| blob | 8885694c02b34522d8acb980727c4a7841716993 |
1 /* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
151 #define REUSE_CIPHER_BUG
152 #define NETSCAPE_HANG_BUG
154 #include <stdio.h>
158 #include <openssl/buffer.h>
159 #include <openssl/rand.h>
160 #include <openssl/objects.h>
161 #include <openssl/evp.h>
162 #include <openssl/hmac.h>
163 #include <openssl/x509.h>
164 #ifndef OPENSSL_NO_DH
165 # include <openssl/dh.h>
166 #endif
167 #include <openssl/bn.h>
168 #ifndef OPENSSL_NO_KRB5
169 # include <openssl/krb5_asn.h>
170 #endif
171 #include <openssl/md5.h>
173 #ifndef OPENSSL_NO_SSL3_METHOD
177 {
180 else
182 }
185 ssl3_accept,
187 #endif
188 #ifndef OPENSSL_NO_SRP
190 {
198 /*
199 * RFC 5054 says SHOULD reject, we do so if There is no srp
200 * login name
201 */
206 }
207 }
209 }
210 #endif
213 {
229 /* init things to blank */
237 }
238 #ifndef OPENSSL_NO_HEARTBEATS
239 /*
240 * If we're awaiting a HeartbeatResponse, pretend we already got and
241 * don't await it anymore, because Heartbeats don't make sense during
242 * handshakes anyway.
243 */
247 }
248 #endif
256 /* s->state=SSL_ST_ACCEPT; */
271 }
279 }
285 }
287 }
293 }
298 /*
299 * Should have been reset by ssl3_get_finished, too.
300 */
304 /*
305 * Ok, we now need to push on a buffering BIO so that the
306 * output is sent in a way that TCP likes :-)
307 */
312 }
319 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
320 /*
321 * Server attempting to renegotiate with client that doesn't
322 * support secure renegotiation.
323 */
325 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
331 /*
332 * s->state == SSL_ST_RENEGOTIATE, we will just send a
333 * HelloRequest
334 */
337 }
366 #ifndef OPENSSL_NO_SRP
369 {
372 /*
373 * callback indicates firther work to be done
374 */
377 }
380 /*
381 * This is not really an error but the only means to for
382 * a client to detect whether srp is supported.
383 */
390 }
391 }
392 #endif
404 #ifndef OPENSSL_NO_TLSEXT
408 else
410 }
411 #else
414 #endif
415 else
422 /* Check if it is anon DH or anon ECDH, */
423 /* normal PSK or KRB5 or SRP */
427 SSL_aSRP))
432 #ifndef OPENSSL_NO_TLSEXT
435 else
440 }
441 #else
446 #endif
454 /*
455 * clear this, it may get reset by
456 * send_server_key_exchange
457 */
460 /*
461 * only send if a DH key exchange, fortezza or RSA but we have a
462 * sign only certificate PSK: may send PSK identity hints For
463 * ECC ciphersuites, we send a serverKeyExchange message only if
464 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
465 * the server certificate contains the server's public key for
466 * key exchange.
467 */
469 /*
470 * PSK: send ServerKeyExchange if PSK identity hint if
471 * provided
472 */
473 #ifndef OPENSSL_NO_PSK
475 #endif
476 #ifndef OPENSSL_NO_SRP
477 /* SRP: send ServerKeyExchange */
479 #endif
488 )
489 )
490 )
491 ) {
506 /*
507 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
508 * during re-negotiation:
509 */
512 /*
513 * never request cert in anonymous ciphersuites (see
514 * section "Certificate request" in SSL 3 drafts and in
515 * RFC 2246):
516 */
518 /*
519 * ... except when the application insists on
520 * verification (against the specs, but s3_clnt.c accepts
521 * this for SSL 3)
522 */
524 /*
525 * never request cert in Kerberos ciphersuites
526 */
528 /* don't request certificate for SRP auth */
530 /*
531 * With normal PSK Certificates and Certificate Requests
532 * are omitted
533 */
535 /* no cert request */
543 }
544 }
550 #ifndef NETSCAPE_HANG_BUG
552 #else
555 #endif
557 }
572 /*
573 * This code originally checked to see if any data was pending
574 * using BIO_CTRL_INFO and then flushed. This caused problems as
575 * documented in PR#1939. The proposed fix doesn't completely
576 * resolve this issue as buggy implementations of
577 * BIO_CTRL_PENDING still exist. So instead we just flush
578 * unconditionally.
