summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_clnt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r--src/lib/libssl/ssl_clnt.c2678
1 files changed, 0 insertions, 2678 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
deleted file mode 100644
index 441da643fd..0000000000
--- a/src/lib/libssl/ssl_clnt.c
+++ /dev/null
@@ -1,2678 +0,0 @@
1/* $OpenBSD: ssl_clnt.c,v 1.161 2023/07/08 16:40:13 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <limits.h>
152#include <stdint.h>
153#include <stdio.h>
154
155#include <openssl/bn.h>
156#include <openssl/buffer.h>
157#include <openssl/curve25519.h>
158#include <openssl/dh.h>
159#include <openssl/evp.h>
160#include <openssl/md5.h>
161#include <openssl/objects.h>
162#include <openssl/opensslconf.h>
163
164#ifndef OPENSSL_NO_ENGINE
165#include <openssl/engine.h>
166#endif
167#ifndef OPENSSL_NO_GOST
168#include <openssl/gost.h>
169#endif
170
171#include "bytestring.h"
172#include "dtls_local.h"
173#include "ssl_local.h"
174#include "ssl_sigalgs.h"
175#include "ssl_tlsext.h"
176
177static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
178
179static int ssl3_send_client_hello(SSL *s);
180static int ssl3_get_dtls_hello_verify(SSL *s);
181static int ssl3_get_server_hello(SSL *s);
182static int ssl3_get_certificate_request(SSL *s);
183static int ssl3_get_new_session_ticket(SSL *s);
184static int ssl3_get_cert_status(SSL *s);
185static int ssl3_get_server_done(SSL *s);
186static int ssl3_send_client_verify(SSL *s);
187static int ssl3_send_client_certificate(SSL *s);
188static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
189static int ssl3_send_client_key_exchange(SSL *s);
190static int ssl3_get_server_key_exchange(SSL *s);
191static int ssl3_get_server_certificate(SSL *s);
192static int ssl3_check_cert_and_algorithm(SSL *s);
193static int ssl3_check_finished(SSL *s);
194static int ssl3_send_client_change_cipher_spec(SSL *s);
195static int ssl3_send_client_finished(SSL *s);
196static int ssl3_get_server_finished(SSL *s);
197
198int
199ssl3_connect(SSL *s)
200{
201 int new_state, state, skip = 0;
202 int ret = -1;
203
204 ERR_clear_error();
205 errno = 0;
206
207 s->in_handshake++;
208 if (!SSL_in_init(s) || SSL_in_before(s))
209 SSL_clear(s);
210
211 for (;;) {
212 state = s->s3->hs.state;
213
214 switch (s->s3->hs.state) {
215 case SSL_ST_RENEGOTIATE:
216 s->renegotiate = 1;
217 s->s3->hs.state = SSL_ST_CONNECT;
218 s->ctx->stats.sess_connect_renegotiate++;
219 /* break */
220 case SSL_ST_BEFORE:
221 case SSL_ST_CONNECT:
222 case SSL_ST_BEFORE|SSL_ST_CONNECT:
223 case SSL_ST_OK|SSL_ST_CONNECT:
224
225 s->server = 0;
226
227 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
228
229 if (!ssl_legacy_stack_version(s, s->version)) {
230 SSLerror(s, ERR_R_INTERNAL_ERROR);
231 ret = -1;
232 goto end;
233 }
234
235 if (!ssl_supported_tls_version_range(s,
236 &s->s3->hs.our_min_tls_version,
237 &s->s3->hs.our_max_tls_version)) {
238 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
239 ret = -1;
240 goto end;
241 }
242
243 if (!ssl_security_version(s,
244 s->s3->hs.our_min_tls_version)) {
245 SSLerror(s, SSL_R_VERSION_TOO_LOW);
246 ret = -1;
247 goto end;
248 }
249
250 if (!ssl3_setup_init_buffer(s)) {
251 ret = -1;
252 goto end;
253 }
254 if (!ssl3_setup_buffers(s)) {
255 ret = -1;
256 goto end;
257 }
258 if (!ssl_init_wbio_buffer(s, 0)) {
259 ret = -1;
