search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update LibreSSL from version 2.4.3 => 2.4.4
[dragonfly.git] / crypto / libressl / ssl / s3_srvr.c
blobe5d9767bcfc3bf8faa12b44602771e5fd393828a
1 /* $OpenBSD: s3_srvr.c,v 1.126 2016/05/30 13:42:54 beck Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <stdio.h>
152
153 #include "ssl_locl.h"
154
155 #include <openssl/bn.h>
156 #include <openssl/buffer.h>
157 #include <openssl/evp.h>
158 #include <openssl/dh.h>
159 #ifndef OPENSSL_NO_GOST
160 #include <openssl/gost.h>
161 #endif
162 #include <openssl/hmac.h>
163 #include <openssl/md5.h>
164 #include <openssl/objects.h>
165 #include <openssl/x509.h>
166
167 #include "bytestring.h"
168
169 int
170 ssl3_accept(SSL *s)
171 {
172 unsigned long alg_k;
173 void (*cb)(const SSL *ssl, int type, int val) = NULL;
174 int ret = -1;
175 int new_state, state, skip = 0;
176
177 ERR_clear_error();
178 errno = 0;
179
180 if (s->info_callback != NULL)
181 cb = s->info_callback;
182 else if (s->ctx->info_callback != NULL)
183 cb = s->ctx->info_callback;
184
185 /* init things to blank */
186 s->in_handshake++;
187 if (!SSL_in_init(s) || SSL_in_before(s))
188 SSL_clear(s);
189
190 if (s->cert == NULL) {
191 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
192 ret = -1;
193 goto end;
194 }
195
196 for (;;) {
197 state = s->state;
198
199 switch (s->state) {
200 case SSL_ST_RENEGOTIATE:
201 s->renegotiate = 1;
202 /* s->state=SSL_ST_ACCEPT; */
203
204 case SSL_ST_BEFORE:
205 case SSL_ST_ACCEPT:
206 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
207 case SSL_ST_OK|SSL_ST_ACCEPT:
208
209 s->server = 1;
210 if (cb != NULL)
211 cb(s, SSL_CB_HANDSHAKE_START, 1);
212
213 if ((s->version >> 8) != 3) {
214 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
215 ret = -1;
216 goto end;
217 }
218 s->type = SSL_ST_ACCEPT;
219
220 if (!ssl3_setup_init_buffer(s)) {
221 ret = -1;
222 goto end;
223 }
224 if (!ssl3_setup_buffers(s)) {
225 ret = -1;
226 goto end;
227 }
228
229 s->init_num = 0;
230
231 if (s->state != SSL_ST_RENEGOTIATE) {
232 /*
233 * Ok, we now need to push on a buffering BIO
234 * so that the output is sent in a way that
235 * TCP likes :-)
236 */
237 if (!ssl_init_wbio_buffer(s, 1)) {
238 ret = -1;
239 goto end;
240 }
241
242 if (!tls1_init_finished_mac(s)) {
243 ret = -1;
244 goto end;
245 }
246
247 s->state = SSL3_ST_SR_CLNT_HELLO_A;
248 s->ctx->stats.sess_accept++;
249 } else if (!s->s3->send_connection_binding) {
250 /*
251 * Server attempting to renegotiate with
252 * client that doesn't support secure
253 * renegotiation.
254 */
255 SSLerr(SSL_F_SSL3_ACCEPT,
256 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
257 ssl3_send_alert(s, SSL3_AL_FATAL,
258 SSL_AD_HANDSHAKE_FAILURE);
259 ret = -1;
260 goto end;
261 } else {
262 /*
263 * s->state == SSL_ST_RENEGOTIATE,
264 * we will just send a HelloRequest
265 */
266 s->ctx->stats.sess_accept_renegotiate++;
267 s->state = SSL3_ST_SW_HELLO_REQ_A;
268 }
269 break;
270
271 case SSL3_ST_SW_HELLO_REQ_A:
272 case SSL3_ST_SW_HELLO_REQ_B:
273
274 s->shutdown = 0;
275 ret = ssl3_send_hello_request(s);
276 if (ret <= 0)
277 goto end;
278 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
279 s->state = SSL3_ST_SW_FLUSH;
280 s->init_num = 0;
281
282 if (!tls1_init_finished_mac(s)) {
283 ret = -1;
284 goto end;
285 }
286 break;
287
288 case SSL3_ST_SW_HELLO_REQ_C:
289 s->state = SSL_ST_OK;
290 break;
291
292 case SSL3_ST_SR_CLNT_HELLO_A:
293 case SSL3_ST_SR_CLNT_HELLO_B:
294 case SSL3_ST_SR_CLNT_HELLO_C:
295
296 s->shutdown = 0;
297 if (s->rwstate != SSL_X509_LOOKUP) {
298 ret = ssl3_get_client_hello(s);
299 if (ret <= 0)
300 goto end;
301 }
302
303 s->renegotiate = 2;
304 s->state = SSL3_ST_SW_SRVR_HELLO_A;
305 s->init_num = 0;
306 break;
307
308 case SSL3_ST_SW_SRVR_HELLO_A:
309 case SSL3_ST_SW_SRVR_HELLO_B:
310 ret = ssl3_send_server_hello(s);
311 if (ret <= 0)
312 goto end;
313 if (s->hit) {
314 if (s->tlsext_ticket_expected)
315 s->state = SSL3_ST_SW_SESSION_TICKET_A;
316 else
317 s->state = SSL3_ST_SW_CHANGE_A;
318 }
319 else
320 s->state = SSL3_ST_SW_CERT_A;
321 s->init_num = 0;
322 break;
323
324 case SSL3_ST_SW_CERT_A:
325 case SSL3_ST_SW_CERT_B:
326 /* Check if it is anon DH or anon ECDH. */
327 if (!(s->s3->tmp.new_cipher->algorithm_auth &
328 SSL_aNULL)) {
329 ret = ssl3_send_server_certificate(s);
330 if (ret <= 0)
331 goto end;
332 if (s->tlsext_status_expected)
333 s->state = SSL3_ST_SW_CERT_STATUS_A;
334 else
335 s->state = SSL3_ST_SW_KEY_EXCH_A;
336 } else {
337 skip = 1;
338 s->state = SSL3_ST_SW_KEY_EXCH_A;
339 }
340 s->init_num = 0;
341 break;
342
343 case SSL3_ST_SW_KEY_EXCH_A:
344 case SSL3_ST_SW_KEY_EXCH_B:
345 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
346
347 /*
348 * Only send if using a DH key exchange.
349 *
350 * For ECC ciphersuites, we send a ServerKeyExchange
351 * message only if the cipher suite is ECDHE. In other
352 * cases, the server certificate contains the server's
353 * public key for key exchange.
354 */
355 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
356 ret = ssl3_send_server_key_exchange(s);
357 if (ret <= 0)
358 goto end;
359 } else
360 skip = 1;
361
362 s->state = SSL3_ST_SW_CERT_REQ_A;
363 s->init_num = 0;
364 break;
365
366 case SSL3_ST_SW_CERT_REQ_A:
367 case SSL3_ST_SW_CERT_REQ_B:
368 /*
369 * Determine whether or not we need to request a
370 * certificate.
371 *
372 * Do not request a certificate if:
373 *
374 * - We did not ask for it (SSL_VERIFY_PEER is unset).
375 *
376 * - SSL_VERIFY_CLIENT_ONCE is set and we are
377 * renegotiating.
378 *
379 * - We are using an anonymous ciphersuites
380 * (see section "Certificate request" in SSL 3 drafts
381 * and in RFC 2246) ... except when the application
382 * insists on verification (against the specs, but
383 * s3_clnt.c accepts this for SSL 3).
384 */
385 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
386 ((s->session->peer != NULL) &&
387 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
388 ((s->s3->tmp.new_cipher->algorithm_auth &
389 SSL_aNULL) && !(s->verify_mode &
390 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
391 /* No cert request */
392 skip = 1;
393 s->s3->tmp.cert_request = 0;
394 s->state = SSL3_ST_SW_SRVR_DONE_A;
395 if (s->s3->handshake_buffer) {
396 if (!tls1_digest_cached_records(s)) {
397 ret = -1;
398 goto end;
399 }
400 }
401 } else {
402 s->s3->tmp.cert_request = 1;
403 ret = ssl3_send_certificate_request(s);
404 if (ret <= 0)
405 goto end;
406 s->state = SSL3_ST_SW_SRVR_DONE_A;
407 s->init_num = 0;
408 }
409 break;
410
411 case SSL3_ST_SW_SRVR_DONE_A:
412 case SSL3_ST_SW_SRVR_DONE_B:
413 ret = ssl3_send_server_done(s);
414 if (ret <= 0)
415 goto end;
416 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
417 s->state = SSL3_ST_SW_FLUSH;
418 s->init_num = 0;
419 break;
420
421 case SSL3_ST_SW_FLUSH:
422
423 /*
424 * This code originally checked to see if
425 * any data was pending using BIO_CTRL_INFO
426 * and then flushed. This caused problems
427 * as documented in PR#1939. The proposed
428 * fix doesn't completely resolve this issue
429 * as buggy implementations of BIO_CTRL_PENDING
430 * still exist. So instead we just flush
431 * unconditionally.
432 */
433
434 s->rwstate = SSL_WRITING;
435 if (BIO_flush(s->wbio) <= 0) {
436 ret = -1;
437 goto end;
438 }
439 s->rwstate = SSL_NOTHING;
440
441 s->state = s->s3->tmp.next_state;
442 break;
443
444 case SSL3_ST_SR_CERT_A:
445 case SSL3_ST_SR_CERT_B:
446 if (s->s3->tmp.cert_request) {
447 ret = ssl3_get_client_certificate(s);
448 if (ret <= 0)
449 goto end;
450 }
451 s->init_num = 0;
452 s->state = SSL3_ST_SR_KEY_EXCH_A;
453 break;
454
455 case SSL3_ST_SR_KEY_EXCH_A:
456 case SSL3_ST_SR_KEY_EXCH_B:
457 ret = ssl3_get_client_key_exchange(s);
458 if (ret <= 0)
459 goto end;
460 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
461 if (ret == 2) {
462 /*
463 * For the ECDH ciphersuites when
464 * the client sends its ECDH pub key in
465 * a certificate, the CertificateVerify
466 * message is not sent.