579 */
585 }
597 }
608 /*
609 * For the ECDH ciphersuites when the client sends its ECDH
610 * pub key in a certificate, the CertificateVerify message is
611 * not sent. Also for GOST ciphersuites when the client uses
612 * its key from the certificate for key exchange.
613 */
614 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
616 #else
619 else
621 #endif
628 /*
629 * For sigalgs freeze the handshake buffer at this point and
630 * digest cached records.
631 */
636 }
641 }
649 /*
650 * We need to get hashes here so if there is a client cert,
651 * it can be verified FIXME - digest processing for
652 * CertificateVerify should be generalized. But it is next
653 * step
654 */
659 }
660 }
666 EVP_MD_CTX_type
668 s3->handshake_dgst
671 tmp.cert_verify_md
673 dgst_size =
679 }
681 }
682 }
691 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
693 #else
696 else
698 #endif
702 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
705 /*
706 * Enable CCS for NPN. Receiving a CCS clears the flag, so make
707 * sure not to re-enable it to ban duplicates. This *should* be the
708 * first time we have received one - but we check anyway to be
709 * cautious.
710 * s->s3->change_cipher_spec is set when a CCS is
711 * processed in s3_pkt.c, and remains set until
712 * the client's Finished message is read.
713 */
723 #endif
727 /*
728 * Enable CCS for handshakes without NPN. In NPN the CCS flag has
729 * already been set. Receiving a CCS clears the flag, so make
730 * sure not to re-enable it to ban duplicates.
731 * s->s3->change_cipher_spec is set when a CCS is
732 * processed in s3_pkt.c, and remains set until
733 * the client's Finished message is read.
734 */
738 SSL3_ST_SR_FINISHED_B);
743 #ifndef OPENSSL_NO_TLSEXT
746 #endif
747 else
752 #ifndef OPENSSL_NO_TLSEXT
771 #endif
781 }
784 SSL3_ST_SW_CHANGE_A,
785 SSL3_ST_SW_CHANGE_B);
793 SSL3_CHANGE_CIPHER_SERVER_WRITE))
794 {
798 }
805 SSL3_ST_SW_FINISHED_A,
806 SSL3_ST_SW_FINISHED_B,
815 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
817 #else
822 #endif
829 /* clean a few things up */
835 /* remove buffering on output */
841 * HelloRequest */
848 /* s->server=1; */
853 }
857 /* break; */
864 /* break; */
865 }
871 }
878 }
879 }
881 }
882 end:
883 /* BIO_flush(s->wbio); */
889 }
892 {
897 }
899 /* SSL3_ST_SW_HELLO_REQ_B */
901 }
904 {
911 #ifndef OPENSSL_NO_COMP
914 #endif
920 /*
921 * We do this so that we will respond with our native type. If we are
922 * TLSv1 and we get SSLv3, we will respond with TLSv1, This down
923 * switching should be handled by a different method. If we are SSLv3, we
924 * will respond with SSLv3, even if prompted with TLSv1.
925 */
928 }
931 SSL3_ST_SR_CLNT_HELLO_B,
932 SSL3_ST_SR_CLNT_HELLO_C,
933 SSL3_MT_CLIENT_HELLO,
941 /*
942 * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
943 * for session id length
944 */
949 }
951 /*
952 * use version from inside client hello, not from record header (may
953 * differ: see RFC 2246, Appendix E, second paragraph)
954 */
964 /*
965 * similar to ssl3_get_record, send alert using remote version
966 * number
967 */
969 }
972 }
974 /*
975 * If we require cookies and this ClientHello doesn't contain one, just
976 * return since we do not want to allocate any memory yet. So check
977 * cookie length...
978 */
988 }
993 }
995 /* load the client random */
999 /* get the session-id */
1006 }
1009 /*
1010 * Versions before 0.9.7 always allow clients to resume sessions in
1011 * renegotiation. 0.9.7 and later allow this by default, but optionally
1012 * ignore resumption requests with flag
1013 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
1014 * than a change to default behavior so that applications relying on this
1015 * for security won't even compile against older library versions).
1016 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
1017 * request renegotiation but not a new session (s->new_session remains
1018 * unset): for servers, this essentially just means that the
1019 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be ignored.
