summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c2863
1 files changed, 0 insertions, 2863 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
deleted file mode 100644
index 0bff0204d9..0000000000
--- a/src/lib/libssl/s3_srvr.c
+++ /dev/null
@@ -1,2863 +0,0 @@
1/* $OpenBSD: s3_srvr.c,v 1.100 2015/02/25 03:49:21 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#define REUSE_CIPHER_BUG
152
153#include <stdio.h>
154
155#include "ssl_locl.h"
156
157#include <openssl/bn.h>
158#include <openssl/buffer.h>
159#include <openssl/evp.h>
160#include <openssl/dh.h>
161#ifndef OPENSSL_NO_GOST
162#include <openssl/gost.h>
163#endif
164#include <openssl/hmac.h>
165#include <openssl/md5.h>
166#include <openssl/objects.h>
167#include <openssl/x509.h>
168
169static const SSL_METHOD *ssl3_get_server_method(int ver);
170
171const SSL_METHOD SSLv3_server_method_data = {
172 .version = SSL3_VERSION,
173 .ssl_new = ssl3_new,
174 .ssl_clear = ssl3_clear,
175 .ssl_free = ssl3_free,
176 .ssl_accept = ssl3_accept,
177 .ssl_connect = ssl_undefined_function,
178 .ssl_read = ssl3_read,
179 .ssl_peek = ssl3_peek,
180 .ssl_write = ssl3_write,
181 .ssl_shutdown = ssl3_shutdown,
182 .ssl_renegotiate = ssl3_renegotiate,
183 .ssl_renegotiate_check = ssl3_renegotiate_check,
184 .ssl_get_message = ssl3_get_message,
185 .ssl_read_bytes = ssl3_read_bytes,
186 .ssl_write_bytes = ssl3_write_bytes,
187 .ssl_dispatch_alert = ssl3_dispatch_alert,
188 .ssl_ctrl = ssl3_ctrl,
189 .ssl_ctx_ctrl = ssl3_ctx_ctrl,
190 .get_cipher_by_char = ssl3_get_cipher_by_char,
191 .put_cipher_by_char = ssl3_put_cipher_by_char,
192 .ssl_pending = ssl3_pending,
193 .num_ciphers = ssl3_num_ciphers,
194 .get_cipher = ssl3_get_cipher,
195 .get_ssl_method = ssl3_get_server_method,
196 .get_timeout = ssl3_default_timeout,
197 .ssl3_enc = &SSLv3_enc_data,
198 .ssl_version = ssl_undefined_void_function,
199 .ssl_callback_ctrl = ssl3_callback_ctrl,
200 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
201};
202
203const SSL_METHOD *
204SSLv3_server_method(void)
205{
206 return &SSLv3_server_method_data;
207}
208
209static const SSL_METHOD *
210ssl3_get_server_method(int ver)
211{
212 if (ver == SSL3_VERSION)
213 return (SSLv3_server_method());
214 return (NULL);
215}
216
217int
218ssl3_accept(SSL *s)
219{
220 unsigned long alg_k;
221 void (*cb)(const SSL *ssl, int type, int val) = NULL;
222 int ret = -1;
223 int new_state, state, skip = 0;
224
225 ERR_clear_error();
226 errno = 0;
227
228 if (s->info_callback != NULL)
229 cb = s->info_callback;
230 else if (s->ctx->info_callback != NULL)
231 cb = s->ctx->info_callback;
232
233 /* init things to blank */
234 s->in_handshake++;
235 if (!SSL_in_init(s) || SSL_in_before(s))
236 SSL_clear(s);
237
238 if (s->cert == NULL) {
239 SSLerr(SSL_F_SSL3_ACCEPT,
240 SSL_R_NO_CERTIFICATE_SET);
241 return (-1);
242 }
243
244 for (;;) {
245 state = s->state;
246
247 switch (s->state) {
248 case SSL_ST_RENEGOTIATE:
249 s->renegotiate = 1;
250 /* s->state=SSL_ST_ACCEPT; */
251
252 case SSL_ST_BEFORE:
253 case SSL_ST_ACCEPT:
254 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
255 case SSL_ST_OK|SSL_ST_ACCEPT:
256
257 s->server = 1;
258 if (cb != NULL)
259 cb(s, SSL_CB_HANDSHAKE_START, 1);
260
261 if ((s->version >> 8) != 3) {
262 SSLerr(SSL_F_SSL3_ACCEPT,
263 ERR_R_INTERNAL_ERROR);
264 return (-1);
265 }
266 s->type = SSL_ST_ACCEPT;
267
268 if (s->init_buf == NULL) {
269 BUF_MEM *buf;
270 if ((buf = BUF_MEM_new()) == NULL) {
271 ret = -1;
272 goto end;
273 }
274 if (!BUF_MEM_grow(buf,
275 SSL3_RT_MAX_PLAIN_LENGTH)) {
276 BUF_MEM_free(buf);
277 ret = -1;
278 goto end;
279 }
280 s->init_buf = buf;
281 }
282
283 if (!ssl3_setup_buffers(s)) {
284 ret = -1;
285 goto end;
286 }
287
288 s->init_num = 0;
289 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
290
291 if (s->state != SSL_ST_RENEGOTIATE) {
292 /*
293 * Ok, we now need to push on a buffering BIO
294 * so that the output is sent in a way that
295 * TCP likes :-)
296 */
297 if (!ssl_init_wbio_buffer(s, 1)) {
298 ret = -1;
299 goto end;
300 }
301
302 if (!ssl3_init_finished_mac(s)) {
303 ret = -1;
304 goto end;
305 }
306
307 s->state = SSL3_ST_SR_CLNT_HELLO_A;
308 s->ctx->stats.sess_accept++;
309 } else if (!s->s3->send_connection_binding) {
310 /*
311 * Server attempting to renegotiate with
312 * client that doesn't support secure
313 * renegotiation.
314 */
315 SSLerr(SSL_F_SSL3_ACCEPT,
316 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
317 ssl3_send_alert(s, SSL3_AL_FATAL,
318 SSL_AD_HANDSHAKE_FAILURE);
319 ret = -1;
320 goto end;
321 } else {
322 /*
323 * s->state == SSL_ST_RENEGOTIATE,
324 * we will just send a HelloRequest
325 */
326 s->ctx->stats.sess_accept_renegotiate++;
327 s->state = SSL3_ST_SW_HELLO_REQ_A;
328 }
329 break;
330
331 case SSL3_ST_SW_HELLO_REQ_A:
332 case SSL3_ST_SW_HELLO_REQ_B:
333
334 s->shutdown = 0;
335 ret = ssl3_send_hello_request(s);
336 if (ret <= 0)
337 goto end;
338 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
339 s->state = SSL3_ST_SW_FLUSH;
340 s->init_num = 0;
341
342 if (!ssl3_init_finished_mac(s)) {
343 ret = -1;
344 goto end;
345 }
346 break;
347
348 case SSL3_ST_SW_HELLO_REQ_C:
349 s->state = SSL_ST_OK;
350 break;
351
352 case SSL3_ST_SR_CLNT_HELLO_A:
353 case SSL3_ST_SR_CLNT_HELLO_B:
354 case SSL3_ST_SR_CLNT_HELLO_C:
355
356 s->shutdown = 0;
357 if (s->rwstate != SSL_X509_LOOKUP) {
358 ret = ssl3_get_client_hello(s);
359 if (ret <= 0)
360 goto end;
361 }
362
363 s->renegotiate = 2;
364 s->state = SSL3_ST_SW_SRVR_HELLO_A;
365 s->init_num = 0;
366 break;
367
368 case SSL3_ST_SW_SRVR_HELLO_A:
369 case SSL3_ST_SW_SRVR_HELLO_B:
370 ret = ssl3_send_server_hello(s);
371 if (ret <= 0)
372 goto end;
373 if (s->hit) {
374 if (s->tlsext_ticket_expected)
375 s->state = SSL3_ST_SW_SESSION_TICKET_A;
376 else
377 s->state = SSL3_ST_SW_CHANGE_A;
378 }
379 else
380 s->state = SSL3_ST_SW_CERT_A;
381 s->init_num = 0;
382 break;
383
384 case SSL3_ST_SW_CERT_A:
385 case SSL3_ST_SW_CERT_B:
386 /* Check if it is anon DH or anon ECDH. */
387 if (!(s->s3->tmp.new_cipher->algorithm_auth &
388 SSL_aNULL)) {
389 ret = ssl3_send_server_certificate(s);
390 if (ret <= 0)
391 goto end;
392 if (s->tlsext_status_expected)
393 s->state = SSL3_ST_SW_CERT_STATUS_A;
394 else
395 s->state = SSL3_ST_SW_KEY_EXCH_A;
396 } else {
397 skip = 1;
398 s->state = SSL3_ST_SW_KEY_EXCH_A;
399 }
400 s->init_num = 0;
401 break;
402
403 case SSL3_ST_SW_KEY_EXCH_A:
404 case SSL3_ST_SW_KEY_EXCH_B:
405 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
406
407 /*
408 * Only send if using a DH key exchange.
409 *
410 * For ECC ciphersuites, we send a ServerKeyExchange
411 * message only if the cipher suite is ECDHE. In other
412 * cases, the server certificate contains the server's
413 * public key for key exchange.
414 */
415 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
416 ret = ssl3_send_server_key_exchange(s);
417 if (ret <= 0)
418 goto end;
419 } else
420 skip = 1;
421
422 s->state = SSL3_ST_SW_CERT_REQ_A;
423 s->init_num = 0;
424 break;
425
426 case SSL3_ST_SW_CERT_REQ_A:
427 case SSL3_ST_SW_CERT_REQ_B:
428 /*
429 * Determine whether or not we need to request a
430 * certificate.
431 *
432 * Do not request a certificate if:
433 *
434 * - We did not ask for it (SSL_VERIFY_PEER is unset).
435 *
436 * - SSL_VERIFY_CLIENT_ONCE is set and we are
437 * renegotiating.
438 *
439 * - We are using an anonymous ciphersuites
440 * (see section "Certificate request" in SSL 3 drafts
441 * and in RFC 2246) ... except when the application
442 * insists on verification (against the specs, but
443 * s3_clnt.c accepts this for SSL 3).
