET_remaining(pkt) != 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_LENGTH_MISMATCH); return 0; } } @@ -2641,15 +2797,15 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * their ciphertext cannot accommodate a premaster secret anyway. */ if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + RSA_R_KEY_SIZE_TOO_SMALL); return 0; } rsa_decrypt = OPENSSL_malloc(RSA_size(rsa)); if (rsa_decrypt == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_MALLOC_FAILURE); return 0; } @@ -2661,8 +2817,12 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) + if (ssl_randbytes(s, rand_premaster_secret, + sizeof(rand_premaster_secret)) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); goto err; + } /* * Decrypt with no padding. PKCS#1 padding will be removed as part of @@ -2672,8 +2832,11 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), PACKET_data(&enc_premaster), rsa_decrypt, rsa, RSA_NO_PADDING); - if (decrypt_len < 0) + if (decrypt_len < 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); goto err; + } /* Check the padding. See RFC 3447, section 7.2.2. */ @@ -2683,8 +2846,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * PS is at least 8 bytes. */ if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) { - *al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED); + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_DECRYPTION_FAILED); goto err; } @@ -2751,8 +2914,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len, sizeof(rand_premaster_secret), 0)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } @@ -2762,13 +2924,13 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_dhe(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_DH EVP_PKEY *skey = NULL; @@ -2780,47 +2942,47 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) int ret = 0; if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } skey = s->s3->tmp.pkey; if (skey == NULL) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_MISSING_TMP_DH_KEY); goto err; } if (PACKET_remaining(pkt) == 0L) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_MISSING_TMP_DH_KEY); goto err; } if (!PACKET_get_bytes(pkt, &data, i)) { /* We already checked we have enough data */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); goto err; } ckey = EVP_PKEY_new(); if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) { - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_BN_LIB); goto err; } cdh = EVP_PKEY_get0_DH(ckey); pub_key = BN_bin2bn(data, i, NULL); if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) { - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); if (pub_key != NULL) BN_free(pub_key); goto err; } if (ssl_derive(s, skey, ckey, 1) == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } @@ -2832,13 +2994,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_EC EVP_PKEY *skey = s->s3->tmp.pkey; @@ -2847,8 +3009,8 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) if (PACKET_remaining(pkt) == 0L) { /* We don't support ECDH client auth */ - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE, + SSL_R_MISSING_TMP_ECDH_KEY); goto err; } else { unsigned int i; @@ -2862,25 +3024,25 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) /* Get encoded point length */ if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) || PACKET_remaining(pkt) != 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + SSL_R_LENGTH_MISMATCH); goto err; } ckey = EVP_PKEY_new(); if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) { - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_EVP_LIB); goto err; } if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_EC_LIB); goto err; } } if (ssl_derive(s, skey, ckey, 1) == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } @@ -2893,13 +3055,13 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_srp(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_SRP unsigned int i; @@ -2907,41 +3069,43 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) if (!PACKET_get_net_2(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + SSL_R_BAD_SRP_A_LENGTH); return 0; } if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_BN_LIB); return 0; } if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP, + SSL_R_BAD_SRP_PARAMETERS); return 0; } OPENSSL_free(s->session->srp_username); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_MALLOC_FAILURE); return 0; } if (!srp_generate_server_master_secret(s)) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ return 0; } return 1; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_gost(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_GOST EVP_PKEY_CTX *pkey_ctx; @@ -2975,13 +3139,13 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); if (pkey_ctx == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_MALLOC_FAILURE); return 0; } if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_INTERNAL_ERROR); return 0; } /* @@ -2998,36 +3162,35 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) /* Decrypt session key */ sess_key_len = PACKET_remaining(pkt); if (!PACKET_get_bytes(pkt, &data, sess_key_len)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_INTERNAL_ERROR); goto err; } /* TODO(size_t): Convert this function */ if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); goto err; } start = data; inlen = Tlen; - if (EVP_PKEY_decrypt - (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); + if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, + inlen) <= 