1 /* $OpenBSD: ssl_srvr.c,v 1.28 2018/01/28 09:21:34 inoguchi Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
153 #include "ssl_locl.h"
155 #include <openssl/bn.h>
156 #include <openssl/buffer.h>
157 #include <openssl/curve25519.h>
158 #include <openssl/evp.h>
159 #include <openssl/dh.h>
160 #ifndef OPENSSL_NO_GOST
161 #include <openssl/gost.h>
163 #include <openssl/hmac.h>
164 #include <openssl/md5.h>
165 #include <openssl/objects.h>
166 #include <openssl/x509.h>
168 #include "bytestring.h"
169 #include "ssl_tlsext.h"
174 void (*cb
)(const SSL
*ssl
, int type
, int val
) = NULL
;
177 int new_state
, state
, skip
= 0;
183 if (s
->internal
->info_callback
!= NULL
)
184 cb
= s
->internal
->info_callback
;
185 else if (s
->ctx
->internal
->info_callback
!= NULL
)
186 cb
= s
->ctx
->internal
->info_callback
;
189 listen
= D1I(s
)->listen
;
191 /* init things to blank */
192 s
->internal
->in_handshake
++;
193 if (!SSL_in_init(s
) || SSL_in_before(s
))
197 D1I(s
)->listen
= listen
;
199 if (s
->cert
== NULL
) {
200 SSLerror(s
, SSL_R_NO_CERTIFICATE_SET
);
206 state
= S3I(s
)->hs
.state
;
208 switch (S3I(s
)->hs
.state
) {
209 case SSL_ST_RENEGOTIATE
:
210 s
->internal
->renegotiate
= 1;
211 /* S3I(s)->hs.state=SSL_ST_ACCEPT; */
215 case SSL_ST_BEFORE
|SSL_ST_ACCEPT
:
216 case SSL_ST_OK
|SSL_ST_ACCEPT
:
219 cb(s
, SSL_CB_HANDSHAKE_START
, 1);
221 if (SSL_IS_DTLS(s
)) {
222 if ((s
->version
& 0xff00) != (DTLS1_VERSION
& 0xff00)) {
223 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
228 if ((s
->version
>> 8) != 3) {
229 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
234 s
->internal
->type
= SSL_ST_ACCEPT
;
236 if (!ssl3_setup_init_buffer(s
)) {
240 if (!ssl3_setup_buffers(s
)) {
245 s
->internal
->init_num
= 0;
247 if (S3I(s
)->hs
.state
!= SSL_ST_RENEGOTIATE
) {
249 * Ok, we now need to push on a buffering BIO
250 * so that the output is sent in a way that
253 if (!ssl_init_wbio_buffer(s
, 1)) {
257 if (!tls1_init_finished_mac(s
)) {
262 S3I(s
)->hs
.state
= SSL3_ST_SR_CLNT_HELLO_A
;
263 s
->ctx
->internal
->stats
.sess_accept
++;
264 } else if (!SSL_IS_DTLS(s
) && !S3I(s
)->send_connection_binding
) {
266 * Server attempting to renegotiate with
267 * client that doesn't support secure
270 SSLerror(s
, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
271 ssl3_send_alert(s
, SSL3_AL_FATAL
,
272 SSL_AD_HANDSHAKE_FAILURE
);
277 * S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
278 * we will just send a HelloRequest.
280 s
->ctx
->internal
->stats
.sess_accept_renegotiate
++;
281 S3I(s
)->hs
.state
= SSL3_ST_SW_HELLO_REQ_A
;
285 case SSL3_ST_SW_HELLO_REQ_A
:
286 case SSL3_ST_SW_HELLO_REQ_B
:
287 s
->internal
->shutdown
= 0;
288 if (SSL_IS_DTLS(s
)) {
289 dtls1_clear_record_buffer(s
);
290 dtls1_start_timer(s
);
292 ret
= ssl3_send_hello_request(s
);
296 S3I(s
)->hs
.next_state
= SSL3_ST_SR_CLNT_HELLO_A
;
298 S3I(s
)->hs
.next_state
= SSL3_ST_SW_HELLO_REQ_C
;
299 S3I(s
)->hs
.state
= SSL3_ST_SW_FLUSH
;
300 s
->internal
->init_num
= 0;
302 if (!tls1_init_finished_mac(s
)) {
308 case SSL3_ST_SW_HELLO_REQ_C
:
309 S3I(s
)->hs
.state
= SSL_ST_OK
;
312 case SSL3_ST_SR_CLNT_HELLO_A
:
313 case SSL3_ST_SR_CLNT_HELLO_B
:
314 case SSL3_ST_SR_CLNT_HELLO_C
:
315 s
->internal
->shutdown
= 0;
316 if (SSL_IS_DTLS(s
)) {
317 ret
= ssl3_get_client_hello(s
);
323 (SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
))
324 S3I(s
)->hs
.state
= DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A
;
326 S3I(s
)->hs
.state
= SSL3_ST_SW_SRVR_HELLO_A
;
328 s
->internal
->init_num
= 0;
331 * Reflect ClientHello sequence to remain
332 * stateless while listening.
335 memcpy(S3I(s
)->write_sequence
,
336 S3I(s
)->read_sequence
,
337 sizeof(S3I(s
)->write_sequence
));
340 /* If we're just listening, stop here */
341 if (listen
&& S3I(s
)->hs
.state
== SSL3_ST_SW_SRVR_HELLO_A
) {
345 * Set expected sequence numbers to
346 * continue the handshake.
348 D1I(s
)->handshake_read_seq
= 2;
349 D1I(s
)->handshake_write_seq
= 1;
350 D1I(s
)->next_handshake_write_seq
= 1;
354 if (s
->internal
->rwstate
!= SSL_X509_LOOKUP
) {
355 ret
= ssl3_get_client_hello(s
);
360 s
->internal
->renegotiate
= 2;
361 S3I(s
)->hs
.state
= SSL3_ST_SW_SRVR_HELLO_A
;
362 s
->internal
->init_num
= 0;
366 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A
:
367 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B
:
368 ret
= dtls1_send_hello_verify_request(s
);
371 S3I(s
)->hs
.state
= SSL3_ST_SW_FLUSH
;
372 S3I(s
)->hs
.next_state
= SSL3_ST_SR_CLNT_HELLO_A
;
374 /* HelloVerifyRequest resets Finished MAC. */
375 if (!tls1_init_finished_mac(s
)) {
381 case SSL3_ST_SW_SRVR_HELLO_A
:
382 case SSL3_ST_SW_SRVR_HELLO_B
:
383 if (SSL_IS_DTLS(s
)) {
384 s
->internal
->renegotiate
= 2;
385 dtls1_start_timer(s
);
387 ret
= ssl3_send_server_hello(s
);
390 if (s
->internal
->hit
) {
391 if (s
->internal
->tlsext_ticket_expected
)
392 S3I(s
)->hs
.state
= SSL3_ST_SW_SESSION_TICKET_A
;
394 S3I(s
)->hs
.state
= SSL3_ST_SW_CHANGE_A
;
396 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_A
;
398 s
->internal
->init_num
= 0;
401 case SSL3_ST_SW_CERT_A
:
402 case SSL3_ST_SW_CERT_B
:
403 /* Check if it is anon DH or anon ECDH. */
404 if (!(S3I(s
)->hs
.new_cipher
->algorithm_auth
&
407 dtls1_start_timer(s
);
408 ret
= ssl3_send_server_certificate(s
);
411 if (s
->internal
->tlsext_status_expected
)
412 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_STATUS_A
;
414 S3I(s
)->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
417 S3I(s
)->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
419 s
->internal
->init_num
= 0;
422 case SSL3_ST_SW_KEY_EXCH_A
:
423 case SSL3_ST_SW_KEY_EXCH_B
:
424 alg_k
= S3I(s
)->hs
.new_cipher
->algorithm_mkey
;
427 * Only send if using a DH key exchange.
429 * For ECC ciphersuites, we send a ServerKeyExchange
430 * message only if the cipher suite is ECDHE. In other
431 * cases, the server certificate contains the server's
432 * public key for key exchange.
434 if (alg_k
& (SSL_kDHE
|SSL_kECDHE
)) {
436 dtls1_start_timer(s
);
437 ret
= ssl3_send_server_key_exchange(s
);
443 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_REQ_A
;
444 s
->internal
->init_num
= 0;
447 case SSL3_ST_SW_CERT_REQ_A
:
448 case SSL3_ST_SW_CERT_REQ_B
:
450 * Determine whether or not we need to request a
453 * Do not request a certificate if:
455 * - We did not ask for it (SSL_VERIFY_PEER is unset).
457 * - SSL_VERIFY_CLIENT_ONCE is set and we are
460 * - We are using an anonymous ciphersuites
461 * (see section "Certificate request" in SSL 3 drafts
462 * and in RFC 2246) ... except when the application
463 * insists on verification (against the specs, but
464 * s3_clnt.c accepts this for SSL 3).
