1 /* $OpenBSD: ssl_srvr.c,v 1.149 2022/08/17 07:39:19 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
153 #include <openssl/bn.h>
154 #include <openssl/buffer.h>
155 #include <openssl/curve25519.h>
156 #include <openssl/evp.h>
157 #include <openssl/dh.h>
158 #include <openssl/hmac.h>
159 #include <openssl/md5.h>
160 #include <openssl/objects.h>
161 #include <openssl/opensslconf.h>
162 #include <openssl/x509.h>
164 #ifndef OPENSSL_NO_GOST
165 #include <openssl/gost.h>
168 #include "bytestring.h"
169 #include "dtls_locl.h"
170 #include "ssl_locl.h"
171 #include "ssl_sigalgs.h"
172 #include "ssl_tlsext.h"
178 int new_state
, state
, skip
= 0;
186 listen
= s
->d1
->listen
;
188 /* init things to blank */
189 s
->internal
->in_handshake
++;
190 if (!SSL_in_init(s
) || SSL_in_before(s
))
194 s
->d1
->listen
= listen
;
197 state
= s
->s3
->hs
.state
;
199 switch (s
->s3
->hs
.state
) {
200 case SSL_ST_RENEGOTIATE
:
201 s
->internal
->renegotiate
= 1;
202 /* s->s3->hs.state=SSL_ST_ACCEPT; */
206 case SSL_ST_BEFORE
|SSL_ST_ACCEPT
:
207 case SSL_ST_OK
|SSL_ST_ACCEPT
:
210 ssl_info_callback(s
, SSL_CB_HANDSHAKE_START
, 1);
212 if (!ssl_legacy_stack_version(s
, s
->version
)) {
213 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
218 if (!ssl_supported_tls_version_range(s
,
219 &s
->s3
->hs
.our_min_tls_version
,
220 &s
->s3
->hs
.our_max_tls_version
)) {
221 SSLerror(s
, SSL_R_NO_PROTOCOLS_AVAILABLE
);
226 if (!ssl_security_version(s
,
227 s
->s3
->hs
.our_min_tls_version
)) {
228 SSLerror(s
, SSL_R_VERSION_TOO_LOW
);
233 if (!ssl3_setup_init_buffer(s
)) {
237 if (!ssl3_setup_buffers(s
)) {
242 s
->internal
->init_num
= 0;
244 if (s
->s3
->hs
.state
!= SSL_ST_RENEGOTIATE
) {
246 * Ok, we now need to push on a buffering BIO
247 * so that the output is sent in a way that
250 if (!ssl_init_wbio_buffer(s
, 1)) {
255 if (!tls1_transcript_init(s
)) {
260 s
->s3
->hs
.state
= SSL3_ST_SR_CLNT_HELLO_A
;
261 s
->ctx
->internal
->stats
.sess_accept
++;
262 } else if (!SSL_is_dtls(s
) && !s
->s3
->send_connection_binding
) {
264 * Server attempting to renegotiate with
265 * client that doesn't support secure
268 SSLerror(s
, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
269 ssl3_send_alert(s
, SSL3_AL_FATAL
,
270 SSL_AD_HANDSHAKE_FAILURE
);
275 * s->s3->hs.state == SSL_ST_RENEGOTIATE,
276 * we will just send a HelloRequest.
278 s
->ctx
->internal
->stats
.sess_accept_renegotiate
++;
279 s
->s3
->hs
.state
= SSL3_ST_SW_HELLO_REQ_A
;
283 case SSL3_ST_SW_HELLO_REQ_A
:
284 case SSL3_ST_SW_HELLO_REQ_B
:
285 s
->internal
->shutdown
= 0;
286 if (SSL_is_dtls(s
)) {
287 dtls1_clear_record_buffer(s
);
288 dtls1_start_timer(s
);
290 ret
= ssl3_send_hello_request(s
);
294 s
->s3
->hs
.tls12
.next_state
= SSL3_ST_SR_CLNT_HELLO_A
;
296 s
->s3
->hs
.tls12
.next_state
= SSL3_ST_SW_HELLO_REQ_C
;
297 s
->s3
->hs
.state
= SSL3_ST_SW_FLUSH
;
298 s
->internal
->init_num
= 0;
300 if (SSL_is_dtls(s
)) {
301 if (!tls1_transcript_init(s
)) {
308 case SSL3_ST_SW_HELLO_REQ_C
:
309 s
->s3
->hs
.state
= SSL_ST_OK
;
312 case SSL3_ST_SR_CLNT_HELLO_A
:
313 case SSL3_ST_SR_CLNT_HELLO_B
:
314 case SSL3_ST_SR_CLNT_HELLO_C
:
315 s
->internal
->shutdown
= 0;
316 if (SSL_is_dtls(s
)) {
317 ret
= ssl3_get_client_hello(s
);
323 (SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
))
324 s
->s3
->hs
.state
= DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A
;
326 s
->s3
->hs
.state
= SSL3_ST_SW_SRVR_HELLO_A
;
328 s
->internal
->init_num
= 0;
331 * Reflect ClientHello sequence to remain
332 * stateless while listening.
335 tls12_record_layer_reflect_seq_num(
339 /* If we're just listening, stop here */
340 if (listen
&& s
->s3
->hs
.state
== SSL3_ST_SW_SRVR_HELLO_A
) {
344 * Set expected sequence numbers to
345 * continue the handshake.
347 s
->d1
->handshake_read_seq
= 2;
348 s
->d1
->handshake_write_seq
= 1;
349 s
->d1
->next_handshake_write_seq
= 1;
353 if (s
->internal
->rwstate
!= SSL_X509_LOOKUP
) {
354 ret
= ssl3_get_client_hello(s
);
359 s
->internal
->renegotiate
= 2;
360 s
->s3
->hs
.state
= SSL3_ST_SW_SRVR_HELLO_A
;
361 s
->internal
->init_num
= 0;
365 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A
:
366 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B
:
367 ret
= ssl3_send_dtls_hello_verify_request(s
);
370 s
->s3
->hs
.state
= SSL3_ST_SW_FLUSH
;
371 s
->s3
->hs
.tls12
.next_state
= SSL3_ST_SR_CLNT_HELLO_A
;
373 /* HelloVerifyRequest resets Finished MAC. */
374 tls1_transcript_reset(s
);
377 case SSL3_ST_SW_SRVR_HELLO_A
:
378 case SSL3_ST_SW_SRVR_HELLO_B
:
379 if (SSL_is_dtls(s
)) {
380 s
->internal
->renegotiate
= 2;
381 dtls1_start_timer(s
);
383 ret
= ssl3_send_server_hello(s
);
386 if (s
->internal
->hit
) {
387 if (s
->internal
->tlsext_ticket_expected
)
388 s
->s3
->hs
.state
= SSL3_ST_SW_SESSION_TICKET_A
;
390 s
->s3
->hs
.state
= SSL3_ST_SW_CHANGE_A
;
392 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_A
;
394 s
->internal
->init_num
= 0;
397 case SSL3_ST_SW_CERT_A
:
398 case SSL3_ST_SW_CERT_B
:
399 /* Check if it is anon DH or anon ECDH. */
400 if (!(s
->s3
->hs
.cipher
->algorithm_auth
&
403 dtls1_start_timer(s
);
404 ret
= ssl3_send_server_certificate(s
);
407 if (s
->internal
->tlsext_status_expected
)
408 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_STATUS_A
;
410 s
->s3
->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
413 s
->s3
->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
415 s
->internal
->init_num
= 0;
418 case SSL3_ST_SW_KEY_EXCH_A
:
419 case SSL3_ST_SW_KEY_EXCH_B
:
420 alg_k
= s
->s3
->hs
.cipher
->algorithm_mkey
;
423 * Only send if using a DH key exchange.
425 * For ECC ciphersuites, we send a ServerKeyExchange
426 * message only if the cipher suite is ECDHE. In other
427 * cases, the server certificate contains the server's
428 * public key for key exchange.
430 if (alg_k
& (SSL_kDHE
|SSL_kECDHE
)) {
432 dtls1_start_timer(s
);
433 ret
= ssl3_send_server_key_exchange(s
);
439 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_REQ_A
;
440 s
->internal
->init_num
= 0;
443 case SSL3_ST_SW_CERT_REQ_A
:
444 case SSL3_ST_SW_CERT_REQ_B
:
446 * Determine whether or not we need to request a
449 * Do not request a certificate if:
451 * - We did not ask for it (SSL_VERIFY_PEER is unset).
453 * - SSL_VERIFY_CLIENT_ONCE is set and we are
456 * - We are using an anonymous ciphersuites
457 * (see section "Certificate request" in SSL 3 drafts
458 * and in RFC 2246) ... except when the application
459 * insists on verification (against the specs, but
460 * s3_clnt.c accepts this for SSL 3).