1020 */
1027 /*
1028 * Only resume if the session's version matches the negotiated
1029 * version.
1030 * RFC 5246 does not provide much useful advice on resumption
1031 * with a different protocol version. It doesn't forbid it but
1032 * the sanity of such behaviour would be questionable.
1033 * In practice, clients do not accept a version mismatch and
1034 * will abort the handshake with an error.
1035 */
1037 * session */
1045 }
1046 }
1051 /* cookie stuff */
1056 }
1063 }
1065 /*
1066 * The ClientHello may contain a cookie even if the
1067 * HelloVerify message has not been sent--make sure that it
1068 * does not cause an overflow.
1069 */
1071 /* too much data */
1075 }
1077 /* verify the cookie if appropriate option is set. */
1086 SSL_R_COOKIE_MISMATCH);
1088 }
1089 /* else cookie verification succeeded */
1090 }
1091 /* default verification */
1097 }
1098 /* Set to -2 so if successful we return 2 */
1100 }
1104 /* Select version to use */
1111 SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
1121 SSL_R_WRONG_VERSION_NUMBER);
1125 }
1127 }
1128 }
1134 }
1141 }
1143 /* i bytes of cipher data + 1 byte for compression length later */
1145 /* not enough data */
1149 }
1152 }
1155 /* If it is a hit, check that the cipher is in the list */
1160 #ifdef CIPHER_DEBUG
1163 #endif
1166 #ifdef CIPHER_DEBUG
1169 #endif
1173 }
1174 }
1175 /*
1176 * Disabled because it can be used in a ciphersuite downgrade attack:
1177 * CVE-2010-4180.
1178 */
1179 #if 0
1182 /*
1183 * Special case as client bug workaround: the previously used
1184 * cipher may not be in the current list, the client instead
1185 * might be trying to continue using a cipher that before wasn't
1186 * chosen due to server preferences. We'll have to reject the
1187 * connection if the cipher is not enabled, though.
1188 */
1193 }
1194 }
1195 #endif
1197 /*
1198 * we need to have the cipher in the cipher list if we are asked
1199 * to reuse it
1200 */
1203 SSL_R_REQUIRED_CIPHER_MISSING);
1205 }
1206 }
1208 /* compression */
1211 /* not enough data */
1215 }
1216 #ifndef OPENSSL_NO_COMP
1218 #endif
1222 }
1226 /* no compress */
1230 }
1231 #ifndef OPENSSL_NO_TLSEXT
1232 /* TLS extensions */
1237 }
1238 }
1240 /*
1241 * Check if we want to use external pre-shared secret for this handshake
1242 * for not reused session only. We need to generate server_random before
1243 * calling tls_session_secret_cb in order to allow SessionTicket
1244 * processing to use it in key derivation.
1245 */
1246 {
1251 }
1252 }
1268 /* check if some cipher was preferred by call back */
1269 pref_cipher =
1271 s->
1273 SSL_get_ciphers
1279 }
1291 }
1292 }
1293 #endif
1295 /*
1296 * Worst case, we will use the NULL compression, but if we have other
1297 * options, we will now look for them. We have i-1 compression
1298 * algorithms from the client, starting at q.
1299 */
1301 #ifndef OPENSSL_NO_COMP
1302 /* This only happens if we have a cache hit */
1305 /* Perform sanity checks on resumed compression algorithm */
1306 /* Can't disable compression */
1309 SSL_R_INCONSISTENT_COMPRESSION);
1311 }
1312 /* Look for resumed compression method */
1318 }
1319 }
1322 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1324 }
1325 /* Look for resumed method in compression list */
1329 }
1333 SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1335 }
1339 /* See if we have a match */
1350 }
1351 }
1354 }
1357 else
1359 }
1360 #else
1361 /*
1362 * If compression is disabled we'd better not try to resume a session
1363 * using compression.
1364 */
1368 }
1369 #endif
1371 /*
1372 * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
1373 */
1376 #ifdef OPENSSL_NO_COMP
1378 #else
1380 #endif
1388 }
1393 }
1394 /* Let cert callback update server certificates if required */
1395 retry_cert:
1402 }
1406 }
1408 }
1415 }
1418 /* Session-id reuse */
1419 #ifdef REUSE_CIPHER_BUG
1432 }
1437 else
1440 #endif
1442 }
1447 }
1449 /*-
1450 * we now have the following setup.