466 if (!(s
->verify_mode
& SSL_VERIFY_PEER
) ||
467 ((s
->session
->peer
!= NULL
) &&
468 (s
->verify_mode
& SSL_VERIFY_CLIENT_ONCE
)) ||
469 ((S3I(s
)->hs
.new_cipher
->algorithm_auth
&
470 SSL_aNULL
) && !(s
->verify_mode
&
471 SSL_VERIFY_FAIL_IF_NO_PEER_CERT
))) {
472 /* No cert request. */
474 S3I(s
)->tmp
.cert_request
= 0;
475 S3I(s
)->hs
.state
= SSL3_ST_SW_SRVR_DONE_A
;
476 if (!SSL_IS_DTLS(s
) && S3I(s
)->handshake_buffer
) {
477 if (!tls1_digest_cached_records(s
)) {
483 S3I(s
)->tmp
.cert_request
= 1;
485 dtls1_start_timer(s
);
486 ret
= ssl3_send_certificate_request(s
);
489 S3I(s
)->hs
.state
= SSL3_ST_SW_SRVR_DONE_A
;
490 s
->internal
->init_num
= 0;
494 case SSL3_ST_SW_SRVR_DONE_A
:
495 case SSL3_ST_SW_SRVR_DONE_B
:
497 dtls1_start_timer(s
);
498 ret
= ssl3_send_server_done(s
);
501 S3I(s
)->hs
.next_state
= SSL3_ST_SR_CERT_A
;
502 S3I(s
)->hs
.state
= SSL3_ST_SW_FLUSH
;
503 s
->internal
->init_num
= 0;
506 case SSL3_ST_SW_FLUSH
:
508 * This code originally checked to see if
509 * any data was pending using BIO_CTRL_INFO
510 * and then flushed. This caused problems
511 * as documented in PR#1939. The proposed
512 * fix doesn't completely resolve this issue
513 * as buggy implementations of BIO_CTRL_PENDING
514 * still exist. So instead we just flush
517 s
->internal
->rwstate
= SSL_WRITING
;
518 if (BIO_flush(s
->wbio
) <= 0) {
519 if (SSL_IS_DTLS(s
)) {
520 /* If the write error was fatal, stop trying. */
521 if (!BIO_should_retry(s
->wbio
)) {
522 s
->internal
->rwstate
= SSL_NOTHING
;
523 S3I(s
)->hs
.state
= S3I(s
)->hs
.next_state
;
529 s
->internal
->rwstate
= SSL_NOTHING
;
530 S3I(s
)->hs
.state
= S3I(s
)->hs
.next_state
;
533 case SSL3_ST_SR_CERT_A
:
534 case SSL3_ST_SR_CERT_B
:
535 if (S3I(s
)->tmp
.cert_request
) {
536 ret
= ssl3_get_client_certificate(s
);
540 s
->internal
->init_num
= 0;
541 S3I(s
)->hs
.state
= SSL3_ST_SR_KEY_EXCH_A
;
544 case SSL3_ST_SR_KEY_EXCH_A
:
545 case SSL3_ST_SR_KEY_EXCH_B
:
546 ret
= ssl3_get_client_key_exchange(s
);
550 if (SSL_IS_DTLS(s
)) {
551 S3I(s
)->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
552 s
->internal
->init_num
= 0;
555 alg_k
= S3I(s
)->hs
.new_cipher
->algorithm_mkey
;
558 * For the ECDH ciphersuites when
559 * the client sends its ECDH pub key in
560 * a certificate, the CertificateVerify
561 * message is not sent.
562 * Also for GOST ciphersuites when
563 * the client uses its key from the certificate
566 S3I(s
)->hs
.state
= SSL3_ST_SR_FINISHED_A
;
567 s
->internal
->init_num
= 0;
568 } else if (SSL_USE_SIGALGS(s
) || (alg_k
& SSL_kGOST
)) {
569 S3I(s
)->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
570 s
->internal
->init_num
= 0;
571 if (!s
->session
->peer
)
574 * For sigalgs freeze the handshake buffer
575 * at this point and digest cached records.
577 if (!S3I(s
)->handshake_buffer
) {
578 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
582 s
->s3
->flags
|= TLS1_FLAGS_KEEP_HANDSHAKE
;
583 if (!tls1_digest_cached_records(s
)) {
588 S3I(s
)->hs
.state
= SSL3_ST_SR_CERT_VRFY_A
;
589 s
->internal
->init_num
= 0;
592 * We need to get hashes here so if there is
593 * a client cert, it can be verified.
595 if (S3I(s
)->handshake_buffer
) {
596 if (!tls1_digest_cached_records(s
)) {
601 if (!tls1_handshake_hash_value(s
,
602 S3I(s
)->tmp
.cert_verify_md
,
603 sizeof(S3I(s
)->tmp
.cert_verify_md
),
611 case SSL3_ST_SR_CERT_VRFY_A
:
612 case SSL3_ST_SR_CERT_VRFY_B
:
614 D1I(s
)->change_cipher_spec_ok
= 1;
616 s
->s3
->flags
|= SSL3_FLAGS_CCS_OK
;
618 /* we should decide if we expected this one */
619 ret
= ssl3_get_cert_verify(s
);
622 S3I(s
)->hs
.state
= SSL3_ST_SR_FINISHED_A
;
623 s
->internal
->init_num
= 0;
626 case SSL3_ST_SR_FINISHED_A
:
627 case SSL3_ST_SR_FINISHED_B
:
629 D1I(s
)->change_cipher_spec_ok
= 1;
631 s
->s3
->flags
|= SSL3_FLAGS_CCS_OK
;
632 ret
= ssl3_get_finished(s
, SSL3_ST_SR_FINISHED_A
,
633 SSL3_ST_SR_FINISHED_B
);
638 if (s
->internal
->hit
)
639 S3I(s
)->hs
.state
= SSL_ST_OK
;
640 else if (s
->internal
->tlsext_ticket_expected
)
641 S3I(s
)->hs
.state
= SSL3_ST_SW_SESSION_TICKET_A
;
643 S3I(s
)->hs
.state
= SSL3_ST_SW_CHANGE_A
;
644 s
->internal
->init_num
= 0;
647 case SSL3_ST_SW_SESSION_TICKET_A
:
648 case SSL3_ST_SW_SESSION_TICKET_B
:
649 ret
= ssl3_send_newsession_ticket(s
);
652 S3I(s
)->hs
.state
= SSL3_ST_SW_CHANGE_A
;
653 s
->internal
->init_num
= 0;
656 case SSL3_ST_SW_CERT_STATUS_A
:
657 case SSL3_ST_SW_CERT_STATUS_B
:
658 ret
= ssl3_send_cert_status(s
);
661 S3I(s
)->hs
.state
= SSL3_ST_SW_KEY_EXCH_A
;
662 s
->internal
->init_num
= 0;
665 case SSL3_ST_SW_CHANGE_A
:
666 case SSL3_ST_SW_CHANGE_B
:
667 s
->session
->cipher
= S3I(s
)->hs
.new_cipher
;
668 if (!tls1_setup_key_block(s
)) {
673 ret
= ssl3_send_change_cipher_spec(s
,
674 SSL3_ST_SW_CHANGE_A
, SSL3_ST_SW_CHANGE_B
);
677 S3I(s
)->hs
.state
= SSL3_ST_SW_FINISHED_A
;
678 s
->internal
->init_num
= 0;
680 if (!tls1_change_cipher_state(s
,
681 SSL3_CHANGE_CIPHER_SERVER_WRITE
)) {
687 dtls1_reset_seq_numbers(s
, SSL3_CC_WRITE
);
690 case SSL3_ST_SW_FINISHED_A
:
691 case SSL3_ST_SW_FINISHED_B
:
692 ret
= ssl3_send_finished(s
,
693 SSL3_ST_SW_FINISHED_A
, SSL3_ST_SW_FINISHED_B
,
694 TLS_MD_SERVER_FINISH_CONST
,
695 TLS_MD_SERVER_FINISH_CONST_SIZE
);
698 S3I(s
)->hs
.state
= SSL3_ST_SW_FLUSH
;
699 if (s
->internal
->hit
)
700 S3I(s
)->hs
.next_state
= SSL3_ST_SR_FINISHED_A
;
702 S3I(s
)->hs
.next_state
= SSL_ST_OK
;
703 s
->internal
->init_num
= 0;
707 /* clean a few things up */
708 tls1_cleanup_key_block(s
);
710 if (!SSL_IS_DTLS(s
)) {
711 BUF_MEM_free(s
->internal
->init_buf
);
712 s
->internal
->init_buf
= NULL
;
715 /* remove buffering on output */
716 ssl_free_wbio_buffer(s
);
718 s
->internal
->init_num
= 0;
720 /* Skipped if we just sent a HelloRequest. */
721 if (s
->internal
->renegotiate
== 2) {
722 s
->internal
->renegotiate
= 0;
723 s
->internal
->new_session
= 0;
725 ssl_update_cache(s
, SSL_SESS_CACHE_SERVER
);
727 s
->ctx
->internal
->stats
.sess_accept_good
++;
729 s
->internal
->handshake_func
= ssl3_accept
;
732 cb(s
, SSL_CB_HANDSHAKE_DONE
, 1);
737 if (SSL_IS_DTLS(s
)) {
738 /* Done handshaking, next message is client hello. */
739 D1I(s
)->handshake_read_seq
= 0;
740 /* Next message is server hello. */
741 D1I(s
)->handshake_write_seq
= 0;
742 D1I(s
)->next_handshake_write_seq
= 0;
748 SSLerror(s
, SSL_R_UNKNOWN_STATE
);
754 if (!S3I(s
)->tmp
.reuse_message
&& !skip
) {
755 if (s
->internal
->debug
) {
756 if ((ret
= BIO_flush(s
->wbio
)) <= 0)
761 if ((cb
!= NULL
) && (S3I(s
)->hs
.state
!= state
)) {
762 new_state
= S3I(s
)->hs
.state
;
763 S3I(s
)->hs
.state
= state
;
764 cb(s
, SSL_CB_ACCEPT_LOOP
, 1);
765 S3I(s
)->hs
.state
= new_state
;
771 /* BIO_flush(s->wbio); */
772 s
->internal
->in_handshake
--;
774 cb(s
, SSL_CB_ACCEPT_EXIT
, ret
);
780 ssl3_send_hello_request(SSL
*s
)
784 memset(&cbb
, 0, sizeof(cbb
));
786 if (S3I(s
)->hs
.state
== SSL3_ST_SW_HELLO_REQ_A
) {
787 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &hello
,
788 SSL3_MT_HELLO_REQUEST
))
790 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
793 S3I(s
)->hs
.state
= SSL3_ST_SW_HELLO_REQ_B
;
796 /* SSL3_ST_SW_HELLO_REQ_B */
797 return (ssl3_handshake_write(s
));
806 ssl3_get_client_hello(SSL
*s
)
808 CBS cbs
, client_random
, session_id
, cookie
, cipher_suites
;
809 CBS compression_methods
;
810 uint16_t client_version
;
813 int i
, j
, ok
, al
, ret
= -1, cookie_valid
= 0;
817 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
819 const SSL_METHOD
*method
;
820 uint16_t shared_version
;
824 * We do this so that we will respond with our native type.