467 * Also for GOST ciphersuites when
468 * the client uses its key from the certificate
469 * for key exchange.
470 */
471 if (s->s3->next_proto_neg_seen)
472 s->state = SSL3_ST_SR_NEXT_PROTO_A;
473 else
474 s->state = SSL3_ST_SR_FINISHED_A;
475 s->init_num = 0;
476 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
477 s->state = SSL3_ST_SR_CERT_VRFY_A;
478 s->init_num = 0;
479 if (!s->session->peer)
480 break;
481 /*
482 * For sigalgs freeze the handshake buffer
483 * at this point and digest cached records.
484 */
485 if (!s->s3->handshake_buffer) {
486 SSLerr(SSL_F_SSL3_ACCEPT,
487 ERR_R_INTERNAL_ERROR);
488 ret = -1;
489 goto end;
490 }
491 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
492 if (!tls1_digest_cached_records(s)) {
493 ret = -1;
494 goto end;
495 }
496 } else {
497 int offset = 0;
498 int dgst_num;
499
500 s->state = SSL3_ST_SR_CERT_VRFY_A;
501 s->init_num = 0;
502
503 /*
504 * We need to get hashes here so if there is
505 * a client cert, it can be verified
506 * FIXME - digest processing for
507 * CertificateVerify should be generalized.
508 * But it is next step
509 */
510 if (s->s3->handshake_buffer) {
511 if (!tls1_digest_cached_records(s)) {
512 ret = -1;
513 goto end;
514 }
515 }
516 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
517 dgst_num++)
518 if (s->s3->handshake_dgst[dgst_num]) {
519 int dgst_size;
520
521 s->method->ssl3_enc->cert_verify_mac(s,
522 EVP_MD_CTX_type(
523 s->s3->handshake_dgst[dgst_num]),
524 &(s->s3->tmp.cert_verify_md[offset]));
525 dgst_size = EVP_MD_CTX_size(
526 s->s3->handshake_dgst[dgst_num]);
527 if (dgst_size < 0) {
528 ret = -1;
529 goto end;
530 }
531 offset += dgst_size;
532 }
533 }
534 break;
535
536 case SSL3_ST_SR_CERT_VRFY_A:
537 case SSL3_ST_SR_CERT_VRFY_B:
538 s->s3->flags |= SSL3_FLAGS_CCS_OK;
539
540 /* we should decide if we expected this one */
541 ret = ssl3_get_cert_verify(s);
542 if (ret <= 0)
543 goto end;
544
545 if (s->s3->next_proto_neg_seen)
546 s->state = SSL3_ST_SR_NEXT_PROTO_A;
547 else
548 s->state = SSL3_ST_SR_FINISHED_A;
549 s->init_num = 0;
550 break;
551
552 case SSL3_ST_SR_NEXT_PROTO_A:
553 case SSL3_ST_SR_NEXT_PROTO_B:
554 ret = ssl3_get_next_proto(s);
555 if (ret <= 0)
556 goto end;
557 s->init_num = 0;
558 s->state = SSL3_ST_SR_FINISHED_A;
559 break;
560
561 case SSL3_ST_SR_FINISHED_A:
562 case SSL3_ST_SR_FINISHED_B:
563 s->s3->flags |= SSL3_FLAGS_CCS_OK;
564 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
565 SSL3_ST_SR_FINISHED_B);
566 if (ret <= 0)
567 goto end;
568 if (s->hit)
569 s->state = SSL_ST_OK;
570 else if (s->tlsext_ticket_expected)
571 s->state = SSL3_ST_SW_SESSION_TICKET_A;
572 else
573 s->state = SSL3_ST_SW_CHANGE_A;
574 s->init_num = 0;
575 break;
576
577 case SSL3_ST_SW_SESSION_TICKET_A:
578 case SSL3_ST_SW_SESSION_TICKET_B:
579 ret = ssl3_send_newsession_ticket(s);
580 if (ret <= 0)
581 goto end;
582 s->state = SSL3_ST_SW_CHANGE_A;
583 s->init_num = 0;
584 break;
585
586 case SSL3_ST_SW_CERT_STATUS_A:
587 case SSL3_ST_SW_CERT_STATUS_B:
588 ret = ssl3_send_cert_status(s);
589 if (ret <= 0)
590 goto end;
591 s->state = SSL3_ST_SW_KEY_EXCH_A;
592 s->init_num = 0;
593 break;
594
595
596 case SSL3_ST_SW_CHANGE_A:
597 case SSL3_ST_SW_CHANGE_B:
598
599 s->session->cipher = s->s3->tmp.new_cipher;
600 if (!s->method->ssl3_enc->setup_key_block(s)) {
601 ret = -1;
602 goto end;
603 }
604
605 ret = ssl3_send_change_cipher_spec(s,
606 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
607
608 if (ret <= 0)
609 goto end;
610 s->state = SSL3_ST_SW_FINISHED_A;
611 s->init_num = 0;
612
613 if (!s->method->ssl3_enc->change_cipher_state(
614 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
615 ret = -1;
616 goto end;
617 }
618
619 break;
620
621 case SSL3_ST_SW_FINISHED_A:
622 case SSL3_ST_SW_FINISHED_B:
623 ret = ssl3_send_finished(s,
624 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
625 s->method->ssl3_enc->server_finished_label,
626 s->method->ssl3_enc->server_finished_label_len);
627 if (ret <= 0)
628 goto end;
629 s->state = SSL3_ST_SW_FLUSH;
630 if (s->hit) {
631 if (s->s3->next_proto_neg_seen) {
632 s->s3->flags |= SSL3_FLAGS_CCS_OK;
633 s->s3->tmp.next_state =
634 SSL3_ST_SR_NEXT_PROTO_A;
635 } else
636 s->s3->tmp.next_state =
637 SSL3_ST_SR_FINISHED_A;
638 } else
639 s->s3->tmp.next_state = SSL_ST_OK;
640 s->init_num = 0;
641 break;
642
643 case SSL_ST_OK:
644 /* clean a few things up */
645 tls1_cleanup_key_block(s);
646
647 BUF_MEM_free(s->init_buf);
648 s->init_buf = NULL;
649
650 /* remove buffering on output */
651 ssl_free_wbio_buffer(s);
652
653 s->init_num = 0;
654
655 /* skipped if we just sent a HelloRequest */
656 if (s->renegotiate == 2) {
657 s->renegotiate = 0;
658 s->new_session = 0;
659
660 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
661
662 s->ctx->stats.sess_accept_good++;
663 /* s->server=1; */
664 s->handshake_func = ssl3_accept;
665
666 if (cb != NULL)
667 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
668 }
669
670 ret = 1;
671 goto end;
672 /* break; */
673
674 default:
675 SSLerr(SSL_F_SSL3_ACCEPT,
676 SSL_R_UNKNOWN_STATE);
677 ret = -1;
678 goto end;
679 /* break; */
680 }
681
682 if (!s->s3->tmp.reuse_message && !skip) {
683 if (s->debug) {
684 if ((ret = BIO_flush(s->wbio)) <= 0)
685 goto end;
686 }
687
688
689 if ((cb != NULL) && (s->state != state)) {
690 new_state = s->state;
691 s->state = state;
692 cb(s, SSL_CB_ACCEPT_LOOP, 1);
693 s->state = new_state;
694 }
695 }
696 skip = 0;
697 }
698 end:
699 /* BIO_flush(s->wbio); */
700
701 s->in_handshake--;
702 if (cb != NULL)
703 cb(s, SSL_CB_ACCEPT_EXIT, ret);
704 return (ret);
705 }
706
707 int
708 ssl3_send_hello_request(SSL *s)
709 {
710 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
711 ssl3_handshake_msg_start(s, SSL3_MT_HELLO_REQUEST);
712 ssl3_handshake_msg_finish(s, 0);
713
714 s->state = SSL3_ST_SW_HELLO_REQ_B;
715 }
716
717 /* SSL3_ST_SW_HELLO_REQ_B */
718 return (ssl3_handshake_write(s));
719 }
720
721 int
722 ssl3_get_client_hello(SSL *s)
723 {
724 int i, j, ok, al, ret = -1;
725 unsigned int cookie_len;
726 long n;
727 unsigned long id;
728 unsigned char *p, *d;
729 SSL_CIPHER *c;
730 STACK_OF(SSL_CIPHER) *ciphers = NULL;
731 unsigned long alg_k;
732
733 /*
734 * We do this so that we will respond with our native type.
735 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
736 * This down switching should be handled by a different method.
737 * If we are SSLv3, we will respond with SSLv3, even if prompted with
738 * TLSv1.
739 */
740 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
741 s->state = SSL3_ST_SR_CLNT_HELLO_B;
742 }
743 s->first_packet = 1;
744 n = s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
745 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
746 SSL3_RT_MAX_PLAIN_LENGTH, &ok);
747
748 if (!ok)
749 return ((int)n);
750 s->first_packet = 0;
751 d = p = (unsigned char *)s->init_msg;
752
753 if (2 > n)
754 goto truncated;
755 /*
756 * Use version from inside client hello, not from record header.
757 * (may differ: see RFC 2246, Appendix E, second paragraph)
758 */
759 s->client_version = (((int)p[0]) << 8)|(int)p[1];
760 p += 2;
761
762 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
763 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
764 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
765 SSL_R_WRONG_VERSION_NUMBER);
766 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
767 !s->enc_write_ctx && !s->write_hash) {
768 /*
769 * Similar to ssl3_get_record, send alert using remote
770 * version number
771 */
772 s->version = s->client_version;
773 }
774 al = SSL_AD_PROTOCOL_VERSION;
775 goto f_err;
776 }
777
778 /*
779 * If we require cookies (DTLS) and this ClientHello doesn't
780 * contain one, just return since we do not want to
781 * allocate any memory yet. So check cookie length...