462 if (!(s
->verify_mode
& SSL_VERIFY_PEER
) ||
463 ((s
->session
->peer_cert
!= NULL
) &&
464 (s
->verify_mode
& SSL_VERIFY_CLIENT_ONCE
)) ||
465 ((s
->s3
->hs
.cipher
->algorithm_auth
&
466 SSL_aNULL
) && !(s
->verify_mode
&
467 SSL_VERIFY_FAIL_IF_NO_PEER_CERT
))) {
468 /* No cert request. */
470 s
->s3
->hs
.tls12
.cert_request
= 0;
471 s
->s3
->hs
.state
= SSL3_ST_SW_SRVR_DONE_A
;
474 tls1_transcript_free(s
);
476 s
->s3
->hs
.tls12
.cert_request
= 1;
478 dtls1_start_timer(s
);
479 ret
= ssl3_send_certificate_request(s
);
482 s
->s3
->hs
.state
= SSL3_ST_SW_SRVR_DONE_A
;
483 s
->internal
->init_num
= 0;
487 case SSL3_ST_SW_SRVR_DONE_A
:
488 case SSL3_ST_SW_SRVR_DONE_B
:
490 dtls1_start_timer(s
);
491 ret
= ssl3_send_server_done(s
);
494 s
->s3
->hs
.tls12
.next_state
= SSL3_ST_SR_CERT_A
;
495 s
->s3
->hs
.state
= SSL3_ST_SW_FLUSH
;
496 s
->internal
->init_num
= 0;
499 case SSL3_ST_SW_FLUSH
:
501 * This code originally checked to see if
502 * any data was pending using BIO_CTRL_INFO
503 * and then flushed. This caused problems
504 * as documented in PR#1939. The proposed
505 * fix doesn't completely resolve this issue
506 * as buggy implementations of BIO_CTRL_PENDING
507 * still exist. So instead we just flush
510 s
->internal
->rwstate
= SSL_WRITING
;
511 if (BIO_flush(s
->wbio
) <= 0) {
512 if (SSL_is_dtls(s
)) {
513 /* If the write error was fatal, stop trying. */
514 if (!BIO_should_retry(s
->wbio
)) {
515 s
->internal
->rwstate
= SSL_NOTHING
;
516 s
->s3
->hs
.state
= s
->s3
->hs
.tls12
.next_state
;
522 s
->internal
->rwstate
= SSL_NOTHING
;
523 s
->s3
->hs
.state
= s
->s3
->hs
.tls12
.next_state
;
526 case SSL3_ST_SR_CERT_A
:
527 case SSL3_ST_SR_CERT_B
:
528 if (s
->s3
->hs
.tls12
.cert_request
!= 0) {
529 ret
= ssl3_get_client_certificate(s
);
533 s
->internal
->init_num
= 0;
534 s
->s3
->hs
.state
= SSL3_ST_SR_KEY_EXCH_A
;
537 case SSL3_ST_SR_KEY_EXCH_A
:
538 case SSL3_ST_SR_KEY_EXCH_B
:
539 ret
= ssl3_get_client_key_exchange(s
);
543 if (SSL_is_dtls(s
)) {
544 s
->s3
->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
545 s
->internal
->init_num
= 0;
548 alg_k
= s
->s3
->hs
.cipher
->algorithm_mkey
;
549 if (s
->s3
->flags
& TLS1_FLAGS_SKIP_CERT_VERIFY
) {
551 * A GOST client may use the key from its
552 * certificate for key exchange, in which case
553 * the CertificateVerify message is not sent.
555 s
->s3
->hs
.state
= SSL3_ST_SR_FINISHED_A
;
556 s
->internal
->init_num
= 0;
557 } else if (SSL_USE_SIGALGS(s
) || (alg_k
& SSL_kGOST
)) {
558 s
->s3
->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
559 s
->internal
->init_num
= 0;
560 if (!s
->session
->peer_cert
)
563 * Freeze the transcript for use during client
564 * certificate verification.
566 tls1_transcript_freeze(s
);
568 s
->s3
->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
569 s
->internal
->init_num
= 0;
571 tls1_transcript_free(s
);
574 * We need to get hashes here so if there is
575 * a client cert, it can be verified.
577 if (!tls1_transcript_hash_value(s
,
578 s
->s3
->hs
.tls12
.cert_verify
,
579 sizeof(s
->s3
->hs
.tls12
.cert_verify
),
587 case SSL3_ST_SR_CERT_VRFY_A
:
588 case SSL3_ST_SR_CERT_VRFY_B
:
590 s
->d1
->change_cipher_spec_ok
= 1;
592 s
->s3
->flags
|= SSL3_FLAGS_CCS_OK
;
594 /* we should decide if we expected this one */
595 ret
= ssl3_get_cert_verify(s
);
598 s
->s3
->hs
.state
= SSL3_ST_SR_FINISHED_A
;
599 s
->internal
->init_num
= 0;
602 case SSL3_ST_SR_FINISHED_A
:
603 case SSL3_ST_SR_FINISHED_B
:
605 s
->d1
->change_cipher_spec_ok
= 1;
607 s
->s3
->flags
|= SSL3_FLAGS_CCS_OK
;
608 ret
= ssl3_get_finished(s
, SSL3_ST_SR_FINISHED_A
,
609 SSL3_ST_SR_FINISHED_B
);
614 if (s
->internal
->hit
)
615 s
->s3
->hs
.state
= SSL_ST_OK
;
616 else if (s
->internal
->tlsext_ticket_expected
)
617 s
->s3
->hs
.state
= SSL3_ST_SW_SESSION_TICKET_A
;
619 s
->s3
->hs
.state
= SSL3_ST_SW_CHANGE_A
;
620 s
->internal
->init_num
= 0;
623 case SSL3_ST_SW_SESSION_TICKET_A
:
624 case SSL3_ST_SW_SESSION_TICKET_B
:
625 ret
= ssl3_send_newsession_ticket(s
);
628 s
->s3
->hs
.state
= SSL3_ST_SW_CHANGE_A
;
629 s
->internal
->init_num
= 0;
632 case SSL3_ST_SW_CERT_STATUS_A
:
633 case SSL3_ST_SW_CERT_STATUS_B
:
634 ret
= ssl3_send_cert_status(s
);
637 s
->s3
->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
638 s
->internal
->init_num
= 0;
641 case SSL3_ST_SW_CHANGE_A
:
642 case SSL3_ST_SW_CHANGE_B
:
643 ret
= ssl3_send_change_cipher_spec(s
,
644 SSL3_ST_SW_CHANGE_A
, SSL3_ST_SW_CHANGE_B
);
647 s
->s3
->hs
.state
= SSL3_ST_SW_FINISHED_A
;
648 s
->internal
->init_num
= 0;
649 s
->session
->cipher
= s
->s3
->hs
.cipher
;
651 if (!tls1_setup_key_block(s
)) {
655 if (!tls1_change_write_cipher_state(s
)) {
661 case SSL3_ST_SW_FINISHED_A
:
662 case SSL3_ST_SW_FINISHED_B
:
663 ret
= ssl3_send_finished(s
, SSL3_ST_SW_FINISHED_A
,
664 SSL3_ST_SW_FINISHED_B
);
667 s
->s3
->hs
.state
= SSL3_ST_SW_FLUSH
;
668 if (s
->internal
->hit
) {
669 s
->s3
->hs
.tls12
.next_state
= SSL3_ST_SR_FINISHED_A
;
670 tls1_transcript_free(s
);
672 s
->s3
->hs
.tls12
.next_state
= SSL_ST_OK
;
673 s
->internal
->init_num
= 0;
677 /* clean a few things up */
678 tls1_cleanup_key_block(s
);
680 if (s
->s3
->handshake_transcript
!= NULL
) {
681 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
687 ssl3_release_init_buffer(s
);
689 /* remove buffering on output */
690 ssl_free_wbio_buffer(s
);
692 s
->internal
->init_num
= 0;
694 /* Skipped if we just sent a HelloRequest. */
695 if (s
->internal
->renegotiate
== 2) {
696 s
->internal
->renegotiate
= 0;
697 s
->internal
->new_session
= 0;
699 ssl_update_cache(s
, SSL_SESS_CACHE_SERVER
);
701 s
->ctx
->internal
->stats
.sess_accept_good
++;
703 s
->internal
->handshake_func
= ssl3_accept
;
705 ssl_info_callback(s
, SSL_CB_HANDSHAKE_DONE
, 1);
710 if (SSL_is_dtls(s
)) {
711 /* Done handshaking, next message is client hello. */
712 s
->d1
->handshake_read_seq
= 0;
713 /* Next message is server hello. */
714 s
->d1
->handshake_write_seq
= 0;
715 s
->d1
->next_handshake_write_seq
= 0;
721 SSLerror(s
, SSL_R_UNKNOWN_STATE
);
727 if (!s
->s3
->hs
.tls12
.reuse_message
&& !skip
) {
728 if (s
->internal
->debug
) {
729 if ((ret
= BIO_flush(s
->wbio
)) <= 0)
734 if (s
->s3
->hs
.state
!= state
) {
735 new_state
= s
->s3
->hs
.state
;
736 s
->s3
->hs
.state
= state
;
737 ssl_info_callback(s
, SSL_CB_ACCEPT_LOOP
, 1);
738 s
->s3
->hs
.state
= new_state
;
744 /* BIO_flush(s->wbio); */
745 s
->internal
->in_handshake
--;
746 ssl_info_callback(s
, SSL_CB_ACCEPT_EXIT
, ret
);
752 ssl3_send_hello_request(SSL
*s
)
756 memset(&cbb
, 0, sizeof(cbb
));
758 if (s
->s3
->hs
.state
== SSL3_ST_SW_HELLO_REQ_A
) {
759 if (!ssl3_handshake_msg_start(s
, &cbb
, &hello
,
760 SSL3_MT_HELLO_REQUEST
))
762 if (!ssl3_handshake_msg_finish(s
, &cbb
))
765 s
->s3
->hs
.state
= SSL3_ST_SW_HELLO_REQ_B
;
768 /* SSL3_ST_SW_HELLO_REQ_B */
769 return (ssl3_handshake_write(s
));
778 ssl3_get_client_hello(SSL
*s
)
780 CBS cbs
, client_random
, session_id
, cookie
, cipher_suites
;
781 CBS compression_methods
;
782 uint16_t client_version
;
785 int i
, j
, al
, ret
, cookie_valid
= 0;
788 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
790 const SSL_METHOD
*method
;
791 uint16_t shared_version
;
794 * We do this so that we will respond with our native type.