260 goto end;
261 }
262
263 /* don't push the buffering BIO quite yet */
264
265 if (!tls1_transcript_init(s)) {
266 ret = -1;
267 goto end;
268 }
269
270 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
271 s->ctx->stats.sess_connect++;
272 s->init_num = 0;
273
274 if (SSL_is_dtls(s)) {
275 /* mark client_random uninitialized */
276 memset(s->s3->client_random, 0,
277 sizeof(s->s3->client_random));
278 s->d1->send_cookie = 0;
279 s->hit = 0;
280 }
281 break;
282
283 case SSL3_ST_CW_CLNT_HELLO_A:
284 case SSL3_ST_CW_CLNT_HELLO_B:
285 s->shutdown = 0;
286
287 if (SSL_is_dtls(s)) {
288 /* every DTLS ClientHello resets Finished MAC */
289 tls1_transcript_reset(s);
290
291 dtls1_start_timer(s);
292 }
293
294 ret = ssl3_send_client_hello(s);
295 if (ret <= 0)
296 goto end;
297
298 if (SSL_is_dtls(s) && s->d1->send_cookie) {
299 s->s3->hs.state = SSL3_ST_CW_FLUSH;
300 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
301 } else
302 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
303
304 s->init_num = 0;
305
306 /* turn on buffering for the next lot of output */
307 if (s->bbio != s->wbio)
308 s->wbio = BIO_push(s->bbio, s->wbio);
309
310 break;
311
312 case SSL3_ST_CR_SRVR_HELLO_A:
313 case SSL3_ST_CR_SRVR_HELLO_B:
314 ret = ssl3_get_server_hello(s);
315 if (ret <= 0)
316 goto end;
317
318 if (s->hit) {
319 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
320 if (!SSL_is_dtls(s)) {
321 if (s->tlsext_ticket_expected) {
322 /* receive renewed session ticket */
323 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
324 }
325
326 /* No client certificate verification. */
327 tls1_transcript_free(s);
328 }
329 } else if (SSL_is_dtls(s)) {
330 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
331 } else {
332 s->s3->hs.state = SSL3_ST_CR_CERT_A;
333 }
334 s->init_num = 0;
335 break;
336
337 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
338 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
339 ret = ssl3_get_dtls_hello_verify(s);
340 if (ret <= 0)
341 goto end;
342 dtls1_stop_timer(s);
343 if (s->d1->send_cookie) /* start again, with a cookie */
344 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
345 else
346 s->s3->hs.state = SSL3_ST_CR_CERT_A;
347 s->init_num = 0;
348 break;
349
350 case SSL3_ST_CR_CERT_A:
351 case SSL3_ST_CR_CERT_B:
352 ret = ssl3_check_finished(s);
353 if (ret <= 0)
354 goto end;
355 if (ret == 2) {
356 s->hit = 1;
357 if (s->tlsext_ticket_expected)
358 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
359 else
360 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
361 s->init_num = 0;
362 break;
363 }
364 /* Check if it is anon DH/ECDH. */
365 if (!(s->s3->hs.cipher->algorithm_auth &
366 SSL_aNULL)) {
367 ret = ssl3_get_server_certificate(s);
368 if (ret <= 0)
369 goto end;
370 if (s->tlsext_status_expected)
371 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
372 else
373 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
374 } else {
375 skip = 1;
376 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
377 }
378 s->init_num = 0;
379 break;
380
381 case SSL3_ST_CR_KEY_EXCH_A:
382 case SSL3_ST_CR_KEY_EXCH_B:
383 ret = ssl3_get_server_key_exchange(s);
384 if (ret <= 0)
385 goto end;
386 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
387 s->init_num = 0;
388
389 /*
390 * At this point we check that we have the
391 * required stuff from the server.