444 */
445 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
446 ((s->session->peer != NULL) &&
447 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
448 ((s->s3->tmp.new_cipher->algorithm_auth &
449 SSL_aNULL) && !(s->verify_mode &
450 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
451 /* No cert request */
452 skip = 1;
453 s->s3->tmp.cert_request = 0;
454 s->state = SSL3_ST_SW_SRVR_DONE_A;
455 if (s->s3->handshake_buffer)
456 if (!ssl3_digest_cached_records(s))
457 return (-1);
458 } else {
459 s->s3->tmp.cert_request = 1;
460 ret = ssl3_send_certificate_request(s);
461 if (ret <= 0)
462 goto end;
463 s->state = SSL3_ST_SW_SRVR_DONE_A;
464 s->init_num = 0;
465 }
466 break;
467
468 case SSL3_ST_SW_SRVR_DONE_A:
469 case SSL3_ST_SW_SRVR_DONE_B:
470 ret = ssl3_send_server_done(s);
471 if (ret <= 0)
472 goto end;
473 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
474 s->state = SSL3_ST_SW_FLUSH;
475 s->init_num = 0;
476 break;
477
478 case SSL3_ST_SW_FLUSH:
479
480 /*
481 * This code originally checked to see if
482 * any data was pending using BIO_CTRL_INFO
483 * and then flushed. This caused problems
484 * as documented in PR#1939. The proposed
485 * fix doesn't completely resolve this issue
486 * as buggy implementations of BIO_CTRL_PENDING
487 * still exist. So instead we just flush
488 * unconditionally.
489 */
490
491 s->rwstate = SSL_WRITING;
492 if (BIO_flush(s->wbio) <= 0) {
493 ret = -1;
494 goto end;
495 }
496 s->rwstate = SSL_NOTHING;
497
498 s->state = s->s3->tmp.next_state;
499 break;
500
501 case SSL3_ST_SR_CERT_A:
502 case SSL3_ST_SR_CERT_B:
503 /* Check for second client hello (MS SGC) */
504 ret = ssl3_check_client_hello(s);
505 if (ret <= 0)
506 goto end;
507 if (ret == 2)
508 s->state = SSL3_ST_SR_CLNT_HELLO_C;
509 else {
510 if (s->s3->tmp.cert_request) {
511 ret = ssl3_get_client_certificate(s);
512 if (ret <= 0)
513 goto end;
514 }
515 s->init_num = 0;
516 s->state = SSL3_ST_SR_KEY_EXCH_A;
517 }
518 break;
519
520 case SSL3_ST_SR_KEY_EXCH_A:
521 case SSL3_ST_SR_KEY_EXCH_B:
522 ret = ssl3_get_client_key_exchange(s);
523 if (ret <= 0)
524 goto end;
525 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
526 if (ret == 2) {
527 /*
528 * For the ECDH ciphersuites when
529 * the client sends its ECDH pub key in
530 * a certificate, the CertificateVerify
531 * message is not sent.
532 * Also for GOST ciphersuites when
533 * the client uses its key from the certificate
534 * for key exchange.
535 */
536 if (s->s3->next_proto_neg_seen)
537 s->state = SSL3_ST_SR_NEXT_PROTO_A;
538 else
539 s->state = SSL3_ST_SR_FINISHED_A;
540 s->init_num = 0;
541 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
542 s->state = SSL3_ST_SR_CERT_VRFY_A;
543 s->init_num = 0;
544 if (!s->session->peer)
545 break;
546 /*
547 * For sigalgs freeze the handshake buffer
548 * at this point and digest cached records.
549 */
550 if (!s->s3->handshake_buffer) {
551 SSLerr(SSL_F_SSL3_ACCEPT,
552 ERR_R_INTERNAL_ERROR);
553 return (-1);
554 }
555 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
556 if (!ssl3_digest_cached_records(s))
557 return (-1);
558 } else {
559 int offset = 0;
560 int dgst_num;
561
562 s->state = SSL3_ST_SR_CERT_VRFY_A;
563 s->init_num = 0;
564
565 /*
566 * We need to get hashes here so if there is
567 * a client cert, it can be verified
568 * FIXME - digest processing for
569 * CertificateVerify should be generalized.
570 * But it is next step
571 */
572 if (s->s3->handshake_buffer)
573 if (!ssl3_digest_cached_records(s))
574 return (-1);
575 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
576 dgst_num++)
577 if (s->s3->handshake_dgst[dgst_num]) {
578 int dgst_size;
579
580 s->method->ssl3_enc->cert_verify_mac(s,
581 EVP_MD_CTX_type(
582 s->s3->handshake_dgst[dgst_num]),
583 &(s->s3->tmp.cert_verify_md[offset]));
584 dgst_size = EVP_MD_CTX_size(
585 s->s3->handshake_dgst[dgst_num]);
586 if (dgst_size < 0) {
587 ret = -1;
588 goto end;
589 }
590 offset += dgst_size;
591 }
592 }
593 break;
594
595 case SSL3_ST_SR_CERT_VRFY_A:
596 case SSL3_ST_SR_CERT_VRFY_B:
597 s->s3->flags |= SSL3_FLAGS_CCS_OK;
598
599 /* we should decide if we expected this one */
600 ret = ssl3_get_cert_verify(s);
601 if (ret <= 0)
602 goto end;
603
604 if (s->s3->next_proto_neg_seen)
605 s->state = SSL3_ST_SR_NEXT_PROTO_A;
606 else
607 s->state = SSL3_ST_SR_FINISHED_A;
608 s->init_num = 0;
609 break;
610
611 case SSL3_ST_SR_NEXT_PROTO_A:
612 case SSL3_ST_SR_NEXT_PROTO_B:
613 ret = ssl3_get_next_proto(s);
614 if (ret <= 0)
615 goto end;
616 s->init_num = 0;
617 s->state = SSL3_ST_SR_FINISHED_A;
618 break;
619
620 case SSL3_ST_SR_FINISHED_A:
621 case SSL3_ST_SR_FINISHED_B:
622 s->s3->flags |= SSL3_FLAGS_CCS_OK;
623 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
624 SSL3_ST_SR_FINISHED_B);
625 if (ret <= 0)
626 goto end;
627 if (s->hit)
628 s->state = SSL_ST_OK;
629 else if (s->tlsext_ticket_expected)
630 s->state = SSL3_ST_SW_SESSION_TICKET_A;
631 else
632 s->state = SSL3_ST_SW_CHANGE_A;
633 s->init_num = 0;
634 break;
635
636 case SSL3_ST_SW_SESSION_TICKET_A:
637 case SSL3_ST_SW_SESSION_TICKET_B:
638 ret = ssl3_send_newsession_ticket(s);
639 if (ret <= 0)
640 goto end;
641 s->state = SSL3_ST_SW_CHANGE_A;
642 s->init_num = 0;
643 break;
644
645 case SSL3_ST_SW_CERT_STATUS_A:
646 case SSL3_ST_SW_CERT_STATUS_B:
647 ret = ssl3_send_cert_status(s);
648 if (ret <= 0)
649 goto end;
650 s->state = SSL3_ST_SW_KEY_EXCH_A;
651 s->init_num = 0;
652 break;
653
654
655 case SSL3_ST_SW_CHANGE_A:
656 case SSL3_ST_SW_CHANGE_B:
657
658 s->session->cipher = s->s3->tmp.new_cipher;
659 if (!s->method->ssl3_enc->setup_key_block(s)) {
660 ret = -1;
661 goto end;
662 }
663
664 ret = ssl3_send_change_cipher_spec(s,
665 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
666
667 if (ret <= 0)
668 goto end;
669 s->state = SSL3_ST_SW_FINISHED_A;
670 s->init_num = 0;
671
672 if (!s->method->ssl3_enc->change_cipher_state(
673 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
674 ret = -1;
675 goto end;
676 }
677
678 break;
679
680 case SSL3_ST_SW_FINISHED_A:
681 case SSL3_ST_SW_FINISHED_B:
682 ret = ssl3_send_finished(s,
683 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
684 s->method->ssl3_enc->server_finished_label,
685 s->method->ssl3_enc->server_finished_label_len);
686 if (ret <= 0)
687 goto end;
688 s->state = SSL3_ST_SW_FLUSH;
689 if (s->hit) {
690 if (s->s3->next_proto_neg_seen) {
691 s->s3->flags |= SSL3_FLAGS_CCS_OK;
692 s->s3->tmp.next_state =
693 SSL3_ST_SR_NEXT_PROTO_A;
694 } else
695 s->s3->tmp.next_state =
696 SSL3_ST_SR_FINISHED_A;
697 } else
698 s->s3->tmp.next_state = SSL_ST_OK;
699 s->init_num = 0;
700 break;
701
702 case SSL_ST_OK:
703 /* clean a few things up */
704 ssl3_cleanup_key_block(s);
705
706 BUF_MEM_free(s->init_buf);
707 s->init_buf = NULL;
708
709 /* remove buffering on output */
710 ssl_free_wbio_buffer(s);
711
712 s->init_num = 0;
713
714 /* skipped if we just sent a HelloRequest */
715 if (s->renegotiate == 2) {
716 s->renegotiate = 0;
717 s->new_session = 0;
718
719 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
720
721 s->ctx->stats.sess_accept_good++;
722 /* s->server=1; */
723 s->handshake_func = ssl3_accept;
724
725 if (cb != NULL)
726 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
727 }
728
729 ret = 1;
730 goto end;
731 /* break; */
732
733 default:
734 SSLerr(SSL_F_SSL3_ACCEPT,
735 SSL_R_UNKNOWN_STATE);
736 ret = -1;
737 goto end;
738 /* break; */
739 }
740
741 if (!s->s3->tmp.reuse_message && !skip) {
742 if (s->debug) {
743 if ((ret = BIO_flush(s->wbio)) <= 0)
744 goto end;
745 }
746
747
748 if ((cb != NULL) && (s->state != state)) {
749 new_state = s->state;
750 s->state = state;
751 cb(s, SSL_CB_ACCEPT_LOOP, 1);
752 s->state = new_state;
753 }
754 }
755 skip = 0;
756 }
757end:
758 /* BIO_flush(s->wbio); */
759
760 s->in_handshake--;
761 if (cb != NULL)
762 cb(s, SSL_CB_ACCEPT_EXIT, ret);
763 return (ret);
764}
765
766int
767ssl3_send_hello_request(SSL *s)
768{
769 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
770 ssl3_handshake_msg_start(s, SSL3_MT_HELLO_REQUEST);
771 ssl3_handshake_msg_finish(s, 0);
772
773 s->state = SSL3_ST_SW_HELLO_REQ_B;
774 }
775
776 /* SSL3_ST_SW_HELLO_REQ_B */
777 return (ssl3_handshake_write(s));
778}
779
780int
781ssl3_check_client_hello(SSL *s)
782{
783 int ok;
784 long n;
785
786 /*
787 * This function is called when we really expect a Certificate message,
788 * so permit appropriate message length
789 */
790 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
791 SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
792 if (!ok)
793 return ((int)n);
794 s->s3->tmp.reuse_message = 1;
795 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
796 /*
797 * We only allow the client to restart the handshake once per
798 * negotiation.