795 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
796 * This down switching should be handled by a different method.
797 * If we are SSLv3, we will respond with SSLv3, even if prompted with
800 if (s
->s3
->hs
.state
== SSL3_ST_SR_CLNT_HELLO_A
)
801 s
->s3
->hs
.state
= SSL3_ST_SR_CLNT_HELLO_B
;
803 s
->internal
->first_packet
= 1;
804 if ((ret
= ssl3_get_message(s
, SSL3_ST_SR_CLNT_HELLO_B
,
805 SSL3_ST_SR_CLNT_HELLO_C
, SSL3_MT_CLIENT_HELLO
,
806 SSL3_RT_MAX_PLAIN_LENGTH
)) <= 0)
808 s
->internal
->first_packet
= 0;
812 if (s
->internal
->init_num
< 0)
815 CBS_init(&cbs
, s
->internal
->init_msg
, s
->internal
->init_num
);
817 /* Parse client hello up until the extensions (if any). */
818 if (!CBS_get_u16(&cbs
, &client_version
))
820 if (!CBS_get_bytes(&cbs
, &client_random
, SSL3_RANDOM_SIZE
))
822 if (!CBS_get_u8_length_prefixed(&cbs
, &session_id
))
824 if (CBS_len(&session_id
) > SSL3_SESSION_ID_SIZE
) {
825 al
= SSL_AD_ILLEGAL_PARAMETER
;
826 SSLerror(s
, SSL_R_SSL3_SESSION_ID_TOO_LONG
);
829 if (SSL_is_dtls(s
)) {
830 if (!CBS_get_u8_length_prefixed(&cbs
, &cookie
))
833 if (!CBS_get_u16_length_prefixed(&cbs
, &cipher_suites
))
835 if (!CBS_get_u8_length_prefixed(&cbs
, &compression_methods
))
839 * Use version from inside client hello, not from record header.
840 * (may differ: see RFC 2246, Appendix E, second paragraph)
842 if (!ssl_max_shared_version(s
, client_version
, &shared_version
)) {
843 if ((client_version
>> 8) == SSL3_VERSION_MAJOR
&&
844 !tls12_record_layer_write_protected(s
->internal
->rl
)) {
846 * Similar to ssl3_get_record, send alert using remote
849 s
->version
= client_version
;
851 SSLerror(s
, SSL_R_WRONG_VERSION_NUMBER
);
852 al
= SSL_AD_PROTOCOL_VERSION
;
855 s
->s3
->hs
.peer_legacy_version
= client_version
;
856 s
->version
= shared_version
;
858 s
->s3
->hs
.negotiated_tls_version
= ssl_tls_version(shared_version
);
859 if (s
->s3
->hs
.negotiated_tls_version
== 0) {
860 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
864 if ((method
= ssl_get_method(shared_version
)) == NULL
) {
865 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
871 * If we require cookies (DTLS) and this ClientHello does not contain
872 * one, just return since we do not want to allocate any memory yet.
873 * So check cookie length...
875 if (SSL_is_dtls(s
)) {
876 if (SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
) {
877 if (CBS_len(&cookie
) == 0)
882 if (!CBS_write_bytes(&client_random
, s
->s3
->client_random
,
883 sizeof(s
->s3
->client_random
), NULL
))
886 s
->internal
->hit
= 0;
889 * Versions before 0.9.7 always allow clients to resume sessions in
890 * renegotiation. 0.9.7 and later allow this by default, but optionally
891 * ignore resumption requests with flag
892 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
893 * rather than a change to default behavior so that applications
894 * relying on this for security won't even compile against older
897 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
898 * to request renegotiation but not a new session (s->internal->new_session
899 * remains unset): for servers, this essentially just means that the
900 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
903 if ((s
->internal
->new_session
&& (s
->internal
->options
&
904 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
))) {
905 if (!ssl_get_new_session(s
, 1))
910 CBS_dup(&cbs
, &ext_block
);
912 i
= ssl_get_prev_session(s
, &session_id
, &ext_block
, &al
);
913 if (i
== 1) { /* previous session */
914 s
->internal
->hit
= 1;
919 if (!ssl_get_new_session(s
, 1))
924 if (SSL_is_dtls(s
)) {
926 * The ClientHello may contain a cookie even if the HelloVerify
927 * message has not been sent - make sure that it does not cause
930 if (CBS_len(&cookie
) > sizeof(s
->d1
->rcvd_cookie
)) {
931 al
= SSL_AD_DECODE_ERROR
;
932 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
936 /* Verify the cookie if appropriate option is set. */
937 if ((SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
) &&
938 CBS_len(&cookie
) > 0) {
941 /* XXX - rcvd_cookie seems to only be used here... */
942 if (!CBS_write_bytes(&cookie
, s
->d1
->rcvd_cookie
,
943 sizeof(s
->d1
->rcvd_cookie
), &cookie_len
))
946 if (s
->ctx
->internal
->app_verify_cookie_cb
!= NULL
) {
947 if (s
->ctx
->internal
->app_verify_cookie_cb(s
,
948 s
->d1
->rcvd_cookie
, cookie_len
) == 0) {
949 al
= SSL_AD_HANDSHAKE_FAILURE
;
950 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
953 /* else cookie verification succeeded */
954 /* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */
955 } else if (timingsafe_memcmp(s
->d1
->rcvd_cookie
,
956 s
->d1
->cookie
, s
->d1
->cookie_len
) != 0) {
957 /* default verification */
958 al
= SSL_AD_HANDSHAKE_FAILURE
;
959 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
966 /* XXX - This logic seems wrong... */
967 if (CBS_len(&cipher_suites
) == 0 && CBS_len(&session_id
) != 0) {
968 /* we need a cipher if we are not resuming a session */
969 al
= SSL_AD_ILLEGAL_PARAMETER
;
970 SSLerror(s
, SSL_R_NO_CIPHERS_SPECIFIED
);
974 if (CBS_len(&cipher_suites
) > 0) {
975 if ((ciphers
= ssl_bytes_to_cipher_list(s
,
976 &cipher_suites
)) == NULL
)
980 /* If it is a hit, check that the cipher is in the list */
981 /* XXX - CBS_len(&cipher_suites) will always be zero here... */
982 if (s
->internal
->hit
&& CBS_len(&cipher_suites
) > 0) {
984 id
= s
->session
->cipher
->id
;
986 for (i
= 0; i
< sk_SSL_CIPHER_num(ciphers
); i
++) {
987 c
= sk_SSL_CIPHER_value(ciphers
, i
);
995 * We need to have the cipher in the cipher
996 * list if we are asked to reuse it
998 al
= SSL_AD_ILLEGAL_PARAMETER
;
999 SSLerror(s
, SSL_R_REQUIRED_CIPHER_MISSING
);
1005 while (CBS_len(&compression_methods
) > 0) {
1006 if (!CBS_get_u8(&compression_methods
, &comp_method
))
1008 if (comp_method
== 0)
1011 if (comp_null
== 0) {
1012 al
= SSL_AD_DECODE_ERROR
;
1013 SSLerror(s
, SSL_R_NO_COMPRESSION_SPECIFIED
);
1017 if (!tlsext_server_parse(s
, SSL_TLSEXT_MSG_CH
, &cbs
, &al
)) {
1018 SSLerror(s
, SSL_R_PARSE_TLSEXT
);
1022 if (CBS_len(&cbs
) != 0)
1025 if (!s
->s3
->renegotiate_seen
&& s
->internal
->renegotiate
) {
1026 al
= SSL_AD_HANDSHAKE_FAILURE
;
1027 SSLerror(s
, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
1031 if (ssl_check_clienthello_tlsext_early(s
) <= 0) {
1032 SSLerror(s
, SSL_R_CLIENTHELLO_TLSEXT
);
1037 * Check if we want to use external pre-shared secret for this
1038 * handshake for not reused session only. We need to generate
1039 * server_random before calling tls_session_secret_cb in order to allow
1040 * SessionTicket processing to use it in key derivation.
1042 arc4random_buf(s
->s3
->server_random
, SSL3_RANDOM_SIZE
);
1044 if (s
->s3
->hs
.our_max_tls_version
>= TLS1_2_VERSION
&&
1045 s
->s3
->hs
.negotiated_tls_version
< s
->s3
->hs
.our_max_tls_version
) {
1047 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
1048 * we must set the last 8 bytes of the server random to magical
1049 * values to indicate we meant to downgrade. For TLS 1.2 it is
1050 * recommended that we do the same.