825 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
826 * This down switching should be handled by a different method.
827 * If we are SSLv3, we will respond with SSLv3, even if prompted with
830 if (S3I(s
)->hs
.state
== SSL3_ST_SR_CLNT_HELLO_A
) {
831 S3I(s
)->hs
.state
= SSL3_ST_SR_CLNT_HELLO_B
;
834 s
->internal
->first_packet
= 1;
835 n
= s
->method
->internal
->ssl_get_message(s
, SSL3_ST_SR_CLNT_HELLO_B
,
836 SSL3_ST_SR_CLNT_HELLO_C
, SSL3_MT_CLIENT_HELLO
,
837 SSL3_RT_MAX_PLAIN_LENGTH
, &ok
);
840 s
->internal
->first_packet
= 0;
845 end
= (unsigned char *)s
->internal
->init_msg
+ n
;
847 CBS_init(&cbs
, s
->internal
->init_msg
, n
);
850 * Use version from inside client hello, not from record header.
851 * (may differ: see RFC 2246, Appendix E, second paragraph)
853 if (!CBS_get_u16(&cbs
, &client_version
))
856 if (ssl_max_shared_version(s
, client_version
, &shared_version
) != 1) {
857 SSLerror(s
, SSL_R_WRONG_VERSION_NUMBER
);
858 if ((s
->client_version
>> 8) == SSL3_VERSION_MAJOR
&&
859 !s
->internal
->enc_write_ctx
&& !s
->internal
->write_hash
) {
861 * Similar to ssl3_get_record, send alert using remote
864 s
->version
= s
->client_version
;
866 al
= SSL_AD_PROTOCOL_VERSION
;
869 s
->client_version
= client_version
;
870 s
->version
= shared_version
;
872 if ((method
= tls1_get_server_method(shared_version
)) == NULL
)
873 method
= dtls1_get_server_method(shared_version
);
874 if (method
== NULL
) {
875 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
880 if (!CBS_get_bytes(&cbs
, &client_random
, SSL3_RANDOM_SIZE
))
882 if (!CBS_get_u8_length_prefixed(&cbs
, &session_id
))
886 * If we require cookies (DTLS) and this ClientHello doesn't
887 * contain one, just return since we do not want to
888 * allocate any memory yet. So check cookie length...
890 if (SSL_IS_DTLS(s
)) {
891 if (!CBS_get_u8_length_prefixed(&cbs
, &cookie
))
893 if (SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
) {
894 if (CBS_len(&cookie
) == 0)
899 if (!CBS_write_bytes(&client_random
, s
->s3
->client_random
,
900 sizeof(s
->s3
->client_random
), NULL
))
903 s
->internal
->hit
= 0;
906 * Versions before 0.9.7 always allow clients to resume sessions in
907 * renegotiation. 0.9.7 and later allow this by default, but optionally
908 * ignore resumption requests with flag
909 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
910 * rather than a change to default behavior so that applications
911 * relying on this for security won't even compile against older
914 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
915 * to request renegotiation but not a new session (s->internal->new_session
916 * remains unset): for servers, this essentially just means that the
917 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
920 if ((s
->internal
->new_session
&& (s
->internal
->options
&
921 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
))) {
922 if (!ssl_get_new_session(s
, 1))
925 /* XXX - pass CBS through instead... */
926 i
= ssl_get_prev_session(s
,
927 (unsigned char *)CBS_data(&session_id
),
928 CBS_len(&session_id
), end
);
929 if (i
== 1) { /* previous session */
930 s
->internal
->hit
= 1;
935 if (!ssl_get_new_session(s
, 1))
940 if (SSL_IS_DTLS(s
)) {
942 * The ClientHello may contain a cookie even if the HelloVerify
943 * message has not been sent - make sure that it does not cause
946 if (CBS_len(&cookie
) > sizeof(D1I(s
)->rcvd_cookie
)) {
947 al
= SSL_AD_DECODE_ERROR
;
948 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
952 /* Verify the cookie if appropriate option is set. */
953 if ((SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
) &&
954 CBS_len(&cookie
) > 0) {
957 /* XXX - rcvd_cookie seems to only be used here... */
958 if (!CBS_write_bytes(&cookie
, D1I(s
)->rcvd_cookie
,
959 sizeof(D1I(s
)->rcvd_cookie
), &cookie_len
))
962 if (s
->ctx
->internal
->app_verify_cookie_cb
!= NULL
) {
963 if (s
->ctx
->internal
->app_verify_cookie_cb(s
,
964 D1I(s
)->rcvd_cookie
, cookie_len
) == 0) {
965 al
= SSL_AD_HANDSHAKE_FAILURE
;
966 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
969 /* else cookie verification succeeded */
970 /* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */
971 } else if (timingsafe_memcmp(D1I(s
)->rcvd_cookie
,
972 D1I(s
)->cookie
, D1I(s
)->cookie_len
) != 0) {
973 /* default verification */
974 al
= SSL_AD_HANDSHAKE_FAILURE
;
975 SSLerror(s
, SSL_R_COOKIE_MISMATCH
);
982 if (!CBS_get_u16_length_prefixed(&cbs
, &cipher_suites
))
985 /* XXX - This logic seems wrong... */
986 if (CBS_len(&cipher_suites
) == 0 && CBS_len(&session_id
) != 0) {
987 /* we need a cipher if we are not resuming a session */
988 al
= SSL_AD_ILLEGAL_PARAMETER
;
989 SSLerror(s
, SSL_R_NO_CIPHERS_SPECIFIED
);
993 if (CBS_len(&cipher_suites
) > 0) {
994 if ((ciphers
= ssl_bytes_to_cipher_list(s
,
995 &cipher_suites
)) == NULL
)
999 /* If it is a hit, check that the cipher is in the list */
1000 /* XXX - CBS_len(&cipher_suites) will always be zero here... */
1001 if (s
->internal
->hit
&& CBS_len(&cipher_suites
) > 0) {
1003 id
= s
->session
->cipher
->id
;
1005 for (i
= 0; i
< sk_SSL_CIPHER_num(ciphers
); i
++) {
1006 c
= sk_SSL_CIPHER_value(ciphers
, i
);
1014 * We need to have the cipher in the cipher
1015 * list if we are asked to reuse it
1017 al
= SSL_AD_ILLEGAL_PARAMETER
;
1018 SSLerror(s
, SSL_R_REQUIRED_CIPHER_MISSING
);
1023 if (!CBS_get_u8_length_prefixed(&cbs
, &compression_methods
))
1027 while (CBS_len(&compression_methods
) > 0) {
1028 if (!CBS_get_u8(&compression_methods
, &comp_method
))
1030 if (comp_method
== 0)
1033 if (comp_null
== 0) {
1034 al
= SSL_AD_DECODE_ERROR
;
1035 SSLerror(s
, SSL_R_NO_COMPRESSION_SPECIFIED
);
1039 if (!tlsext_clienthello_parse(s
, &cbs
, &al
)) {
1040 SSLerror(s
, SSL_R_PARSE_TLSEXT
);
1044 if (!S3I(s
)->renegotiate_seen
&& s
->internal
->renegotiate
) {
1045 al
= SSL_AD_HANDSHAKE_FAILURE
;
1046 SSLerror(s
, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
1050 if (ssl_check_clienthello_tlsext_early(s
) <= 0) {
1051 SSLerror(s
, SSL_R_CLIENTHELLO_TLSEXT
);
1056 * Check if we want to use external pre-shared secret for this
1057 * handshake for not reused session only. We need to generate
1058 * server_random before calling tls_session_secret_cb in order to allow
1059 * SessionTicket processing to use it in key derivation.
1061 arc4random_buf(s
->s3
->server_random
, SSL3_RANDOM_SIZE
);
1063 if (!s
->internal
->hit
&& s
->internal
->tls_session_secret_cb
) {
1064 SSL_CIPHER
*pref_cipher
= NULL
;
1066 s
->session
->master_key_length
= sizeof(s
->session
->master_key
);
1067 if (s
->internal
->tls_session_secret_cb(s
, s
->session
->master_key
,
1068 &s
->session
->master_key_length
, ciphers
, &pref_cipher
,
1069 s
->internal
->tls_session_secret_cb_arg
)) {
1070 s
->internal
->hit
= 1;
1071 s
->session
->ciphers
= ciphers
;
1072 s
->session
->verify_result
= X509_V_OK
;
1076 /* check if some cipher was preferred by call back */
1077 pref_cipher
= pref_cipher
? pref_cipher
:
1078 ssl3_choose_cipher(s
, s
->session
->ciphers
,
1079 SSL_get_ciphers(s
));
1080 if (pref_cipher
== NULL
) {
1081 al
= SSL_AD_HANDSHAKE_FAILURE
;
1082 SSLerror(s
, SSL_R_NO_SHARED_CIPHER
);
1086 s
->session
->cipher
= pref_cipher
;
1088 sk_SSL_CIPHER_free(s
->cipher_list
);
1089 sk_SSL_CIPHER_free(s
->internal
->cipher_list_by_id
);
1091 s
->cipher_list
= sk_SSL_CIPHER_dup(s
->session
->ciphers
);
1092 s
->internal
->cipher_list_by_id
=
1093 sk_SSL_CIPHER_dup(s
->session
->ciphers
);
1098 * Given s->session->ciphers and SSL_get_ciphers, we must
1102 if (!s
->internal
->hit
) {
1103 sk_SSL_CIPHER_free(s
->session
->ciphers
);
1104 s
->session
->ciphers
= ciphers
;
1105 if (ciphers
== NULL
) {
1106 al
= SSL_AD_ILLEGAL_PARAMETER
;
1107 SSLerror(s
, SSL_R_NO_CIPHERS_PASSED
);
1111 c
= ssl3_choose_cipher(s
, s
->session
->ciphers
,
1112 SSL_get_ciphers(s
));
1115 al
= SSL_AD_HANDSHAKE_FAILURE
;
1116 SSLerror(s
, SSL_R_NO_SHARED_CIPHER
);
1119 S3I(s
)->hs
.new_cipher
= c
;
1121 S3I(s
)->hs
.new_cipher
= s
->session
->cipher
;
1124 if (!tls1_handshake_hash_init(s
))
1127 alg_k
= S3I(s
)->hs
.new_cipher
->algorithm_mkey
;
1128 if (!(SSL_USE_SIGALGS(s
) || (alg_k
& SSL_kGOST
)) ||
1129 !(s
->verify_mode
& SSL_VERIFY_PEER
)) {
1130 if (!tls1_digest_cached_records(s
)) {
1131 al
= SSL_AD_INTERNAL_ERROR
;
1137 * We now have the following setup.