799 */
800 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
801 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
802 SSL_R_MULTIPLE_SGC_RESTARTS);
803 return (-1);
804 }
805 /*
806 * Throw away what we have done so far in the current handshake,
807 * which will now be aborted. (A full SSL_clear would be too
808 * much.)
809 */
810 DH_free(s->s3->tmp.dh);
811 s->s3->tmp.dh = NULL;
812 EC_KEY_free(s->s3->tmp.ecdh);
813 s->s3->tmp.ecdh = NULL;
814 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
815 return (2);
816 }
817 return (1);
818}
819
820int
821ssl3_get_client_hello(SSL *s)
822{
823 int i, j, ok, al, ret = -1;
824 unsigned int cookie_len;
825 long n;
826 unsigned long id;
827 unsigned char *p, *d;
828 SSL_CIPHER *c;
829 STACK_OF(SSL_CIPHER) *ciphers = NULL;
830 unsigned long alg_k;
831
832 /*
833 * We do this so that we will respond with our native type.
834 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
835 * This down switching should be handled by a different method.
836 * If we are SSLv3, we will respond with SSLv3, even if prompted with
837 * TLSv1.
838 */
839 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
840 s->state = SSL3_ST_SR_CLNT_HELLO_B;
841 }
842 s->first_packet = 1;
843 n = s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
844 SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
845 SSL3_RT_MAX_PLAIN_LENGTH, &ok);
846
847 if (!ok)
848 return ((int)n);
849 s->first_packet = 0;
850 d = p = (unsigned char *)s->init_msg;
851
852 if (2 > n)
853 goto truncated;
854 /*
855 * Use version from inside client hello, not from record header.
856 * (may differ: see RFC 2246, Appendix E, second paragraph)
857 */
858 s->client_version = (((int)p[0]) << 8)|(int)p[1];
859 p += 2;
860
861 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
862 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
863 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
864 SSL_R_WRONG_VERSION_NUMBER);
865 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
866 !s->enc_write_ctx && !s->write_hash) {
867 /*
868 * Similar to ssl3_get_record, send alert using remote
869 * version number
870 */
871 s->version = s->client_version;
872 }
873 al = SSL_AD_PROTOCOL_VERSION;
874 goto f_err;
875 }
876
877 /*
878 * If we require cookies and this ClientHello doesn't
879 * contain one, just return since we do not want to
880 * allocate any memory yet. So check cookie length...
881 */
882 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
883 unsigned int session_length, cookie_length;
884
885 session_length = *(p + SSL3_RANDOM_SIZE);
886 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
887
888 if (cookie_length == 0)
889 return (1);
890 }
891
892 if (p + SSL3_RANDOM_SIZE + 1 - d > n)
893 goto truncated;
894
895 /* load the client random */
896 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
897 p += SSL3_RANDOM_SIZE;
898
899 /* get the session-id */
900 j= *(p++);
901 if (p + j - d > n)
902 goto truncated;
903
904 s->hit = 0;
905 /*
906 * Versions before 0.9.7 always allow clients to resume sessions in
907 * renegotiation. 0.9.7 and later allow this by default, but optionally
908 * ignore resumption requests with flag
909 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
910 * rather than a change to default behavior so that applications
911 * relying on this for security won't even compile against older
912 * library versions).
913 *
914 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
915 * to request renegotiation but not a new session (s->new_session
916 * remains unset): for servers, this essentially just means that the
917 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
918 * ignored.
919 */
920 if ((s->new_session && (s->options &
921 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
922 if (!ssl_get_new_session(s, 1))
923 goto err;
924 } else {
925 i = ssl_get_prev_session(s, p, j, d + n);
926 if (i == 1) { /* previous session */
927 s->hit = 1;
928 } else if (i == -1)
929 goto err;
930 else {
931 /* i == 0 */
932 if (!ssl_get_new_session(s, 1))
933 goto err;
934 }
935 }
936
937 p += j;
938
939 if (SSL_IS_DTLS(s)) {
940 /* cookie stuff */
941 if (p + 1 - d > n)
942 goto truncated;
943 cookie_len = *(p++);
944
945 /*
946 * The ClientHello may contain a cookie even if the
947 * HelloVerify message has not been sent--make sure that it
948 * does not cause an overflow.
949 */
950 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
951 /* too much data */
952 al = SSL_AD_DECODE_ERROR;
953 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
954 SSL_R_COOKIE_MISMATCH);
955 goto f_err;
956 }
957
958 if (p + cookie_len - d > n)
959 goto truncated;
960
961 /* verify the cookie if appropriate option is set. */
962 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
963 cookie_len > 0) {
964 memcpy(s->d1->rcvd_cookie, p, cookie_len);
965
966 if (s->ctx->app_verify_cookie_cb != NULL) {
967 if (s->ctx->app_verify_cookie_cb(s,
968 s->d1->rcvd_cookie, cookie_len) == 0) {
969 al = SSL_AD_HANDSHAKE_FAILURE;
970 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
971 SSL_R_COOKIE_MISMATCH);
972 goto f_err;
973 }
974 /* else cookie verification succeeded */
975 } else if (timingsafe_memcmp(s->d1->rcvd_cookie, s->d1->cookie,
976 s->d1->cookie_len) != 0) {
977 /* default verification */
978 al = SSL_AD_HANDSHAKE_FAILURE;
979 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
980 SSL_R_COOKIE_MISMATCH);
981 goto f_err;
982 }
983
984 ret = 2;
985 }
986
987 p += cookie_len;
988 }
989
990 if (p + 2 - d > n)
991 goto truncated;
992 n2s(p, i);
993 if ((i == 0) && (j != 0)) {
994 /* we need a cipher if we are not resuming a session */
995 al = SSL_AD_ILLEGAL_PARAMETER;
996 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
997 SSL_R_NO_CIPHERS_SPECIFIED);
998 goto f_err;
999 }
1000 if (p + i - d > n)
1001 goto truncated;
1002 if ((i > 0) &&
1003 (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
1004 goto err;
1005 }
1006 p += i;
1007
1008 /* If it is a hit, check that the cipher is in the list */
1009 if ((s->hit) && (i > 0)) {
1010 j = 0;
1011 id = s->session->cipher->id;
1012
1013 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1014 c = sk_SSL_CIPHER_value(ciphers, i);
1015 if (c->id == id) {
1016 j = 1;
1017 break;
1018 }
1019 }
1020 if (j == 0) {
1021 /*
1022 * We need to have the cipher in the cipher
1023 * list if we are asked to reuse it
1024 */
1025 al = SSL_AD_ILLEGAL_PARAMETER;
1026 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1027 SSL_R_REQUIRED_CIPHER_MISSING);
1028 goto f_err;
1029 }
1030 }
1031
1032 /* compression */
1033 if (p + 1 - d > n)
1034 goto truncated;
1035 i= *(p++);
1036 if (p + i - d > n)
1037 goto truncated;
1038 for (j = 0; j < i; j++) {
1039 if (p[j] == 0)
1040 break;
1041 }
1042
1043 p += i;
1044 if (j >= i) {
1045 /* no compress */
1046 al = SSL_AD_DECODE_ERROR;
1047 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1048 SSL_R_NO_COMPRESSION_SPECIFIED);
1049 goto f_err;
1050 }
1051
1052 /* TLS extensions*/
1053 if (s->version >= SSL3_VERSION) {
1054 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1055 /* 'al' set by ssl_parse_clienthello_tlsext */
1056 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1057 SSL_R_PARSE_TLSEXT);
1058 goto f_err;
1059 }
1060 }
1061 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1062 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1063 SSL_R_CLIENTHELLO_TLSEXT);
1064 goto err;
1065 }
1066
1067 /*
1068 * Check if we want to use external pre-shared secret for this
1069 * handshake for not reused session only. We need to generate
1070 * server_random before calling tls_session_secret_cb in order to allow
1071 * SessionTicket processing to use it in key derivation.
1072 */
1073 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
1074
1075 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1076 SSL_CIPHER *pref_cipher = NULL;
1077
1078 s->session->master_key_length = sizeof(s->session->master_key);
1079 if (s->tls_session_secret_cb(s, s->session->master_key,
1080 &s->session->master_key_length, ciphers, &pref_cipher,
1081 s->tls_session_secret_cb_arg)) {
1082 s->hit = 1;
1083 s->session->ciphers = ciphers;
1084 s->session->verify_result = X509_V_OK;
1085
1086 ciphers = NULL;
1087
1088 /* check if some cipher was preferred by call back */
1089 pref_cipher = pref_cipher ? pref_cipher :
1090 ssl3_choose_cipher(s, s->session->ciphers,
1091 SSL_get_ciphers(s));
1092 if (pref_cipher == NULL) {
1093 al = SSL_AD_HANDSHAKE_FAILURE;
1094 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1095 SSL_R_NO_SHARED_CIPHER);
1096 goto f_err;
1097 }
1098
1099 s->session->cipher = pref_cipher;
1100
1101 if (s->cipher_list)
1102 sk_SSL_CIPHER_free(s->cipher_list);
1103
1104 if (s->cipher_list_by_id)
1105 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1106
1107 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1108 s->cipher_list_by_id =
1109 sk_SSL_CIPHER_dup(s->session->ciphers);
1110 }
1111 }
1112
1113 /*
1114 * Given s->session->ciphers and SSL_get_ciphers, we must
1115 * pick a cipher
1116 */
1117
1118 if (!s->hit) {
1119 if (s->session->ciphers != NULL)
1120 sk_SSL_CIPHER_free(s->session->ciphers);
1121 s->session->ciphers = ciphers;
1122 if (ciphers == NULL) {
1123 al = SSL_AD_ILLEGAL_PARAMETER;
1124 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1125 SSL_R_NO_CIPHERS_PASSED);
1126 goto f_err;
1127 }
1128 ciphers = NULL;
1129 c = ssl3_choose_cipher(s, s->session->ciphers,
1130 SSL_get_ciphers(s));
1131
1132 if (c == NULL) {
1133 al = SSL_AD_HANDSHAKE_FAILURE;
1134 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1135 SSL_R_NO_SHARED_CIPHER);
1136 goto f_err;
1137 }
1138 s->s3->tmp.new_cipher = c;
1139 } else {
1140 /* Session-id reuse */
1141#ifdef REUSE_CIPHER_BUG
1142 STACK_OF(SSL_CIPHER) *sk;
1143 SSL_CIPHER *nc = NULL;
1144 SSL_CIPHER *ec = NULL;
1145
1146 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
1147 sk = s->session->ciphers;
1148 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
1149 c = sk_SSL_CIPHER_value(sk, i);
1150 if (c->algorithm_enc & SSL_eNULL)
1151 nc = c;
1152 }
1153 if (nc != NULL)
1154 s->s3->tmp.new_cipher = nc;
1155 else if (ec != NULL)
1156 s->s3->tmp.new_cipher = ec;
1157 else
1158 s->s3->tmp.new_cipher = s->session->cipher;
1159 } else
1160#endif
1161 s->s3->tmp.new_cipher = s->session->cipher;
1162 }
1163
1164 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1165 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1166 !(s->verify_mode & SSL_VERIFY_PEER)) {
1167 if (!ssl3_digest_cached_records(s)) {
1168 al = SSL_AD_INTERNAL_ERROR;
1169 goto f_err;
1170 }
1171 }
1172
1173 /*
1174 * We now have the following setup.