1451 * client_random
1452 * cipher_list - our prefered list of ciphers
1453 * ciphers - the clients prefered list of ciphers
1454 * compression - basically ignored right now
1455 * ssl version is set - sslv3
1456 * s->session - The ssl session has been setup.
1457 * s->hit - session reuse flag
1458 * s->tmp.new_cipher - the new cipher to use.
1459 */
1461 /* Handles TLS extensions that we couldn't check earlier */
1466 }
1467 }
1472 f_err:
1474 err:
1476 }
1481 }
1484 {
1493 #ifdef OPENSSL_NO_TLSEXT
1498 }
1499 #endif
1500 /* Do the message type and length last */
1506 /* Random stuff */
1510 /*-
1511 * There are several cases for the session ID to send
1512 * back in the server hello:
1513 * - For session reuse from the session cache,
1514 * we send back the old session ID.
1515 * - If stateless session reuse (using a session ticket)
1516 * is successful, we send back the client's "session ID"
1517 * (which doesn't actually identify the session).
1518 * - If it is a new session, we send back the new
1519 * session ID.
1520 * - However, if we want the new session to be single-use,
1521 * we send back a 0-length session ID.
1522 * s->hit is non-zero in either case of session reuse,
1523 * so the following won't overwrite an ID that we're supposed
1524 * to send back.
1525 */
1535 }
1540 /* put the cipher */
1544 /* put the compression method */
1545 #ifdef OPENSSL_NO_COMP
1547 #else
1550 else
1552 #endif
1553 #ifndef OPENSSL_NO_TLSEXT
1558 }
1566 }
1567 #endif
1568 /* do the header */
1572 }
1574 /* SSL3_ST_SW_SRVR_HELLO_B */
1576 }
1579 {
1584 }
1586 /* SSL3_ST_SW_SRVR_DONE_B */
1588 }
1591 {
1592 #ifndef OPENSSL_NO_RSA
1598 #endif
1599 #ifndef OPENSSL_NO_DH
1601 #endif
1602 #ifndef OPENSSL_NO_ECDH
1608 #endif
1619 EVP_MD_CTX md_ctx;
1630 #ifndef OPENSSL_NO_RSA
1642 SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1644 }
1647 }
1651 SSL_R_MISSING_TMP_RSA_KEY);
1653 }
1658 #endif
1659 #ifndef OPENSSL_NO_DH
1671 SSL_R_MISSING_TMP_DH_KEY);
1673 }
1677 ERR_R_INTERNAL_ERROR);
1679 }
1684 }
1693 }
1700 }
1701 }
1706 #endif
1707 #ifndef OPENSSL_NO_ECDH
1713 /* Get NID of appropriate shared curve */
1723 }
1727 SSL_R_MISSING_TMP_ECDH_KEY);
1729 }
1733 ERR_R_INTERNAL_ERROR);
1735 }
1737 /* Duplicate the ECDH structure. */
1741 }
1747 }
1755 ERR_R_ECDH_LIB);
1757 }
1758 }
1765 }
1770 SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1772 }
1774 /*
1775 * XXX: For now, we only support ephemeral ECDH keys over named
1776 * (not generic) curves. For supported named curves, curve_id is
1777 * non-zero.
1778 */
1783 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1785 }
1787 /*
1788 * Encode the public key. First check the size of encoding and
1789 * allocate memory accordingly.
1790 */
1793 POINT_CONVERSION_UNCOMPRESSED,
1801 ERR_R_MALLOC_FAILURE);
1803 }
1807 POINT_CONVERSION_UNCOMPRESSED,
1813 }
1818 /*
1819 * XXX: For now, we only support named (not generic) curves in
1820 * ECDH ephemeral key exchanges. In this situation, we need four
1821 * additional bytes to encode the entire ServerECDHParams
1822 * structure.