782 */
783 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
784 unsigned int session_length, cookie_length;
785
786 if (p - d + SSL3_RANDOM_SIZE + 1 >= n)
787 goto truncated;
788 session_length = *(p + SSL3_RANDOM_SIZE);
789
790 if (p - d + SSL3_RANDOM_SIZE + session_length + 1 >= n)
791 goto truncated;
792 cookie_length = p[SSL3_RANDOM_SIZE + session_length + 1];
793
794 if (cookie_length == 0)
795 return (1);
796 }
797
798 if (p - d + SSL3_RANDOM_SIZE + 1 > n)
799 goto truncated;
800
801 /* load the client random */
802 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
803 p += SSL3_RANDOM_SIZE;
804
805 /* get the session-id */
806 j= *(p++);
807 if (p - d + j > n)
808 goto truncated;
809
810 s->hit = 0;
811 /*
812 * Versions before 0.9.7 always allow clients to resume sessions in
813 * renegotiation. 0.9.7 and later allow this by default, but optionally
814 * ignore resumption requests with flag
815 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
816 * rather than a change to default behavior so that applications
817 * relying on this for security won't even compile against older
818 * library versions).
819 *
820 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
821 * to request renegotiation but not a new session (s->new_session
822 * remains unset): for servers, this essentially just means that the
823 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
824 * ignored.
825 */
826 if ((s->new_session && (s->options &
827 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
828 if (!ssl_get_new_session(s, 1))
829 goto err;
830 } else {
831 i = ssl_get_prev_session(s, p, j, d + n);
832 if (i == 1) { /* previous session */
833 s->hit = 1;
834 } else if (i == -1)
835 goto err;
836 else {
837 /* i == 0 */
838 if (!ssl_get_new_session(s, 1))
839 goto err;
840 }
841 }
842
843 p += j;
844
845 if (SSL_IS_DTLS(s)) {
846 /* cookie stuff */
847 if (p - d + 1 > n)
848 goto truncated;
849 cookie_len = *(p++);
850
851 /*
852 * The ClientHello may contain a cookie even if the
853 * HelloVerify message has not been sent--make sure that it
854 * does not cause an overflow.
855 */
856 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
857 /* too much data */
858 al = SSL_AD_DECODE_ERROR;
859 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
860 SSL_R_COOKIE_MISMATCH);
861 goto f_err;
862 }
863
864 if (p - d + cookie_len > n)
865 goto truncated;
866
867 /* verify the cookie if appropriate option is set. */
868 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
869 cookie_len > 0) {
870 memcpy(s->d1->rcvd_cookie, p, cookie_len);
871
872 if (s->ctx->app_verify_cookie_cb != NULL) {
873 if (s->ctx->app_verify_cookie_cb(s,
874 s->d1->rcvd_cookie, cookie_len) == 0) {
875 al = SSL_AD_HANDSHAKE_FAILURE;
876 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
877 SSL_R_COOKIE_MISMATCH);
878 goto f_err;
879 }
880 /* else cookie verification succeeded */
881 } else if (timingsafe_memcmp(s->d1->rcvd_cookie, s->d1->cookie,
882 s->d1->cookie_len) != 0) {
883 /* default verification */
884 al = SSL_AD_HANDSHAKE_FAILURE;
885 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
886 SSL_R_COOKIE_MISMATCH);
887 goto f_err;
888 }
889
890 ret = 2;
891 }
892
893 p += cookie_len;
894 }
895
896 if (p - d + 2 > n)
897 goto truncated;
898 n2s(p, i);
899 if ((i == 0) && (j != 0)) {
900 /* we need a cipher if we are not resuming a session */
901 al = SSL_AD_ILLEGAL_PARAMETER;
902 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
903 SSL_R_NO_CIPHERS_SPECIFIED);
904 goto f_err;
905 }
906 if (p - d + i > n)
907 goto truncated;
908 if (i > 0) {
909 if ((ciphers = ssl_bytes_to_cipher_list(s, p, i)) == NULL)
910 goto err;
911 }
912 p += i;
913
914 /* If it is a hit, check that the cipher is in the list */
915 if ((s->hit) && (i > 0)) {
916 j = 0;
917 id = s->session->cipher->id;
918
919 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
920 c = sk_SSL_CIPHER_value(ciphers, i);
921 if (c->id == id) {
922 j = 1;
923 break;
924 }
925 }
926 if (j == 0) {
927 /*
928 * We need to have the cipher in the cipher
929 * list if we are asked to reuse it
930 */
931 al = SSL_AD_ILLEGAL_PARAMETER;
932 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
933 SSL_R_REQUIRED_CIPHER_MISSING);
934 goto f_err;
935 }
936 }
937
938 /* compression */
939 if (p - d + 1 > n)
940 goto truncated;
941 i= *(p++);
942 if (p - d + i > n)
943 goto truncated;
944 for (j = 0; j < i; j++) {
945 if (p[j] == 0)
946 break;
947 }
948
949 p += i;
950 if (j >= i) {
951 /* no compress */
952 al = SSL_AD_DECODE_ERROR;
953 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
954 SSL_R_NO_COMPRESSION_SPECIFIED);
955 goto f_err;
956 }
957
958 /* TLS extensions*/
959 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
960 /* 'al' set by ssl_parse_clienthello_tlsext */
961 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
962 goto f_err;
963 }
964 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
965 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
966 SSL_R_CLIENTHELLO_TLSEXT);
967 goto err;
968 }
969
970 /*
971 * Check if we want to use external pre-shared secret for this
972 * handshake for not reused session only. We need to generate
973 * server_random before calling tls_session_secret_cb in order to allow
974 * SessionTicket processing to use it in key derivation.
975 */
976 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
977
978 if (!s->hit && s->tls_session_secret_cb) {
979 SSL_CIPHER *pref_cipher = NULL;
980
981 s->session->master_key_length = sizeof(s->session->master_key);
982 if (s->tls_session_secret_cb(s, s->session->master_key,
983 &s->session->master_key_length, ciphers, &pref_cipher,
984 s->tls_session_secret_cb_arg)) {
985 s->hit = 1;
986 s->session->ciphers = ciphers;
987 s->session->verify_result = X509_V_OK;
988
989 ciphers = NULL;
990
991 /* check if some cipher was preferred by call back */
992 pref_cipher = pref_cipher ? pref_cipher :
993 ssl3_choose_cipher(s, s->session->ciphers,
994 SSL_get_ciphers(s));
995 if (pref_cipher == NULL) {
996 al = SSL_AD_HANDSHAKE_FAILURE;
997 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
998 SSL_R_NO_SHARED_CIPHER);
999 goto f_err;
1000 }
1001
1002 s->session->cipher = pref_cipher;
1003
1004 if (s->cipher_list)
1005 sk_SSL_CIPHER_free(s->cipher_list);
1006
1007 if (s->cipher_list_by_id)
1008 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1009
1010 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1011 s->cipher_list_by_id =
1012 sk_SSL_CIPHER_dup(s->session->ciphers);
1013 }
1014 }
1015
1016 /*
1017 * Given s->session->ciphers and SSL_get_ciphers, we must
1018 * pick a cipher
1019 */
1020
1021 if (!s->hit) {
1022 if (s->session->ciphers != NULL)
1023 sk_SSL_CIPHER_free(s->session->ciphers);
1024 s->session->ciphers = ciphers;
1025 if (ciphers == NULL) {
1026 al = SSL_AD_ILLEGAL_PARAMETER;
1027 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1028 SSL_R_NO_CIPHERS_PASSED);
1029 goto f_err;
1030 }
1031 ciphers = NULL;
1032 c = ssl3_choose_cipher(s, s->session->ciphers,
1033 SSL_get_ciphers(s));
1034
1035 if (c == NULL) {
1036 al = SSL_AD_HANDSHAKE_FAILURE;
1037 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1038 SSL_R_NO_SHARED_CIPHER);
1039 goto f_err;
1040 }
1041 s->s3->tmp.new_cipher = c;
1042 } else {
1043 s->s3->tmp.new_cipher = s->session->cipher;
1044 }
1045
1046 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1047 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1048 !(s->verify_mode & SSL_VERIFY_PEER)) {
1049 if (!tls1_digest_cached_records(s)) {
1050 al = SSL_AD_INTERNAL_ERROR;
1051 goto f_err;
1052 }
1053 }
1054
1055 /*
1056 * We now have the following setup.
1057 * client_random
1058 * cipher_list - our prefered list of ciphers
1059 * ciphers - the clients prefered list of ciphers
1060 * compression - basically ignored right now
1061 * ssl version is set - sslv3
1062 * s->session - The ssl session has been setup.
1063 * s->hit - session reuse flag
1064 * s->tmp.new_cipher - the new cipher to use.
1065 */
1066
1067 /* Handles TLS extensions that we couldn't check earlier */
1068 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1069 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1070 goto err;
1071 }
1072
1073 if (ret < 0)
1074 ret = 1;
1075 if (0) {
1076 truncated:
1077 al = SSL_AD_DECODE_ERROR;
1078 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_BAD_PACKET_LENGTH);
1079 f_err:
1080 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1081 }
1082 err:
1083 if (ciphers != NULL)
1084 sk_SSL_CIPHER_free(ciphers);
1085 return (ret);
1086 }
1087
1088 int
1089 ssl3_send_server_hello(SSL *s)
1090 {
1091 unsigned char *bufend;
1092 unsigned char *p, *d;
1093 int sl;
1094
1095 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1096 d = p = ssl3_handshake_msg_start(s, SSL3_MT_SERVER_HELLO);
1097
1098 *(p++) = s->version >> 8;
1099 *(p++) = s->version & 0xff;
1100
1101 /* Random stuff */
1102 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1103 p += SSL3_RANDOM_SIZE;
1104
1105 /*
1106 * There are several cases for the session ID to send
1107 * back in the server hello:
1108 *
1109 * - For session reuse from the session cache,
1110 * we send back the old session ID.