1175 * client_random
1176 * cipher_list - our prefered list of ciphers
1177 * ciphers - the clients prefered list of ciphers
1178 * compression - basically ignored right now
1179 * ssl version is set - sslv3
1180 * s->session - The ssl session has been setup.
1181 * s->hit - session reuse flag
1182 * s->tmp.new_cipher - the new cipher to use.
1183 */
1184
1185 /* Handles TLS extensions that we couldn't check earlier */
1186 if (s->version >= SSL3_VERSION) {
1187 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1189 SSL_R_CLIENTHELLO_TLSEXT);
1190 goto err;
1191 }
1192 }
1193
1194 if (ret < 0)
1195 ret = 1;
1196 if (0) {
1197truncated:
1198 al = SSL_AD_DECODE_ERROR;
1199 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_BAD_PACKET_LENGTH);
1200f_err:
1201 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1202 }
1203err:
1204 if (ciphers != NULL)
1205 sk_SSL_CIPHER_free(ciphers);
1206 return (ret);
1207}
1208
1209int
1210ssl3_send_server_hello(SSL *s)
1211{
1212 unsigned char *bufend;
1213 unsigned char *p, *d;
1214 int sl;
1215
1216 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1217 d = p = ssl3_handshake_msg_start(s, SSL3_MT_SERVER_HELLO);
1218
1219 *(p++) = s->version >> 8;
1220 *(p++) = s->version & 0xff;
1221
1222 /* Random stuff */
1223 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1224 p += SSL3_RANDOM_SIZE;
1225
1226 /*
1227 * There are several cases for the session ID to send
1228 * back in the server hello:
1229 *
1230 * - For session reuse from the session cache,
1231 * we send back the old session ID.
1232 * - If stateless session reuse (using a session ticket)
1233 * is successful, we send back the client's "session ID"
1234 * (which doesn't actually identify the session).
1235 * - If it is a new session, we send back the new
1236 * session ID.
1237 * - However, if we want the new session to be single-use,
1238 * we send back a 0-length session ID.
1239 *
1240 * s->hit is non-zero in either case of session reuse,
1241 * so the following won't overwrite an ID that we're supposed
1242 * to send back.
1243 */
1244 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1245 && !s->hit)
1246 s->session->session_id_length = 0;
1247
1248 sl = s->session->session_id_length;
1249 if (sl > (int)sizeof(s->session->session_id)) {
1250 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1251 ERR_R_INTERNAL_ERROR);
1252 return (-1);
1253 }
1254 *(p++) = sl;
1255 memcpy(p, s->session->session_id, sl);
1256 p += sl;
1257
1258 /* put the cipher */
1259 s2n(ssl3_cipher_get_value(s->s3->tmp.new_cipher), p);
1260
1261 /* put the compression method */
1262 *(p++) = 0;
1263
1264 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1265 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1266 SSL_R_SERVERHELLO_TLSEXT);
1267 return (-1);
1268 }
1269 bufend = (unsigned char *)s->init_buf->data +
1270 SSL3_RT_MAX_PLAIN_LENGTH;
1271 if ((p = ssl_add_serverhello_tlsext(s, p, bufend)) == NULL) {
1272 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1273 ERR_R_INTERNAL_ERROR);
1274 return (-1);
1275 }
1276
1277 ssl3_handshake_msg_finish(s, p - d);
1278 }
1279
1280 /* SSL3_ST_SW_SRVR_HELLO_B */
1281 return (ssl3_handshake_write(s));
1282}
1283
1284int
1285ssl3_send_server_done(SSL *s)
1286{
1287 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1288 ssl3_handshake_msg_start(s, SSL3_MT_SERVER_DONE);
1289 ssl3_handshake_msg_finish(s, 0);
1290
1291 s->state = SSL3_ST_SW_SRVR_DONE_B;
1292 }
1293
1294 /* SSL3_ST_SW_SRVR_DONE_B */
1295 return (ssl3_handshake_write(s));
1296}
1297
1298int
1299ssl3_send_server_key_exchange(SSL *s)
1300{
1301 unsigned char *q;
1302 int j, num;
1303 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1304 unsigned int u;
1305 DH *dh = NULL, *dhp;
1306 EC_KEY *ecdh = NULL, *ecdhp;
1307 unsigned char *encodedPoint = NULL;
1308 int encodedlen = 0;
1309 int curve_id = 0;
1310 BN_CTX *bn_ctx = NULL;
1311
1312 EVP_PKEY *pkey;
1313 const EVP_MD *md = NULL;
1314 unsigned char *p, *d;
1315 int al, i;
1316 unsigned long type;
1317 int n;
1318 CERT *cert;
1319 BIGNUM *r[4];
1320 int nr[4], kn;
1321 BUF_MEM *buf;
1322 EVP_MD_CTX md_ctx;
1323
1324 EVP_MD_CTX_init(&md_ctx);
1325 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1326 type = s->s3->tmp.new_cipher->algorithm_mkey;
1327 cert = s->cert;
1328
1329 buf = s->init_buf;
1330
1331 r[0] = r[1] = r[2] = r[3] = NULL;
1332 n = 0;
1333 if (type & SSL_kDHE) {
1334 if (s->cert->dh_tmp_auto != 0) {
1335 if ((dhp = ssl_get_auto_dh(s)) == NULL) {
1336 al = SSL_AD_INTERNAL_ERROR;
1337 SSLerr(
1338 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1339 ERR_R_INTERNAL_ERROR);
1340 goto f_err;
1341 }
1342 } else
1343 dhp = cert->dh_tmp;
1344
1345 if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
1346 dhp = s->cert->dh_tmp_cb(s, 0,
1347 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1348
1349 if (dhp == NULL) {
1350 al = SSL_AD_HANDSHAKE_FAILURE;
1351 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1352 SSL_R_MISSING_TMP_DH_KEY);
1353 goto f_err;
1354 }
1355
1356 if (s->s3->tmp.dh != NULL) {
1357 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1358 ERR_R_INTERNAL_ERROR);
1359 goto err;
1360 }
1361
1362 if (s->cert->dh_tmp_auto != 0) {
1363 dh = dhp;
1364 } else if ((dh = DHparams_dup(dhp)) == NULL) {
1365 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1366 ERR_R_DH_LIB);
1367 goto err;
1368 }
1369 s->s3->tmp.dh = dh;
1370
1371 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1372 (s->options & SSL_OP_SINGLE_DH_USE))) {
1373 if (!DH_generate_key(dh)) {
1374 SSLerr(
1375 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1376 ERR_R_DH_LIB);
1377 goto err;
1378 }
1379 } else {
1380 dh->pub_key = BN_dup(dhp->pub_key);
1381 dh->priv_key = BN_dup(dhp->priv_key);
1382 if ((dh->pub_key == NULL) ||
1383 (dh->priv_key == NULL)) {
1384 SSLerr(
1385 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1386 ERR_R_DH_LIB);
1387 goto err;
1388 }
1389 }
1390 r[0] = dh->p;
1391 r[1] = dh->g;
1392 r[2] = dh->pub_key;
1393 } else
1394 if (type & SSL_kECDHE) {
1395 const EC_GROUP *group;
1396
1397 ecdhp = cert->ecdh_tmp;
1398 if (s->cert->ecdh_tmp_auto != 0) {
1399 int nid = tls1_get_shared_curve(s);
1400 if (nid != NID_undef)
1401 ecdhp = EC_KEY_new_by_curve_name(nid);
1402 } else if (ecdhp == NULL &&
1403 s->cert->ecdh_tmp_cb != NULL) {
1404 ecdhp = s->cert->ecdh_tmp_cb(s, 0,
1405 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1406 }
1407 if (ecdhp == NULL) {
1408 al = SSL_AD_HANDSHAKE_FAILURE;
1409 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1410 SSL_R_MISSING_TMP_ECDH_KEY);
1411 goto f_err;
1412 }
1413
1414 if (s->s3->tmp.ecdh != NULL) {
1415 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1416 ERR_R_INTERNAL_ERROR);
1417 goto err;
1418 }
1419
1420 /* Duplicate the ECDH structure. */
1421 if (s->cert->ecdh_tmp_auto != 0) {
1422 ecdh = ecdhp;
1423 } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1424 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1425 ERR_R_ECDH_LIB);
1426 goto err;
1427 }
1428 s->s3->tmp.ecdh = ecdh;
1429
1430 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1431 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1432 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1433 if (!EC_KEY_generate_key(ecdh)) {
1434 SSLerr(
1435 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1436 ERR_R_ECDH_LIB);
1437 goto err;
1438 }
1439 }
1440
1441 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1442 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1443 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1444 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1445 goto err;
1446 }
1447
1448 /*
1449 * XXX: For now, we only support ephemeral ECDH
1450 * keys over named (not generic) curves. For
1451 * supported named curves, curve_id is non-zero.
1452 */
1453 if ((curve_id = tls1_ec_nid2curve_id(
1454 EC_GROUP_get_curve_name(group))) == 0) {
1455 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1456 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1457 goto err;
1458 }
1459
1460 /*
1461 * Encode the public key.
1462 * First check the size of encoding and
1463 * allocate memory accordingly.
1464 */
1465 encodedlen = EC_POINT_point2oct(group,
1466 EC_KEY_get0_public_key(ecdh),
1467 POINT_CONVERSION_UNCOMPRESSED,
1468 NULL, 0, NULL);
1469
1470 encodedPoint = malloc(encodedlen);
1471
1472 bn_ctx = BN_CTX_new();
1473 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1474 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1475 ERR_R_MALLOC_FAILURE);
1476 goto err;
1477 }
1478
1479
1480 encodedlen = EC_POINT_point2oct(group,
1481 EC_KEY_get0_public_key(ecdh),
1482 POINT_CONVERSION_UNCOMPRESSED,
1483 encodedPoint, encodedlen, bn_ctx);
1484
1485 if (encodedlen == 0) {
1486 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1487 ERR_R_ECDH_LIB);
1488 goto err;
1489 }
1490
1491 BN_CTX_free(bn_ctx);
1492 bn_ctx = NULL;
1493
1494 /*
1495 * XXX: For now, we only support named (not
1496 * generic) curves in ECDH ephemeral key exchanges.