1823 */
1826 /*
1827 * We'll generate the serverKeyExchange message explicitly so we
1828 * can set these to NULLs
1829 */
1836 #ifndef OPENSSL_NO_PSK
1838 /*
1839 * reserve size for record length and PSK identity hint
1840 */
1844 #ifndef OPENSSL_NO_SRP
1850 SSL_R_MISSING_SRP_PARAM);
1852 }
1858 #endif
1859 {
1862 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1864 }
1867 #ifndef OPENSSL_NO_SRP
1870 else
1871 #endif
1873 }
1881 }
1886 }
1891 }
1895 #ifndef OPENSSL_NO_SRP
1898 p++;
1900 #endif
1904 }
1906 #ifndef OPENSSL_NO_ECDH
1908 /*
1909 * XXX: For now, we only support named (not generic) curves. In
1910 * this situation, the serverKeyExchange message has: [1 byte
1911 * CurveType], [2 byte CurveName] [1 byte length of encoded
1912 * point], followed by the actual encoded point itself
1913 */
1927 }
1928 #endif
1930 #ifndef OPENSSL_NO_PSK
1932 /* copy PSK identity hint */
1937 }
1938 #endif
1940 /* not anonymous */
1942 /*
1943 * n is the length of the params, they start at &(d[4]) and p
1944 * points to the space at the end.
1945 */
1946 #ifndef OPENSSL_NO_RSA
1952 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1956 SSL3_RANDOM_SIZE);
1958 SSL3_RANDOM_SIZE);
1963 }
1968 }
1972 #endif
1974 /* send signature algorithm */
1977 /* Should never happen */
1980 ERR_R_INTERNAL_ERROR);
1982 }
1984 }
1985 #ifdef SSL_DEBUG
1987 #endif
1990 SSL3_RANDOM_SIZE);
1992 SSL3_RANDOM_SIZE);
1998 }
2004 /* Is this error check actually needed? */
2007 SSL_R_UNKNOWN_PKEY_TYPE);
2009 }
2010 }
2013 }
2018 f_err:
2020 err:
2021 #ifndef OPENSSL_NO_ECDH
2025 #endif
2029 }
2032 {
2044 /* get the list of acceptable cert types */
2045 p++;
2049 n++;
2058 }
2073 ERR_R_BUF_LIB);
2075 }
2090 }
2091 }
2092 }
2093 /* else no CA names */
2099 #ifdef NETSCAPE_HANG_BUG
2104 }
2106 /* do the header */
2112 }
2113 #endif
2116 }
2118 /* SSL3_ST_SW_CERT_REQ_B */
2120 err:
2123 }
2126 {
2131 #ifndef OPENSSL_NO_RSA
2134 #endif
2135 #ifndef OPENSSL_NO_DH
2138 #endif
2139 #ifndef OPENSSL_NO_KRB5
2140 KSSL_ERR kssl_err;
2143 #ifndef OPENSSL_NO_ECDH
2148 #endif
2151 SSL3_ST_SR_KEY_EXCH_A,
2152 SSL3_ST_SR_KEY_EXCH_B,
2161 #ifndef OPENSSL_NO_RSA
2168 /* FIX THIS UP EAY EAY EAY EAY */
2172 /*
2173 * Don't do a callback because rsa_tmp should be sent already
2174 */
2178 SSL_R_MISSING_TMP_RSA_PKEY);
2181 }
2188 SSL_R_MISSING_RSA_CERTIFICATE);
2190 }
2192 }
2194 /* TLS and [incidentally] DTLS{0xFEFF} */
2201 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2207 }
2209 /*
2210 * Reject overly short RSA ciphertext because we want to be sure
2211 * that the buffer size makes it safe to iterate over the entire
2212 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
2213 * actual expected size is larger due to RSA padding, but the
2214 * bound is sufficient to be safe.
2215 */
2219 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2221 }
2223 /*
2224 * We must not leak whether a decryption failure occurs because of
2225 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
2226 * section 7.4.7.1). The code follows that advice of the TLS RFC and
2227 * generates a random premaster secret for the case that the decrypt
2228 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
2229 */
2231 /*
2232 * should be RAND_bytes, but we cannot work around a failure.
2233 */
2237 decrypt_len =
2241 /*
2242 * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
2243 * be 0xff if so and zero otherwise.
2244 */
2245 decrypt_good =
2248 /*
2249 * If the version in the decrypted pre-master secret is correct then
2250 * version_good will be 0xff, otherwise it'll be zero. The
2251 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
2252 * (http://eprint.iacr.org/2003/052/) exploits the version number
2253 * check as a "bad version oracle". Thus version checks are done in
2254 * constant time and are treated like any other decryption error.
2255 */
2256 version_good =
2258 version_good &=
2261 /*
2262 * The premaster secret must contain the same version number as the
2263 * ClientHello to detect version rollback attacks (strangely, the
2264 * protocol does not offer such protection for DH ciphersuites).