1139 * cipher_list - our prefered list of ciphers
1140 * ciphers - the clients prefered list of ciphers
1141 * compression - basically ignored right now
1142 * ssl version is set - sslv3
1143 * s->session - The ssl session has been setup.
1144 * s->internal->hit - session reuse flag
1145 * s->hs.new_cipher - the new cipher to use.
1148 /* Handles TLS extensions that we couldn't check earlier */
1149 if (ssl_check_clienthello_tlsext_late(s
) <= 0) {
1150 SSLerror(s
, SSL_R_CLIENTHELLO_TLSEXT
);
1154 ret
= cookie_valid
? 2 : 1;
1158 al
= SSL_AD_DECODE_ERROR
;
1159 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1161 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1164 sk_SSL_CIPHER_free(ciphers
);
1170 ssl3_send_server_hello(SSL
*s
)
1172 CBB cbb
, server_hello
, session_id
;
1175 memset(&cbb
, 0, sizeof(cbb
));
1177 if (S3I(s
)->hs
.state
== SSL3_ST_SW_SRVR_HELLO_A
) {
1178 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &server_hello
,
1179 SSL3_MT_SERVER_HELLO
))
1182 if (!CBB_add_u16(&server_hello
, s
->version
))
1184 if (!CBB_add_bytes(&server_hello
, s
->s3
->server_random
,
1185 sizeof(s
->s3
->server_random
)))
1189 * There are several cases for the session ID to send
1190 * back in the server hello:
1192 * - For session reuse from the session cache,
1193 * we send back the old session ID.
1194 * - If stateless session reuse (using a session ticket)
1195 * is successful, we send back the client's "session ID"
1196 * (which doesn't actually identify the session).
1197 * - If it is a new session, we send back the new
1199 * - However, if we want the new session to be single-use,
1200 * we send back a 0-length session ID.
1202 * s->internal->hit is non-zero in either case of session reuse,
1203 * so the following won't overwrite an ID that we're supposed
1206 if (!(s
->ctx
->internal
->session_cache_mode
& SSL_SESS_CACHE_SERVER
)
1207 && !s
->internal
->hit
)
1208 s
->session
->session_id_length
= 0;
1210 sl
= s
->session
->session_id_length
;
1211 if (sl
> sizeof(s
->session
->session_id
)) {
1212 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1215 if (!CBB_add_u8_length_prefixed(&server_hello
, &session_id
))
1217 if (!CBB_add_bytes(&session_id
, s
->session
->session_id
, sl
))
1221 if (!CBB_add_u16(&server_hello
,
1222 ssl3_cipher_get_value(S3I(s
)->hs
.new_cipher
)))
1225 /* Compression method (null). */
1226 if (!CBB_add_u8(&server_hello
, 0))
1229 /* TLS extensions */
1230 if (!tlsext_serverhello_build(s
, &server_hello
)) {
1231 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1235 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
1239 /* SSL3_ST_SW_SRVR_HELLO_B */
1240 return (ssl3_handshake_write(s
));
1249 ssl3_send_server_done(SSL
*s
)
1253 memset(&cbb
, 0, sizeof(cbb
));
1255 if (S3I(s
)->hs
.state
== SSL3_ST_SW_SRVR_DONE_A
) {
1256 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &done
,
1257 SSL3_MT_SERVER_DONE
))
1259 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
1262 S3I(s
)->hs
.state
= SSL3_ST_SW_SRVR_DONE_B
;
1265 /* SSL3_ST_SW_SRVR_DONE_B */
1266 return (ssl3_handshake_write(s
));
1275 ssl3_send_server_kex_dhe(SSL
*s
, CBB
*cbb
)
1277 CBB dh_p
, dh_g
, dh_Ys
;
1278 DH
*dh
= NULL
, *dhp
;
1279 unsigned char *data
;
1282 if (s
->cert
->dh_tmp_auto
!= 0) {
1283 if ((dhp
= ssl_get_auto_dh(s
)) == NULL
) {
1284 al
= SSL_AD_INTERNAL_ERROR
;
1285 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1289 dhp
= s
->cert
->dh_tmp
;
1291 if (dhp
== NULL
&& s
->cert
->dh_tmp_cb
!= NULL
)
1292 dhp
= s
->cert
->dh_tmp_cb(s
, 0,
1293 SSL_C_PKEYLENGTH(S3I(s
)->hs
.new_cipher
));
1296 al
= SSL_AD_HANDSHAKE_FAILURE
;
1297 SSLerror(s
, SSL_R_MISSING_TMP_DH_KEY
);
1301 if (S3I(s
)->tmp
.dh
!= NULL
) {
1302 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1306 if (s
->cert
->dh_tmp_auto
!= 0) {
1308 } else if ((dh
= DHparams_dup(dhp
)) == NULL
) {
1309 SSLerror(s
, ERR_R_DH_LIB
);
1312 S3I(s
)->tmp
.dh
= dh
;
1313 if (!DH_generate_key(dh
)) {
1314 SSLerror(s
, ERR_R_DH_LIB
);
1319 * Serialize the DH parameters and public key.
1321 if (!CBB_add_u16_length_prefixed(cbb
, &dh_p
))
1323 if (!CBB_add_space(&dh_p
, &data
, BN_num_bytes(dh
->p
)))
1325 BN_bn2bin(dh
->p
, data
);
1327 if (!CBB_add_u16_length_prefixed(cbb
, &dh_g
))
1329 if (!CBB_add_space(&dh_g
, &data
, BN_num_bytes(dh
->g
)))
1331 BN_bn2bin(dh
->g
, data
);
1333 if (!CBB_add_u16_length_prefixed(cbb
, &dh_Ys
))
1335 if (!CBB_add_space(&dh_Ys
, &data
, BN_num_bytes(dh
->pub_key
)))
1337 BN_bn2bin(dh
->pub_key
, data
);
1339 if (!CBB_flush(cbb
))
1345 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1351 ssl3_send_server_kex_ecdhe_ecp(SSL
*s
, int nid
, CBB
*cbb
)
1353 const EC_GROUP
*group
;
1354 const EC_POINT
*pubkey
;
1355 unsigned char *data
;
1356 int encoded_len
= 0;
1358 BN_CTX
*bn_ctx
= NULL
;
1364 * Only named curves are supported in ECDH ephemeral key exchanges.
1365 * For supported named curves, curve_id is non-zero.
1367 if ((curve_id
= tls1_ec_nid2curve_id(nid
)) == 0) {
1368 SSLerror(s
, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE
);
1372 if (S3I(s
)->tmp
.ecdh
!= NULL
) {
1373 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1377 if ((S3I(s
)->tmp
.ecdh
= EC_KEY_new_by_curve_name(nid
)) == NULL
) {
1378 al
= SSL_AD_HANDSHAKE_FAILURE
;
1379 SSLerror(s
, SSL_R_MISSING_TMP_ECDH_KEY
);
1382 ecdh
= S3I(s
)->tmp
.ecdh
;
1384 if (!EC_KEY_generate_key(ecdh
)) {
1385 SSLerror(s
, ERR_R_ECDH_LIB
);
1388 if ((group
= EC_KEY_get0_group(ecdh
)) == NULL
||
1389 (pubkey
= EC_KEY_get0_public_key(ecdh
)) == NULL
||
1390 EC_KEY_get0_private_key(ecdh
) == NULL
) {
1391 SSLerror(s
, ERR_R_ECDH_LIB
);
1396 * Encode the public key.
1398 encoded_len
= EC_POINT_point2oct(group
, pubkey
,
1399 POINT_CONVERSION_UNCOMPRESSED
, NULL
, 0, NULL
);
1400 if (encoded_len
== 0) {
1401 SSLerror(s
, ERR_R_ECDH_LIB
);
1404 if ((bn_ctx
= BN_CTX_new()) == NULL
) {
1405 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
1410 * Only named curves are supported in ECDH ephemeral key exchanges.
1411 * In this case the ServerKeyExchange message has:
1412 * [1 byte CurveType], [2 byte CurveName]
1413 * [1 byte length of encoded point], followed by
1414 * the actual encoded point itself.