1497 * In this situation, we need four additional bytes
1498 * to encode the entire ServerECDHParams
1499 * structure.
1500 */
1501 n = 4 + encodedlen;
1502
1503 /*
1504 * We'll generate the serverKeyExchange message
1505 * explicitly so we can set these to NULLs
1506 */
1507 r[0] = NULL;
1508 r[1] = NULL;
1509 r[2] = NULL;
1510 r[3] = NULL;
1511 } else
1512 {
1513 al = SSL_AD_HANDSHAKE_FAILURE;
1514 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1515 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1516 goto f_err;
1517 }
1518 for (i = 0; i < 4 && r[i] != NULL; i++) {
1519 nr[i] = BN_num_bytes(r[i]);
1520 n += 2 + nr[i];
1521 }
1522
1523 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1524 if ((pkey = ssl_get_sign_pkey(
1525 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1526 al = SSL_AD_DECODE_ERROR;
1527 goto f_err;
1528 }
1529 kn = EVP_PKEY_size(pkey);
1530 } else {
1531 pkey = NULL;
1532 kn = 0;
1533 }
1534
1535 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1536 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1537 ERR_LIB_BUF);
1538 goto err;
1539 }
1540 d = (unsigned char *)s->init_buf->data;
1541 p = &d[4];
1542
1543 for (i = 0; i < 4 && r[i] != NULL; i++) {
1544 s2n(nr[i], p);
1545 BN_bn2bin(r[i], p);
1546 p += nr[i];
1547 }
1548
1549 if (type & SSL_kECDHE) {
1550 /*
1551 * XXX: For now, we only support named (not generic)
1552 * curves.
1553 * In this situation, the serverKeyExchange message has:
1554 * [1 byte CurveType], [2 byte CurveName]
1555 * [1 byte length of encoded point], followed by
1556 * the actual encoded point itself
1557 */
1558 *p = NAMED_CURVE_TYPE;
1559 p += 1;
1560 *p = 0;
1561 p += 1;
1562 *p = curve_id;
1563 p += 1;
1564 *p = encodedlen;
1565 p += 1;
1566 memcpy((unsigned char*)p,
1567 (unsigned char *)encodedPoint, encodedlen);
1568 free(encodedPoint);
1569 encodedPoint = NULL;
1570 p += encodedlen;
1571 }
1572
1573
1574 /* not anonymous */
1575 if (pkey != NULL) {
1576 /*
1577 * n is the length of the params, they start at &(d[4])
1578 * and p points to the space at the end.
1579 */
1580 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
1581 q = md_buf;
1582 j = 0;
1583 for (num = 2; num > 0; num--) {
1584 if (!EVP_DigestInit_ex(&md_ctx,
1585 (num == 2) ? s->ctx->md5 :
1586 s->ctx->sha1, NULL))
1587 goto err;
1588 EVP_DigestUpdate(&md_ctx,
1589 s->s3->client_random,
1590 SSL3_RANDOM_SIZE);
1591 EVP_DigestUpdate(&md_ctx,
1592 s->s3->server_random,
1593 SSL3_RANDOM_SIZE);
1594 EVP_DigestUpdate(&md_ctx, &d[4], n);
1595 EVP_DigestFinal_ex(&md_ctx, q,
1596 (unsigned int *)&i);
1597 q += i;
1598 j += i;
1599 }
1600 if (RSA_sign(NID_md5_sha1, md_buf, j,
1601 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1602 SSLerr(
1603 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1604 ERR_LIB_RSA);
1605 goto err;
1606 }
1607 s2n(u, p);
1608 n += u + 2;
1609 } else if (md) {
1610 /* Send signature algorithm. */
1611 if (SSL_USE_SIGALGS(s)) {
1612 if (!tls12_get_sigandhash(p, pkey, md)) {
1613 /* Should never happen */
1614 al = SSL_AD_INTERNAL_ERROR;
1615 SSLerr(
1616 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1617 ERR_R_INTERNAL_ERROR);
1618 goto f_err;
1619 }
1620 p += 2;
1621 }
1622 EVP_SignInit_ex(&md_ctx, md, NULL);
1623 EVP_SignUpdate(&md_ctx,
1624 s->s3->client_random,
1625 SSL3_RANDOM_SIZE);
1626 EVP_SignUpdate(&md_ctx,
1627 s->s3->server_random,
1628 SSL3_RANDOM_SIZE);
1629 EVP_SignUpdate(&md_ctx, &d[4], n);
1630 if (!EVP_SignFinal(&md_ctx, &p[2],
1631 (unsigned int *)&i, pkey)) {
1632 SSLerr(
1633 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1634 ERR_LIB_EVP);
1635 goto err;
1636 }
1637 s2n(i, p);
1638 n += i + 2;
1639 if (SSL_USE_SIGALGS(s))
1640 n += 2;
1641 } else {
1642 /* Is this error check actually needed? */
1643 al = SSL_AD_HANDSHAKE_FAILURE;
1644 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1645 SSL_R_UNKNOWN_PKEY_TYPE);
1646 goto f_err;
1647 }
1648 }
1649
1650 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
1651 l2n3(n, d);
1652
1653 /* we should now have things packed up, so lets send it off */
1654 s->init_num = n + 4;
1655 s->init_off = 0;
1656 }
1657
1658 s->state = SSL3_ST_SW_KEY_EXCH_B;
1659 EVP_MD_CTX_cleanup(&md_ctx);
1660 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1661f_err:
1662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1663err:
1664 free(encodedPoint);
1665 BN_CTX_free(bn_ctx);
1666 EVP_MD_CTX_cleanup(&md_ctx);
1667 return (-1);
1668}
1669
1670int
1671ssl3_send_certificate_request(SSL *s)
1672{
1673 unsigned char *p, *d;
1674 int i, j, nl, off, n;
1675 STACK_OF(X509_NAME) *sk = NULL;
1676 X509_NAME *name;
1677 BUF_MEM *buf;
1678
1679 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
1680 buf = s->init_buf;
1681
1682 d = p = (unsigned char *)&(buf->data[4]);
1683
1684 /* get the list of acceptable cert types */
1685 p++;
1686 n = ssl3_get_req_cert_type(s, p);
1687 d[0] = n;
1688 p += n;
1689 n++;
1690
1691 if (SSL_USE_SIGALGS(s)) {
1692 nl = tls12_get_req_sig_algs(s, p + 2);
1693 s2n(nl, p);
1694 p += nl + 2;
1695 n += nl + 2;
1696 }
1697
1698 off = n;
1699 p += 2;
1700 n += 2;
1701
1702 sk = SSL_get_client_CA_list(s);
1703 nl = 0;
1704 if (sk != NULL) {
1705 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1706 name = sk_X509_NAME_value(sk, i);
1707 j = i2d_X509_NAME(name, NULL);
1708 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1709 SSLerr(
1710 SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
1711 ERR_R_BUF_LIB);
1712 goto err;
1713 }
1714 p = (unsigned char *)&(buf->data[4 + n]);
1715 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
1716 s2n(j, p);
1717 i2d_X509_NAME(name, &p);
1718 n += 2 + j;
1719 nl += 2 + j;
1720 } else {
1721 d = p;
1722 i2d_X509_NAME(name, &p);
1723 j -= 2;
1724 s2n(j, d);
1725 j += 2;
1726 n += j;
1727 nl += j;
1728 }
1729 }
1730 }
1731 /* else no CA names */
1732 p = (unsigned char *)&(buf->data[4 + off]);
1733 s2n(nl, p);
1734
1735 d = (unsigned char *)buf->data;
1736 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
1737 l2n3(n, d);
1738
1739 /* we should now have things packed up, so lets send it off */
1740 s->init_num = n + 4;
1741 s->init_off = 0;
1742
1743 s->state = SSL3_ST_SW_CERT_REQ_B;
1744 }
1745
1746 /* SSL3_ST_SW_CERT_REQ_B */
1747 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1748err:
1749 return (-1);
1750}
1751
1752int
1753ssl3_get_client_key_exchange(SSL *s)
1754{
1755 int i, al, ok;
1756 long n;
1757 unsigned long alg_k;
1758 unsigned char *d, *p;
1759 RSA *rsa = NULL;
1760 EVP_PKEY *pkey = NULL;
1761 BIGNUM *pub = NULL;
1762 DH *dh_srvr;
1763
1764 EC_KEY *srvr_ecdh = NULL;
1765 EVP_PKEY *clnt_pub_pkey = NULL;
1766 EC_POINT *clnt_ecpoint = NULL;
1767 BN_CTX *bn_ctx = NULL;
1768
1769 /* 2048 maxlen is a guess. How long a key does that permit? */
1770 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1771 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
1772 if (!ok)
1773 return ((int)n);
1774 d = p = (unsigned char *)s->init_msg;
1775
1776 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1777
1778 if (alg_k & SSL_kRSA) {
1779 char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
1780
1781 arc4random_buf(fakekey, sizeof(fakekey));
1782 fakekey[0] = s->client_version >> 8;
1783 fakekey[1] = s->client_version & 0xff;
1784
1785 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1786 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
1787 (pkey->pkey.rsa == NULL)) {
1788 al = SSL_AD_HANDSHAKE_FAILURE;
1789 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1790 SSL_R_MISSING_RSA_CERTIFICATE);
1791 goto f_err;
1792 }
1793 rsa = pkey->pkey.rsa;
1794
1795 /* TLS and [incidentally] DTLS{0xFEFF} */
1796 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
1797 if (2 > n)
1798 goto truncated;
1799 n2s(p, i);
1800 if (n != i + 2) {
1801 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
1802 SSLerr(
1803 SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1804 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1805 goto err;
1806 } else
1807 p -= 2;
1808 } else
1809 n = i;
1810 }
1811
1812 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
1813
1814 ERR_clear_error();
1815
1816 al = -1;
1817
1818 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
1819 al = SSL_AD_DECODE_ERROR;
1820 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
1821 }
1822
1823 if (p + 2 - d > n) /* needed in the SSL3 case */
1824 goto truncated;
1825 if ((al == -1) && !((p[0] == (s->client_version >> 8)) &&
1826 (p[1] == (s->client_version & 0xff)))) {
1827 /*
1828 * The premaster secret must contain the same version
1829 * number as the ClientHello to detect version rollback
1830 * attacks (strangely, the protocol does not offer such
1831 * protection for DH ciphersuites).