2265 * However, buggy clients exist that send the negotiated protocol
2266 * version instead if the server does not support the requested
2267 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2268 * clients.
2269 */
2272 workaround_good =
2274 workaround_good &=
2277 }
2279 /*
2280 * Both decryption and version must be good for decrypt_good to
2281 * remain non-zero (0xff).
2282 */
2285 /*
2286 * Now copy rand_premaster_secret over from p using
2287 * decrypt_good_mask. If decryption failed, then p does not
2288 * contain valid plaintext, however, a check above guarantees
2289 * it is still sufficiently large to read from.
2290 */
2294 }
2298 s->
2300 p,
2301 sizeof
2305 #endif
2306 #ifndef OPENSSL_NO_DH
2316 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2318 }
2320 }
2324 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2329 }
2330 }
2341 SSL_R_MISSING_RSA_CERTIFICATE);
2343 }
2348 SSL_R_MISSING_TMP_DH_KEY);
2354 /* Get pubkey from cert */
2359 }
2363 SSL_R_MISSING_TMP_DH_KEY);
2365 }
2373 }
2381 }
2387 else
2392 s->
2399 #endif
2400 #ifndef OPENSSL_NO_KRB5
2402 krb5_error_code krb5rc;
2403 krb5_data enc_ticket;
2404 krb5_data authenticator;
2405 krb5_data enc_pms;
2407 EVP_CIPHER_CTX ciph_ctx;
2413 krb5_ticket_times ttimes;
2426 SSL_R_DATA_LENGTH_TOO_LONG);
2428 }
2438 SSL_R_DATA_LENGTH_TOO_LONG);
2440 }
2450 /*
2451 * Note that the length is checked again below, ** after decryption
2452 */
2455 SSL_R_DATA_LENGTH_TOO_LONG);
2457 }
2462 SSL_R_DATA_LENGTH_TOO_LONG);
2464 }
2468 # ifdef KSSL_DEBUG
2476 }
2478 /*
2479 * Note: no authenticator is not considered an error, ** but will
2480 * return authtime == 0.
2481 */
2484 # ifdef KSSL_DEBUG
2492 }
2497 }
2498 # ifdef KSSL_DEBUG
2510 SSL_R_DECRYPTION_FAILED);
2512 }
2515 {
2517 SSL_R_DECRYPTION_FAILED);
2520 }
2523 SSL_R_DATA_LENGTH_TOO_LONG);
2526 }
2529 SSL_R_DECRYPTION_FAILED);
2532 }
2536 SSL_R_DATA_LENGTH_TOO_LONG);
2539 }
2542 /*
2543 * The premaster secret must contain the same version number as
2544 * the ClientHello to detect version rollback attacks (strangely,
2545 * the protocol does not offer such protection for DH
2546 * ciphersuites). However, buggy clients exist that send random
2547 * bytes instead of the protocol version. If
2548 * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2549 * (Perhaps we should have a separate BUG value for the Kerberos
2550 * cipher)
2551 */
2554 SSL_AD_DECODE_ERROR);
2557 }
2558 }
2564 s->
2573 len);
2574 }
2575 }
2577 /*- Was doing kssl_ctx_free() here,
2578 * but it caused problems for apache.
2579 * kssl_ctx = kssl_ctx_free(kssl_ctx);
2580 * if (s->kssl_ctx) s->kssl_ctx = NULL;
2581 */
2583 kclean:
2590 #ifndef OPENSSL_NO_ECDH
2598 /* initialize structures for server's ECDH key pair */
2602 }
2604 /* Let's get server private key and group information */
2606 /* use the certificate */
2609 /*
2610 * use the ephermeral values we saved when generating the
2611 * ServerKeyExchange msg.
2612 */
2614 }
2623 }
2625 /* Let's get client's public key */
2629 }
2632 /* Client Publickey was in Client Certificate */
2637 SSL_R_MISSING_TMP_ECDH_KEY);
2639 }
2642 /*
2643 * XXX: For now, we do not support client authentication
2644 * using ECDH certificates so this branch (n == 0L) of the
2645 * code is never executed. When that support is added, we
2646 * ought to ensure the key received in the certificate is
2647 * authorized for key agreement. ECDH_compute_key implicitly
2648 * checks that the two ECDH shares are for the same group.