1052 size_t index
= SSL3_RANDOM_SIZE
- sizeof(tls13_downgrade_12
);
1053 uint8_t *magic
= &s
->s3
->server_random
[index
];
1054 if (s
->s3
->hs
.negotiated_tls_version
== TLS1_2_VERSION
) {
1055 /* Indicate we chose to downgrade to 1.2. */
1056 memcpy(magic
, tls13_downgrade_12
,
1057 sizeof(tls13_downgrade_12
));
1059 /* Indicate we chose to downgrade to 1.1 or lower */
1060 memcpy(magic
, tls13_downgrade_11
,
1061 sizeof(tls13_downgrade_11
));
1065 if (!s
->internal
->hit
&& s
->internal
->tls_session_secret_cb
!= NULL
) {
1066 SSL_CIPHER
*pref_cipher
= NULL
;
1067 int master_key_length
= sizeof(s
->session
->master_key
);
1069 if (!s
->internal
->tls_session_secret_cb(s
,
1070 s
->session
->master_key
, &master_key_length
, ciphers
,
1071 &pref_cipher
, s
->internal
->tls_session_secret_cb_arg
)) {
1072 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1075 if (master_key_length
<= 0) {
1076 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1079 s
->session
->master_key_length
= master_key_length
;
1081 s
->internal
->hit
= 1;
1082 s
->session
->verify_result
= X509_V_OK
;
1084 sk_SSL_CIPHER_free(s
->session
->ciphers
);
1085 s
->session
->ciphers
= ciphers
;
1088 /* Check if some cipher was preferred by the callback. */
1089 if (pref_cipher
== NULL
)
1090 pref_cipher
= ssl3_choose_cipher(s
, s
->session
->ciphers
,
1091 SSL_get_ciphers(s
));
1092 if (pref_cipher
== NULL
) {
1093 al
= SSL_AD_HANDSHAKE_FAILURE
;
1094 SSLerror(s
, SSL_R_NO_SHARED_CIPHER
);
1097 s
->session
->cipher
= pref_cipher
;
1099 sk_SSL_CIPHER_free(s
->cipher_list
);
1100 s
->cipher_list
= sk_SSL_CIPHER_dup(s
->session
->ciphers
);
1104 * Given s->session->ciphers and SSL_get_ciphers, we must
1108 if (!s
->internal
->hit
) {
1109 if (ciphers
== NULL
) {
1110 al
= SSL_AD_ILLEGAL_PARAMETER
;
1111 SSLerror(s
, SSL_R_NO_CIPHERS_PASSED
);
1114 sk_SSL_CIPHER_free(s
->session
->ciphers
);
1115 s
->session
->ciphers
= ciphers
;
1118 if ((c
= ssl3_choose_cipher(s
, s
->session
->ciphers
,
1119 SSL_get_ciphers(s
))) == NULL
) {
1120 al
= SSL_AD_HANDSHAKE_FAILURE
;
1121 SSLerror(s
, SSL_R_NO_SHARED_CIPHER
);
1124 s
->s3
->hs
.cipher
= c
;
1126 s
->s3
->hs
.cipher
= s
->session
->cipher
;
1129 if (!tls1_transcript_hash_init(s
))
1132 alg_k
= s
->s3
->hs
.cipher
->algorithm_mkey
;
1133 if (!(SSL_USE_SIGALGS(s
) || (alg_k
& SSL_kGOST
)) ||
1134 !(s
->verify_mode
& SSL_VERIFY_PEER
))
1135 tls1_transcript_free(s
);
1138 * We now have the following setup.
1140 * cipher_list - our prefered list of ciphers
1141 * ciphers - the clients prefered list of ciphers
1142 * compression - basically ignored right now
1143 * ssl version is set - sslv3
1144 * s->session - The ssl session has been setup.
1145 * s->internal->hit - session reuse flag
1146 * s->hs.cipher - the new cipher to use.
1149 /* Handles TLS extensions that we couldn't check earlier */
1150 if (ssl_check_clienthello_tlsext_late(s
) <= 0) {
1151 SSLerror(s
, SSL_R_CLIENTHELLO_TLSEXT
);
1155 ret
= cookie_valid
? 2 : 1;
1159 al
= SSL_AD_DECODE_ERROR
;
1160 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1162 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1165 sk_SSL_CIPHER_free(ciphers
);
1171 ssl3_send_dtls_hello_verify_request(SSL
*s
)
1173 CBB cbb
, verify
, cookie
;
1175 memset(&cbb
, 0, sizeof(cbb
));
1177 if (s
->s3
->hs
.state
== DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A
) {
1178 if (s
->ctx
->internal
->app_gen_cookie_cb
== NULL
||
1179 s
->ctx
->internal
->app_gen_cookie_cb(s
, s
->d1
->cookie
,
1180 &(s
->d1
->cookie_len
)) == 0) {
1181 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1186 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should
1187 * always contain DTLSv1.0 regardless of the version that is
1188 * going to be negotiated.
1190 if (!ssl3_handshake_msg_start(s
, &cbb
, &verify
,
1191 DTLS1_MT_HELLO_VERIFY_REQUEST
))
1193 if (!CBB_add_u16(&verify
, DTLS1_VERSION
))
1195 if (!CBB_add_u8_length_prefixed(&verify
, &cookie
))
1197 if (!CBB_add_bytes(&cookie
, s
->d1
->cookie
, s
->d1
->cookie_len
))
1199 if (!ssl3_handshake_msg_finish(s
, &cbb
))
1202 s
->s3
->hs
.state
= DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B
;
1205 /* s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
1206 return (ssl3_handshake_write(s
));
1215 ssl3_send_server_hello(SSL
*s
)
1217 CBB cbb
, server_hello
, session_id
;
1220 memset(&cbb
, 0, sizeof(cbb
));
1222 if (s
->s3
->hs
.state
== SSL3_ST_SW_SRVR_HELLO_A
) {
1223 if (!ssl3_handshake_msg_start(s
, &cbb
, &server_hello
,
1224 SSL3_MT_SERVER_HELLO
))
1227 if (!CBB_add_u16(&server_hello
, s
->version
))
1229 if (!CBB_add_bytes(&server_hello
, s
->s3
->server_random
,
1230 sizeof(s
->s3
->server_random
)))
1234 * There are several cases for the session ID to send
1235 * back in the server hello:
1237 * - For session reuse from the session cache,
1238 * we send back the old session ID.
1239 * - If stateless session reuse (using a session ticket)
1240 * is successful, we send back the client's "session ID"
1241 * (which doesn't actually identify the session).
1242 * - If it is a new session, we send back the new
1244 * - However, if we want the new session to be single-use,
1245 * we send back a 0-length session ID.
1247 * s->internal->hit is non-zero in either case of session reuse,
1248 * so the following won't overwrite an ID that we're supposed
1251 if (!(s
->ctx
->internal
->session_cache_mode
& SSL_SESS_CACHE_SERVER
)
1252 && !s
->internal
->hit
)
1253 s
->session
->session_id_length
= 0;
1255 sl
= s
->session
->session_id_length
;
1256 if (sl
> sizeof(s
->session
->session_id
)) {
1257 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1260 if (!CBB_add_u8_length_prefixed(&server_hello
, &session_id
))
1262 if (!CBB_add_bytes(&session_id
, s
->session
->session_id
, sl
))
1266 if (!CBB_add_u16(&server_hello
,
1267 ssl3_cipher_get_value(s
->s3
->hs
.cipher
)))
1270 /* Compression method (null). */
1271 if (!CBB_add_u8(&server_hello
, 0))
1274 /* TLS extensions */
1275 if (!tlsext_server_build(s
, SSL_TLSEXT_MSG_SH
, &server_hello
)) {
1276 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1280 if (!ssl3_handshake_msg_finish(s
, &cbb
))
1284 /* SSL3_ST_SW_SRVR_HELLO_B */
1285 return (ssl3_handshake_write(s
));
1294 ssl3_send_server_done(SSL
*s
)
1298 memset(&cbb
, 0, sizeof(cbb
));
1300 if (s
->s3
->hs
.state
== SSL3_ST_SW_SRVR_DONE_A
) {
1301 if (!ssl3_handshake_msg_start(s
, &cbb
, &done
,
1302 SSL3_MT_SERVER_DONE
))
1304 if (!ssl3_handshake_msg_finish(s
, &cbb
))
1307 s
->s3
->hs
.state
= SSL3_ST_SW_SRVR_DONE_B
;
1310 /* SSL3_ST_SW_SRVR_DONE_B */
1311 return (ssl3_handshake_write(s
));
1320 ssl3_send_server_kex_dhe(SSL
*s
, CBB
*cbb
)
1322 int nid
= NID_dhKeyAgreement
;
1324 tls_key_share_free(s
->s3
->hs
.key_share
);
1325 if ((s
->s3
->hs
.key_share
= tls_key_share_new_nid(nid
)) == NULL
)
1328 if (s
->cert
->dhe_params_auto
!= 0) {
1331 if ((key_bits
= ssl_dhe_params_auto_key_bits(s
)) == 0) {
1332 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1333 ssl3_send_alert(s
, SSL3_AL_FATAL
,
1334 SSL_AD_INTERNAL_ERROR
);
1337 tls_key_share_set_key_bits(s
->s3
->hs
.key_share
,
1340 DH
*dh_params
= s
->cert
->dhe_params
;
1342 if (dh_params
== NULL
&& s
->cert
->dhe_params_cb
!= NULL
)
1343 dh_params
= s
->cert
->dhe_params_cb(s
, 0,
1344 SSL_C_PKEYLENGTH(s
->s3
->hs
.cipher
));
1346 if (dh_params
== NULL
) {
1347 SSLerror(s
, SSL_R_MISSING_TMP_DH_KEY
);
1348 ssl3_send_alert(s
, SSL3_AL_FATAL
,
1349 SSL_AD_HANDSHAKE_FAILURE
);
1353 if (!tls_key_share_set_dh_params(s
->s3
->hs
.key_share
, dh_params
))
1357 if (!tls_key_share_generate(s
->s3
->hs
.key_share
))
1360 if (!tls_key_share_params(s
->s3
->hs
.key_share
, cbb
))
1362 if (!tls_key_share_public(s
->s3
->hs
.key_share
, cbb
))
1365 if (!tls_key_share_peer_security(s
, s
->s3
->hs
.key_share
)) {
1366 SSLerror(s
, SSL_R_DH_KEY_TOO_SMALL
);
1367 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
1378 ssl3_send_server_kex_ecdhe(SSL
*s
, CBB
*cbb
)
1383 if (!tls1_get_supported_group(s
, &nid
)) {
1384 SSLerror(s
, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE
);
1385 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
1389 tls_key_share_free(s
->s3
->hs
.key_share
);
1390 if ((s
->s3
->hs
.key_share
= tls_key_share_new_nid(nid
)) == NULL
)
1393 if (!tls_key_share_generate(s
->s3
->hs
.key_share
))
1397 * ECC key exchange - see RFC 8422, section 5.4.