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); goto err; } /* Generate master secret */ if (!ssl_generate_master_secret(s, premaster_secret, sizeof(premaster_secret), 0)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } /* Check if pubkey from client certificate was used */ - if (EVP_PKEY_CTX_ctrl - (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, + NULL) > 0) s->statem.no_cert_verify = 1; ret = 1; @@ -3036,68 +3199,75 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_INTERNAL_ERROR); return 0; #endif } MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) { - int al = -1; unsigned long alg_k; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; /* For PSK parse and retrieve identity, obtain PSK key */ - if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al)) + if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) { + /* SSLfatal() already called */ goto err; + } if (alg_k & SSL_kPSK) { /* Identity extracted earlier: should be nothing left */ if (PACKET_remaining(pkt) != 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, - SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); goto err; } /* PSK handled by ssl_generate_master_secret */ if (!ssl_generate_master_secret(s, NULL, 0, 0)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { - if (!tls_process_cke_rsa(s, pkt, &al)) + if (!tls_process_cke_rsa(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { - if (!tls_process_cke_dhe(s, pkt, &al)) + if (!tls_process_cke_dhe(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (!tls_process_cke_ecdhe(s, pkt, &al)) + if (!tls_process_cke_ecdhe(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & SSL_kSRP) { - if (!tls_process_cke_srp(s, pkt, &al)) + if (!tls_process_cke_srp(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & SSL_kGOST) { - if (!tls_process_cke_gost(s, pkt, &al)) + if (!tls_process_cke_gost(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, - SSL_R_UNKNOWN_CIPHER_TYPE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_UNKNOWN_CIPHER_TYPE); goto err; } return MSG_PROCESS_CONTINUE_PROCESSING; err: - if (al != -1) - ssl3_send_alert(s, SSL3_AL_FATAL, al); #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); s->s3->tmp.psk = NULL; #endif - ossl_statem_set_error(s); return MSG_PROCESS_ERROR; } @@ -3119,7 +3289,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0) <= 0) { - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } @@ -3135,15 +3307,15 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) * the handshake_buffer */ if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } return WORK_FINISHED_CONTINUE; } else { if (!s->s3->handshake_buffer) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } /* @@ -3151,7 +3323,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) * extms we've done this already so this is a no-op */ if (!ssl3_digest_cached_records(s, 1)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } } @@ -3161,7 +3333,8 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) { - int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; + int i; + MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; X509 *x = NULL; unsigned long l, llen; const unsigned char *certstart, *certbytes; @@ -3170,8 +3343,9 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) size_t chainidx; if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + ERR_R_MALLOC_FAILURE); + goto err; } /* TODO(TLS1.3): For now we ignore the context. We need to verify this */ @@ -3179,31 +3353,32 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) || !PACKET_get_net_3(pkt, &llen) || !PACKET_get_sub_packet(pkt, &spkt, llen) || PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_LENGTH_MISMATCH); + goto err; } for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { if (!PACKET_get_net_3(&spkt, &l) || !PACKET_get_bytes(&spkt, &certbytes, l)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } certstart = certbytes; x = d2i_X509(NULL, (const unsigned char **)&certbytes, l); if (x == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); + goto err; } if (certbytes != (certstart + l)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } if (SSL_IS_TLS13(s)) { @@ -3211,24 +3386,28 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) PACKET extensions; if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_BAD_LENGTH); + goto err; } if (!tls_collect_extensions(s, &extensions, SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, - &al, NULL) - || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, - rawexts, x, chainidx, &al)) { + NULL, chainidx == 0) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, + PACKET_remaining(&spkt) == 0)) { OPENSSL_free(rawexts); - goto f_err; + goto err; } OPENSSL_free(rawexts); } if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + ERR_R_MALLOC_FAILURE); + goto err; } x = NULL; } @@ -3236,43 +3415,44 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) if (sk_X509_num(sk) <= 0) { /* TLS does not mind 0 certs returned */ if (s->version == SSL3_VERSION) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_NO_CERTIFICATES_RETURNED); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_NO_CERTIFICATES_RETURNED); + goto err; } /* Fail for TLS only if we required a certificate */ else if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); - al = SSL_AD_CERTIFICATE_REQUIRED; - goto