1416 if (!CBB_add_u8(cbb
, NAMED_CURVE_TYPE
))
1418 if (!CBB_add_u16(cbb
, curve_id
))
1420 if (!CBB_add_u8_length_prefixed(cbb
, &ecpoint
))
1422 if (!CBB_add_space(&ecpoint
, &data
, encoded_len
))
1424 if (EC_POINT_point2oct(group
, pubkey
, POINT_CONVERSION_UNCOMPRESSED
,
1425 data
, encoded_len
, bn_ctx
) == 0) {
1426 SSLerror(s
, ERR_R_ECDH_LIB
);
1429 if (!CBB_flush(cbb
))
1432 BN_CTX_free(bn_ctx
);
1437 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1439 BN_CTX_free(bn_ctx
);
1445 ssl3_send_server_kex_ecdhe_ecx(SSL
*s
, int nid
, CBB
*cbb
)
1447 uint8_t *public_key
= NULL
;
1452 /* Generate an X25519 key pair. */
1453 if (S3I(s
)->tmp
.x25519
!= NULL
) {
1454 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1457 if ((S3I(s
)->tmp
.x25519
= malloc(X25519_KEY_LENGTH
)) == NULL
)
1459 if ((public_key
= malloc(X25519_KEY_LENGTH
)) == NULL
)
1461 X25519_keypair(public_key
, S3I(s
)->tmp
.x25519
);
1463 /* Serialize public key. */
1464 if ((curve_id
= tls1_ec_nid2curve_id(nid
)) == 0) {
1465 SSLerror(s
, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE
);
1469 if (!CBB_add_u8(cbb
, NAMED_CURVE_TYPE
))
1471 if (!CBB_add_u16(cbb
, curve_id
))
1473 if (!CBB_add_u8_length_prefixed(cbb
, &ecpoint
))
1475 if (!CBB_add_bytes(&ecpoint
, public_key
, X25519_KEY_LENGTH
))
1477 if (!CBB_flush(cbb
))
1489 ssl3_send_server_kex_ecdhe(SSL
*s
, CBB
*cbb
)
1493 nid
= tls1_get_shared_curve(s
);
1495 if (nid
== NID_X25519
)
1496 return ssl3_send_server_kex_ecdhe_ecx(s
, nid
, cbb
);
1498 return ssl3_send_server_kex_ecdhe_ecp(s
, nid
, cbb
);
1502 ssl3_send_server_key_exchange(SSL
*s
)
1505 unsigned char *params
= NULL
;
1508 unsigned char md_buf
[MD5_DIGEST_LENGTH
+ SHA_DIGEST_LENGTH
];
1511 const EVP_MD
*md
= NULL
;
1512 unsigned char *p
, *d
;
1513 int al
, i
, j
, n
, kn
;
1518 memset(&cbb
, 0, sizeof(cbb
));
1520 EVP_MD_CTX_init(&md_ctx
);
1521 if (S3I(s
)->hs
.state
== SSL3_ST_SW_KEY_EXCH_A
) {
1522 type
= S3I(s
)->hs
.new_cipher
->algorithm_mkey
;
1524 buf
= s
->internal
->init_buf
;
1526 if (!CBB_init(&cbb
, 0))
1529 if (type
& SSL_kDHE
) {
1530 if (ssl3_send_server_kex_dhe(s
, &cbb
) != 1)
1532 } else if (type
& SSL_kECDHE
) {
1533 if (ssl3_send_server_kex_ecdhe(s
, &cbb
) != 1)
1536 al
= SSL_AD_HANDSHAKE_FAILURE
;
1537 SSLerror(s
, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE
);
1541 if (!CBB_finish(&cbb
, ¶ms
, ¶ms_len
))
1544 if (!(S3I(s
)->hs
.new_cipher
->algorithm_auth
& SSL_aNULL
)) {
1545 if ((pkey
= ssl_get_sign_pkey(
1546 s
, S3I(s
)->hs
.new_cipher
, &md
)) == NULL
) {
1547 al
= SSL_AD_DECODE_ERROR
;
1550 kn
= EVP_PKEY_size(pkey
);
1556 if (!BUF_MEM_grow_clean(buf
, ssl3_handshake_msg_hdr_len(s
) +
1558 SSLerror(s
, ERR_LIB_BUF
);
1562 d
= p
= ssl3_handshake_msg_start(s
,
1563 SSL3_MT_SERVER_KEY_EXCHANGE
);
1565 memcpy(p
, params
, params_len
);
1576 * n is the length of the params, they start at &(d[4])
1577 * and p points to the space at the end.
1579 if (pkey
->type
== EVP_PKEY_RSA
&& !SSL_USE_SIGALGS(s
)) {
1582 if (!EVP_DigestInit_ex(&md_ctx
, EVP_md5_sha1(),
1585 EVP_DigestUpdate(&md_ctx
, s
->s3
->client_random
,
1587 EVP_DigestUpdate(&md_ctx
, s
->s3
->server_random
,
1589 EVP_DigestUpdate(&md_ctx
, d
, n
);
1590 EVP_DigestFinal_ex(&md_ctx
, q
,
1591 (unsigned int *)&i
);
1594 if (RSA_sign(NID_md5_sha1
, md_buf
, j
,
1595 &(p
[2]), &u
, pkey
->pkey
.rsa
) <= 0) {
1596 SSLerror(s
, ERR_R_RSA_LIB
);
1602 /* Send signature algorithm. */
1603 if (SSL_USE_SIGALGS(s
)) {
1604 if (!tls12_get_sigandhash(p
, pkey
, md
)) {
1605 /* Should never happen */
1606 al
= SSL_AD_INTERNAL_ERROR
;
1607 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
1612 EVP_SignInit_ex(&md_ctx
, md
, NULL
);
1613 EVP_SignUpdate(&md_ctx
,
1614 s
->s3
->client_random
,
1616 EVP_SignUpdate(&md_ctx
,
1617 s
->s3
->server_random
,
1619 EVP_SignUpdate(&md_ctx
, d
, n
);
1620 if (!EVP_SignFinal(&md_ctx
, &p
[2],
1621 (unsigned int *)&i
, pkey
)) {
1622 SSLerror(s
, ERR_R_EVP_LIB
);
1627 if (SSL_USE_SIGALGS(s
))
1630 /* Is this error check actually needed? */
1631 al
= SSL_AD_HANDSHAKE_FAILURE
;
1632 SSLerror(s
, SSL_R_UNKNOWN_PKEY_TYPE
);
1637 ssl3_handshake_msg_finish(s
, n
);
1640 S3I(s
)->hs
.state
= SSL3_ST_SW_KEY_EXCH_B
;
1642 EVP_MD_CTX_cleanup(&md_ctx
);
1644 return (ssl3_handshake_write(s
));
1647 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1650 EVP_MD_CTX_cleanup(&md_ctx
);
1657 ssl3_send_certificate_request(SSL
*s
)
1659 CBB cbb
, cert_request
, cert_types
, sigalgs
, cert_auth
, dn
;
1660 STACK_OF(X509_NAME
) *sk
= NULL
;
1665 * Certificate Request - RFC 5246 section 7.4.4.
1668 memset(&cbb
, 0, sizeof(cbb
));
1670 if (S3I(s
)->hs
.state
== SSL3_ST_SW_CERT_REQ_A
) {
1671 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &cert_request
,
1672 SSL3_MT_CERTIFICATE_REQUEST
))
1675 if (!CBB_add_u8_length_prefixed(&cert_request
, &cert_types
))
1677 if (!ssl3_get_req_cert_types(s
, &cert_types
))
1680 if (SSL_USE_SIGALGS(s
)) {
1681 unsigned char *sigalgs_data
;
1684 tls12_get_req_sig_algs(s
, &sigalgs_data
, &sigalgs_len
);
1686 if (!CBB_add_u16_length_prefixed(&cert_request
, &sigalgs
))
1688 if (!CBB_add_bytes(&sigalgs
, sigalgs_data
, sigalgs_len
))
1692 if (!CBB_add_u16_length_prefixed(&cert_request
, &cert_auth
))
1695 sk
= SSL_get_client_CA_list(s
);
1696 for (i
= 0; i
< sk_X509_NAME_num(sk
); i
++) {
1697 unsigned char *name_data
;
1700 name
= sk_X509_NAME_value(sk
, i
);
1701 name_len
= i2d_X509_NAME(name
, NULL
);
1703 if (!CBB_add_u16_length_prefixed(&cert_auth
, &dn
))
1705 if (!CBB_add_space(&dn
, &name_data
, name_len
))
1707 if (i2d_X509_NAME(name
, &name_data
) != name_len
)
1711 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
1714 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_REQ_B
;
1717 /* SSL3_ST_SW_CERT_REQ_B */
1718 return (ssl3_handshake_write(s
));
1727 ssl3_get_client_kex_rsa(SSL
*s
, unsigned char *p
, long n
)
1729 unsigned char fakekey
[SSL_MAX_MASTER_KEY_LENGTH
];
1732 EVP_PKEY
*pkey
= NULL
;
1737 arc4random_buf(fakekey
, sizeof(fakekey
));
1738 fakekey
[0] = s
->client_version
>> 8;
1739 fakekey
[1] = s
->client_version
& 0xff;
1741 pkey
= s
->cert
->pkeys
[SSL_PKEY_RSA_ENC
].privatekey
;
1742 if ((pkey
== NULL
) || (pkey
->type
!= EVP_PKEY_RSA
) ||
1743 (pkey
->pkey
.rsa
== NULL
)) {
1744 al
= SSL_AD_HANDSHAKE_FAILURE
;
1745 SSLerror(s
, SSL_R_MISSING_RSA_CERTIFICATE
);
1748 rsa
= pkey
->pkey
.rsa
;
1754 SSLerror(s
, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
);
1759 i
= RSA_private_decrypt((int)n
, p
, p
, rsa
, RSA_PKCS1_PADDING
);
1765 if (i
!= SSL_MAX_MASTER_KEY_LENGTH
) {
1766 al
= SSL_AD_DECODE_ERROR
;
1767 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
1770 if (p
- d
+ 2 > n
) /* needed in the SSL3 case */
1772 if ((al
== -1) && !((p
[0] == (s
->client_version
>> 8)) &&
1773 (p
[1] == (s
->client_version
& 0xff)))) {
1775 * The premaster secret must contain the same version
1776 * number as the ClientHello to detect version rollback
1777 * attacks (strangely, the protocol does not offer such
1778 * protection for DH ciphersuites).
1779 * However, buggy clients exist that send the negotiated
1780 * protocol version instead if the server does not
1781 * support the requested protocol version.
1782 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
1785 if (!((s
->internal
->options
& SSL_OP_TLS_ROLLBACK_BUG
) &&
1786 (p
[0] == (s
->version
>> 8)) &&
1787 (p
[1] == (s
->version
& 0xff)))) {
1788 al
= SSL_AD_DECODE_ERROR
;
1789 /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1792 * The Klima-Pokorny-Rosa extension of
1793 * Bleichenbacher's attack
1794 * (http://eprint.iacr.org/2003/052/) exploits
1795 * the version number check as a "bad version
1796 * oracle" -- an alert would reveal that the
1797 * plaintext corresponding to some ciphertext
1798 * made up by the adversary is properly
1799 * formatted except that the version number is
1801 * To avoid such attacks, we should treat this
1802 * just like any other decryption error.