1399 if (!CBB_add_u8(cbb
, NAMED_CURVE_TYPE
))
1401 if (!CBB_add_u16(cbb
, tls_key_share_group(s
->s3
->hs
.key_share
)))
1403 if (!CBB_add_u8_length_prefixed(cbb
, &public))
1405 if (!tls_key_share_public(s
->s3
->hs
.key_share
, &public))
1407 if (!CBB_flush(cbb
))
1417 ssl3_send_server_key_exchange(SSL
*s
)
1419 CBB cbb
, cbb_params
, cbb_signature
, server_kex
;
1420 const struct ssl_sigalg
*sigalg
= NULL
;
1421 unsigned char *signature
= NULL
;
1422 size_t signature_len
= 0;
1423 unsigned char *params
= NULL
;
1425 const EVP_MD
*md
= NULL
;
1427 EVP_MD_CTX
*md_ctx
= NULL
;
1432 memset(&cbb
, 0, sizeof(cbb
));
1433 memset(&cbb_params
, 0, sizeof(cbb_params
));
1435 if ((md_ctx
= EVP_MD_CTX_new()) == NULL
)
1438 if (s
->s3
->hs
.state
== SSL3_ST_SW_KEY_EXCH_A
) {
1440 if (!ssl3_handshake_msg_start(s
, &cbb
, &server_kex
,
1441 SSL3_MT_SERVER_KEY_EXCHANGE
))
1444 if (!CBB_init(&cbb_params
, 0))
1447 type
= s
->s3
->hs
.cipher
->algorithm_mkey
;
1448 if (type
& SSL_kDHE
) {
1449 if (!ssl3_send_server_kex_dhe(s
, &cbb_params
))
1451 } else if (type
& SSL_kECDHE
) {
1452 if (!ssl3_send_server_kex_ecdhe(s
, &cbb_params
))
1455 al
= SSL_AD_HANDSHAKE_FAILURE
;
1456 SSLerror(s
, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE
);
1460 if (!CBB_finish(&cbb_params
, ¶ms
, ¶ms_len
))
1463 if (!CBB_add_bytes(&server_kex
, params
, params_len
))
1466 /* Add signature unless anonymous. */
1467 if (!(s
->s3
->hs
.cipher
->algorithm_auth
& SSL_aNULL
)) {
1468 if ((pkey
= ssl_get_sign_pkey(s
, s
->s3
->hs
.cipher
,
1469 &md
, &sigalg
)) == NULL
) {
1470 al
= SSL_AD_DECODE_ERROR
;
1473 s
->s3
->hs
.our_sigalg
= sigalg
;
1475 /* Send signature algorithm. */
1476 if (SSL_USE_SIGALGS(s
)) {
1477 if (!CBB_add_u16(&server_kex
, sigalg
->value
)) {
1478 al
= SSL_AD_INTERNAL_ERROR
;
1479 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1484 if (!EVP_DigestSignInit(md_ctx
, &pctx
, md
, NULL
, pkey
)) {
1485 SSLerror(s
, ERR_R_EVP_LIB
);
1488 if ((sigalg
->flags
& SIGALG_FLAG_RSA_PSS
) &&
1489 (!EVP_PKEY_CTX_set_rsa_padding(pctx
,
1490 RSA_PKCS1_PSS_PADDING
) ||
1491 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx
, -1))) {
1492 SSLerror(s
, ERR_R_EVP_LIB
);
1495 if (!EVP_DigestSignUpdate(md_ctx
, s
->s3
->client_random
,
1496 SSL3_RANDOM_SIZE
)) {
1497 SSLerror(s
, ERR_R_EVP_LIB
);
1500 if (!EVP_DigestSignUpdate(md_ctx
, s
->s3
->server_random
,
1501 SSL3_RANDOM_SIZE
)) {
1502 SSLerror(s
, ERR_R_EVP_LIB
);
1505 if (!EVP_DigestSignUpdate(md_ctx
, params
, params_len
)) {
1506 SSLerror(s
, ERR_R_EVP_LIB
);
1509 if (!EVP_DigestSignFinal(md_ctx
, NULL
, &signature_len
) ||
1511 SSLerror(s
, ERR_R_EVP_LIB
);
1514 if ((signature
= calloc(1, signature_len
)) == NULL
) {
1515 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
1518 if (!EVP_DigestSignFinal(md_ctx
, signature
, &signature_len
)) {
1519 SSLerror(s
, ERR_R_EVP_LIB
);
1523 if (!CBB_add_u16_length_prefixed(&server_kex
,
1526 if (!CBB_add_bytes(&cbb_signature
, signature
,
1531 if (!ssl3_handshake_msg_finish(s
, &cbb
))
1534 s
->s3
->hs
.state
= SSL3_ST_SW_KEY_EXCH_B
;
1537 EVP_MD_CTX_free(md_ctx
);
1541 return (ssl3_handshake_write(s
));
1544 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1546 CBB_cleanup(&cbb_params
);
1548 EVP_MD_CTX_free(md_ctx
);
1556 ssl3_send_certificate_request(SSL
*s
)
1558 CBB cbb
, cert_request
, cert_types
, sigalgs
, cert_auth
, dn
;
1559 STACK_OF(X509_NAME
) *sk
= NULL
;
1564 * Certificate Request - RFC 5246 section 7.4.4.