1832 * However, buggy clients exist that send the negotiated
1833 * protocol version instead if the server does not
1834 * support the requested protocol version.
1835 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
1836 * clients.
1837 */
1838 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
1839 (p[0] == (s->version >> 8)) &&
1840 (p[1] == (s->version & 0xff)))) {
1841 al = SSL_AD_DECODE_ERROR;
1842 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1843
1844 /*
1845 * The Klima-Pokorny-Rosa extension of
1846 * Bleichenbacher's attack
1847 * (http://eprint.iacr.org/2003/052/) exploits
1848 * the version number check as a "bad version
1849 * oracle" -- an alert would reveal that the
1850 * plaintext corresponding to some ciphertext
1851 * made up by the adversary is properly
1852 * formatted except that the version number is
1853 * wrong.
1854 * To avoid such attacks, we should treat this
1855 * just like any other decryption error.
1856 */
1857 }
1858 }
1859
1860 if (al != -1) {
1861 /*
1862 * Some decryption failure -- use random value instead
1863 * as countermeasure against Bleichenbacher's attack
1864 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
1865 * section 7.4.7.1).
1866 */
1867 i = SSL_MAX_MASTER_KEY_LENGTH;
1868 p = fakekey;
1869 }
1870
1871 s->session->master_key_length =
1872 s->method->ssl3_enc->generate_master_secret(s,
1873 s->session->master_key,
1874 p, i);
1875 OPENSSL_cleanse(p, i);
1876 } else if (alg_k & SSL_kDHE) {
1877 if (2 > n)
1878 goto truncated;
1879 n2s(p, i);
1880 if (n != i + 2) {
1881 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
1882 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1883 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1884 goto err;
1885 } else {
1886 p -= 2;
1887 i = (int)n;
1888 }
1889 }
1890
1891 if (n == 0L) {
1892 /* the parameters are in the cert */
1893 al = SSL_AD_HANDSHAKE_FAILURE;
1894 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1895 SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1896 goto f_err;
1897 } else {
1898 if (s->s3->tmp.dh == NULL) {
1899 al = SSL_AD_HANDSHAKE_FAILURE;
1900 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1901 SSL_R_MISSING_TMP_DH_KEY);
1902 goto f_err;
1903 } else
1904 dh_srvr = s->s3->tmp.dh;
1905 }
1906
1907 pub = BN_bin2bn(p, i, NULL);
1908 if (pub == NULL) {
1909 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1910 SSL_R_BN_LIB);
1911 goto err;
1912 }
1913
1914 i = DH_compute_key(p, pub, dh_srvr);
1915
1916 if (i <= 0) {
1917 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1918 ERR_R_DH_LIB);
1919 BN_clear_free(pub);
1920 goto err;
1921 }
1922
1923 DH_free(s->s3->tmp.dh);
1924 s->s3->tmp.dh = NULL;
1925
1926 BN_clear_free(pub);
1927 pub = NULL;
1928 s->session->master_key_length =
1929 s->method->ssl3_enc->generate_master_secret(
1930 s, s->session->master_key, p, i);
1931 OPENSSL_cleanse(p, i);
1932 } else
1933
1934 if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
1935 int ret = 1;
1936 int field_size = 0;
1937 const EC_KEY *tkey;
1938 const EC_GROUP *group;
1939 const BIGNUM *priv_key;
1940
1941 /* Initialize structures for server's ECDH key pair. */
1942 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
1943 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1944 ERR_R_MALLOC_FAILURE);
1945 goto err;
1946 }
1947
1948 /* Let's get server private key and group information. */
1949 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
1950 /* Use the certificate */
1951 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
1952 } else {
1953 /*
1954 * Use the ephermeral values we saved when
1955 * generating the ServerKeyExchange msg.
1956 */
1957 tkey = s->s3->tmp.ecdh;
1958 }
1959
1960 group = EC_KEY_get0_group(tkey);
1961 priv_key = EC_KEY_get0_private_key(tkey);
1962
1963 if (!EC_KEY_set_group(srvr_ecdh, group) ||
1964 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
1965 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1966 ERR_R_EC_LIB);
1967 goto err;
1968 }
1969
1970 /* Let's get client's public key */
1971 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
1972 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1973 ERR_R_MALLOC_FAILURE);
1974 goto err;
1975 }
1976
1977 if (n == 0L) {
1978 /* Client Publickey was in Client Certificate */
1979
1980 if (alg_k & SSL_kECDHE) {
1981 al = SSL_AD_HANDSHAKE_FAILURE;
1982 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1983 SSL_R_MISSING_TMP_ECDH_KEY);
1984 goto f_err;
1985 }
1986 if (((clnt_pub_pkey = X509_get_pubkey(
1987 s->session->peer)) == NULL) ||
1988 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
1989 /*
1990 * XXX: For now, we do not support client
1991 * authentication using ECDH certificates
1992 * so this branch (n == 0L) of the code is
1993 * never executed. When that support is
1994 * added, we ought to ensure the key
1995 * received in the certificate is
1996 * authorized for key agreement.
1997 * ECDH_compute_key implicitly checks that
1998 * the two ECDH shares are for the same
1999 * group.
2000 */
2001 al = SSL_AD_HANDSHAKE_FAILURE;
2002 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2003 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2004 goto f_err;
2005 }
2006
2007 if (EC_POINT_copy(clnt_ecpoint,
2008 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
2009 == 0) {
2010 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2011 ERR_R_EC_LIB);
2012 goto err;
2013 }
2014 ret = 2; /* Skip certificate verify processing */
2015 } else {
2016 /*
2017 * Get client's public key from encoded point
2018 * in the ClientKeyExchange message.
2019 */
2020 if ((bn_ctx = BN_CTX_new()) == NULL) {
2021 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2022 ERR_R_MALLOC_FAILURE);
2023 goto err;
2024 }
2025
2026 /* Get encoded point length */
2027 i = *p;
2028
2029 p += 1;
2030 if (n != 1 + i) {
2031 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2032 ERR_R_EC_LIB);
2033 goto err;
2034 }
2035 if (EC_POINT_oct2point(group,
2036 clnt_ecpoint, p, i, bn_ctx) == 0) {
2037 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2038 ERR_R_EC_LIB);
2039 goto err;
2040 }
2041 /*
2042 * p is pointing to somewhere in the buffer
2043 * currently, so set it to the start.
2044 */
2045 p = (unsigned char *)s->init_buf->data;
2046 }
2047
2048 /* Compute the shared pre-master secret */
2049 field_size = EC_GROUP_get_degree(group);
2050 if (field_size <= 0) {
2051 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2052 ERR_R_ECDH_LIB);
2053 goto err;
2054 }
2055 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint,
2056 srvr_ecdh, NULL);
2057 if (i <= 0) {
2058 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2059 ERR_R_ECDH_LIB);
2060 goto err;
2061 }
2062
2063 EVP_PKEY_free(clnt_pub_pkey);
2064 EC_POINT_free(clnt_ecpoint);
2065 EC_KEY_free(srvr_ecdh);
2066 BN_CTX_free(bn_ctx);
2067 EC_KEY_free(s->s3->tmp.ecdh);
2068 s->s3->tmp.ecdh = NULL;
2069
2070
2071 /* Compute the master secret */
2072 s->session->master_key_length = s->method->ssl3_enc-> \
2073 generate_master_secret(s, s->session->master_key, p, i);
2074
2075 OPENSSL_cleanse(p, i);
2076 return (ret);
2077 } else
2078 if (alg_k & SSL_kGOST) {
2079 int ret = 0;
2080 EVP_PKEY_CTX *pkey_ctx;
2081 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2082 unsigned char premaster_secret[32], *start;
2083 size_t outlen = 32, inlen;
2084 unsigned long alg_a;
2085 int Ttag, Tclass;
2086 long Tlen;
2087
2088 /* Get our certificate private key*/
2089 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2090 if (alg_a & SSL_aGOST01)
2091 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2092
2093 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2094 EVP_PKEY_decrypt_init(pkey_ctx);
2095 /*
2096 * If client certificate is present and is of the same type,
2097 * maybe use it for key exchange.
2098 * Don't mind errors from EVP_PKEY_derive_set_peer, because
2099 * it is completely valid to use a client certificate for
2100 * authorization only.
2101 */
2102 client_pub_pkey = X509_get_pubkey(s->session->peer);
2103 if (client_pub_pkey) {
2104 if (EVP_PKEY_derive_set_peer(pkey_ctx,
2105 client_pub_pkey) <= 0)
2106 ERR_clear_error();
2107 }
2108 if (2 > n)
2109 goto truncated;
2110 /* Decrypt session key */
2111 if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag,
2112 &Tclass, n) != V_ASN1_CONSTRUCTED ||
2113 Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
2114 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2115 SSL_R_DECRYPTION_FAILED);
2116 goto gerr;
2117 }
2118 start = p;
2119 inlen = Tlen;
2120 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
2121 start, inlen) <=0) {
2122 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2123 SSL_R_DECRYPTION_FAILED);
2124 goto gerr;
2125 }
2126 /* Generate master secret */
2127 s->session->master_key_length =
2128 s->method->ssl3_enc->generate_master_secret(
2129 s, s->session->master_key, premaster_secret, 32);
2130 /* Check if pubkey from client certificate was used */
2131 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
2132 EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2133 ret = 2;
2134 else
2135 ret = 1;
2136gerr:
2137 EVP_PKEY_free(client_pub_pkey);
2138 EVP_PKEY_CTX_free(pkey_ctx);
2139 if (ret)
2140 return (ret);
2141 else
2142 goto err;
2143 } else {
2144 al = SSL_AD_HANDSHAKE_FAILURE;
2145 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2146 SSL_R_UNKNOWN_CIPHER_TYPE);
2147 goto f_err;
2148 }
2149
2150 return (1);
2151truncated:
2152 al = SSL_AD_DECODE_ERROR;
2153 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
2154f_err:
2155 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2156err:
2157 EVP_PKEY_free(clnt_pub_pkey);
2158 EC_POINT_free(clnt_ecpoint);
2159 EC_KEY_free(srvr_ecdh);
2160 BN_CTX_free(bn_ctx);
2161 return (-1);
2162}
2163
2164int
2165ssl3_get_cert_verify(SSL *s)
2166{
2167 EVP_PKEY *pkey = NULL;
2168 unsigned char *p;
2169 int al, ok, ret = 0;
2170 long n;
2171 int type = 0, i, j;
2172 X509 *peer;
2173 const EVP_MD *md = NULL;
2174 EVP_MD_CTX mctx;
2175 EVP_MD_CTX_init(&mctx);
2176
2177 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2178 SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok);
2179 if (!ok)
2180 return ((int)n);
2181
2182 if (s->session->peer != NULL) {
2183 peer = s->session->peer;
2184 pkey = X509_get_pubkey(peer);
2185 type = X509_certificate_type(peer, pkey);
2186 } else {
2187 peer = NULL;
2188 pkey = NULL;
2189 }
2190
2191 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2192 s->s3->tmp.reuse_message = 1;
2193 if (peer != NULL) {
2194 al = SSL_AD_UNEXPECTED_MESSAGE;
2195 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2196 SSL_R_MISSING_VERIFY_MESSAGE);
2197 goto f_err;
2198 }
2199 ret = 1;
2200 goto end;
2201 }
2202
2203 if (peer == NULL) {
2204 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2205 SSL_R_NO_CLIENT_CERT_RECEIVED);
2206 al = SSL_AD_UNEXPECTED_MESSAGE;
2207 goto f_err;
2208 }
2209
2210 if (!(type & EVP_PKT_SIGN)) {
2211 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2212 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2213 al = SSL_AD_ILLEGAL_PARAMETER;
2214 goto f_err;
2215 }
2216
2217 if (s->s3->change_cipher_spec) {
2218 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2219 SSL_R_CCS_RECEIVED_EARLY);
2220 al = SSL_AD_UNEXPECTED_MESSAGE;
2221 goto f_err;
2222 }
2223
2224 /* we now have a signature that we need to verify */
2225 p = (unsigned char *)s->init_msg;
2226 /*
2227 * Check for broken implementations of GOST ciphersuites.
