| blob | 94974a6afc8c9348a864225effcdc5475a0f167d |
1 /* $OpenBSD: s3_srvr.c,v 1.125 2016/03/11 07:08:45 mmcc Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
151 #include <stdio.h>
155 #include <openssl/bn.h>
156 #include <openssl/buffer.h>
157 #include <openssl/evp.h>
158 #include <openssl/dh.h>
159 #ifndef OPENSSL_NO_GOST
160 #include <openssl/gost.h>
161 #endif
162 #include <openssl/hmac.h>
163 #include <openssl/md5.h>
164 #include <openssl/objects.h>
165 #include <openssl/x509.h>
169 int
171 {
185 /* init things to blank */
194 }
202 /* s->state=SSL_ST_ACCEPT; */
217 }
223 }
227 }
232 /*
233 * Ok, we now need to push on a buffering BIO
234 * so that the output is sent in a way that
235 * TCP likes :-)
236 */
240 }
245 }
250 /*
251 * Server attempting to renegotiate with
252 * client that doesn't support secure
253 * renegotiation.
254 */
256 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
258 SSL_AD_HANDSHAKE_FAILURE);
262 /*
263 * s->state == SSL_ST_RENEGOTIATE,
264 * we will just send a HelloRequest
265 */
268 }
285 }
301 }
316 else
318 }
319 else
326 /* Check if it is anon DH or anon ECDH. */
328 SSL_aNULL)) {
334 else
339 }
347 /*
348 * Only send if using a DH key exchange.
349 *
350 * For ECC ciphersuites, we send a ServerKeyExchange
351 * message only if the cipher suite is ECDHE. In other
352 * cases, the server certificate contains the server's
353 * public key for key exchange.
354 */
368 /*
369 * Determine whether or not we need to request a
370 * certificate.
371 *
372 * Do not request a certificate if:
373 *
374 * - We did not ask for it (SSL_VERIFY_PEER is unset).
375 *
376 * - SSL_VERIFY_CLIENT_ONCE is set and we are
377 * renegotiating.
378 *
379 * - We are using an anonymous ciphersuites
380 * (see section "Certificate request" in SSL 3 drafts
381 * and in RFC 2246) ... except when the application
382 * insists on verification (against the specs, but
383 * s3_clnt.c accepts this for SSL 3).
384 */
390 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
391 /* No cert request */
399 }
400 }
408 }
423 /*
424 * This code originally checked to see if
425 * any data was pending using BIO_CTRL_INFO
426 * and then flushed. This caused problems
427 * as documented in PR#1939. The proposed
428 * fix doesn't completely resolve this issue
429 * as buggy implementations of BIO_CTRL_PENDING
430 * still exist. So instead we just flush
431 * unconditionally.
432 */
438 }
450 }
462 /*
463 * For the ECDH ciphersuites when
464 * the client sends its ECDH pub key in
465 * a certificate, the CertificateVerify
466 * message is not sent.
467 * Also for GOST ciphersuites when
468 * the client uses its key from the certificate
469 * for key exchange.
470 */
473 else
481 /*
482 * For sigalgs freeze the handshake buffer
483 * at this point and digest cached records.
484 */
487 ERR_R_INTERNAL_ERROR);
490 }
495 }
503 /*
504 * We need to get hashes here so if there is
505 * a client cert, it can be verified
506 * FIXME - digest processing for
507 * CertificateVerify should be generalized.
508 * But it is next step
509 */
514 }
515 }
517 dgst_num++)
530 }
532 }
533 }
540 /* we should decide if we expected this one */
547 else
565 SSL3_ST_SR_FINISHED_B);
572 else
603 }
617 }
634 SSL3_ST_SR_NEXT_PROTO_A;
637 SSL3_ST_SR_FINISHED_A;
644 /* clean a few things up */
650 /* remove buffering on output */
655 /* skipped if we just sent a HelloRequest */
663 /* s->server=1; */
668 }
672 /* break; */
676 SSL_R_UNKNOWN_STATE);
679 /* break; */
680 }
686 }
694 }
695 }
697 }
698 end:
699 /* BIO_flush(s->wbio); */
705 }
707 int
709 {
715 }
717 /* SSL3_ST_SW_HELLO_REQ_B */
719 }
721 int
723 {
733 /*
734 * We do this so that we will respond with our native type.