1809 * Some decryption failure -- use random value instead
1810 * as countermeasure against Bleichenbacher's attack
1811 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1814 i
= SSL_MAX_MASTER_KEY_LENGTH
;
1818 s
->session
->master_key_length
=
1819 tls1_generate_master_secret(s
,
1820 s
->session
->master_key
, p
, i
);
1822 explicit_bzero(p
, i
);
1826 al
= SSL_AD_DECODE_ERROR
;
1827 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1829 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1835 ssl3_get_client_kex_dhe(SSL
*s
, unsigned char *p
, long n
)
1845 CBS_init(&cbs
, p
, n
);
1847 if (!CBS_get_u16_length_prefixed(&cbs
, &dh_Yc
))
1850 if (CBS_len(&cbs
) != 0)
1853 if (S3I(s
)->tmp
.dh
== NULL
) {
1854 al
= SSL_AD_HANDSHAKE_FAILURE
;
1855 SSLerror(s
, SSL_R_MISSING_TMP_DH_KEY
);
1858 dh
= S3I(s
)->tmp
.dh
;
1860 if ((bn
= BN_bin2bn(CBS_data(&dh_Yc
), CBS_len(&dh_Yc
), NULL
)) == NULL
) {
1861 SSLerror(s
, SSL_R_BN_LIB
);
1865 key_size
= DH_compute_key(p
, bn
, dh
);
1866 if (key_size
<= 0) {
1867 SSLerror(s
, ERR_R_DH_LIB
);
1872 s
->session
->master_key_length
=
1873 tls1_generate_master_secret(
1874 s
, s
->session
->master_key
, p
, key_size
);
1876 explicit_bzero(p
, key_size
);
1878 DH_free(S3I(s
)->tmp
.dh
);
1879 S3I(s
)->tmp
.dh
= NULL
;
1886 al
= SSL_AD_DECODE_ERROR
;
1887 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
1889 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1895 ssl3_get_client_kex_ecdhe_ecp(SSL
*s
, unsigned char *p
, long n
)
1897 EC_KEY
*srvr_ecdh
= NULL
;
1898 EVP_PKEY
*clnt_pub_pkey
= NULL
;
1899 EC_POINT
*clnt_ecpoint
= NULL
;
1900 BN_CTX
*bn_ctx
= NULL
;
1906 const EC_GROUP
*group
;
1907 const BIGNUM
*priv_key
;
1909 /* Initialize structures for server's ECDH key pair. */
1910 if ((srvr_ecdh
= EC_KEY_new()) == NULL
) {
1911 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
1916 * Use the ephemeral values we saved when
1917 * generating the ServerKeyExchange message.
1919 tkey
= S3I(s
)->tmp
.ecdh
;
1921 group
= EC_KEY_get0_group(tkey
);
1922 priv_key
= EC_KEY_get0_private_key(tkey
);
1924 if (!EC_KEY_set_group(srvr_ecdh
, group
) ||
1925 !EC_KEY_set_private_key(srvr_ecdh
, priv_key
)) {
1926 SSLerror(s
, ERR_R_EC_LIB
);
1930 /* Let's get client's public key */
1931 if ((clnt_ecpoint
= EC_POINT_new(group
)) == NULL
) {
1932 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
1937 /* Client Publickey was in Client Certificate */
1938 if (((clnt_pub_pkey
= X509_get_pubkey(
1939 s
->session
->peer
)) == NULL
) ||
1940 (clnt_pub_pkey
->type
!= EVP_PKEY_EC
)) {
1942 * XXX: For now, we do not support client
1943 * authentication using ECDH certificates
1944 * so this branch (n == 0L) of the code is
1945 * never executed. When that support is
1946 * added, we ought to ensure the key
1947 * received in the certificate is
1948 * authorized for key agreement.
1949 * ECDH_compute_key implicitly checks that
1950 * the two ECDH shares are for the same
1953 al
= SSL_AD_HANDSHAKE_FAILURE
;
1954 SSLerror(s
, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS
);
1958 if (EC_POINT_copy(clnt_ecpoint
,
1959 EC_KEY_get0_public_key(clnt_pub_pkey
->pkey
.ec
))
1961 SSLerror(s
, ERR_R_EC_LIB
);
1964 ret
= 2; /* Skip certificate verify processing */
1967 * Get client's public key from encoded point
1968 * in the ClientKeyExchange message.
1970 if ((bn_ctx
= BN_CTX_new()) == NULL
) {
1971 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
1975 /* Get encoded point length */
1980 SSLerror(s
, ERR_R_EC_LIB
);
1983 if (EC_POINT_oct2point(group
,
1984 clnt_ecpoint
, p
, i
, bn_ctx
) == 0) {
1985 SSLerror(s
, ERR_R_EC_LIB
);
1989 * p is pointing to somewhere in the buffer
1990 * currently, so set it to the start.
1992 p
= (unsigned char *)s
->internal
->init_buf
->data
;
1995 /* Compute the shared pre-master secret */
1996 key_size
= ECDH_size(srvr_ecdh
);
1997 if (key_size
<= 0) {
1998 SSLerror(s
, ERR_R_ECDH_LIB
);
2001 i
= ECDH_compute_key(p
, key_size
, clnt_ecpoint
, srvr_ecdh
,
2004 SSLerror(s
, ERR_R_ECDH_LIB
);
2008 EVP_PKEY_free(clnt_pub_pkey
);
2009 EC_POINT_free(clnt_ecpoint
);
2010 EC_KEY_free(srvr_ecdh
);
2011 BN_CTX_free(bn_ctx
);
2012 EC_KEY_free(S3I(s
)->tmp
.ecdh
);
2013 S3I(s
)->tmp
.ecdh
= NULL
;
2015 /* Compute the master secret */
2016 s
->session
->master_key_length
=
2017 tls1_generate_master_secret(
2018 s
, s
->session
->master_key
, p
, i
);
2020 explicit_bzero(p
, i
);
2024 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2026 EVP_PKEY_free(clnt_pub_pkey
);
2027 EC_POINT_free(clnt_ecpoint
);
2028 EC_KEY_free(srvr_ecdh
);
2029 BN_CTX_free(bn_ctx
);
2034 ssl3_get_client_kex_ecdhe_ecx(SSL
*s
, unsigned char *p
, long n
)
2036 uint8_t *shared_key
= NULL
;
2043 CBS_init(&cbs
, p
, n
);
2044 if (!CBS_get_u8_length_prefixed(&cbs
, &ecpoint
))
2046 if (CBS_len(&ecpoint
) != X25519_KEY_LENGTH
)
2049 if ((shared_key
= malloc(X25519_KEY_LENGTH
)) == NULL
)
2051 if (!X25519(shared_key
, S3I(s
)->tmp
.x25519
, CBS_data(&ecpoint
)))
2054 freezero(S3I(s
)->tmp
.x25519
, X25519_KEY_LENGTH
);
2055 S3I(s
)->tmp
.x25519
= NULL
;
2057 s
->session
->master_key_length
=
2058 tls1_generate_master_secret(
2059 s
, s
->session
->master_key
, shared_key
, X25519_KEY_LENGTH
);
2064 freezero(shared_key
, X25519_KEY_LENGTH
);
2070 ssl3_get_client_kex_ecdhe(SSL
*s
, unsigned char *p
, long n
)
2072 if (S3I(s
)->tmp
.x25519
!= NULL
)
2073 return ssl3_get_client_kex_ecdhe_ecx(s
, p
, n
);
2075 return ssl3_get_client_kex_ecdhe_ecp(s
, p
, n
);
2079 ssl3_get_client_kex_gost(SSL
*s
, unsigned char *p
, long n
)
2082 EVP_PKEY_CTX
*pkey_ctx
;
2083 EVP_PKEY
*client_pub_pkey
= NULL
, *pk
= NULL
;
2084 unsigned char premaster_secret
[32], *start
;
2085 size_t outlen
= 32, inlen
;
2086 unsigned long alg_a
;
2092 /* Get our certificate private key*/
2093 alg_a
= S3I(s
)->hs
.new_cipher
->algorithm_auth
;
2094 if (alg_a
& SSL_aGOST01
)
2095 pk
= s
->cert
->pkeys
[SSL_PKEY_GOST01
].privatekey
;
2097 pkey_ctx
= EVP_PKEY_CTX_new(pk
, NULL
);
2098 EVP_PKEY_decrypt_init(pkey_ctx
);
2100 * If client certificate is present and is of the same type,
2101 * maybe use it for key exchange.
2102 * Don't mind errors from EVP_PKEY_derive_set_peer, because
2103 * it is completely valid to use a client certificate for
2104 * authorization only.