2228 *
2229 * If key is GOST and n is exactly 64, it is a bare
2230 * signature without length field.
2231 */
2232 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2233 pkey->type == NID_id_GostR3410_2001) ) {
2234 i = 64;
2235 } else {
2236 if (SSL_USE_SIGALGS(s)) {
2237 int sigalg = tls12_get_sigid(pkey);
2238 /* Should never happen */
2239 if (sigalg == -1) {
2240 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2241 ERR_R_INTERNAL_ERROR);
2242 al = SSL_AD_INTERNAL_ERROR;
2243 goto f_err;
2244 }
2245 if (2 > n)
2246 goto truncated;
2247 /* Check key type is consistent with signature */
2248 if (sigalg != (int)p[1]) {
2249 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2250 SSL_R_WRONG_SIGNATURE_TYPE);
2251 al = SSL_AD_DECODE_ERROR;
2252 goto f_err;
2253 }
2254 md = tls12_get_hash(p[0]);
2255 if (md == NULL) {
2256 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2257 SSL_R_UNKNOWN_DIGEST);
2258 al = SSL_AD_DECODE_ERROR;
2259 goto f_err;
2260 }
2261 p += 2;
2262 n -= 2;
2263 }
2264 if (2 > n)
2265 goto truncated;
2266 n2s(p, i);
2267 n -= 2;
2268 if (i > n)
2269 goto truncated;
2270 }
2271 j = EVP_PKEY_size(pkey);
2272 if ((i > j) || (n > j) || (n <= 0)) {
2273 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2274 SSL_R_WRONG_SIGNATURE_SIZE);
2275 al = SSL_AD_DECODE_ERROR;
2276 goto f_err;
2277 }
2278
2279 if (SSL_USE_SIGALGS(s)) {
2280 long hdatalen = 0;
2281 void *hdata;
2282 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2283 if (hdatalen <= 0) {
2284 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2285 ERR_R_INTERNAL_ERROR);
2286 al = SSL_AD_INTERNAL_ERROR;
2287 goto f_err;
2288 }
2289 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2290 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
2291 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2292 ERR_R_EVP_LIB);
2293 al = SSL_AD_INTERNAL_ERROR;
2294 goto f_err;
2295 }
2296
2297 if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
2298 al = SSL_AD_DECRYPT_ERROR;
2299 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2300 SSL_R_BAD_SIGNATURE);
2301 goto f_err;
2302 }
2303 } else
2304 if (pkey->type == EVP_PKEY_RSA) {
2305 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
2306 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
2307 pkey->pkey.rsa);
2308 if (i < 0) {
2309 al = SSL_AD_DECRYPT_ERROR;
2310 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2311 SSL_R_BAD_RSA_DECRYPT);
2312 goto f_err;
2313 }
2314 if (i == 0) {
2315 al = SSL_AD_DECRYPT_ERROR;
2316 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2317 SSL_R_BAD_RSA_SIGNATURE);
2318 goto f_err;
2319 }
2320 } else
2321 if (pkey->type == EVP_PKEY_DSA) {
2322 j = DSA_verify(pkey->save_type,
2323 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2324 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
2325 if (j <= 0) {
2326 /* bad signature */
2327 al = SSL_AD_DECRYPT_ERROR;
2328 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2329 SSL_R_BAD_DSA_SIGNATURE);
2330 goto f_err;
2331 }
2332 } else
2333 if (pkey->type == EVP_PKEY_EC) {
2334 j = ECDSA_verify(pkey->save_type,
2335 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2336 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
2337 if (j <= 0) {
2338 /* bad signature */
2339 al = SSL_AD_DECRYPT_ERROR;
2340 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2341 SSL_R_BAD_ECDSA_SIGNATURE);
2342 goto f_err;
2343 }
2344 } else
2345#ifndef OPENSSL_NO_GOST
2346 if (pkey->type == NID_id_GostR3410_94 ||
2347 pkey->type == NID_id_GostR3410_2001) {
2348 long hdatalen = 0;
2349 void *hdata;
2350 unsigned char signature[128];
2351 unsigned int siglen = sizeof(signature);
2352 int nid;
2353 EVP_PKEY_CTX *pctx;
2354
2355 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2356 if (hdatalen <= 0) {
2357 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2358 ERR_R_INTERNAL_ERROR);
2359 al = SSL_AD_INTERNAL_ERROR;
2360 goto f_err;
2361 }
2362 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2363 !(md = EVP_get_digestbynid(nid))) {
2364 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2365 ERR_R_EVP_LIB);
2366 al = SSL_AD_INTERNAL_ERROR;
2367 goto f_err;
2368 }
2369 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2370 if (!pctx) {
2371 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2372 ERR_R_EVP_LIB);
2373 al = SSL_AD_INTERNAL_ERROR;
2374 goto f_err;
2375 }
2376 if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
2377 !EVP_DigestUpdate(&mctx, hdata, hdatalen) ||
2378 !EVP_DigestFinal(&mctx, signature, &siglen) ||
2379 (EVP_PKEY_verify_init(pctx) <= 0) ||
2380 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
2381 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2382 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2383 GOST_SIG_FORMAT_RS_LE,
2384 NULL) <= 0)) {
2385 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2386 ERR_R_EVP_LIB);
2387 al = SSL_AD_INTERNAL_ERROR;
2388 EVP_PKEY_CTX_free(pctx);
2389 goto f_err;
2390 }
2391
2392 if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) {
2393 al = SSL_AD_DECRYPT_ERROR;
2394 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2395 SSL_R_BAD_SIGNATURE);
2396 EVP_PKEY_CTX_free(pctx);
2397 goto f_err;
2398 }
2399
2400 EVP_PKEY_CTX_free(pctx);
2401 } else
2402#endif
2403 {
2404 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2405 ERR_R_INTERNAL_ERROR);
2406 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
2407 goto f_err;
2408 }
2409
2410
2411 ret = 1;
2412 if (0) {
2413truncated:
2414 al = SSL_AD_DECODE_ERROR;
2415 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_PACKET_LENGTH);
2416f_err:
2417 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2418 }
2419end:
2420 if (s->s3->handshake_buffer) {
2421 BIO_free(s->s3->handshake_buffer);
2422 s->s3->handshake_buffer = NULL;
2423 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
2424 }
2425 EVP_MD_CTX_cleanup(&mctx);
2426 EVP_PKEY_free(pkey);
2427 return (ret);
2428}
2429
2430int
2431ssl3_get_client_certificate(SSL *s)
2432{
2433 int i, ok, al, ret = -1;
2434 X509 *x = NULL;
2435 unsigned long l, nc, llen, n;
2436 const unsigned char *p, *q;
2437 STACK_OF(X509) *sk = NULL;
2438
2439 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2440 -1, s->max_cert_list, &ok);
2441
2442 if (!ok)
2443 return ((int)n);
2444
2445 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2446 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2447 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2448 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2449 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2450 al = SSL_AD_HANDSHAKE_FAILURE;
2451 goto f_err;
2452 }
2453 /*
2454 * If tls asked for a client cert,
2455 * the client must return a 0 list.