f_err; + SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + goto err; } /* No client certificate so digest cached records */ if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { - goto f_err; + /* SSLfatal() already called */ + goto err; } } else { EVP_PKEY *pkey; i = ssl_verify_cert_chain(s, sk); if (i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + SSLfatal(s, ssl_verify_alarm_type(s->verify_result), + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERTIFICATE_VERIFY_FAILED); + goto err; } if (i > 1) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); + goto err; } pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { - al = SSL3_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto err; } } @@ -3288,9 +3468,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) * message */ if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); - goto f_err; + /* SSLfatal() already called */ + goto err; } /* @@ -3304,18 +3483,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) && !ssl_handshake_hash(s, s->cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); - goto f_err; + /* SSLfatal() already called */ + goto err; } ret = MSG_PROCESS_CONTINUE_READING; - goto done; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - done: + err: X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; @@ -3324,10 +3498,10 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { CERT_PKEY *cpk = s->s3->tmp.cert; - int al = SSL_AD_INTERNAL_ERROR; if (cpk == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); return 0; } @@ -3335,10 +3509,13 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt) * In TLSv1.3 the certificate chain is always preceded by a 0 length context * for the server Certificate message */ - if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) - || !ssl3_output_cert_chain(s, pkt, cpk, &al)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, al); + if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!ssl3_output_cert_chain(s, pkt, cpk)) { + /* SSLfatal() already called */ return 0; } @@ -3358,7 +3535,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len, al = SSL_AD_INTERNAL_ERROR; + int iv_len; size_t macoffset, macendoffset; union { unsigned char age_add_c[sizeof(uint32_t)]; @@ -3366,17 +3543,36 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) } age_add_u; if (SSL_IS_TLS13(s)) { - if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) + if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } s->session->ext.tick_age_add = age_add_u.age_add; + /* + * ticket_nonce is set to a single 0 byte because we only ever send a + * single ticket per connection. IMPORTANT: If we ever support multiple + * tickets per connection then this will need to be changed. + */ + OPENSSL_free(s->session->ext.tick_nonce); + s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char)); + if (s->session->ext.tick_nonce == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_MALLOC_FAILURE); + goto err; + } + s->session->ext.tick_nonce_len = 1; s->session->time = (long)time(NULL); if (s->s3->alpn_selected != NULL) { OPENSSL_free(s->session->ext.alpn_selected); s->session->ext.alpn_selected = OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); if (s->session->ext.alpn_selected == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, - ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_MALLOC_FAILURE); goto err; } s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; @@ -3391,42 +3587,56 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * long */ if (slen_full == 0 || slen_full > 0xFF00) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; } senc = OPENSSL_malloc(slen_full); if (senc == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); goto err; } ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); if (ctx == NULL || hctx == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); goto err; } p = senc; - if (!i2d_SSL_SESSION(s->session, &p)) + if (!i2d_SSL_SESSION(s->session, &p)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; + } /* * create a fresh copy (not shared with other threads) to clean up */ const_p = senc; sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); - if (sess == NULL) + if (sess == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; + } sess->session_id_length = 0; /* ID is irrelevant for the ticket */ slen = i2d_SSL_SESSION(sess, NULL); - if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */ + if (slen == 0 || slen > slen_full) { + /* shouldn't ever happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(sess); goto err; } p = senc; if (!i2d_SSL_SESSION(sess, &p)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(sess); goto err; } @@ -3446,8 +3656,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) /* Put timeout and length */ if (!WPACKET_put_bytes_u32(pkt, 0) || !WPACKET_put_bytes_u16(pkt, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; } OPENSSL_free(senc); @@ -3455,22 +3666,28 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) HMAC_CTX_free(hctx); return 1; } - if (ret < 0) + if (ret < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + SSL_R_CALLBACK_FAILED); goto err; + } iv_len = EVP_CIPHER_CTX_iv_length(ctx); } else { const EVP_CIPHER *cipher = EVP_aes_256_cbc(); iv_len = EVP_CIPHER_iv_length(cipher); - if (RAND_bytes(iv, iv_len) <= 0) - goto err; - if (!EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->ext.tick_aes_key, iv)) - goto err; - if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key, - sizeof(tctx->ext.tick_hmac_key), - EVP_sha256(), NULL)) + if (ssl_randbytes(s, iv, iv_len) <= 0 + || !EVP_EncryptInit_ex(ctx, cipher, NULL, + tctx->ext.tick_aes_key, iv) + || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key, + sizeof(tctx->ext.tick_hmac_key), + EVP_sha256(), NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } memcpy(key_name, tctx->ext.tick_key_name, sizeof(tctx->ext.tick_key_name)); } @@ -3485,7 +3702,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) (s->hit && !SSL_IS_TLS13(s)) ? 