1567 memset(&cbb
, 0, sizeof(cbb
));
1569 if (s
->s3
->hs
.state
== SSL3_ST_SW_CERT_REQ_A
) {
1570 if (!ssl3_handshake_msg_start(s
, &cbb
, &cert_request
,
1571 SSL3_MT_CERTIFICATE_REQUEST
))
1574 if (!CBB_add_u8_length_prefixed(&cert_request
, &cert_types
))
1576 if (!ssl3_get_req_cert_types(s
, &cert_types
))
1579 if (SSL_USE_SIGALGS(s
)) {
1580 if (!CBB_add_u16_length_prefixed(&cert_request
,
1583 if (!ssl_sigalgs_build(s
->s3
->hs
.negotiated_tls_version
,
1584 &sigalgs
, SSL_get_security_level(s
)))
1588 if (!CBB_add_u16_length_prefixed(&cert_request
, &cert_auth
))
1591 sk
= SSL_get_client_CA_list(s
);
1592 for (i
= 0; i
< sk_X509_NAME_num(sk
); i
++) {
1593 unsigned char *name_data
;
1596 name
= sk_X509_NAME_value(sk
, i
);
1597 name_len
= i2d_X509_NAME(name
, NULL
);
1599 if (!CBB_add_u16_length_prefixed(&cert_auth
, &dn
))
1601 if (!CBB_add_space(&dn
, &name_data
, name_len
))
1603 if (i2d_X509_NAME(name
, &name_data
) != name_len
)
1607 if (!ssl3_handshake_msg_finish(s
, &cbb
))
1610 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_REQ_B
;
1613 /* SSL3_ST_SW_CERT_REQ_B */
1614 return (ssl3_handshake_write(s
));
1623 ssl3_get_client_kex_rsa(SSL
*s
, CBS
*cbs
)
1625 unsigned char fakekey
[SSL_MAX_MASTER_KEY_LENGTH
];
1626 unsigned char *pms
= NULL
;
1629 EVP_PKEY
*pkey
= NULL
;
1635 arc4random_buf(fakekey
, sizeof(fakekey
));
1637 fakekey
[0] = s
->s3
->hs
.peer_legacy_version
>> 8;
1638 fakekey
[1] = s
->s3
->hs
.peer_legacy_version
& 0xff;
1640 pkey
= s
->cert
->pkeys
[SSL_PKEY_RSA
].privatekey
;
1641 if (pkey
== NULL
|| (rsa
= EVP_PKEY_get0_RSA(pkey
)) == NULL
) {
1642 al
= SSL_AD_HANDSHAKE_FAILURE
;
1643 SSLerror(s
, SSL_R_MISSING_RSA_CERTIFICATE
);
1647 pms_len
= RSA_size(rsa
);
1648 if (pms_len
< SSL_MAX_MASTER_KEY_LENGTH
)
1650 if ((pms
= malloc(pms_len
)) == NULL
)
1654 if (!CBS_get_u16_length_prefixed(cbs
, &enc_pms
))
1656 if (CBS_len(cbs
) != 0 || CBS_len(&enc_pms
) != RSA_size(rsa
)) {
1657 SSLerror(s
, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
);
1661 decrypt_len
= RSA_private_decrypt(CBS_len(&enc_pms
), CBS_data(&enc_pms
),
1662 pms
, rsa
, RSA_PKCS1_PADDING
);
1666 if (decrypt_len
!= SSL_MAX_MASTER_KEY_LENGTH
) {
1667 al
= SSL_AD_DECODE_ERROR
;
1668 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
1671 if ((al
== -1) && !((pms
[0] == (s
->s3
->hs
.peer_legacy_version
>> 8)) &&
1672 (pms
[1] == (s
->s3
->hs
.peer_legacy_version
& 0xff)))) {
1674 * The premaster secret must contain the same version number
1675 * as the ClientHello to detect version rollback attacks
1676 * (strangely, the protocol does not offer such protection for
1679 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
1680 * (http://eprint.iacr.org/2003/052/) exploits the version
1681 * number check as a "bad version oracle" -- an alert would
1682 * reveal that the plaintext corresponding to some ciphertext
1683 * made up by the adversary is properly formatted except that
1684 * the version number is wrong. To avoid such attacks, we should
1685 * treat this just like any other decryption error.
1687 al
= SSL_AD_DECODE_ERROR
;
1688 /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1693 * Some decryption failure -- use random value instead
1694 * as countermeasure against Bleichenbacher's attack
1695 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1701 if (!tls12_derive_master_secret(s
, p
, SSL_MAX_MASTER_KEY_LENGTH
))
1704 freezero(pms
, pms_len
);
1709 al
= SSL_AD_DECODE_ERROR
;
1710 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1712 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1714 freezero(pms
, pms_len
);
1720 ssl3_get_client_kex_dhe(SSL
*s
, CBS
*cbs
)
1722 uint8_t *key
= NULL
;
1724 int decode_error
, invalid_key
;
1727 if (s
->s3
->hs
.key_share
== NULL
) {
1728 SSLerror(s
, SSL_R_MISSING_TMP_DH_KEY
);
1729 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
1733 if (!tls_key_share_peer_public(s
->s3
->hs
.key_share
, cbs
,
1734 &decode_error
, &invalid_key
)) {
1736 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1737 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1742 SSLerror(s
, SSL_R_BAD_DH_PUB_KEY_LENGTH
);
1743 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_ILLEGAL_PARAMETER
);
1747 if (!tls_key_share_derive(s
->s3
->hs
.key_share
, &key
, &key_len
))
1750 if (!tls12_derive_master_secret(s
, key
, key_len
))
1756 freezero(key
, key_len
);
1762 ssl3_get_client_kex_ecdhe(SSL
*s
, CBS
*cbs
)
1764 uint8_t *key
= NULL
;
1770 if (s
->s3
->hs
.key_share
== NULL
) {
1771 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
1772 SSLerror(s
, SSL_R_MISSING_TMP_DH_KEY
);
1776 if (!CBS_get_u8_length_prefixed(cbs
, &public)) {
1777 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1778 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1781 if (!tls_key_share_peer_public(s
->s3
->hs
.key_share
, &public,
1782 &decode_error
, NULL
)) {
1784 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1785 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1790 if (!tls_key_share_derive(s
->s3
->hs
.key_share
, &key
, &key_len
))
1793 if (!tls12_derive_master_secret(s
, key
, key_len
))
1799 freezero(key
, key_len
);
1805 ssl3_get_client_kex_gost(SSL
*s
, CBS
*cbs
)
1807 unsigned char premaster_secret
[32];
1808 EVP_PKEY_CTX
*pkey_ctx
= NULL
;
1809 EVP_PKEY
*client_pubkey
;
1810 EVP_PKEY
*pkey
= NULL
;
1814 /* Get our certificate private key*/
1815 if ((s
->s3
->hs
.cipher
->algorithm_auth
& SSL_aGOST01
) != 0)
1816 pkey
= s
->cert
->pkeys
[SSL_PKEY_GOST01
].privatekey
;
1818 if ((pkey_ctx
= EVP_PKEY_CTX_new(pkey
, NULL
)) == NULL
)
1820 if (EVP_PKEY_decrypt_init(pkey_ctx
) <= 0)
1824 * If client certificate is present and is of the same type,
1825 * maybe use it for key exchange.
1826 * Don't mind errors from EVP_PKEY_derive_set_peer, because
1827 * it is completely valid to use a client certificate for
1828 * authorization only.
1830 if ((client_pubkey
= X509_get0_pubkey(s
->session
->peer_cert
)) != NULL
) {
1831 if (EVP_PKEY_derive_set_peer(pkey_ctx
, client_pubkey
) <= 0)
1835 /* Decrypt session key */
1836 if (!CBS_get_asn1(cbs
, &gostblob
, CBS_ASN1_SEQUENCE
))
1838 if (CBS_len(cbs
) != 0)
1840 outlen
= sizeof(premaster_secret
);
1841 if (EVP_PKEY_decrypt(pkey_ctx
, premaster_secret
, &outlen
,
1842 CBS_data(&gostblob
), CBS_len(&gostblob
)) <= 0) {
1843 SSLerror(s
, SSL_R_DECRYPTION_FAILED
);
1847 if (!tls12_derive_master_secret(s
, premaster_secret
,
1848 sizeof(premaster_secret
)))
1851 /* Check if pubkey from client certificate was used */
1852 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, -1, EVP_PKEY_CTRL_PEER_KEY
,
1854 s
->s3
->flags
|= TLS1_FLAGS_SKIP_CERT_VERIFY
;
1856 explicit_bzero(premaster_secret
, sizeof(premaster_secret
));
1857 EVP_PKEY_CTX_free(pkey_ctx
);
1862 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1863 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_DECODE_ERROR
);
1865 explicit_bzero(premaster_secret
, sizeof(premaster_secret
));
1866 EVP_PKEY_CTX_free(pkey_ctx
);
1872 ssl3_get_client_key_exchange(SSL
*s
)
1874 unsigned long alg_k
;
1878 /* 2048 maxlen is a guess. How long a key does that permit? */
1879 if ((ret