735 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
736 * This down switching should be handled by a different method.
737 * If we are SSLv3, we will respond with SSLv3, even if prompted with
738 * TLSv1.
739 */
742 }
755 /*
756 * Use version from inside client hello, not from record header.
757 * (may differ: see RFC 2246, Appendix E, second paragraph)
758 */
765 SSL_R_WRONG_VERSION_NUMBER);
768 /*
769 * Similar to ssl3_get_record, send alert using remote
770 * version number
771 */
773 }
776 }
778 /*
779 * If we require cookies and this ClientHello doesn't
780 * contain one, just return since we do not want to
781 * allocate any memory yet. So check cookie length...
782 */
791 }
796 /* load the client random */
800 /* get the session-id */
806 /*
807 * Versions before 0.9.7 always allow clients to resume sessions in
808 * renegotiation. 0.9.7 and later allow this by default, but optionally
809 * ignore resumption requests with flag
810 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
811 * rather than a change to default behavior so that applications
812 * relying on this for security won't even compile against older
813 * library versions).
814 *
815 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
816 * to request renegotiation but not a new session (s->new_session
817 * remains unset): for servers, this essentially just means that the
818 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
819 * ignored.
820 */
822 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
832 /* i == 0 */
835 }
836 }
841 /* cookie stuff */
846 /*
847 * The ClientHello may contain a cookie even if the
848 * HelloVerify message has not been sent--make sure that it
849 * does not cause an overflow.
850 */
852 /* too much data */
855 SSL_R_COOKIE_MISMATCH);
857 }
862 /* verify the cookie if appropriate option is set. */
872 SSL_R_COOKIE_MISMATCH);
874 }
875 /* else cookie verification succeeded */
878 /* default verification */
881 SSL_R_COOKIE_MISMATCH);
883 }
886 }
889 }
895 /* we need a cipher if we are not resuming a session */
898 SSL_R_NO_CIPHERS_SPECIFIED);
900 }
906 }
909 /* If it is a hit, check that the cipher is in the list */
919 }
920 }
922 /*
923 * We need to have the cipher in the cipher
924 * list if we are asked to reuse it
925 */
928 SSL_R_REQUIRED_CIPHER_MISSING);
930 }
931 }
933 /* compression */
942 }
946 /* no compress */
949 SSL_R_NO_COMPRESSION_SPECIFIED);
951 }
953 /* TLS extensions*/
955 /* 'al' set by ssl_parse_clienthello_tlsext */
958 }
961 SSL_R_CLIENTHELLO_TLSEXT);
963 }
965 /*
966 * Check if we want to use external pre-shared secret for this
967 * handshake for not reused session only. We need to generate
968 * server_random before calling tls_session_secret_cb in order to allow
969 * SessionTicket processing to use it in key derivation.
970 */
986 /* check if some cipher was preferred by call back */
993 SSL_R_NO_SHARED_CIPHER);
995 }
1008 }
1009 }
1011 /*
1012 * Given s->session->ciphers and SSL_get_ciphers, we must
1013 * pick a cipher
1014 */
1023 SSL_R_NO_CIPHERS_PASSED);
1025 }
1033 SSL_R_NO_SHARED_CIPHER);
1035 }
1039 }
1047 }
1048 }
1050 /*
1051 * We now have the following setup.
1052 * client_random
1053 * cipher_list - our prefered list of ciphers
1054 * ciphers - the clients prefered list of ciphers
1055 * compression - basically ignored right now
1056 * ssl version is set - sslv3
1057 * s->session - The ssl session has been setup.
1058 * s->hit - session reuse flag
1059 * s->tmp.new_cipher - the new cipher to use.