2649 */
2652 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2654 }
2661 }
2664 /*
2665 * Get client's public key from encoded point in the
2666 * ClientKeyExchange message.
2667 */
2670 ERR_R_MALLOC_FAILURE);
2672 }
2674 /* Get encoded point length */
2680 }
2684 }
2685 /*
2686 * p is pointing to somewhere in the buffer currently, so set it
2687 * to the start
2688 */
2690 }
2692 /* Compute the shared pre-master secret */
2697 }
2699 NULL);
2703 }
2712 /* Compute the master secret */
2715 s->
2722 #endif
2723 #ifndef OPENSSL_NO_PSK
2737 }
2740 SSL_R_DATA_LENGTH_TOO_LONG);
2742 }
2745 SSL_R_PSK_NO_SERVER_CB);
2747 }
2749 /*
2750 * Create guaranteed NULL-terminated identity string for the callback
2751 */
2755 psk_or_pre_ms,
2763 /*
2764 * PSK related to the given identity not found
2765 */
2767 SSL_R_PSK_IDENTITY_NOT_FOUND);
2770 }
2772 /* create PSK pre_master_secret */
2787 }
2796 }
2800 s->
2802 psk_or_pre_ms,
2803 pre_ms_len);
2805 psk_err:
2810 #endif
2811 #ifndef OPENSSL_NO_SRP
2820 SSL_R_BAD_SRP_A_LENGTH);
2822 }
2826 }
2831 SSL_R_BAD_SRP_PARAMETERS);
2833 }
2840 }
2847 }
2862 /* Get our certificate private key */
2871 /*
2872 * If client certificate is present and is of the same type, maybe
2873 * use it for key exchange. Don't mind errors from
2874 * EVP_PKEY_derive_set_peer, because it is completely valid to use a
2875 * client certificate for authorization only.
2876 */
2881 }
2882 /* Decrypt session key */
2888 SSL_R_DECRYPTION_FAILED);
2890 }
2896 SSL_R_DECRYPTION_FAILED);
2898 }
2899 /* Generate master secret */
2902 s->
2906 /* Check if pubkey from client certificate was used */
2910 else
2912 gerr:
2917 else
2923 }
2926 f_err:
2928 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2929 err:
2930 #endif
2931 #ifndef OPENSSL_NO_ECDH
2937 #endif
2940 }
2943 {
2951 EVP_MD_CTX mctx;
2954 /*
2955 * We should only process a CertificateVerify message if we have received
2956 * a Certificate from the client. If so then |s->session->peer| will be non
2957 * NULL. In some instances a CertificateVerify message is not required even
2958 * if the peer has sent a Certificate (e.g. such as in the case of static
2959 * DH). In that case the ClientKeyExchange processing will skip the
2960 * CertificateVerify state so we should not arrive here.
2961 */
2965 }
2968 SSL3_ST_SR_CERT_VRFY_A,
2969 SSL3_ST_SR_CERT_VRFY_B,
2970 SSL3_MT_CERTIFICATE_VERIFY,
2982 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2985 }
2987 /* we now have a signature that we need to verify */
2989 /* Check for broken implementations of GOST ciphersuites */
2990 /*
2991 * If key is GOST and n is exactly 64, it is bare signature without
2992 * length field
2993 */
3006 }
3007 #ifdef SSL_DEBUG
3009 #endif
3012 }
3019 }
3020 }
3026 }
3036 }
3037 #ifdef SSL_DEBUG
3040 #endif
3046 }
3052 }
3054 #ifndef OPENSSL_NO_RSA
3063 }
3068 }
3070 #endif
3071 #ifndef OPENSSL_NO_DSA
3077 /* bad signature */
3081 }
3083 #endif
3084 #ifndef OPENSSL_NO_ECDSA
3090 /* bad signature */
3094 }
3096 #endif
3105 }
3108 }
3116 }
3121 }
3125 f_err:
3128 }
3129 end:
3134 }
3138 }
3141 {
3150 SSL3_ST_SR_CERT_A,
3151 SSL3_ST_SR_CERT_B,
3161 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3164 }
3165 /*
3166 * If tls asked for a client cert, the client must return a 0 list
3167 */
3170 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3173 }
3176 }
3182 }
3188 }
3195 }
3201 SSL_R_CERT_LENGTH_MISMATCH);
3203 }
3210 }
3214 SSL_R_CERT_LENGTH_MISMATCH);
3216 }
3220 }
3223 }
3226 /* TLS does not mind 0 certs returned */
3230 SSL_R_NO_CERTIFICATES_RETURNED);
3232 }
3233 /* Fail for TLS only if we required a certificate */
3237 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3240 }
3241 /* No client certificate so digest cached records */
3245 }
3251 SSL_R_CERTIFICATE_VERIFY_FAILED);
3253 }
3254 }
3261 /*
3262 * With the current implementation, sess_cert will always be NULL when we
3263 * arrive here.