1111 * - If stateless session reuse (using a session ticket)
1112 * is successful, we send back the client's "session ID"
1113 * (which doesn't actually identify the session).
1114 * - If it is a new session, we send back the new
1115 * session ID.
1116 * - However, if we want the new session to be single-use,
1117 * we send back a 0-length session ID.
1118 *
1119 * s->hit is non-zero in either case of session reuse,
1120 * so the following won't overwrite an ID that we're supposed
1121 * to send back.
1122 */
1123 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1124 && !s->hit)
1125 s->session->session_id_length = 0;
1126
1127 sl = s->session->session_id_length;
1128 if (sl > (int)sizeof(s->session->session_id)) {
1129 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1130 ERR_R_INTERNAL_ERROR);
1131 return (-1);
1132 }
1133 *(p++) = sl;
1134 memcpy(p, s->session->session_id, sl);
1135 p += sl;
1136
1137 /* put the cipher */
1138 s2n(ssl3_cipher_get_value(s->s3->tmp.new_cipher), p);
1139
1140 /* put the compression method */
1141 *(p++) = 0;
1142
1143 bufend = (unsigned char *)s->init_buf->data +
1144 SSL3_RT_MAX_PLAIN_LENGTH;
1145 if ((p = ssl_add_serverhello_tlsext(s, p, bufend)) == NULL) {
1146 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1147 ERR_R_INTERNAL_ERROR);
1148 return (-1);
1149 }
1150
1151 ssl3_handshake_msg_finish(s, p - d);
1152 }
1153
1154 /* SSL3_ST_SW_SRVR_HELLO_B */
1155 return (ssl3_handshake_write(s));
1156 }
1157
1158 int
1159 ssl3_send_server_done(SSL *s)
1160 {
1161 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1162 ssl3_handshake_msg_start(s, SSL3_MT_SERVER_DONE);
1163 ssl3_handshake_msg_finish(s, 0);
1164
1165 s->state = SSL3_ST_SW_SRVR_DONE_B;
1166 }
1167
1168 /* SSL3_ST_SW_SRVR_DONE_B */
1169 return (ssl3_handshake_write(s));
1170 }
1171
1172 int
1173 ssl3_send_server_key_exchange(SSL *s)
1174 {
1175 unsigned char *q;
1176 int j, num;
1177 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1178 unsigned int u;
1179 DH *dh = NULL, *dhp;
1180 EC_KEY *ecdh = NULL, *ecdhp;
1181 unsigned char *encodedPoint = NULL;
1182 int encodedlen = 0;
1183 int curve_id = 0;
1184 BN_CTX *bn_ctx = NULL;
1185
1186 EVP_PKEY *pkey;
1187 const EVP_MD *md = NULL;
1188 unsigned char *p, *d;
1189 int al, i;
1190 unsigned long type;
1191 int n;
1192 CERT *cert;
1193 BIGNUM *r[4];
1194 int nr[4], kn;
1195 BUF_MEM *buf;
1196 EVP_MD_CTX md_ctx;
1197
1198 EVP_MD_CTX_init(&md_ctx);
1199 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1200 type = s->s3->tmp.new_cipher->algorithm_mkey;
1201 cert = s->cert;
1202
1203 buf = s->init_buf;
1204
1205 r[0] = r[1] = r[2] = r[3] = NULL;
1206 n = 0;
1207 if (type & SSL_kDHE) {
1208 if (s->cert->dh_tmp_auto != 0) {
1209 if ((dhp = ssl_get_auto_dh(s)) == NULL) {
1210 al = SSL_AD_INTERNAL_ERROR;
1211 SSLerr(
1212 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1213 ERR_R_INTERNAL_ERROR);
1214 goto f_err;
1215 }
1216 } else
1217 dhp = cert->dh_tmp;
1218
1219 if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
1220 dhp = s->cert->dh_tmp_cb(s, 0,
1221 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1222
1223 if (dhp == NULL) {
1224 al = SSL_AD_HANDSHAKE_FAILURE;
1225 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1226 SSL_R_MISSING_TMP_DH_KEY);
1227 goto f_err;
1228 }
1229
1230 if (s->s3->tmp.dh != NULL) {
1231 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1232 ERR_R_INTERNAL_ERROR);
1233 goto err;
1234 }
1235
1236 if (s->cert->dh_tmp_auto != 0) {
1237 dh = dhp;
1238 } else if ((dh = DHparams_dup(dhp)) == NULL) {
1239 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1240 ERR_R_DH_LIB);
1241 goto err;
1242 }
1243 s->s3->tmp.dh = dh;
1244 if (!DH_generate_key(dh)) {
1245 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1246 ERR_R_DH_LIB);
1247 goto err;
1248 }
1249 r[0] = dh->p;
1250 r[1] = dh->g;
1251 r[2] = dh->pub_key;
1252 } else if (type & SSL_kECDHE) {
1253 const EC_GROUP *group;
1254
1255 ecdhp = cert->ecdh_tmp;
1256 if (s->cert->ecdh_tmp_auto != 0) {
1257 int nid = tls1_get_shared_curve(s);
1258 if (nid != NID_undef)
1259 ecdhp = EC_KEY_new_by_curve_name(nid);
1260 } else if (ecdhp == NULL &&
1261 s->cert->ecdh_tmp_cb != NULL) {
1262 ecdhp = s->cert->ecdh_tmp_cb(s, 0,
1263 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1264 }
1265 if (ecdhp == NULL) {
1266 al = SSL_AD_HANDSHAKE_FAILURE;
1267 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1268 SSL_R_MISSING_TMP_ECDH_KEY);
1269 goto f_err;
1270 }
1271
1272 if (s->s3->tmp.ecdh != NULL) {
1273 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1274 ERR_R_INTERNAL_ERROR);
1275 goto err;
1276 }
1277
1278 /* Duplicate the ECDH structure. */
1279 if (s->cert->ecdh_tmp_auto != 0) {
1280 ecdh = ecdhp;
1281 } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1282 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1283 ERR_R_ECDH_LIB);
1284 goto err;
1285 }
1286 s->s3->tmp.ecdh = ecdh;
1287
1288 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1289 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1290 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1291 if (!EC_KEY_generate_key(ecdh)) {
1292 SSLerr(
1293 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1294 ERR_R_ECDH_LIB);
1295 goto err;
1296 }
1297 }
1298
1299 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1300 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1301 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1302 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1303 ERR_R_ECDH_LIB);
1304 goto err;
1305 }
1306
1307 /*
1308 * XXX: For now, we only support ephemeral ECDH
1309 * keys over named (not generic) curves. For
1310 * supported named curves, curve_id is non-zero.
1311 */
1312 if ((curve_id = tls1_ec_nid2curve_id(
1313 EC_GROUP_get_curve_name(group))) == 0) {
1314 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1315 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1316 goto err;
1317 }
1318
1319 /*
1320 * Encode the public key.
1321 * First check the size of encoding and
1322 * allocate memory accordingly.
1323 */
1324 encodedlen = EC_POINT_point2oct(group,
1325 EC_KEY_get0_public_key(ecdh),
1326 POINT_CONVERSION_UNCOMPRESSED,
1327 NULL, 0, NULL);
1328
1329 encodedPoint = malloc(encodedlen);
1330
1331 bn_ctx = BN_CTX_new();
1332 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1333 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1334 ERR_R_MALLOC_FAILURE);
1335 goto err;
1336 }
1337
1338
1339 encodedlen = EC_POINT_point2oct(group,
1340 EC_KEY_get0_public_key(ecdh),
1341 POINT_CONVERSION_UNCOMPRESSED,
1342 encodedPoint, encodedlen, bn_ctx);
1343
1344 if (encodedlen == 0) {
1345 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1346 ERR_R_ECDH_LIB);
1347 goto err;
1348 }
1349
1350 BN_CTX_free(bn_ctx);
1351 bn_ctx = NULL;
1352
1353 /*
1354 * XXX: For now, we only support named (not
1355 * generic) curves in ECDH ephemeral key exchanges.
1356 * In this situation, we need four additional bytes
1357 * to encode the entire ServerECDHParams
1358 * structure.
1359 */
1360 n = 4 + encodedlen;
1361
1362 /*
1363 * We'll generate the serverKeyExchange message
1364 * explicitly so we can set these to NULLs
1365 */
1366 r[0] = NULL;
1367 r[1] = NULL;
1368 r[2] = NULL;
1369 r[3] = NULL;
1370 } else
1371 {
1372 al = SSL_AD_HANDSHAKE_FAILURE;
1373 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1374 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1375 goto f_err;
1376 }
1377 for (i = 0; i < 4 && r[i] != NULL; i++) {
1378 nr[i] = BN_num_bytes(r[i]);
1379 n += 2 + nr[i];
1380 }
1381
1382 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1383 if ((pkey = ssl_get_sign_pkey(
1384 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1385 al = SSL_AD_DECODE_ERROR;
1386 goto f_err;
1387 }
1388 kn = EVP_PKEY_size(pkey);
1389 } else {
1390 pkey = NULL;
1391 kn = 0;
1392 }
1393
1394 if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) +
1395 n + kn)) {
1396 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1397 ERR_LIB_BUF);
1398 goto err;
1399 }
1400
1401 d = p = ssl3_handshake_msg_start(s,
1402 SSL3_MT_SERVER_KEY_EXCHANGE);
1403
1404 for (i = 0; i < 4 && r[i] != NULL; i++) {
1405 s2n(nr[i], p);
1406 BN_bn2bin(r[i], p);
1407 p += nr[i];
1408 }
1409
1410 if (type & SSL_kECDHE) {
1411 /*
1412 * XXX: For now, we only support named (not generic)
1413 * curves.