1060 */
1062 /* Handles TLS extensions that we couldn't check earlier */
1066 }
1071 truncated:
1074 f_err:
1076 }
1077 err:
1081 }
1083 int
1085 {
1096 /* Random stuff */
1100 /*
1101 * There are several cases for the session ID to send
1102 * back in the server hello:
1103 *
1104 * - For session reuse from the session cache,
1105 * we send back the old session ID.
1106 * - If stateless session reuse (using a session ticket)
1107 * is successful, we send back the client's "session ID"
1108 * (which doesn't actually identify the session).
1109 * - If it is a new session, we send back the new
1110 * session ID.
1111 * - However, if we want the new session to be single-use,
1112 * we send back a 0-length session ID.
1113 *
1114 * s->hit is non-zero in either case of session reuse,
1115 * so the following won't overwrite an ID that we're supposed
1116 * to send back.
1117 */
1125 ERR_R_INTERNAL_ERROR);
1127 }
1132 /* put the cipher */
1135 /* put the compression method */
1139 SSL3_RT_MAX_PLAIN_LENGTH;
1142 ERR_R_INTERNAL_ERROR);
1144 }
1147 }
1149 /* SSL3_ST_SW_SRVR_HELLO_B */
1151 }
1153 int
1155 {
1161 }
1163 /* SSL3_ST_SW_SRVR_DONE_B */
1165 }
1167 int
1169 {
1191 EVP_MD_CTX md_ctx;
1207 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1208 ERR_R_INTERNAL_ERROR);
1210 }
1221 SSL_R_MISSING_TMP_DH_KEY);
1223 }
1227 ERR_R_INTERNAL_ERROR);
1229 }
1235 ERR_R_DH_LIB);
1237 }
1241 ERR_R_DH_LIB);
1243 }
1259 }
1263 SSL_R_MISSING_TMP_ECDH_KEY);
1265 }
1269 ERR_R_INTERNAL_ERROR);
1271 }
1273 /* Duplicate the ECDH structure. */
1278 ERR_R_ECDH_LIB);
1280 }
1288 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1289 ERR_R_ECDH_LIB);
1291 }
1292 }
1298 ERR_R_ECDH_LIB);
1300 }
1302 /*
1303 * XXX: For now, we only support ephemeral ECDH
1304 * keys over named (not generic) curves. For
1305 * supported named curves, curve_id is non-zero.
1306 */
1310 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1312 }
1314 /*
1315 * Encode the public key.
1316 * First check the size of encoding and
1317 * allocate memory accordingly.
1318 */
1321 POINT_CONVERSION_UNCOMPRESSED,
1329 ERR_R_MALLOC_FAILURE);
1331 }
1336 POINT_CONVERSION_UNCOMPRESSED,
1341 ERR_R_ECDH_LIB);
1343 }
1348 /*
1349 * XXX: For now, we only support named (not
1350 * generic) curves in ECDH ephemeral key exchanges.
1351 * In this situation, we need four additional bytes
1352 * to encode the entire ServerECDHParams
1353 * structure.
1354 */
1357 /*
1358 * We'll generate the serverKeyExchange message
1359 * explicitly so we can set these to NULLs
1360 */
1366 {
1369 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1371 }
1375 }
1382 }
1387 }
1392 ERR_LIB_BUF);
1394 }
1397 SSL3_MT_SERVER_KEY_EXCHANGE);
1403 }
1406 /*
1407 * XXX: For now, we only support named (not generic)
1408 * curves.
1409 * In this situation, the serverKeyExchange message has:
1410 * [1 byte CurveType], [2 byte CurveName]
1411 * [1 byte length of encoded point], followed by
1412 * the actual encoded point itself
1413 */
1427 }
1430 /* not anonymous */
1432 /*
1433 * n is the length of the params, they start at &(d[4])
1434 * and p points to the space at the end.