2456 */
2457 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
2458 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2459 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2460 );
2461 al = SSL_AD_UNEXPECTED_MESSAGE;
2462 goto f_err;
2463 }
2464 s->s3->tmp.reuse_message = 1;
2465 return (1);
2466 }
2467
2468 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2469 al = SSL_AD_UNEXPECTED_MESSAGE;
2470 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2471 SSL_R_WRONG_MESSAGE_TYPE);
2472 goto f_err;
2473 }
2474 p = (const unsigned char *)s->init_msg;
2475
2476 if ((sk = sk_X509_new_null()) == NULL) {
2477 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2478 ERR_R_MALLOC_FAILURE);
2479 goto err;
2480 }
2481
2482 if (3 > n)
2483 goto truncated;
2484 n2l3(p, llen);
2485 if (llen + 3 != n)
2486 goto truncated;
2487 for (nc = 0; nc < llen;) {
2488 n2l3(p, l);
2489 if (l + nc + 3 > llen) {
2490 al = SSL_AD_DECODE_ERROR;
2491 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2492 SSL_R_CERT_LENGTH_MISMATCH);
2493 goto f_err;
2494 }
2495
2496 q = p;
2497 x = d2i_X509(NULL, &p, l);
2498 if (x == NULL) {
2499 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2500 ERR_R_ASN1_LIB);
2501 goto err;
2502 }
2503 if (p != (q + l)) {
2504 al = SSL_AD_DECODE_ERROR;
2505 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2506 SSL_R_CERT_LENGTH_MISMATCH);
2507 goto f_err;
2508 }
2509 if (!sk_X509_push(sk, x)) {
2510 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2511 ERR_R_MALLOC_FAILURE);
2512 goto err;
2513 }
2514 x = NULL;
2515 nc += l + 3;
2516 }
2517
2518 if (sk_X509_num(sk) <= 0) {
2519 /* TLS does not mind 0 certs returned */
2520 if (s->version == SSL3_VERSION) {
2521 al = SSL_AD_HANDSHAKE_FAILURE;
2522 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2523 SSL_R_NO_CERTIFICATES_RETURNED);
2524 goto f_err;
2525 }
2526 /* Fail for TLS only if we required a certificate */
2527 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
2528 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2529 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2530 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2531 al = SSL_AD_HANDSHAKE_FAILURE;
2532 goto f_err;
2533 }
2534 /* No client certificate so digest cached records */
2535 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
2536 al = SSL_AD_INTERNAL_ERROR;
2537 goto f_err;
2538 }
2539 } else {
2540 i = ssl_verify_cert_chain(s, sk);
2541 if (i <= 0) {
2542 al = ssl_verify_alarm_type(s->verify_result);
2543 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2544 SSL_R_NO_CERTIFICATE_RETURNED);
2545 goto f_err;
2546 }
2547 }
2548
2549 if (s->session->peer != NULL) /* This should not be needed */
2550 X509_free(s->session->peer);
2551 s->session->peer = sk_X509_shift(sk);
2552 s->session->verify_result = s->verify_result;
2553
2554 /*
2555 * With the current implementation, sess_cert will always be NULL
2556 * when we arrive here
2557 */
2558 if (s->session->sess_cert == NULL) {
2559 s->session->sess_cert = ssl_sess_cert_new();
2560 if (s->session->sess_cert == NULL) {
2561 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2562 ERR_R_MALLOC_FAILURE);
2563 goto err;
2564 }
2565 }
2566 if (s->session->sess_cert->cert_chain != NULL)
2567 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2568 s->session->sess_cert->cert_chain = sk;
2569
2570 /*
2571 * Inconsistency alert: cert_chain does *not* include the
2572 * peer's own certificate, while we do include it in s3_clnt.c
2573 */
2574
2575 sk = NULL;
2576
2577 ret = 1;
2578 if (0) {
2579truncated:
2580 al = SSL_AD_DECODE_ERROR;
2581 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
2582 SSL_R_BAD_PACKET_LENGTH);
2583f_err:
2584 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2585 }
2586err:
2587 if (x != NULL)
2588 X509_free(x);
2589 if (sk != NULL)
2590 sk_X509_pop_free(sk, X509_free);
2591 return (ret);
2592}
2593
2594int
2595ssl3_send_server_certificate(SSL *s)
2596{
2597 unsigned long l;
2598 X509 *x;
2599
2600 if (s->state == SSL3_ST_SW_CERT_A) {
2601 x = ssl_get_server_send_cert(s);
2602 if (x == NULL) {
2603 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2604 ERR_R_INTERNAL_ERROR);
2605 return (0);
2606 }
2607
2608 l = ssl3_output_cert_chain(s, x);
2609 s->state = SSL3_ST_SW_CERT_B;
2610 s->init_num = (int)l;
2611 s->init_off = 0;
2612 }
2613
2614 /* SSL3_ST_SW_CERT_B */
2615 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2616}
2617
2618/* send a new session ticket (not necessarily for a new session) */
2619int
2620ssl3_send_newsession_ticket(SSL *s)
2621{
2622 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
2623 unsigned char *p, *senc, *macstart;
2624 const unsigned char *const_p;
2625 int len, slen_full, slen;
2626 SSL_SESSION *sess;
2627 unsigned int hlen;
2628 EVP_CIPHER_CTX ctx;
2629 HMAC_CTX hctx;
2630 SSL_CTX *tctx = s->initial_ctx;
2631 unsigned char iv[EVP_MAX_IV_LENGTH];
2632 unsigned char key_name[16];
2633
2634 /* get session encoding length */
2635 slen_full = i2d_SSL_SESSION(s->session, NULL);
2636 /*
2637 * Some length values are 16 bits, so forget it if session is
2638 * too long
2639 */
2640 if (slen_full > 0xFF00)
2641 return (-1);
2642 senc = malloc(slen_full);
2643 if (!senc)
2644 return (-1);
2645 p = senc;
2646 i2d_SSL_SESSION(s->session, &p);
2647
2648 /*
2649 * Create a fresh copy (not shared with other threads) to
2650 * clean up
2651 */
2652 const_p = senc;
2653 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
2654 if (sess == NULL) {
2655 free(senc);
2656 return (-1);
2657 }
2658
2659 /* ID is irrelevant for the ticket */
2660 sess->session_id_length = 0;
2661
2662 slen = i2d_SSL_SESSION(sess, NULL);
2663 if (slen > slen_full) {
2664 /* shouldn't ever happen */
2665 free(senc);
2666 return (-1);
2667 }
2668 p = senc;
2669 i2d_SSL_SESSION(sess, &p);
2670 SSL_SESSION_free(sess);
2671
2672 /*
2673 * Grow buffer if need be: the length calculation is as
2674 * follows 1 (size of message name) + 3 (message length
2675 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2676 * 16 (key name) + max_iv_len (iv length) +
2677 * session_length + max_enc_block_size (max encrypted session
2678 * length) + max_md_size (HMAC).
2679 */
2680 if (!BUF_MEM_grow(s->init_buf,
2681 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
2682 EVP_MAX_MD_SIZE + slen)) {
2683 free(senc);
2684 return (-1);
2685 }
2686
2687 p = (unsigned char *)s->init_buf->data;
2688 /* do the header */
2689 *(p++) = SSL3_MT_NEWSESSION_TICKET;
2690 /* Skip message length for now */
2691 p += 3;
2692 EVP_CIPHER_CTX_init(&ctx);
2693 HMAC_CTX_init(&hctx);
2694 /*
2695 * Initialize HMAC and cipher contexts. If callback present
2696 * it does all the work otherwise use generated values
2697 * from parent ctx.
2698 */
2699 if (tctx->tlsext_ticket_key_cb) {
2700 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2701 &hctx, 1) < 0) {
2702 free(senc);
2703 return (-1);
2704 }
2705 } else {
2706 arc4random_buf(iv, 16);
2707 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2708 tctx->tlsext_tick_aes_key, iv);
2709 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2710 tlsext_tick_md(), NULL);
2711 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2712 }
2713
2714 /*
2715 * Ticket lifetime hint (advisory only):
2716 * We leave this unspecified for resumed session
2717 * (for simplicity), and guess that tickets for new
2718 * sessions will live as long as their sessions.
2719 */
2720 l2n(s->hit ? 0 : s->session->timeout, p);
2721
2722 /* Skip ticket length for now */
2723 p += 2;
2724 /* Output key name */
2725 macstart = p;
2726 memcpy(p, key_name, 16);
2727 p += 16;
2728 /* output IV */
2729 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2730 p += EVP_CIPHER_CTX_iv_length(&ctx);
2731 /* Encrypt session data */
2732 EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2733 p += len;
2734 EVP_EncryptFinal(&ctx, p, &len);
2735 p += len;
2736 EVP_CIPHER_CTX_cleanup(&ctx);
2737
2738 HMAC_Update(&hctx, macstart, p - macstart);
2739 HMAC_Final(&hctx, p, &hlen);
2740 HMAC_CTX_cleanup(&hctx);
2741
2742 p += hlen;
2743 /* Now write out lengths: p points to end of data written */
2744 /* Total length */
2745 len = p - (unsigned char *)s->init_buf->data;
2746 p = (unsigned char *)s->init_buf->data + 1;
2747 l2n3(len - 4, p); /* Message length */
2748 p += 4;
2749 s2n(len - 10, p);
2750 /* Ticket length */
2751
2752 /* number of bytes to write */
2753 s->init_num = len;
2754 s->state = SSL3_ST_SW_SESSION_TICKET_B;
2755 s->init_off = 0;
2756 free(senc);
2757 }
2758
2759 /* SSL3_ST_SW_SESSION_TICKET_B */
2760 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2761}
2762
2763int
2764ssl3_send_cert_status(SSL *s)
2765{
2766 unsigned char *p;
2767
2768 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
2769 /*
2770 * Grow buffer if need be: the length calculation is as
2771 * follows 1 (message type) + 3 (message length) +
2772 * 1 (ocsp response type) + 3 (ocsp response length)
2773 * + (ocsp response)
2774 */
2775 if (!BUF_MEM_grow(s->init_buf, SSL3_HM_HEADER_LENGTH + 4 +
2776 s->tlsext_ocsp_resplen))
2777 return (-1);
2778
2779 p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_STATUS);
2780
2781 *(p++) = s->tlsext_status_type;
2782 l2n3(s->tlsext_ocsp_resplen, p);
2783 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
2784
2785 ssl3_handshake_msg_finish(s, s->tlsext_ocsp_resplen + 4);
2786
2787 s->state = SSL3_ST_SW_CERT_STATUS_B;
2788 }
2789
2790 /* SSL3_ST_SW_CERT_STATUS_B */
2791 return (ssl3_handshake_write(s));
2792}
2793
2794/*
2795 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
2796 * It sets the next_proto member in s if found
2797 */
2798int
2799ssl3_get_next_proto(SSL *s)
2800{
2801 int ok;
2802 int proto_len, padding_len;
2803 long n;
2804 const unsigned char *p;
2805
2806 /*
2807 * Clients cannot send a NextProtocol message if we didn't see the
2808 * extension in their ClientHello
2809 */
2810 if (!s->s3->next_proto_neg_seen) {
2811 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2812 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2813 return (-1);
2814 }
2815
2816 /* 514 maxlen is enough for the payload format below */
2817 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2818 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
2819 if (!ok)
2820 return ((int)n);
2821
2822 /*
2823 * s->state doesn't reflect whether ChangeCipherSpec has been received
2824 * in this handshake, but s->s3->change_cipher_spec does (will be reset
2825 * by ssl3_get_finished).
2826 */
2827 if (!s->s3->change_cipher_spec) {
2828 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2829 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
2830 return (-1);
2831 }
2832
2833 if (n < 2)
2834 return (0);
2835 /* The body must be > 1 bytes long */
2836
2837 p = (unsigned char *)s->init_msg;
2838
2839 /*
2840 * The payload looks like:
2841 * uint8 proto_len;
2842 * uint8 proto[proto_len];
2843 * uint8 padding_len;
2844 * uint8 padding[padding_len];
2845 */
2846 proto_len = p[0];
2847 if (proto_len + 2 > s->init_num)
2848 return (0);
2849 padding_len = p[proto_len + 1];
2850 if (proto_len + padding_len + 2 != s->init_num)
2851 return (0);
2852
2853 s->next_proto_negotiated = malloc(proto_len);
2854 if (!s->next_proto_negotiated) {
2855 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
2856 ERR_R_MALLOC_FAILURE);
2857 return (0);
2858 }
2859 memcpy(s->next_proto_negotiated, p + 1, proto_len);
2860 s->next_proto_negotiated_len = proto_len;
2861
2862 return (1);
2863}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 19:52:29 +0000