= ssl3_get_message(s
, SSL3_ST_SR_KEY_EXCH_A
,
1880 SSL3_ST_SR_KEY_EXCH_B
, SSL3_MT_CLIENT_KEY_EXCHANGE
, 2048)) <= 0)
1883 if (s
->internal
->init_num
< 0)
1886 CBS_init(&cbs
, s
->internal
->init_msg
, s
->internal
->init_num
);
1888 alg_k
= s
->s3
->hs
.cipher
->algorithm_mkey
;
1890 if (alg_k
& SSL_kRSA
) {
1891 if (!ssl3_get_client_kex_rsa(s
, &cbs
))
1893 } else if (alg_k
& SSL_kDHE
) {
1894 if (!ssl3_get_client_kex_dhe(s
, &cbs
))
1896 } else if (alg_k
& SSL_kECDHE
) {
1897 if (!ssl3_get_client_kex_ecdhe(s
, &cbs
))
1899 } else if (alg_k
& SSL_kGOST
) {
1900 if (!ssl3_get_client_kex_gost(s
, &cbs
))
1903 al
= SSL_AD_HANDSHAKE_FAILURE
;
1904 SSLerror(s
, SSL_R_UNKNOWN_CIPHER_TYPE
);
1908 if (CBS_len(&cbs
) != 0) {
1909 al
= SSL_AD_DECODE_ERROR
;
1910 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1917 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1923 ssl3_get_cert_verify(SSL
*s
)
1926 const struct ssl_sigalg
*sigalg
= NULL
;
1927 uint16_t sigalg_value
= SIGALG_NONE
;
1929 X509
*peer_cert
= NULL
;
1930 EVP_MD_CTX
*mctx
= NULL
;
1932 const unsigned char *hdata
;
1937 if ((ret
= ssl3_get_message(s
, SSL3_ST_SR_CERT_VRFY_A
,
1938 SSL3_ST_SR_CERT_VRFY_B
, -1, SSL3_RT_MAX_PLAIN_LENGTH
)) <= 0)
1943 if (s
->internal
->init_num
< 0)
1946 if ((mctx
= EVP_MD_CTX_new()) == NULL
)
1949 CBS_init(&cbs
, s
->internal
->init_msg
, s
->internal
->init_num
);
1951 peer_cert
= s
->session
->peer_cert
;
1952 pkey
= X509_get0_pubkey(peer_cert
);
1953 type
= X509_certificate_type(peer_cert
, pkey
);
1955 if (s
->s3
->hs
.tls12
.message_type
!= SSL3_MT_CERTIFICATE_VERIFY
) {
1956 s
->s3
->hs
.tls12
.reuse_message
= 1;
1957 if (peer_cert
!= NULL
) {
1958 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1959 SSLerror(s
, SSL_R_MISSING_VERIFY_MESSAGE
);
1966 if (peer_cert
== NULL
) {
1967 SSLerror(s
, SSL_R_NO_CLIENT_CERT_RECEIVED
);
1968 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1972 if (!(type
& EVP_PKT_SIGN
)) {
1973 SSLerror(s
, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE
);
1974 al
= SSL_AD_ILLEGAL_PARAMETER
;
1978 if (s
->s3
->change_cipher_spec
) {
1979 SSLerror(s
, SSL_R_CCS_RECEIVED_EARLY
);
1980 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1984 if (SSL_USE_SIGALGS(s
)) {
1985 if (!CBS_get_u16(&cbs
, &sigalg_value
))
1988 if (!CBS_get_u16_length_prefixed(&cbs
, &signature
))
1990 if (CBS_len(&cbs
) != 0) {
1991 al
= SSL_AD_DECODE_ERROR
;
1992 SSLerror(s
, SSL_R_EXTRA_DATA_IN_MESSAGE
);
1996 if (CBS_len(&signature
) > EVP_PKEY_size(pkey
)) {
1997 SSLerror(s
, SSL_R_WRONG_SIGNATURE_SIZE
);
1998 al
= SSL_AD_DECODE_ERROR
;
2002 if ((sigalg
= ssl_sigalg_for_peer(s
, pkey
,
2003 sigalg_value
)) == NULL
) {
2004 al
= SSL_AD_DECODE_ERROR
;
2007 s
->s3
->hs
.peer_sigalg
= sigalg
;
2009 if (SSL_USE_SIGALGS(s
)) {
2012 if (!tls1_transcript_data(s
, &hdata
, &hdatalen
)) {
2013 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2014 al
= SSL_AD_INTERNAL_ERROR
;
2017 if (!EVP_DigestVerifyInit(mctx
, &pctx
, sigalg
->md(),
2019 SSLerror(s
, ERR_R_EVP_LIB
);
2020 al
= SSL_AD_INTERNAL_ERROR
;
2023 if ((sigalg
->flags
& SIGALG_FLAG_RSA_PSS
) &&
2024 (!EVP_PKEY_CTX_set_rsa_padding(pctx
,
2025 RSA_PKCS1_PSS_PADDING
) ||
2026 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx
, -1))) {
2027 al
= SSL_AD_INTERNAL_ERROR
;
2030 if (sigalg
->key_type
== EVP_PKEY_GOSTR01
&&
2031 EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_VERIFY
,
2032 EVP_PKEY_CTRL_GOST_SIG_FORMAT
, GOST_SIG_FORMAT_RS_LE
,
2034 al
= SSL_AD_INTERNAL_ERROR
;
2037 if (!EVP_DigestVerifyUpdate(mctx
, hdata
, hdatalen
)) {
2038 SSLerror(s
, ERR_R_EVP_LIB
);
2039 al
= SSL_AD_INTERNAL_ERROR
;
2042 if (EVP_DigestVerifyFinal(mctx
, CBS_data(&signature
),
2043 CBS_len(&signature
)) <= 0) {
2044 al
= SSL_AD_DECRYPT_ERROR
;
2045 SSLerror(s
, SSL_R_BAD_SIGNATURE
);
2048 } else if (EVP_PKEY_id(pkey
) == EVP_PKEY_RSA
) {
2051 if ((rsa
= EVP_PKEY_get0_RSA(pkey
)) == NULL
) {
2052 al
= SSL_AD_INTERNAL_ERROR
;
2053 SSLerror(s
, ERR_R_EVP_LIB
);
2056 verify
= RSA_verify(NID_md5_sha1
, s
->s3
->hs
.tls12
.cert_verify
,
2057 MD5_DIGEST_LENGTH
+ SHA_DIGEST_LENGTH
, CBS_data(&signature
),
2058 CBS_len(&signature
), rsa
);
2060 al
= SSL_AD_DECRYPT_ERROR
;
2061 SSLerror(s
, SSL_R_BAD_RSA_DECRYPT
);
2065 al
= SSL_AD_DECRYPT_ERROR
;
2066 SSLerror(s
, SSL_R_BAD_RSA_SIGNATURE
);
2069 } else if (EVP_PKEY_id(pkey
) == EVP_PKEY_EC
) {
2072 if ((eckey
= EVP_PKEY_get0_EC_KEY(pkey
)) == NULL
) {
2073 al
= SSL_AD_INTERNAL_ERROR
;
2074 SSLerror(s
, ERR_R_EVP_LIB
);
2077 verify
= ECDSA_verify(0,
2078 &(s
->s3
->hs
.tls12
.cert_verify
[MD5_DIGEST_LENGTH
]),
2079 SHA_DIGEST_LENGTH
, CBS_data(&signature
),
2080 CBS_len(&signature
), eckey
);
2082 al
= SSL_AD_DECRYPT_ERROR
;
2083 SSLerror(s
, SSL_R_BAD_ECDSA_SIGNATURE
);
2086 #ifndef OPENSSL_NO_GOST
2087 } else if (EVP_PKEY_id(pkey
) == NID_id_GostR3410_94
||
2088 EVP_PKEY_id(pkey
) == NID_id_GostR3410_2001
) {
2089 unsigned char sigbuf
[128];
2090 unsigned int siglen
= sizeof(sigbuf
);
2095 if (!tls1_transcript_data(s
, &hdata
, &hdatalen
)) {
2096 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2097 al
= SSL_AD_INTERNAL_ERROR
;
2100 if (!EVP_PKEY_get_default_digest_nid(pkey
, &nid
) ||
2101 !(md
= EVP_get_digestbynid(nid
))) {
2102 SSLerror(s
, ERR_R_EVP_LIB
);
2103 al
= SSL_AD_INTERNAL_ERROR
;
2106 if ((pctx
= EVP_PKEY_CTX_new(pkey
, NULL
)) == NULL
) {
2107 SSLerror(s
, ERR_R_EVP_LIB
);
2108 al
= SSL_AD_INTERNAL_ERROR
;
2111 if (!EVP_DigestInit_ex(mctx
, md
, NULL
) ||
2112 !EVP_DigestUpdate(mctx
, hdata
, hdatalen
) ||
2113 !EVP_DigestFinal(mctx
, sigbuf
, &siglen
) ||
2114 (EVP_PKEY_verify_init(pctx
) <= 0) ||
2115 (EVP_PKEY_CTX_set_signature_md(pctx
, md
) <= 0) ||
2116 (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_VERIFY
,
2117 EVP_PKEY_CTRL_GOST_SIG_FORMAT
,
2118 GOST_SIG_FORMAT_RS_LE
, NULL
) <= 0)) {
2119 SSLerror(s
, ERR_R_EVP_LIB
);
2120 al
= SSL_AD_INTERNAL_ERROR
;
2121 EVP_PKEY_CTX_free(pctx
);
2124 if (EVP_PKEY_verify(pctx
, CBS_data(&signature
),
2125 CBS_len(&signature
), sigbuf
, siglen
) <= 0) {
2126 al
= SSL_AD_DECRYPT_ERROR
;
2127 SSLerror(s
, SSL_R_BAD_SIGNATURE
);
2128 EVP_PKEY_CTX_free(pctx
);
2132 EVP_PKEY_CTX_free(pctx
);
2135 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2136 al
= SSL_AD_UNSUPPORTED_CERTIFICATE
;
2143 al
= SSL_AD_DECODE_ERROR
;
2144 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
2146 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2149 tls1_transcript_free(s
);
2151 EVP_MD_CTX_free(mctx
);
2157 ssl3_get_client_certificate(SSL
*s
)
2159 CBS cbs
, cert_list
, cert_data
;
2160 STACK_OF(X509
) *certs
= NULL
;
2165 if ((ret
= ssl3_get_message(s
, SSL3_ST_SR_CERT_A
, SSL3_ST_SR_CERT_B
,
2166 -1, s
->internal
->max_cert_list
)) <= 0)
2171 if (s
->s3
->hs
.tls12
.message_type
== SSL3_MT_CLIENT_KEY_EXCHANGE
) {
2172 if ((s
->verify_mode
& SSL_VERIFY_PEER
) &&
2173 (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)) {
2174 SSLerror(s
, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
);
2175 al
= SSL_AD_HANDSHAKE_FAILURE
;
2180 * If we asked for a client certificate and the client has none,
2181 * it must respond with a certificate list of length zero.