1435 */
1446 SSL3_RANDOM_SIZE);
1449 SSL3_RANDOM_SIZE);
1455 }
1459 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1460 ERR_LIB_RSA);
1462 }
1466 /* Send signature algorithm. */
1469 /* Should never happen */
1472 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1473 ERR_R_INTERNAL_ERROR);
1475 }
1477 }
1481 SSL3_RANDOM_SIZE);
1484 SSL3_RANDOM_SIZE);
1489 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1490 ERR_LIB_EVP);
1492 }
1498 /* Is this error check actually needed? */
1501 SSL_R_UNKNOWN_PKEY_TYPE);
1503 }
1504 }
1507 }
1514 f_err:
1516 err:
1521 }
1523 int
1525 {
1536 SSL3_MT_CERTIFICATE_REQUEST);
1538 /* get the list of acceptable cert types */
1539 p++;
1543 n++;
1550 }
1566 SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
1567 ERR_R_BUF_LIB);
1569 }
1576 }
1577 }
1578 /* else no CA names */
1586 }
1588 /* SSL3_ST_SW_CERT_REQ_B */
1590 err:
1592 }
1594 int
1596 {
1611 /* 2048 maxlen is a guess. How long a key does that permit? */
1632 SSL_R_MISSING_RSA_CERTIFICATE);
1634 }
1642 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1655 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
1656 }
1662 /*
1663 * The premaster secret must contain the same version
1664 * number as the ClientHello to detect version rollback
1665 * attacks (strangely, the protocol does not offer such
1666 * protection for DH ciphersuites).
1667 * However, buggy clients exist that send the negotiated
1668 * protocol version instead if the server does not
1669 * support the requested protocol version.
1670 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
1671 * clients.
1672 */
1677 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1679 /*
1680 * The Klima-Pokorny-Rosa extension of
1681 * Bleichenbacher's attack
1682 * (http://eprint.iacr.org/2003/052/) exploits
1683 * the version number check as a "bad version
1684 * oracle" -- an alert would reveal that the
1685 * plaintext corresponding to some ciphertext
1686 * made up by the adversary is properly
1687 * formatted except that the version number is
1688 * wrong.
1689 * To avoid such attacks, we should treat this
1690 * just like any other decryption error.
1691 */
1692 }
1693 }
1696 /*
1697 * Some decryption failure -- use random value instead
1698 * as countermeasure against Bleichenbacher's attack
1699 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1700 * section 7.4.7.1).
1701 */
1704 }
1717 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1719 }
1722 /* the parameters are in the cert */
1725 SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1731 SSL_R_MISSING_TMP_DH_KEY);
1735 }
1740 SSL_R_BN_LIB);
1742 }
1748 ERR_R_DH_LIB);
1751 }
1771 /* Initialize structures for server's ECDH key pair. */
1774 ERR_R_MALLOC_FAILURE);
1776 }
1778 /* Let's get server private key and group information. */
1780 /* Use the certificate */
1783 /*
1784 * Use the ephermeral values we saved when
1785 * generating the ServerKeyExchange msg.
1786 */
1788 }
1796 ERR_R_EC_LIB);
1798 }
1800 /* Let's get client's public key */
1803 ERR_R_MALLOC_FAILURE);
1805 }
1808 /* Client Publickey was in Client Certificate */
1813 SSL_R_MISSING_TMP_ECDH_KEY);
1815 }
1819 /*
1820 * XXX: For now, we do not support client
1821 * authentication using ECDH certificates
1822 * so this branch (n == 0L) of the code is
1823 * never executed. When that support is
1824 * added, we ought to ensure the key
1825 * received in the certificate is
1826 * authorized for key agreement.
1827 * ECDH_compute_key implicitly checks that
1828 * the two ECDH shares are for the same
1829 * group.
1830 */
1833 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
1835 }
1841 ERR_R_EC_LIB);
1843 }
1846 /*
1847 * Get client's public key from encoded point
1848 * in the ClientKeyExchange message.
1849 */
1852 ERR_R_MALLOC_FAILURE);
1854 }
1856 /* Get encoded point length */
1862 ERR_R_EC_LIB);
1864 }
1868 ERR_R_EC_LIB);
1870 }
1871 /*
1872 * p is pointing to somewhere in the buffer
1873 * currently, so set it to the start.