1414 * In this situation, the serverKeyExchange message has:
1415 * [1 byte CurveType], [2 byte CurveName]
1416 * [1 byte length of encoded point], followed by
1417 * the actual encoded point itself
1418 */
1419 *p = NAMED_CURVE_TYPE;
1420 p += 1;
1421 *p = 0;
1422 p += 1;
1423 *p = curve_id;
1424 p += 1;
1425 *p = encodedlen;
1426 p += 1;
1427 memcpy((unsigned char*)p,
1428 (unsigned char *)encodedPoint, encodedlen);
1429 free(encodedPoint);
1430 encodedPoint = NULL;
1431 p += encodedlen;
1432 }
1433
1434
1435 /* not anonymous */
1436 if (pkey != NULL) {
1437 /*
1438 * n is the length of the params, they start at &(d[4])
1439 * and p points to the space at the end.
1440 */
1441 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
1442 q = md_buf;
1443 j = 0;
1444 for (num = 2; num > 0; num--) {
1445 if (!EVP_DigestInit_ex(&md_ctx,
1446 (num == 2) ? s->ctx->md5 :
1447 s->ctx->sha1, NULL))
1448 goto err;
1449 EVP_DigestUpdate(&md_ctx,
1450 s->s3->client_random,
1451 SSL3_RANDOM_SIZE);
1452 EVP_DigestUpdate(&md_ctx,
1453 s->s3->server_random,
1454 SSL3_RANDOM_SIZE);
1455 EVP_DigestUpdate(&md_ctx, d, n);
1456 EVP_DigestFinal_ex(&md_ctx, q,
1457 (unsigned int *)&i);
1458 q += i;
1459 j += i;
1460 }
1461 if (RSA_sign(NID_md5_sha1, md_buf, j,
1462 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1463 SSLerr(
1464 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1465 ERR_LIB_RSA);
1466 goto err;
1467 }
1468 s2n(u, p);
1469 n += u + 2;
1470 } else if (md) {
1471 /* Send signature algorithm. */
1472 if (SSL_USE_SIGALGS(s)) {
1473 if (!tls12_get_sigandhash(p, pkey, md)) {
1474 /* Should never happen */
1475 al = SSL_AD_INTERNAL_ERROR;
1476 SSLerr(
1477 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1478 ERR_R_INTERNAL_ERROR);
1479 goto f_err;
1480 }
1481 p += 2;
1482 }
1483 EVP_SignInit_ex(&md_ctx, md, NULL);
1484 EVP_SignUpdate(&md_ctx,
1485 s->s3->client_random,
1486 SSL3_RANDOM_SIZE);
1487 EVP_SignUpdate(&md_ctx,
1488 s->s3->server_random,
1489 SSL3_RANDOM_SIZE);
1490 EVP_SignUpdate(&md_ctx, d, n);
1491 if (!EVP_SignFinal(&md_ctx, &p[2],
1492 (unsigned int *)&i, pkey)) {
1493 SSLerr(
1494 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1495 ERR_LIB_EVP);
1496 goto err;
1497 }
1498 s2n(i, p);
1499 n += i + 2;
1500 if (SSL_USE_SIGALGS(s))
1501 n += 2;
1502 } else {
1503 /* Is this error check actually needed? */
1504 al = SSL_AD_HANDSHAKE_FAILURE;
1505 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1506 SSL_R_UNKNOWN_PKEY_TYPE);
1507 goto f_err;
1508 }
1509 }
1510
1511 ssl3_handshake_msg_finish(s, n);
1512 }
1513
1514 s->state = SSL3_ST_SW_KEY_EXCH_B;
1515 EVP_MD_CTX_cleanup(&md_ctx);
1516
1517 return (ssl3_handshake_write(s));
1518
1519 f_err:
1520 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1521 err:
1522 free(encodedPoint);
1523 BN_CTX_free(bn_ctx);
1524 EVP_MD_CTX_cleanup(&md_ctx);
1525 return (-1);
1526 }
1527
1528 int
1529 ssl3_send_certificate_request(SSL *s)
1530 {
1531 unsigned char *p, *d;
1532 int i, j, nl, off, n;
1533 STACK_OF(X509_NAME) *sk = NULL;
1534 X509_NAME *name;
1535 BUF_MEM *buf;
1536
1537 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
1538 buf = s->init_buf;
1539
1540 d = p = ssl3_handshake_msg_start(s,
1541 SSL3_MT_CERTIFICATE_REQUEST);
1542
1543 /* get the list of acceptable cert types */
1544 p++;
1545 n = ssl3_get_req_cert_type(s, p);
1546 d[0] = n;
1547 p += n;
1548 n++;
1549
1550 if (SSL_USE_SIGALGS(s)) {
1551 nl = tls12_get_req_sig_algs(s, p + 2);
1552 s2n(nl, p);
1553 p += nl + 2;
1554 n += nl + 2;
1555 }
1556
1557 off = n;
1558 p += 2;
1559 n += 2;
1560
1561 sk = SSL_get_client_CA_list(s);
1562 nl = 0;
1563 if (sk != NULL) {
1564 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1565 name = sk_X509_NAME_value(sk, i);
1566 j = i2d_X509_NAME(name, NULL);
1567 if (!BUF_MEM_grow_clean(buf,
1568 ssl3_handshake_msg_hdr_len(s) + n + j
1569 + 2)) {
1570 SSLerr(
1571 SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
1572 ERR_R_BUF_LIB);
1573 goto err;
1574 }
1575 p = ssl3_handshake_msg_start(s,
1576 SSL3_MT_CERTIFICATE_REQUEST) + n;
1577 s2n(j, p);
1578 i2d_X509_NAME(name, &p);
1579 n += 2 + j;
1580 nl += 2 + j;
1581 }
1582 }
1583 /* else no CA names */
1584 p = ssl3_handshake_msg_start(s,
1585 SSL3_MT_CERTIFICATE_REQUEST) + off;
1586 s2n(nl, p);
1587
1588 ssl3_handshake_msg_finish(s, n);
1589
1590 s->state = SSL3_ST_SW_CERT_REQ_B;
1591 }
1592
1593 /* SSL3_ST_SW_CERT_REQ_B */
1594 return (ssl3_handshake_write(s));
1595 err:
1596 return (-1);
1597 }
1598
1599 int
1600 ssl3_get_client_key_exchange(SSL *s)
1601 {
1602 int i, al, ok;
1603 long n;
1604 unsigned long alg_k;
1605 unsigned char *d, *p;
1606 RSA *rsa = NULL;
1607 EVP_PKEY *pkey = NULL;
1608 BIGNUM *pub = NULL;
1609 DH *dh_srvr;
1610
1611 EC_KEY *srvr_ecdh = NULL;
1612 EVP_PKEY *clnt_pub_pkey = NULL;
1613 EC_POINT *clnt_ecpoint = NULL;
1614 BN_CTX *bn_ctx = NULL;
1615
1616 /* 2048 maxlen is a guess. How long a key does that permit? */
1617 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1618 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
1619 if (!ok)
1620 return ((int)n);
1621 d = p = (unsigned char *)s->init_msg;
1622
1623 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1624
1625 if (alg_k & SSL_kRSA) {
1626 char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
1627
1628 arc4random_buf(fakekey, sizeof(fakekey));
1629 fakekey[0] = s->client_version >> 8;
1630 fakekey[1] = s->client_version & 0xff;
1631
1632 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1633 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
1634 (pkey->pkey.rsa == NULL)) {
1635 al = SSL_AD_HANDSHAKE_FAILURE;
1636 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1637 SSL_R_MISSING_RSA_CERTIFICATE);
1638 goto f_err;
1639 }
1640 rsa = pkey->pkey.rsa;
1641
1642 if (2 > n)
1643 goto truncated;
1644 n2s(p, i);
1645 if (n != i + 2) {
1646 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1647 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1648 goto err;
1649 } else
1650 n = i;
1651
1652 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
1653
1654 ERR_clear_error();
1655
1656 al = -1;
1657
1658 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
1659 al = SSL_AD_DECODE_ERROR;
1660 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
1661 }
1662
1663 if (p - d + 2 > n) /* needed in the SSL3 case */
1664 goto truncated;
1665 if ((al == -1) && !((p[0] == (s->client_version >> 8)) &&
1666 (p[1] == (s->client_version & 0xff)))) {
1667 /*
1668 * The premaster secret must contain the same version
1669 * number as the ClientHello to detect version rollback
1670 * attacks (strangely, the protocol does not offer such
1671 * protection for DH ciphersuites).
1672 * However, buggy clients exist that send the negotiated
1673 * protocol version instead if the server does not
1674 * support the requested protocol version.
1675 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
1676 * clients.
1677 */
1678 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
1679 (p[0] == (s->version >> 8)) &&
1680 (p[1] == (s->version & 0xff)))) {
1681 al = SSL_AD_DECODE_ERROR;
1682 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1683
1684 /*
1685 * The Klima-Pokorny-Rosa extension of
1686 * Bleichenbacher's attack
1687 * (http://eprint.iacr.org/2003/052/) exploits
1688 * the version number check as a "bad version
1689 * oracle" -- an alert would reveal that the
1690 * plaintext corresponding to some ciphertext
1691 * made up by the adversary is properly
1692 * formatted except that the version number is
1693 * wrong.
1694 * To avoid such attacks, we should treat this
1695 * just like any other decryption error.
1696 */
1697 }
1698 }
1699
1700 if (al != -1) {
1701 /*
1702 * Some decryption failure -- use random value instead
1703 * as countermeasure against Bleichenbacher's attack
1704 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1705 * section 7.4.7.1).