2106 client_pub_pkey
= X509_get_pubkey(s
->session
->peer
);
2107 if (client_pub_pkey
) {
2108 if (EVP_PKEY_derive_set_peer(pkey_ctx
,
2109 client_pub_pkey
) <= 0)
2114 /* Decrypt session key */
2115 if (ASN1_get_object((const unsigned char **)&p
, &Tlen
, &Ttag
,
2116 &Tclass
, n
) != V_ASN1_CONSTRUCTED
||
2117 Ttag
!= V_ASN1_SEQUENCE
|| Tclass
!= V_ASN1_UNIVERSAL
) {
2118 SSLerror(s
, SSL_R_DECRYPTION_FAILED
);
2123 if (EVP_PKEY_decrypt(pkey_ctx
, premaster_secret
, &outlen
,
2124 start
, inlen
) <=0) {
2125 SSLerror(s
, SSL_R_DECRYPTION_FAILED
);
2128 /* Generate master secret */
2129 s
->session
->master_key_length
=
2130 tls1_generate_master_secret(
2131 s
, s
->session
->master_key
, premaster_secret
, 32);
2132 /* Check if pubkey from client certificate was used */
2133 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, -1,
2134 EVP_PKEY_CTRL_PEER_KEY
, 2, NULL
) > 0)
2139 EVP_PKEY_free(client_pub_pkey
);
2140 EVP_PKEY_CTX_free(pkey_ctx
);
2147 al
= SSL_AD_DECODE_ERROR
;
2148 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
2149 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2155 ssl3_get_client_key_exchange(SSL
*s
)
2157 unsigned long alg_k
;
2162 /* 2048 maxlen is a guess. How long a key does that permit? */
2163 n
= s
->method
->internal
->ssl_get_message(s
, SSL3_ST_SR_KEY_EXCH_A
,
2164 SSL3_ST_SR_KEY_EXCH_B
, SSL3_MT_CLIENT_KEY_EXCHANGE
, 2048, &ok
);
2168 p
= (unsigned char *)s
->internal
->init_msg
;
2170 alg_k
= S3I(s
)->hs
.new_cipher
->algorithm_mkey
;
2172 if (alg_k
& SSL_kRSA
) {
2173 if (ssl3_get_client_kex_rsa(s
, p
, n
) != 1)
2175 } else if (alg_k
& SSL_kDHE
) {
2176 if (ssl3_get_client_kex_dhe(s
, p
, n
) != 1)
2178 } else if (alg_k
& SSL_kECDHE
) {
2179 if (ssl3_get_client_kex_ecdhe(s
, p
, n
) != 1)
2181 } else if (alg_k
& SSL_kGOST
) {
2182 if (ssl3_get_client_kex_gost(s
, p
, n
) != 1)
2185 al
= SSL_AD_HANDSHAKE_FAILURE
;
2186 SSLerror(s
, SSL_R_UNKNOWN_CIPHER_TYPE
);
2193 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2199 ssl3_get_cert_verify(SSL
*s
)
2201 EVP_PKEY
*pkey
= NULL
;
2203 int al
, ok
, ret
= 0;
2207 const EVP_MD
*md
= NULL
;
2209 EVP_MD_CTX_init(&mctx
);
2211 n
= s
->method
->internal
->ssl_get_message(s
, SSL3_ST_SR_CERT_VRFY_A
,
2212 SSL3_ST_SR_CERT_VRFY_B
, -1, SSL3_RT_MAX_PLAIN_LENGTH
, &ok
);
2216 if (s
->session
->peer
!= NULL
) {
2217 peer
= s
->session
->peer
;
2218 pkey
= X509_get_pubkey(peer
);
2219 type
= X509_certificate_type(peer
, pkey
);
2225 if (S3I(s
)->tmp
.message_type
!= SSL3_MT_CERTIFICATE_VERIFY
) {
2226 S3I(s
)->tmp
.reuse_message
= 1;
2228 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2229 SSLerror(s
, SSL_R_MISSING_VERIFY_MESSAGE
);
2237 SSLerror(s
, SSL_R_NO_CLIENT_CERT_RECEIVED
);
2238 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2242 if (!(type
& EVP_PKT_SIGN
)) {
2243 SSLerror(s
, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE
);
2244 al
= SSL_AD_ILLEGAL_PARAMETER
;
2248 if (S3I(s
)->change_cipher_spec
) {
2249 SSLerror(s
, SSL_R_CCS_RECEIVED_EARLY
);
2250 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2254 /* we now have a signature that we need to verify */
2255 p
= (unsigned char *)s
->internal
->init_msg
;
2257 * Check for broken implementations of GOST ciphersuites.
2259 * If key is GOST and n is exactly 64, it is a bare
2260 * signature without length field.
2262 if (n
== 64 && (pkey
->type
== NID_id_GostR3410_94
||
2263 pkey
->type
== NID_id_GostR3410_2001
) ) {
2266 if (SSL_USE_SIGALGS(s
)) {
2267 int sigalg
= tls12_get_sigid(pkey
);
2268 /* Should never happen */
2270 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2271 al
= SSL_AD_INTERNAL_ERROR
;
2276 /* Check key type is consistent with signature */
2277 if (sigalg
!= (int)p
[1]) {
2278 SSLerror(s
, SSL_R_WRONG_SIGNATURE_TYPE
);
2279 al
= SSL_AD_DECODE_ERROR
;
2282 md
= tls12_get_hash(p
[0]);
2284 SSLerror(s
, SSL_R_UNKNOWN_DIGEST
);
2285 al
= SSL_AD_DECODE_ERROR
;
2298 j
= EVP_PKEY_size(pkey
);
2299 if ((i
> j
) || (n
> j
) || (n
<= 0)) {
2300 SSLerror(s
, SSL_R_WRONG_SIGNATURE_SIZE
);
2301 al
= SSL_AD_DECODE_ERROR
;
2305 if (SSL_USE_SIGALGS(s
)) {
2308 hdatalen
= BIO_get_mem_data(S3I(s
)->handshake_buffer
, &hdata
);
2309 if (hdatalen
<= 0) {
2310 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2311 al
= SSL_AD_INTERNAL_ERROR
;
2314 if (!EVP_VerifyInit_ex(&mctx
, md
, NULL
) ||
2315 !EVP_VerifyUpdate(&mctx
, hdata
, hdatalen
)) {
2316 SSLerror(s
, ERR_R_EVP_LIB
);
2317 al
= SSL_AD_INTERNAL_ERROR
;
2321 if (EVP_VerifyFinal(&mctx
, p
, i
, pkey
) <= 0) {
2322 al
= SSL_AD_DECRYPT_ERROR
;
2323 SSLerror(s
, SSL_R_BAD_SIGNATURE
);
2327 if (pkey
->type
== EVP_PKEY_RSA
) {
2328 i
= RSA_verify(NID_md5_sha1
, S3I(s
)->tmp
.cert_verify_md
,
2329 MD5_DIGEST_LENGTH
+ SHA_DIGEST_LENGTH
, p
, i
,
2332 al
= SSL_AD_DECRYPT_ERROR
;
2333 SSLerror(s
, SSL_R_BAD_RSA_DECRYPT
);
2337 al
= SSL_AD_DECRYPT_ERROR
;
2338 SSLerror(s
, SSL_R_BAD_RSA_SIGNATURE
);
2342 if (pkey
->type
== EVP_PKEY_EC
) {
2343 j
= ECDSA_verify(pkey
->save_type
,
2344 &(S3I(s
)->tmp
.cert_verify_md
[MD5_DIGEST_LENGTH
]),
2345 SHA_DIGEST_LENGTH
, p
, i
, pkey
->pkey
.ec
);
2348 al
= SSL_AD_DECRYPT_ERROR
;
2349 SSLerror(s
, SSL_R_BAD_ECDSA_SIGNATURE
);
2353 #ifndef OPENSSL_NO_GOST
2354 if (pkey
->type
== NID_id_GostR3410_94
||
2355 pkey
->type
== NID_id_GostR3410_2001
) {
2358 unsigned char signature
[128];
2359 unsigned int siglen
= sizeof(signature
);
2363 hdatalen
= BIO_get_mem_data(S3I(s
)->handshake_buffer
, &hdata
);
2364 if (hdatalen
<= 0) {
2365 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2366 al
= SSL_AD_INTERNAL_ERROR
;
2369 if (!EVP_PKEY_get_default_digest_nid(pkey
, &nid
) ||
2370 !(md
= EVP_get_digestbynid(nid
))) {
2371 SSLerror(s
, ERR_R_EVP_LIB
);
2372 al
= SSL_AD_INTERNAL_ERROR
;
2375 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
2377 SSLerror(s
, ERR_R_EVP_LIB
);
2378 al
= SSL_AD_INTERNAL_ERROR
;
2381 if (!EVP_DigestInit_ex(&mctx
, md
, NULL
) ||
2382 !EVP_DigestUpdate(&mctx
, hdata
, hdatalen
) ||
2383 !EVP_DigestFinal(&mctx
, signature
, &siglen
) ||
2384 (EVP_PKEY_verify_init(pctx
) <= 0) ||
2385 (EVP_PKEY_CTX_set_signature_md(pctx
, md
) <= 0) ||
2386 (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_VERIFY
,
2387 EVP_PKEY_CTRL_GOST_SIG_FORMAT
,
2388 GOST_SIG_FORMAT_RS_LE
,
2390 SSLerror(s
, ERR_R_EVP_LIB
);
2391 al
= SSL_AD_INTERNAL_ERROR
;
2392 EVP_PKEY_CTX_free(pctx
);
2396 if (EVP_PKEY_verify(pctx
, p
, i
, signature
, siglen
) <= 0) {
2397 al
= SSL_AD_DECRYPT_ERROR
;
2398 SSLerror(s
, SSL_R_BAD_SIGNATURE
);
2399 EVP_PKEY_CTX_free(pctx
);
2403 EVP_PKEY_CTX_free(pctx
);
2407 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2408 al
= SSL_AD_UNSUPPORTED_CERTIFICATE
;
2416 al
= SSL_AD_DECODE_ERROR
;
2417 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
2419 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2422 if (S3I(s
)->handshake_buffer
) {
2423 BIO_free(S3I(s
)->handshake_buffer
);
2424 S3I(s
)->handshake_buffer
= NULL
;
2425 s
->s3
->flags
&= ~TLS1_FLAGS_KEEP_HANDSHAKE
;
2427 EVP_MD_CTX_cleanup(&mctx
);
2428 EVP_PKEY_free(pkey
);
2433 ssl3_get_client_certificate(SSL
*s
)
2435 CBS cbs
, client_certs
;
2436 int i
, ok
, al
, ret
= -1;
2439 const unsigned char *q
;
2440 STACK_OF(X509
) *sk
= NULL
;
2442 n
= s
->method
->internal
->ssl_get_message(s
, SSL3_ST_SR_CERT_A
, SSL3_ST_SR_CERT_B
,
2443 -1, s
->internal
->max_cert_list
, &ok
);
2448 if (S3I(s
)->tmp
.message_type
== SSL3_MT_CLIENT_KEY_EXCHANGE
) {
2449 if ((s
->verify_mode
& SSL_VERIFY_PEER
) &&
2450 (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)) {
2451 SSLerror(s
, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
);
2452 al
= SSL_AD_HANDSHAKE_FAILURE
;
2456 * If tls asked for a client cert,
2457 * the client must return a 0 list.