1874 */
1876 }
1878 /* Compute the shared pre-master secret */
1882 ERR_R_ECDH_LIB);
1884 }
1886 NULL);
1889 ERR_R_ECDH_LIB);
1891 }
1901 /* Compute the master secret */
1918 /* Get our certificate private key*/
1925 /*
1926 * If client certificate is present and is of the same type,
1927 * maybe use it for key exchange.
1928 * Don't mind errors from EVP_PKEY_derive_set_peer, because
1929 * it is completely valid to use a client certificate for
1930 * authorization only.
1931 */
1937 }
1940 /* Decrypt session key */
1945 SSL_R_DECRYPTION_FAILED);
1947 }
1953 SSL_R_DECRYPTION_FAILED);
1955 }
1956 /* Generate master secret */
1960 /* Check if pubkey from client certificate was used */
1964 else
1966 gerr:
1971 else
1976 SSL_R_UNKNOWN_CIPHER_TYPE);
1978 }
1981 truncated:
1984 f_err:
1986 err:
1992 }
1994 int
1996 {
2004 EVP_MD_CTX mctx;
2019 }
2026 SSL_R_MISSING_VERIFY_MESSAGE);
2028 }
2031 }
2035 SSL_R_NO_CLIENT_CERT_RECEIVED);
2038 }
2042 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2045 }
2049 SSL_R_CCS_RECEIVED_EARLY);
2052 }
2054 /* we now have a signature that we need to verify */
2056 /*
2057 * Check for broken implementations of GOST ciphersuites.
2058 *
2059 * If key is GOST and n is exactly 64, it is a bare
2060 * signature without length field.
2061 */
2068 /* Should never happen */
2071 ERR_R_INTERNAL_ERROR);
2074 }
2077 /* Check key type is consistent with signature */
2080 SSL_R_WRONG_SIGNATURE_TYPE);
2083 }
2087 SSL_R_UNKNOWN_DIGEST);
2090 }
2093 }
2100 }
2104 SSL_R_WRONG_SIGNATURE_SIZE);
2107 }
2115 ERR_R_INTERNAL_ERROR);
2118 }
2122 ERR_R_EVP_LIB);
2125 }
2130 SSL_R_BAD_SIGNATURE);
2132 }
2141 SSL_R_BAD_RSA_DECRYPT);
2143 }
2147 SSL_R_BAD_RSA_SIGNATURE);
2149 }
2156 /* bad signature */
2159 SSL_R_BAD_DSA_SIGNATURE);
2161 }
2168 /* bad signature */
2171 SSL_R_BAD_ECDSA_SIGNATURE);
2173 }
2175 #ifndef OPENSSL_NO_GOST
2188 ERR_R_INTERNAL_ERROR);
2191 }
2195 ERR_R_EVP_LIB);
2198 }
2202 ERR_R_EVP_LIB);
2205 }
2212 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2213 GOST_SIG_FORMAT_RS_LE,
2216 ERR_R_EVP_LIB);
2220 }
2225 SSL_R_BAD_SIGNATURE);
2228 }
2232 #endif
2233 {
2235 ERR_R_INTERNAL_ERROR);
2238 }
2243 truncated:
2246 f_err:
2248 }
2249 end:
2254 }
2258 }
2260 int
2262 {
2280 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2283 }
2284 /*
2285 * If tls asked for a client cert,
2286 * the client must return a 0 list.
2287 */
2290 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2291 );
2294 }
2297 }
2302 SSL_R_WRONG_MESSAGE_TYPE);
2304 }
2313 ERR_R_MALLOC_FAILURE);
2315 }
2322 CBS cert;
2327 SSL_R_CERT_LENGTH_MISMATCH);
2329 }
2335 ERR_R_ASN1_LIB);
2337 }
2341 SSL_R_CERT_LENGTH_MISMATCH);
2343 }
2346 ERR_R_MALLOC_FAILURE);
2348 }
2350 }
2353 /*
2354 * TLS does not mind 0 certs returned.