0 : s->session->timeout) || (SSL_IS_TLS13(s) - && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add)) + && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add) + || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce, + s->session->ext.tick_nonce_len))) /* Now the actual ticket data */ || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_get_total_written(pkt, &macoffset) @@ -3512,12 +3731,16 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) || hlen > EVP_MAX_MD_SIZE || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) || macdata1 != macdata2 - || !WPACKET_close(pkt) - || (SSL_IS_TLS13(s) - && !tls_construct_extensions(s, pkt, - SSL_EXT_TLS1_3_NEW_SESSION_TICKET, - NULL, 0, &al))) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + goto err; + } + if (SSL_IS_TLS13(s) + && !tls_construct_extensions(s, pkt, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, + NULL, 0)) { + /* SSLfatal() already called */ goto err; } EVP_CIPHER_CTX_free(ctx); @@ -3526,11 +3749,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) return 1; err: - ossl_statem_set_error(s); OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } @@ -3543,7 +3764,8 @@ int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, s->ext.ocsp.resp_len)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, + ERR_R_INTERNAL_ERROR); return 0; } @@ -3553,7 +3775,7 @@ int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) int tls_construct_cert_status(SSL *s, WPACKET *pkt) { if (!tls_construct_cert_status_body(s, pkt)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + /* SSLfatal() already called */ return 0; } @@ -3580,33 +3802,29 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) if (!PACKET_get_length_prefixed_1(pkt, &next_proto) || !PACKET_get_length_prefixed_1(pkt, &padding) || PACKET_remaining(pkt) > 0) { - SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH); - goto err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { s->ext.npn_len = 0; - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } s->ext.npn_len = (unsigned char)next_proto_len; return MSG_PROCESS_CONTINUE_READING; - err: - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } #endif static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) { - int al; - if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, - NULL, 0, &al)) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, al); + NULL, 0)) { + /* SSLfatal() already called */ return 0; } @@ -3615,7 +3833,6 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) { - int al = SSL_AD_INTERNAL_ERROR; size_t len = 0; /* @@ -3623,12 +3840,17 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) * (should be s->version) */ if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) - || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) - || !tls_construct_extensions(s, pkt, - SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, - NULL, 0, &al)) { - SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, + &len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); + return 0; + } + + if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, + NULL, 0)) { + /* SSLfatal() already called */ + return 0; } /* Ditch the session. We'll create a new one next time around */ @@ -3640,30 +3862,27 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) * Re-initialise the Transcript Hash. We're going to prepopulate it with * a synthetic message_hash in place of ClientHello1. */ - if (!create_synthetic_message_hash(s)) - goto err; + if (!create_synthetic_message_hash(s)) { + /* SSLfatal() already called */ + return 0; + } return 1; - err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; } MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) { - int al = SSL_AD_INTERNAL_ERROR; - if (PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, SSL_R_LENGTH_MISMATCH); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + SSL_R_LENGTH_MISMATCH); return MSG_PROCESS_ERROR; } if (s->early_data_state != SSL_EARLY_DATA_READING && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { - SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } /* @@ -3671,22 +3890,18 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) * a record boundary. */ if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, - SSL_R_NOT_ON_RECORD_BOUNDARY); - goto err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + SSL_R_NOT_ON_RECORD_BOUNDARY); + return MSG_PROCESS_ERROR; } s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; if (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { - SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR); - goto err; + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; } return MSG_PROCESS_CONTINUE_READING; - err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; }