2459 if (S3I(s
)->tmp
.cert_request
) {
2460 SSLerror(s
, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2462 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2465 S3I(s
)->tmp
.reuse_message
= 1;
2469 if (S3I(s
)->tmp
.message_type
!= SSL3_MT_CERTIFICATE
) {
2470 al
= SSL_AD_UNEXPECTED_MESSAGE
;
2471 SSLerror(s
, SSL_R_WRONG_MESSAGE_TYPE
);
2478 CBS_init(&cbs
, s
->internal
->init_msg
, n
);
2480 if ((sk
= sk_X509_new_null()) == NULL
) {
2481 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
2485 if (!CBS_get_u24_length_prefixed(&cbs
, &client_certs
) ||
2489 while (CBS_len(&client_certs
) > 0) {
2492 if (!CBS_get_u24_length_prefixed(&client_certs
, &cert
)) {
2493 al
= SSL_AD_DECODE_ERROR
;
2494 SSLerror(s
, SSL_R_CERT_LENGTH_MISMATCH
);
2498 q
= CBS_data(&cert
);
2499 x
= d2i_X509(NULL
, &q
, CBS_len(&cert
));
2501 SSLerror(s
, ERR_R_ASN1_LIB
);
2504 if (q
!= CBS_data(&cert
) + CBS_len(&cert
)) {
2505 al
= SSL_AD_DECODE_ERROR
;
2506 SSLerror(s
, SSL_R_CERT_LENGTH_MISMATCH
);
2509 if (!sk_X509_push(sk
, x
)) {
2510 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
2516 if (sk_X509_num(sk
) <= 0) {
2518 * TLS does not mind 0 certs returned.
2519 * Fail for TLS only if we required a certificate.
2521 if ((s
->verify_mode
& SSL_VERIFY_PEER
) &&
2522 (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)) {
2523 SSLerror(s
, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
);
2524 al
= SSL_AD_HANDSHAKE_FAILURE
;
2527 /* No client certificate so digest cached records */
2528 if (S3I(s
)->handshake_buffer
&& !tls1_digest_cached_records(s
)) {
2529 al
= SSL_AD_INTERNAL_ERROR
;
2533 i
= ssl_verify_cert_chain(s
, sk
);
2535 al
= ssl_verify_alarm_type(s
->verify_result
);
2536 SSLerror(s
, SSL_R_NO_CERTIFICATE_RETURNED
);
2541 X509_free(s
->session
->peer
);
2542 s
->session
->peer
= sk_X509_shift(sk
);
2543 s
->session
->verify_result
= s
->verify_result
;
2546 * With the current implementation, sess_cert will always be NULL
2547 * when we arrive here
2549 if (SSI(s
)->sess_cert
== NULL
) {
2550 SSI(s
)->sess_cert
= ssl_sess_cert_new();
2551 if (SSI(s
)->sess_cert
== NULL
) {
2552 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
2556 sk_X509_pop_free(SSI(s
)->sess_cert
->cert_chain
, X509_free
);
2557 SSI(s
)->sess_cert
->cert_chain
= sk
;
2560 * Inconsistency alert: cert_chain does *not* include the
2561 * peer's own certificate, while we do include it in s3_clnt.c
2569 al
= SSL_AD_DECODE_ERROR
;
2570 SSLerror(s
, SSL_R_BAD_PACKET_LENGTH
);
2572 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
2576 sk_X509_pop_free(sk
, X509_free
);
2582 ssl3_send_server_certificate(SSL
*s
)
2584 CBB cbb
, server_cert
;
2588 * Server Certificate - RFC 5246, section 7.4.2.
2591 memset(&cbb
, 0, sizeof(cbb
));
2593 if (S3I(s
)->hs
.state
== SSL3_ST_SW_CERT_A
) {
2594 if ((x
= ssl_get_server_send_cert(s
)) == NULL
) {
2595 SSLerror(s
, ERR_R_INTERNAL_ERROR
);
2599 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &server_cert
,
2600 SSL3_MT_CERTIFICATE
))
2602 if (!ssl3_output_cert_chain(s
, &server_cert
, x
))
2604 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
2607 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_B
;
2610 /* SSL3_ST_SW_CERT_B */
2611 return (ssl3_handshake_write(s
));
2619 /* send a new session ticket (not necessarily for a new session) */
2621 ssl3_send_newsession_ticket(SSL
*s
)
2623 unsigned char *d
, *p
, *macstart
;
2624 unsigned char *senc
= NULL
;
2625 const unsigned char *const_p
;
2626 int len
, slen_full
, slen
;
2631 SSL_CTX
*tctx
= s
->initial_ctx
;
2632 unsigned char iv
[EVP_MAX_IV_LENGTH
];
2633 unsigned char key_name
[16];
2635 if (S3I(s
)->hs
.state
== SSL3_ST_SW_SESSION_TICKET_A
) {
2636 /* get session encoding length */
2637 slen_full
= i2d_SSL_SESSION(s
->session
, NULL
);
2639 * Some length values are 16 bits, so forget it if session is
2642 if (slen_full
> 0xFF00)
2644 senc
= malloc(slen_full
);
2648 i2d_SSL_SESSION(s
->session
, &p
);
2651 * Create a fresh copy (not shared with other threads) to
2655 sess
= d2i_SSL_SESSION(NULL
, &const_p
, slen_full
);
2659 /* ID is irrelevant for the ticket */
2660 sess
->session_id_length
= 0;
2662 slen
= i2d_SSL_SESSION(sess
, NULL
);
2663 if (slen
> slen_full
) {
2664 /* shouldn't ever happen */
2668 i2d_SSL_SESSION(sess
, &p
);
2669 SSL_SESSION_free(sess
);
2672 * Grow buffer if need be: the length calculation is as
2673 * follows 1 (size of message name) + 3 (message length
2674 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2675 * 16 (key name) + max_iv_len (iv length) +
2676 * session_length + max_enc_block_size (max encrypted session
2677 * length) + max_md_size (HMAC).
2679 if (!BUF_MEM_grow(s
->internal
->init_buf
, ssl3_handshake_msg_hdr_len(s
) +
2680 22 + EVP_MAX_IV_LENGTH
+ EVP_MAX_BLOCK_LENGTH
+
2681 EVP_MAX_MD_SIZE
+ slen
))
2684 d
= p
= ssl3_handshake_msg_start(s
, SSL3_MT_NEWSESSION_TICKET
);
2686 EVP_CIPHER_CTX_init(&ctx
);
2687 HMAC_CTX_init(&hctx
);
2690 * Initialize HMAC and cipher contexts. If callback present
2691 * it does all the work otherwise use generated values
2694 if (tctx
->internal
->tlsext_ticket_key_cb
) {
2695 if (tctx
->internal
->tlsext_ticket_key_cb(s
,
2696 key_name
, iv
, &ctx
, &hctx
, 1) < 0) {
2697 EVP_CIPHER_CTX_cleanup(&ctx
);
2701 arc4random_buf(iv
, 16);
2702 EVP_EncryptInit_ex(&ctx
, EVP_aes_128_cbc(), NULL
,
2703 tctx
->internal
->tlsext_tick_aes_key
, iv
);
2704 HMAC_Init_ex(&hctx
, tctx
->internal
->tlsext_tick_hmac_key
,
2705 16, tlsext_tick_md(), NULL
);
2706 memcpy(key_name
, tctx
->internal
->tlsext_tick_key_name
, 16);
2710 * Ticket lifetime hint (advisory only):
2711 * We leave this unspecified for resumed session
2712 * (for simplicity), and guess that tickets for new
2713 * sessions will live as long as their sessions.
2715 l2n(s
->internal
->hit
? 0 : s
->session
->timeout
, p
);
2717 /* Skip ticket length for now */
2719 /* Output key name */
2721 memcpy(p
, key_name
, 16);
2724 memcpy(p
, iv
, EVP_CIPHER_CTX_iv_length(&ctx
));
2725 p
+= EVP_CIPHER_CTX_iv_length(&ctx
);
2726 /* Encrypt session data */
2727 EVP_EncryptUpdate(&ctx
, p
, &len
, senc
, slen
);
2729 EVP_EncryptFinal_ex(&ctx
, p
, &len
);
2731 EVP_CIPHER_CTX_cleanup(&ctx
);
2733 HMAC_Update(&hctx
, macstart
, p
- macstart
);
2734 HMAC_Final(&hctx
, p
, &hlen
);
2735 HMAC_CTX_cleanup(&hctx
);
2738 /* Now write out lengths: p points to end of data written */
2742 /* Skip ticket lifetime hint. */
2744 s2n(len
- 6, p
); /* Message length */
2746 ssl3_handshake_msg_finish(s
, len
);
2748 S3I(s
)->hs
.state
= SSL3_ST_SW_SESSION_TICKET_B
;
2750 freezero(senc
, slen_full
);
2753 /* SSL3_ST_SW_SESSION_TICKET_B */
2754 return (ssl3_handshake_write(s
));
2757 freezero(senc
, slen_full
);
2763 ssl3_send_cert_status(SSL
*s
)
2765 CBB cbb
, certstatus
, ocspresp
;
2767 memset(&cbb
, 0, sizeof(cbb
));
2769 if (S3I(s
)->hs
.state
== SSL3_ST_SW_CERT_STATUS_A
) {
2770 if (!ssl3_handshake_msg_start_cbb(s
, &cbb
, &certstatus
,
2771 SSL3_MT_CERTIFICATE_STATUS
))
2773 if (!CBB_add_u8(&certstatus
, s
->tlsext_status_type
))
2775 if (!CBB_add_u24_length_prefixed(&certstatus
, &ocspresp
))
2777 if (!CBB_add_bytes(&ocspresp
, s
->internal
->tlsext_ocsp_resp
,
2778 s
->internal
->tlsext_ocsp_resplen
))
2780 if (!ssl3_handshake_msg_finish_cbb(s
, &cbb
))
2783 S3I(s
)->hs
.state
= SSL3_ST_SW_CERT_STATUS_B
;
2786 /* SSL3_ST_SW_CERT_STATUS_B */
2787 return (ssl3_handshake_write(s
));