1706 */
1707 i = SSL_MAX_MASTER_KEY_LENGTH;
1708 p = fakekey;
1709 }
1710
1711 s->session->master_key_length =
1712 s->method->ssl3_enc->generate_master_secret(s,
1713 s->session->master_key,
1714 p, i);
1715 explicit_bzero(p, i);
1716 } else if (alg_k & SSL_kDHE) {
1717 if (2 > n)
1718 goto truncated;
1719 n2s(p, i);
1720 if (n != i + 2) {
1721 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1722 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1723 goto err;
1724 }
1725
1726 if (n == 0L) {
1727 /* the parameters are in the cert */
1728 al = SSL_AD_HANDSHAKE_FAILURE;
1729 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1730 SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1731 goto f_err;
1732 } else {
1733 if (s->s3->tmp.dh == NULL) {
1734 al = SSL_AD_HANDSHAKE_FAILURE;
1735 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1736 SSL_R_MISSING_TMP_DH_KEY);
1737 goto f_err;
1738 } else
1739 dh_srvr = s->s3->tmp.dh;
1740 }
1741
1742 pub = BN_bin2bn(p, i, NULL);
1743 if (pub == NULL) {
1744 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1745 SSL_R_BN_LIB);
1746 goto err;
1747 }
1748
1749 i = DH_compute_key(p, pub, dh_srvr);
1750
1751 if (i <= 0) {
1752 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1753 ERR_R_DH_LIB);
1754 BN_clear_free(pub);
1755 goto err;
1756 }
1757
1758 DH_free(s->s3->tmp.dh);
1759 s->s3->tmp.dh = NULL;
1760
1761 BN_clear_free(pub);
1762 pub = NULL;
1763 s->session->master_key_length =
1764 s->method->ssl3_enc->generate_master_secret(
1765 s, s->session->master_key, p, i);
1766 explicit_bzero(p, i);
1767 } else
1768
1769 if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
1770 int ret = 1;
1771 int key_size;
1772 const EC_KEY *tkey;
1773 const EC_GROUP *group;
1774 const BIGNUM *priv_key;
1775
1776 /* Initialize structures for server's ECDH key pair. */
1777 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
1778 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1779 ERR_R_MALLOC_FAILURE);
1780 goto err;
1781 }
1782
1783 /* Let's get server private key and group information. */
1784 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
1785 /* Use the certificate */
1786 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
1787 } else {
1788 /*
1789 * Use the ephermeral values we saved when
1790 * generating the ServerKeyExchange msg.
1791 */
1792 tkey = s->s3->tmp.ecdh;
1793 }
1794
1795 group = EC_KEY_get0_group(tkey);
1796 priv_key = EC_KEY_get0_private_key(tkey);
1797
1798 if (!EC_KEY_set_group(srvr_ecdh, group) ||
1799 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
1800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1801 ERR_R_EC_LIB);
1802 goto err;
1803 }
1804
1805 /* Let's get client's public key */
1806 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
1807 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1808 ERR_R_MALLOC_FAILURE);
1809 goto err;
1810 }
1811
1812 if (n == 0L) {
1813 /* Client Publickey was in Client Certificate */
1814
1815 if (alg_k & SSL_kECDHE) {
1816 al = SSL_AD_HANDSHAKE_FAILURE;
1817 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1818 SSL_R_MISSING_TMP_ECDH_KEY);
1819 goto f_err;
1820 }
1821 if (((clnt_pub_pkey = X509_get_pubkey(
1822 s->session->peer)) == NULL) ||
1823 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
1824 /*
1825 * XXX: For now, we do not support client
1826 * authentication using ECDH certificates
1827 * so this branch (n == 0L) of the code is
1828 * never executed. When that support is
1829 * added, we ought to ensure the key
1830 * received in the certificate is
1831 * authorized for key agreement.
1832 * ECDH_compute_key implicitly checks that
1833 * the two ECDH shares are for the same
1834 * group.
1835 */
1836 al = SSL_AD_HANDSHAKE_FAILURE;
1837 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1838 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
1839 goto f_err;
1840 }
1841
1842 if (EC_POINT_copy(clnt_ecpoint,
1843 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
1844 == 0) {
1845 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1846 ERR_R_EC_LIB);
1847 goto err;
1848 }
1849 ret = 2; /* Skip certificate verify processing */
1850 } else {
1851 /*
1852 * Get client's public key from encoded point
1853 * in the ClientKeyExchange message.
1854 */
1855 if ((bn_ctx = BN_CTX_new()) == NULL) {
1856 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1857 ERR_R_MALLOC_FAILURE);
1858 goto err;
1859 }
1860
1861 /* Get encoded point length */
1862 i = *p;
1863
1864 p += 1;
1865 if (n != 1 + i) {
1866 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1867 ERR_R_EC_LIB);
1868 goto err;
1869 }
1870 if (EC_POINT_oct2point(group,
1871 clnt_ecpoint, p, i, bn_ctx) == 0) {
1872 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1873 ERR_R_EC_LIB);
1874 goto err;
1875 }
1876 /*
1877 * p is pointing to somewhere in the buffer
1878 * currently, so set it to the start.
1879 */
1880 p = (unsigned char *)s->init_buf->data;
1881 }
1882
1883 /* Compute the shared pre-master secret */
1884 key_size = ECDH_size(srvr_ecdh);
1885 if (key_size <= 0) {
1886 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1887 ERR_R_ECDH_LIB);
1888 goto err;
1889 }
1890 i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh,
1891 NULL);
1892 if (i <= 0) {
1893 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1894 ERR_R_ECDH_LIB);
1895 goto err;
1896 }
1897
1898 EVP_PKEY_free(clnt_pub_pkey);
1899 EC_POINT_free(clnt_ecpoint);
1900 EC_KEY_free(srvr_ecdh);
1901 BN_CTX_free(bn_ctx);
1902 EC_KEY_free(s->s3->tmp.ecdh);
1903 s->s3->tmp.ecdh = NULL;
1904
1905
1906 /* Compute the master secret */
1907 s->session->master_key_length = s->method->ssl3_enc-> \
1908 generate_master_secret(s, s->session->master_key, p, i);
1909
1910 explicit_bzero(p, i);
1911 return (ret);
1912 } else
1913 if (alg_k & SSL_kGOST) {
1914 int ret = 0;
1915 EVP_PKEY_CTX *pkey_ctx;
1916 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
1917 unsigned char premaster_secret[32], *start;
1918 size_t outlen = 32, inlen;
1919 unsigned long alg_a;
1920 int Ttag, Tclass;
1921 long Tlen;
1922
1923 /* Get our certificate private key*/
1924 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1925 if (alg_a & SSL_aGOST01)
1926 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1927
1928 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
1929 EVP_PKEY_decrypt_init(pkey_ctx);
1930 /*
1931 * If client certificate is present and is of the same type,
1932 * maybe use it for key exchange.
1933 * Don't mind errors from EVP_PKEY_derive_set_peer, because
1934 * it is completely valid to use a client certificate for
1935 * authorization only.
1936 */
1937 client_pub_pkey = X509_get_pubkey(s->session->peer);
1938 if (client_pub_pkey) {
1939 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1940 client_pub_pkey) <= 0)
1941 ERR_clear_error();
1942 }
1943 if (2 > n)
1944 goto truncated;
1945 /* Decrypt session key */
1946 if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag,
1947 &Tclass, n) != V_ASN1_CONSTRUCTED ||
1948 Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
1949 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1950 SSL_R_DECRYPTION_FAILED);
1951 goto gerr;
1952 }
1953 start = p;
1954 inlen = Tlen;
1955 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
1956 start, inlen) <=0) {
1957 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1958 SSL_R_DECRYPTION_FAILED);
1959 goto gerr;
1960 }
1961 /* Generate master secret */
1962 s->session->master_key_length =
1963 s->method->ssl3_enc->generate_master_secret(
1964 s, s->session->master_key, premaster_secret, 32);
1965 /* Check if pubkey from client certificate was used */
1966 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
1967 EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
1968 ret = 2;
1969 else
1970 ret = 1;
1971 gerr:
1972 EVP_PKEY_free(client_pub_pkey);
1973 EVP_PKEY_CTX_free(pkey_ctx);
1974 if (ret)
1975 return (ret);
1976 else
1977 goto err;
1978 } else {
1979 al = SSL_AD_HANDSHAKE_FAILURE;
1980 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1981 SSL_R_UNKNOWN_CIPHER_TYPE);
1982 goto f_err;
1983 }
1984
1985 return (1);
1986 truncated:
1987 al = SSL_AD_DECODE_ERROR;
1988 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
1989 f_err:
1990 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1991 err:
1992 EVP_PKEY_free(clnt_pub_pkey);
1993 EC_POINT_free(clnt_ecpoint);
1994 EC_KEY_free(srvr_ecdh);
1995 BN_CTX_free(bn_ctx);
1996 return (-1);
1997 }
1998
1999 int
2000 ssl3_get_cert_verify(SSL *s)
2001 {
2002 EVP_PKEY *pkey = NULL;
2003 unsigned char *p;
2004 int al, ok, ret = 0;
2005 long n;
2006 int type = 0, i, j;
2007 X509 *peer;
2008 const EVP_MD *md = NULL;
2009 EVP_MD_CTX mctx;
2010 EVP_MD_CTX_init(&mctx);
2011
2012 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2013 SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok);
2014 if (!ok)
2015 return ((int)n);
2016
2017 if (s->session->peer != NULL) {
2018 peer = s->session->peer;
2019 pkey = X509_get_pubkey(peer);
2020 type = X509_certificate_type(peer, pkey);
2021 } else {
2022 peer = NULL;
2023 pkey = NULL;
2024 }
2025
2026 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2027 s->s3->tmp.reuse_message = 1;
2028 if (peer != NULL) {
2029 al = SSL_AD_UNEXPECTED_MESSAGE;
2030 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2031 SSL_R_MISSING_VERIFY_MESSAGE);
2032 goto f_err;
2033 }
2034 ret = 1;
2035 goto end;
2036 }
2037
2038 if (peer == NULL) {
2039 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2040 SSL_R_NO_CLIENT_CERT_RECEIVED);
2041 al = SSL_AD_UNEXPECTED_MESSAGE;
2042 goto f_err;
2043 }
2044
2045 if (!(type & EVP_PKT_SIGN)) {
2046 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2047 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2048 al = SSL_AD_ILLEGAL_PARAMETER;
2049 goto f_err;
2050 }
2051
2052 if (s->s3->change_cipher_spec) {
2053 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2054 SSL_R_CCS_RECEIVED_EARLY);
2055 al = SSL_AD_UNEXPECTED_MESSAGE;
2056 goto f_err;
2057 }
2058
2059 /* we now have a signature that we need to verify */
2060 p = (unsigned char *)s->init_msg;
2061 /*
2062 * Check for broken implementations of GOST ciphersuites.