3264 */
3270 }
3271 }
3275 /*
3276 * Inconsistency alert: cert_chain does *not* include the peer's own
3277 * certificate, while we do include it in s3_clnt.c
3278 */
3284 f_err:
3286 err:
3288 }
3295 }
3298 {
3304 /* VRS: allow null cert if auth == KRB5 */
3308 ERR_R_INTERNAL_ERROR);
3311 }
3312 }
3318 }
3320 }
3322 /* SSL3_ST_SW_CERT_B */
3324 }
3326 #ifndef OPENSSL_NO_TLSEXT
3327 /* send a new session ticket (not necessarily for a new session) */
3329 {
3331 EVP_CIPHER_CTX ctx;
3332 HMAC_CTX hctx;
3344 /* get session encoding length */
3346 /*
3347 * Some length values are 16 bits, so forget it if session is too
3348 * long
3349 */
3353 }
3358 }
3367 /*
3368 * create a fresh copy (not shared with other threads) to clean up
3369 */
3380 }
3385 }
3388 /*-
3389 * Grow buffer if need be: the length calculation is as
3390 * follows handshake_header_length +
3391 * 4 (ticket lifetime hint) + 2 (ticket length) +
3392 * 16 (key name) + max_iv_len (iv length) +
3393 * session_length + max_enc_block_size (max encrypted session
3394 * length) + max_md_size (HMAC).
3395 */
3402 /*
3403 * Initialize HMAC and cipher contexts. If callback present it does
3404 * all the work otherwise use generated values from parent ctx.
3405 */
3420 }
3422 /*
3423 * Ticket lifetime hint (advisory only): We leave this unspecified
3424 * for resumed session (for simplicity), and guess that tickets for
3425 * new sessions will live as long as their sessions.
3426 */
3429 /* Skip ticket length for now */
3431 /* Output key name */
3435 /* output IV */
3438 /* Encrypt session data */
3455 /* Now write out lengths: p points to end of data written */
3456 /* Total length */
3458 /* Skip ticket lifetime hint */
3464 }
3466 /* SSL3_ST_SW_SESSION_TICKET_B */
3468 err:
3475 }
3478 {
3481 /*-
3482 * Grow buffer if need be: the length calculation is as
3483 * follows 1 (message type) + 3 (message length) +
3484 * 1 (ocsp response type) + 3 (ocsp response length)
3485 * + (ocsp response)
3486 */
3490 }
3494 /* do the header */
3496 /* message length */
3498 /* status type */
3500 /* length of OCSP response */
3502 /* actual response */
3504 /* number of bytes to write */
3508 }
3510 /* SSL3_ST_SW_CERT_STATUS_B */
3512 }
3514 # ifndef OPENSSL_NO_NEXTPROTONEG
3515 /*
3516 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
3517 * It sets the next_proto member in s if found
3518 */
3520 {
3526 /*
3527 * Clients cannot send a NextProtocol message if we didn't see the
3528 * extension in their ClientHello
3529 */
3532 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3535 }
3537 /* See the payload format below */
3539 SSL3_ST_SR_NEXT_PROTO_A,
3540 SSL3_ST_SR_NEXT_PROTO_B,
3546 /*
3547 * s->state doesn't reflect whether ChangeCipherSpec has been received in
3548 * this handshake, but s->s3->change_cipher_spec does (will be reset by
3549 * ssl3_get_finished).
3550 */
3555 }
3560 }
3564 /*-
3565 * The payload looks like:
3566 * uint8 proto_len;
3567 * uint8 proto[proto_len];
3568 * uint8 padding_len;
3569 * uint8 padding[padding_len];
3570 */
3575 }
3580 }
3587 }
3592 }
3593 # endif
3595 #endif