2355 * Fail for TLS only if we required a certificate.
2356 */
2360 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2363 }
2364 /* No client certificate so digest cached records */
2368 }
2374 SSL_R_NO_CERTIFICATE_RETURNED);
2376 }
2377 }
2383 /*
2384 * With the current implementation, sess_cert will always be NULL
2385 * when we arrive here
2386 */
2391 ERR_R_MALLOC_FAILURE);
2393 }
2394 }
2399 /*
2400 * Inconsistency alert: cert_chain does *not* include the
2401 * peer's own certificate, while we do include it in s3_clnt.c
2402 */
2408 truncated:
2411 SSL_R_BAD_PACKET_LENGTH);
2412 f_err:
2414 }
2415 err:
2420 }
2422 int
2424 {
2432 ERR_R_INTERNAL_ERROR);
2434 }
2440 }
2442 /* SSL3_ST_SW_CERT_B */
2444 }
2446 /* send a new session ticket (not necessarily for a new session) */
2447 int
2449 {
2456 EVP_CIPHER_CTX ctx;
2457 HMAC_CTX hctx;
2462 /* get session encoding length */
2464 /*
2465 * Some length values are 16 bits, so forget it if session is
2466 * too long
2467 */
2476 /*
2477 * Create a fresh copy (not shared with other threads) to
2478 * clean up
2479 */
2485 }
2487 /* ID is irrelevant for the ticket */
2492 /* shouldn't ever happen */
2495 }
2500 /*
2501 * Grow buffer if need be: the length calculation is as
2502 * follows 1 (size of message name) + 3 (message length
2503 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2504 * 16 (key name) + max_iv_len (iv length) +
2505 * session_length + max_enc_block_size (max encrypted session
2506 * length) + max_md_size (HMAC).
2507 */
2513 }
2520 /*
2521 * Initialize HMAC and cipher contexts. If callback present
2522 * it does all the work otherwise use generated values
2523 * from parent ctx.
2524 */
2531 }
2539 }
2541 /*
2542 * Ticket lifetime hint (advisory only):
2543 * We leave this unspecified for resumed session
2544 * (for simplicity), and guess that tickets for new
2545 * sessions will live as long as their sessions.
2546 */
2549 /* Skip ticket length for now */
2551 /* Output key name */
2555 /* output IV */
2558 /* Encrypt session data */
2570 /* Now write out lengths: p points to end of data written */
2571 /* Total length */
2574 /* Skip ticket lifetime hint. */
2583 }
2585 /* SSL3_ST_SW_SESSION_TICKET_B */
2587 }
2589 int
2591 {
2595 /*
2596 * Grow buffer if need be: the length calculation is as
2597 * follows 1 (message type) + 3 (message length) +
2598 * 1 (ocsp response type) + 3 (ocsp response length)
2599 * + (ocsp response)
2600 */
2614 }
2616 /* SSL3_ST_SW_CERT_STATUS_B */
2618 }
2620 /*
2621 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
2622 * It sets the next_proto member in s if found
2623 */
2624 int
2626 {
2632 /*
2633 * Clients cannot send a NextProtocol message if we didn't see the
2634 * extension in their ClientHello
2635 */
2638 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2640 }
2642 /* 514 maxlen is enough for the payload format below */
2648 /*
2649 * s->state doesn't reflect whether ChangeCipherSpec has been received
2650 * in this handshake, but s->s3->change_cipher_spec does (will be reset
2651 * by ssl3_get_finished).
2652 */
2655 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
2657 }
2661 /* The body must be > 1 bytes long */
2665 /*
2666 * The payload looks like:
2667 * uint8 proto_len;
2668 * uint8 proto[proto_len];
2669 * uint8 padding_len;
2670 * uint8 padding[padding_len];
2671 */
2677 /*
2678 * XXX We should not NULL it, but this matches old behavior of not
2679 * freeing before malloc.
2680 */
2686 ERR_R_MALLOC_FAILURE);
2688 }
2692 }