2063 *
2064 * If key is GOST and n is exactly 64, it is a bare
2065 * signature without length field.
2066 */
2067 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2068 pkey->type == NID_id_GostR3410_2001) ) {
2069 i = 64;
2070 } else {
2071 if (SSL_USE_SIGALGS(s)) {
2072 int sigalg = tls12_get_sigid(pkey);
2073 /* Should never happen */
2074 if (sigalg == -1) {
2075 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2076 ERR_R_INTERNAL_ERROR);
2077 al = SSL_AD_INTERNAL_ERROR;
2078 goto f_err;
2079 }
2080 if (2 > n)
2081 goto truncated;
2082 /* Check key type is consistent with signature */
2083 if (sigalg != (int)p[1]) {
2084 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2085 SSL_R_WRONG_SIGNATURE_TYPE);
2086 al = SSL_AD_DECODE_ERROR;
2087 goto f_err;
2088 }
2089 md = tls12_get_hash(p[0]);
2090 if (md == NULL) {
2091 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2092 SSL_R_UNKNOWN_DIGEST);
2093 al = SSL_AD_DECODE_ERROR;
2094 goto f_err;
2095 }
2096 p += 2;
2097 n -= 2;
2098 }
2099 if (2 > n)
2100 goto truncated;
2101 n2s(p, i);
2102 n -= 2;
2103 if (i > n)
2104 goto truncated;
2105 }
2106 j = EVP_PKEY_size(pkey);
2107 if ((i > j) || (n > j) || (n <= 0)) {
2108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2109 SSL_R_WRONG_SIGNATURE_SIZE);
2110 al = SSL_AD_DECODE_ERROR;
2111 goto f_err;
2112 }
2113
2114 if (SSL_USE_SIGALGS(s)) {
2115 long hdatalen = 0;
2116 void *hdata;
2117 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2118 if (hdatalen <= 0) {
2119 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2120 ERR_R_INTERNAL_ERROR);
2121 al = SSL_AD_INTERNAL_ERROR;
2122 goto f_err;
2123 }
2124 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2125 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
2126 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2127 ERR_R_EVP_LIB);
2128 al = SSL_AD_INTERNAL_ERROR;
2129 goto f_err;
2130 }
2131
2132 if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
2133 al = SSL_AD_DECRYPT_ERROR;
2134 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2135 SSL_R_BAD_SIGNATURE);
2136 goto f_err;
2137 }
2138 } else
2139 if (pkey->type == EVP_PKEY_RSA) {
2140 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
2141 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
2142 pkey->pkey.rsa);
2143 if (i < 0) {
2144 al = SSL_AD_DECRYPT_ERROR;
2145 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2146 SSL_R_BAD_RSA_DECRYPT);
2147 goto f_err;
2148 }
2149 if (i == 0) {
2150 al = SSL_AD_DECRYPT_ERROR;
2151 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2152 SSL_R_BAD_RSA_SIGNATURE);
2153 goto f_err;
2154 }
2155 } else
2156 if (pkey->type == EVP_PKEY_DSA) {
2157 j = DSA_verify(pkey->save_type,
2158 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2159 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
2160 if (j <= 0) {
2161 /* bad signature */
2162 al = SSL_AD_DECRYPT_ERROR;
2163 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2164 SSL_R_BAD_DSA_SIGNATURE);
2165 goto f_err;
2166 }
2167 } else
2168 if (pkey->type == EVP_PKEY_EC) {
2169 j = ECDSA_verify(pkey->save_type,
2170 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2171 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
2172 if (j <= 0) {
2173 /* bad signature */
2174 al = SSL_AD_DECRYPT_ERROR;
2175 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2176 SSL_R_BAD_ECDSA_SIGNATURE);
2177 goto f_err;
2178 }
2179 } else
2180 #ifndef OPENSSL_NO_GOST
2181 if (pkey->type == NID_id_GostR3410_94 ||
2182 pkey->type == NID_id_GostR3410_2001) {
2183 long hdatalen = 0;
2184 void *hdata;
2185 unsigned char signature[128];
2186 unsigned int siglen = sizeof(signature);
2187 int nid;
2188 EVP_PKEY_CTX *pctx;
2189
2190 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2191 if (hdatalen <= 0) {
2192 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2193 ERR_R_INTERNAL_ERROR);
2194 al = SSL_AD_INTERNAL_ERROR;
2195 goto f_err;
2196 }
2197 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2198 !(md = EVP_get_digestbynid(nid))) {
2199 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2200 ERR_R_EVP_LIB);
2201 al = SSL_AD_INTERNAL_ERROR;
2202 goto f_err;
2203 }
2204 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2205 if (!pctx) {
2206 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2207 ERR_R_EVP_LIB);
2208 al = SSL_AD_INTERNAL_ERROR;
2209 goto f_err;
2210 }
2211 if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
2212 !EVP_DigestUpdate(&mctx, hdata, hdatalen) ||
2213 !EVP_DigestFinal(&mctx, signature, &siglen) ||
2214 (EVP_PKEY_verify_init(pctx) <= 0) ||
2215 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
2216 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2217 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2218 GOST_SIG_FORMAT_RS_LE,
2219 NULL) <= 0)) {
2220 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2221 ERR_R_EVP_LIB);
2222 al = SSL_AD_INTERNAL_ERROR;
2223 EVP_PKEY_CTX_free(pctx);
2224 goto f_err;
2225 }
2226
2227 if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) {
2228 al = SSL_AD_DECRYPT_ERROR;
2229 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2230 SSL_R_BAD_SIGNATURE);
2231 EVP_PKEY_CTX_free(pctx);
2232 goto f_err;
2233 }
2234
2235 EVP_PKEY_CTX_free(pctx);
2236 } else
2237 #endif
2238 {
2239 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2240 ERR_R_INTERNAL_ERROR);
2241 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
2242 goto f_err;
2243 }
2244
2245
2246 ret = 1;
2247 if (0) {
2248 truncated:
2249 al = SSL_AD_DECODE_ERROR;
2250 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_PACKET_LENGTH);
2251 f_err:
2252 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2253 }
2254 end:
2255 if (s->s3->handshake_buffer) {
2256 BIO_free(s->s3->handshake_buffer);
2257 s->s3->handshake_buffer = NULL;
2258 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
2259 }
2260 EVP_MD_CTX_cleanup(&mctx);
2261 EVP_PKEY_free(pkey);
2262 return (ret);
2263 }
2264
2265 int
2266 ssl3_get_client_certificate(SSL *s)
2267 {
2268 CBS cbs, client_certs;
2269 int i, ok, al, ret = -1;
2270 X509 *x = NULL;
2271 long n;
2272 const unsigned char *q;
2273 STACK_OF(X509) *sk = NULL;
2274
2275 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2276 -1, s->max_cert_list, &ok);
2277
2278 if (!ok)
2279 return ((int)n);
2280
2281 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2282 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2283 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2284 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2285 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2286 al = SSL_AD_HANDSHAKE_FAILURE;
2287 goto f_err;
2288 }
2289 /*
2290 * If tls asked for a client cert,
2291 * the client must return a 0 list.
2292 */
2293 if (s->s3->tmp.cert_request) {
2294 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2295 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2296 );
2297 al = SSL_AD_UNEXPECTED_MESSAGE;
2298 goto f_err;
2299 }
2300 s->s3->tmp.reuse_message = 1;
2301 return (1);
2302 }
2303
2304 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2305 al = SSL_AD_UNEXPECTED_MESSAGE;
2306 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2307 SSL_R_WRONG_MESSAGE_TYPE);
2308 goto f_err;
2309 }
2310
2311 if (n < 0)
2312 goto truncated;
2313
2314 CBS_init(&cbs, s->init_msg, n);
2315
2316 if ((sk = sk_X509_new_null()) == NULL) {
2317 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2318 ERR_R_MALLOC_FAILURE);
2319 goto err;
2320 }
2321
2322 if (!CBS_get_u24_length_prefixed(&cbs, &client_certs) ||
2323 CBS_len(&cbs) != 0)
2324 goto truncated;
2325
2326 while (CBS_len(&client_certs) > 0) {
2327 CBS cert;
2328
2329 if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) {
2330 al = SSL_AD_DECODE_ERROR;
2331 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2332 SSL_R_CERT_LENGTH_MISMATCH);
2333 goto f_err;
2334 }
2335
2336 q = CBS_data(&cert);
2337 x = d2i_X509(NULL, &q, CBS_len(&cert));
2338 if (x == NULL) {
2339 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2340 ERR_R_ASN1_LIB);
2341 goto err;
2342 }
2343 if (q != CBS_data(&cert) + CBS_len(&cert)) {
2344 al = SSL_AD_DECODE_ERROR;
2345 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2346 SSL_R_CERT_LENGTH_MISMATCH);
2347 goto f_err;
2348 }
2349 if (!sk_X509_push(sk, x)) {
2350 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2351 ERR_R_MALLOC_FAILURE);
2352 goto err;
2353 }
2354 x = NULL;
2355 }
2356
2357 if (sk_X509_num(sk) <= 0) {
2358 /*
2359 * TLS does not mind 0 certs returned.
2360 * Fail for TLS only if we required a certificate.