2183 if (s
->s3
->hs
.tls12
.cert_request
!= 0) {
2184 SSLerror(s
, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
);
2185 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2188 s
->s3
->hs
.tls12
.reuse_message
= 1;
2192 if (s
->s3
->hs
.tls12
.message_type
!= SSL3_MT_CERTIFICATE
) {
2193 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2194 SSLerror(s
, SSL_R_WRONG_MESSAGE_TYPE
);
2198 if (s
->internal
->init_num
< 0)
2201 CBS_init(&cbs
, s
->internal
->init_msg
, s
->internal
->init_num
);
2203 if (!CBS_get_u24_length_prefixed(&cbs
, &cert_list
))
2205 if (CBS_len(&cbs
) != 0)
2209 * A TLS client must send an empty certificate list, if no suitable
2210 * certificate is available (rather than omitting the Certificate
2211 * handshake message) - see RFC 5246 section 7.4.6.
2213 if (CBS_len(&cert_list
) == 0) {
2214 if ((s
->verify_mode
& SSL_VERIFY_PEER
) &&
2215 (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)) {
2216 SSLerror(s
, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
);
2217 al
= SSL_AD_HANDSHAKE_FAILURE
;
2220 /* No client certificate so free transcript. */
2221 tls1_transcript_free(s
);
2225 if ((certs
= sk_X509_new_null()) == NULL
) {
2226 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
2230 while (CBS_len(&cert_list
) > 0) {
2231 if (!CBS_get_u24_length_prefixed(&cert_list
, &cert_data
))
2233 p
= CBS_data(&cert_data
);
2234 if ((cert
= d2i_X509(NULL
, &p
, CBS_len(&cert_data
))) == NULL
) {
2235 SSLerror(s
, ERR_R_ASN1_LIB
);
2238 if (p
!= CBS_data(&cert_data
) + CBS_len(&cert_data
))
2240 if (!sk_X509_push(certs
, cert
)) {
2241 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
2247 if (ssl_verify_cert_chain(s
, certs
) <= 0) {
2248 al
= ssl_verify_alarm_type(s
->verify_result
);
2249 SSLerror(s
, SSL_R_NO_CERTIFICATE_RETURNED
);
2252 s
->session
->verify_result
= s
->verify_result
;
2255 if (!tls_process_peer_certs(s
, certs
))
2262 al
= SSL_AD_DECODE_ERROR
;
2263 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
2265 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2268 sk_X509_pop_free(certs
, X509_free
);
2275 ssl3_send_server_certificate(SSL
*s
)
2277 CBB cbb
, server_cert
;
2281 * Server Certificate - RFC 5246, section 7.4.2.
2284 memset(&cbb
, 0, sizeof(cbb
));
2286 if (s
->s3
->hs
.state
== SSL3_ST_SW_CERT_A
) {
2287 if ((cpk
= ssl_get_server_send_pkey(s
)) == NULL
) {
2288 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2292 if (!ssl3_handshake_msg_start(s
, &cbb
, &server_cert
,
2293 SSL3_MT_CERTIFICATE
))
2295 if (!ssl3_output_cert_chain(s
, &server_cert
, cpk
))
2297 if (!ssl3_handshake_msg_finish(s
, &cbb
))
2300 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_B
;
2303 /* SSL3_ST_SW_CERT_B */
2304 return (ssl3_handshake_write(s
));
2312 /* send a new session ticket (not necessarily for a new session) */
2314 ssl3_send_newsession_ticket(SSL
*s
)
2316 CBB cbb
, session_ticket
, ticket
;
2317 SSL_CTX
*tctx
= s
->initial_ctx
;
2318 size_t enc_session_len
, enc_session_max_len
, hmac_len
;
2319 size_t session_len
= 0;
2320 unsigned char *enc_session
= NULL
, *session
= NULL
;
2321 unsigned char iv
[EVP_MAX_IV_LENGTH
];
2322 unsigned char key_name
[16];
2323 unsigned char *hmac
;
2325 EVP_CIPHER_CTX
*ctx
= NULL
;
2326 HMAC_CTX
*hctx
= NULL
;
2330 * New Session Ticket - RFC 5077, section 3.3.
2333 memset(&cbb
, 0, sizeof(cbb
));
2335 if ((ctx
= EVP_CIPHER_CTX_new()) == NULL
)
2337 if ((hctx
= HMAC_CTX_new()) == NULL
)
2340 if (s
->s3
->hs
.state
== SSL3_ST_SW_SESSION_TICKET_A
) {
2341 if (!ssl3_handshake_msg_start(s
, &cbb
, &session_ticket
,
2342 SSL3_MT_NEWSESSION_TICKET
))
2345 if (!SSL_SESSION_ticket(s
->session
, &session
, &session_len
))
2347 if (session_len
> 0xffff)
2351 * Initialize HMAC and cipher contexts. If callback is present
2352 * it does all the work, otherwise use generated values from
2355 if (tctx
->internal
->tlsext_ticket_key_cb
!= NULL
) {
2356 if (tctx
->internal
->tlsext_ticket_key_cb(s
,
2357 key_name
, iv
, ctx
, hctx
, 1) < 0)
2360 arc4random_buf(iv
, 16);
2361 EVP_EncryptInit_ex(ctx
, EVP_aes_128_cbc(), NULL
,
2362 tctx
->internal
->tlsext_tick_aes_key
, iv
);
2363 HMAC_Init_ex(hctx
, tctx
->internal
->tlsext_tick_hmac_key
,
2364 16, EVP_sha256(), NULL
);
2365 memcpy(key_name
, tctx
->internal
->tlsext_tick_key_name
, 16);
2368 /* Encrypt the session state. */
2369 enc_session_max_len
= session_len
+ EVP_MAX_BLOCK_LENGTH
;
2370 if ((enc_session
= calloc(1, enc_session_max_len
)) == NULL
)
2372 enc_session_len
= 0;
2373 if (!EVP_EncryptUpdate(ctx
, enc_session
, &len
, session
,
2376 enc_session_len
+= len
;
2377 if (!EVP_EncryptFinal_ex(ctx
, enc_session
+ enc_session_len
,
2380 enc_session_len
+= len
;
2382 if (enc_session_len
> enc_session_max_len
)
2385 /* Generate the HMAC. */
2386 if (!HMAC_Update(hctx
, key_name
, sizeof(key_name
)))
2388 if (!HMAC_Update(hctx
, iv
, EVP_CIPHER_CTX_iv_length(ctx
)))
2390 if (!HMAC_Update(hctx
, enc_session
, enc_session_len
))
2393 if ((hmac_len
= HMAC_size(hctx
)) <= 0)
2397 * Ticket lifetime hint (advisory only):
2398 * We leave this unspecified for resumed session
2399 * (for simplicity), and guess that tickets for new
2400 * sessions will live as long as their sessions.
2402 if (!CBB_add_u32(&session_ticket
,
2403 s
->internal
->hit
? 0 : s
->session
->timeout
))
2406 if (!CBB_add_u16_length_prefixed(&session_ticket
, &ticket
))
2408 if (!CBB_add_bytes(&ticket
, key_name
, sizeof(key_name
)))
2410 if (!CBB_add_bytes(&ticket
, iv
, EVP_CIPHER_CTX_iv_length(ctx
)))
2412 if (!CBB_add_bytes(&ticket
, enc_session
, enc_session_len
))
2414 if (!CBB_add_space(&ticket
, &hmac
, hmac_len
))
2417 if (!HMAC_Final(hctx
, hmac
, &hlen
))
2419 if (hlen
!= hmac_len
)
2422 if (!ssl3_handshake_msg_finish(s
, &cbb
))
2425 s
->s3
->hs
.state
= SSL3_ST_SW_SESSION_TICKET_B
;
2428 EVP_CIPHER_CTX_free(ctx
);
2429 HMAC_CTX_free(hctx
);
2430 freezero(session
, session_len
);
2433 /* SSL3_ST_SW_SESSION_TICKET_B */
2434 return (ssl3_handshake_write(s
));
2438 EVP_CIPHER_CTX_free(ctx
);
2439 HMAC_CTX_free(hctx
);
2440 freezero(session
, session_len
);
2447 ssl3_send_cert_status(SSL
*s
)
2449 CBB cbb
, certstatus
, ocspresp
;
2451 memset(&cbb
, 0, sizeof(cbb
));
2453 if (s
->s3
->hs
.state
== SSL3_ST_SW_CERT_STATUS_A
) {
2454 if (!ssl3_handshake_msg_start(s
, &cbb
, &certstatus
,
2455 SSL3_MT_CERTIFICATE_STATUS
))
2457 if (!CBB_add_u8(&certstatus
, s
->tlsext_status_type
))
2459 if (!CBB_add_u24_length_prefixed(&certstatus
, &ocspresp
))
2461 if (!CBB_add_bytes(&ocspresp
, s
->internal
->tlsext_ocsp_resp
,
2462 s
->internal
->tlsext_ocsp_resp_len
))
2464 if (!ssl3_handshake_msg_finish(s
, &cbb
))
2467 s
->s3
->hs
.state
= SSL3_ST_SW_CERT_STATUS_B
;
2470 /* SSL3_ST_SW_CERT_STATUS_B */
2471 return (ssl3_handshake_write(s
));