2361 */
2362 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2363 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2364 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2365 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2366 al = SSL_AD_HANDSHAKE_FAILURE;
2367 goto f_err;
2368 }
2369 /* No client certificate so digest cached records */
2370 if (s->s3->handshake_buffer && !tls1_digest_cached_records(s)) {
2371 al = SSL_AD_INTERNAL_ERROR;
2372 goto f_err;
2373 }
2374 } else {
2375 i = ssl_verify_cert_chain(s, sk);
2376 if (i <= 0) {
2377 al = ssl_verify_alarm_type(s->verify_result);
2378 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2379 SSL_R_NO_CERTIFICATE_RETURNED);
2380 goto f_err;
2381 }
2382 }
2383
2384 X509_free(s->session->peer);
2385 s->session->peer = sk_X509_shift(sk);
2386 s->session->verify_result = s->verify_result;
2387
2388 /*
2389 * With the current implementation, sess_cert will always be NULL
2390 * when we arrive here
2391 */
2392 if (s->session->sess_cert == NULL) {
2393 s->session->sess_cert = ssl_sess_cert_new();
2394 if (s->session->sess_cert == NULL) {
2395 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2396 ERR_R_MALLOC_FAILURE);
2397 goto err;
2398 }
2399 }
2400 if (s->session->sess_cert->cert_chain != NULL)
2401 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2402 s->session->sess_cert->cert_chain = sk;
2403
2404 /*
2405 * Inconsistency alert: cert_chain does *not* include the
2406 * peer's own certificate, while we do include it in s3_clnt.c
2407 */
2408
2409 sk = NULL;
2410
2411 ret = 1;
2412 if (0) {
2413 truncated:
2414 al = SSL_AD_DECODE_ERROR;
2415 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2416 SSL_R_BAD_PACKET_LENGTH);
2417 f_err:
2418 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2419 }
2420 err:
2421 X509_free(x);
2422 if (sk != NULL)
2423 sk_X509_pop_free(sk, X509_free);
2424 return (ret);
2425 }
2426
2427 int
2428 ssl3_send_server_certificate(SSL *s)
2429 {
2430 unsigned long l;
2431 X509 *x;
2432
2433 if (s->state == SSL3_ST_SW_CERT_A) {
2434 x = ssl_get_server_send_cert(s);
2435 if (x == NULL) {
2436 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2437 ERR_R_INTERNAL_ERROR);
2438 return (0);
2439 }
2440
2441 l = ssl3_output_cert_chain(s, x);
2442 s->state = SSL3_ST_SW_CERT_B;
2443 s->init_num = (int)l;
2444 s->init_off = 0;
2445 }
2446
2447 /* SSL3_ST_SW_CERT_B */
2448 return (ssl3_handshake_write(s));
2449 }
2450
2451 /* send a new session ticket (not necessarily for a new session) */
2452 int
2453 ssl3_send_newsession_ticket(SSL *s)
2454 {
2455 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
2456 unsigned char *d, *p, *senc, *macstart;
2457 const unsigned char *const_p;
2458 int len, slen_full, slen;
2459 SSL_SESSION *sess;
2460 unsigned int hlen;
2461 EVP_CIPHER_CTX ctx;
2462 HMAC_CTX hctx;
2463 SSL_CTX *tctx = s->initial_ctx;
2464 unsigned char iv[EVP_MAX_IV_LENGTH];
2465 unsigned char key_name[16];
2466
2467 /* get session encoding length */
2468 slen_full = i2d_SSL_SESSION(s->session, NULL);
2469 /*
2470 * Some length values are 16 bits, so forget it if session is
2471 * too long
2472 */
2473 if (slen_full > 0xFF00)
2474 return (-1);
2475 senc = malloc(slen_full);
2476 if (!senc)
2477 return (-1);
2478 p = senc;
2479 i2d_SSL_SESSION(s->session, &p);
2480
2481 /*
2482 * Create a fresh copy (not shared with other threads) to
2483 * clean up
2484 */
2485 const_p = senc;
2486 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
2487 if (sess == NULL) {
2488 free(senc);
2489 return (-1);
2490 }
2491
2492 /* ID is irrelevant for the ticket */
2493 sess->session_id_length = 0;
2494
2495 slen = i2d_SSL_SESSION(sess, NULL);
2496 if (slen > slen_full) {
2497 /* shouldn't ever happen */
2498 free(senc);
2499 return (-1);
2500 }
2501 p = senc;
2502 i2d_SSL_SESSION(sess, &p);
2503 SSL_SESSION_free(sess);
2504
2505 /*
2506 * Grow buffer if need be: the length calculation is as
2507 * follows 1 (size of message name) + 3 (message length
2508 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2509 * 16 (key name) + max_iv_len (iv length) +
2510 * session_length + max_enc_block_size (max encrypted session
2511 * length) + max_md_size (HMAC).
2512 */
2513 if (!BUF_MEM_grow(s->init_buf, ssl3_handshake_msg_hdr_len(s) +
2514 22 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
2515 EVP_MAX_MD_SIZE + slen)) {
2516 free(senc);
2517 return (-1);
2518 }
2519
2520 d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEWSESSION_TICKET);
2521
2522 EVP_CIPHER_CTX_init(&ctx);
2523 HMAC_CTX_init(&hctx);
2524
2525 /*
2526 * Initialize HMAC and cipher contexts. If callback present
2527 * it does all the work otherwise use generated values
2528 * from parent ctx.
2529 */
2530 if (tctx->tlsext_ticket_key_cb) {
2531 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2532 &hctx, 1) < 0) {
2533 free(senc);
2534 EVP_CIPHER_CTX_cleanup(&ctx);
2535 return (-1);
2536 }
2537 } else {
2538 arc4random_buf(iv, 16);
2539 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2540 tctx->tlsext_tick_aes_key, iv);
2541 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2542 tlsext_tick_md(), NULL);
2543 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2544 }
2545
2546 /*
2547 * Ticket lifetime hint (advisory only):
2548 * We leave this unspecified for resumed session
2549 * (for simplicity), and guess that tickets for new
2550 * sessions will live as long as their sessions.
2551 */
2552 l2n(s->hit ? 0 : s->session->timeout, p);
2553
2554 /* Skip ticket length for now */
2555 p += 2;
2556 /* Output key name */
2557 macstart = p;
2558 memcpy(p, key_name, 16);
2559 p += 16;
2560 /* output IV */
2561 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2562 p += EVP_CIPHER_CTX_iv_length(&ctx);
2563 /* Encrypt session data */
2564 EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2565 p += len;
2566 EVP_EncryptFinal_ex(&ctx, p, &len);
2567 p += len;
2568 EVP_CIPHER_CTX_cleanup(&ctx);
2569
2570 HMAC_Update(&hctx, macstart, p - macstart);
2571 HMAC_Final(&hctx, p, &hlen);
2572 HMAC_CTX_cleanup(&hctx);
2573 p += hlen;
2574
2575 /* Now write out lengths: p points to end of data written */
2576 /* Total length */
2577 len = p - d;
2578
2579 /* Skip ticket lifetime hint. */
2580 p = d + 4;
2581 s2n(len - 6, p); /* Message length */
2582
2583 ssl3_handshake_msg_finish(s, len);
2584
2585 s->state = SSL3_ST_SW_SESSION_TICKET_B;
2586
2587 free(senc);
2588 }
2589
2590 /* SSL3_ST_SW_SESSION_TICKET_B */
2591 return (ssl3_handshake_write(s));
2592 }
2593
2594 int
2595 ssl3_send_cert_status(SSL *s)
2596 {
2597 unsigned char *p;
2598
2599 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
2600 /*
2601 * Grow buffer if need be: the length calculation is as
2602 * follows 1 (message type) + 3 (message length) +
2603 * 1 (ocsp response type) + 3 (ocsp response length)
2604 * + (ocsp response)
2605 */
2606 if (!BUF_MEM_grow(s->init_buf, SSL3_HM_HEADER_LENGTH + 4 +
2607 s->tlsext_ocsp_resplen))
2608 return (-1);
2609
2610 p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_STATUS);
2611
2612 *(p++) = s->tlsext_status_type;
2613 l2n3(s->tlsext_ocsp_resplen, p);
2614 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
2615
2616 ssl3_handshake_msg_finish(s, s->tlsext_ocsp_resplen + 4);
2617
2618 s->state = SSL3_ST_SW_CERT_STATUS_B;
2619 }
2620
2621 /* SSL3_ST_SW_CERT_STATUS_B */
2622 return (ssl3_handshake_write(s));
2623 }
2624
2625 /*
2626 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
2627 * It sets the next_proto member in s if found
2628 */
2629 int
2630 ssl3_get_next_proto(SSL *s)
2631 {
2632 CBS cbs, proto, padding;
2633 int ok;
2634 long n;
2635 size_t len;
2636
2637 /*
2638 * Clients cannot send a NextProtocol message if we didn't see the
2639 * extension in their ClientHello
2640 */
2641 if (!s->s3->next_proto_neg_seen) {
2642 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2643 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2644 return (-1);
2645 }
2646
2647 /* 514 maxlen is enough for the payload format below */
2648 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2649 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
2650 if (!ok)
2651 return ((int)n);
2652
2653 /*
2654 * s->state doesn't reflect whether ChangeCipherSpec has been received
2655 * in this handshake, but s->s3->change_cipher_spec does (will be reset
2656 * by ssl3_get_finished).
2657 */
2658 if (!s->s3->change_cipher_spec) {
2659 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2660 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
2661 return (-1);
2662 }
2663
2664 if (n < 2)
2665 return (0);
2666 /* The body must be > 1 bytes long */
2667
2668 CBS_init(&cbs, s->init_msg, s->init_num);
2669
2670 /*
2671 * The payload looks like:
2672 * uint8 proto_len;
2673 * uint8 proto[proto_len];
2674 * uint8 padding_len;
2675 * uint8 padding[padding_len];
2676 */
2677 if (!CBS_get_u8_length_prefixed(&cbs, &proto) ||
2678 !CBS_get_u8_length_prefixed(&cbs, &padding) ||
2679 CBS_len(&cbs) != 0)
2680 return 0;
2681
2682 /*
2683 * XXX We should not NULL it, but this matches old behavior of not
2684 * freeing before malloc.
2685 */
2686 s->next_proto_negotiated = NULL;
2687 s->next_proto_negotiated_len = 0;
2688
2689 if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) {
2690 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2691 ERR_R_MALLOC_FAILURE);
2692 return (0);
2693 }
2694 s->next_proto_negotiated_len = (uint8_t)len;
2695
2696 return (1);
2697 }
DragonFly BSD