392 */
393 if (!ssl3_check_cert_and_algorithm(s)) {
394 ret = -1;
395 goto end;
396 }
397 break;
398
399 case SSL3_ST_CR_CERT_REQ_A:
400 case SSL3_ST_CR_CERT_REQ_B:
401 ret = ssl3_get_certificate_request(s);
402 if (ret <= 0)
403 goto end;
404 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
405 s->init_num = 0;
406 break;
407
408 case SSL3_ST_CR_SRVR_DONE_A:
409 case SSL3_ST_CR_SRVR_DONE_B:
410 ret = ssl3_get_server_done(s);
411 if (ret <= 0)
412 goto end;
413 if (SSL_is_dtls(s))
414 dtls1_stop_timer(s);
415 if (s->s3->hs.tls12.cert_request)
416 s->s3->hs.state = SSL3_ST_CW_CERT_A;
417 else
418 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
419 s->init_num = 0;
420
421 break;
422
423 case SSL3_ST_CW_CERT_A:
424 case SSL3_ST_CW_CERT_B:
425 case SSL3_ST_CW_CERT_C:
426 case SSL3_ST_CW_CERT_D:
427 if (SSL_is_dtls(s))
428 dtls1_start_timer(s);
429 ret = ssl3_send_client_certificate(s);
430 if (ret <= 0)
431 goto end;
432 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
433 s->init_num = 0;
434 break;
435
436 case SSL3_ST_CW_KEY_EXCH_A:
437 case SSL3_ST_CW_KEY_EXCH_B:
438 if (SSL_is_dtls(s))
439 dtls1_start_timer(s);
440 ret = ssl3_send_client_key_exchange(s);
441 if (ret <= 0)
442 goto end;
443 /*
444 * EAY EAY EAY need to check for DH fix cert
445 * sent back
446 */
447 /*
448 * For TLS, cert_req is set to 2, so a cert chain
449 * of nothing is sent, but no verify packet is sent
450 */
451 /*
452 * XXX: For now, we do not support client
453 * authentication in ECDH cipher suites with
454 * ECDH (rather than ECDSA) certificates.
455 * We need to skip the certificate verify
456 * message when client's ECDH public key is sent
457 * inside the client certificate.
458 */
459 if (s->s3->hs.tls12.cert_request == 1) {
460 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
461 } else {
462 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
463 s->s3->change_cipher_spec = 0;
464 }
465 if (!SSL_is_dtls(s)) {
466 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
467 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
468 s->s3->change_cipher_spec = 0;
469 }
470 }
471
472 s->init_num = 0;
473 break;
474
475 case SSL3_ST_CW_CERT_VRFY_A:
476 case SSL3_ST_CW_CERT_VRFY_B:
477 if (SSL_is_dtls(s))
478 dtls1_start_timer(s);
479 ret = ssl3_send_client_verify(s);
480 if (ret <= 0)
481 goto end;
482 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
483 s->init_num = 0;
484 s->s3->change_cipher_spec = 0;
485 break;
486
487 case SSL3_ST_CW_CHANGE_A:
488 case SSL3_ST_CW_CHANGE_B:
489 if (SSL_is_dtls(s) && !s->hit)
490 dtls1_start_timer(s);
491 ret = ssl3_send_client_change_cipher_spec(s);
492 if (ret <= 0)
493 goto end;
494
495 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
496 s->init_num = 0;
497 s->session->cipher = s->s3->hs.cipher;
498
499 if (!tls1_setup_key_block(s)) {
500 ret = -1;
501 goto end;
502 }
503 if (!tls1_change_write_cipher_state(s)) {
504 ret = -1;
505 goto end;
506 }
507 break;
508
509 case SSL3_ST_CW_FINISHED_A:
510 case SSL3_ST_CW_FINISHED_B:
511 if (SSL_is_dtls(s) && !s->hit)
512 dtls1_start_timer(s);
513 ret = ssl3_send_client_finished(s);
514 if (ret <= 0)
515 goto end;
516 if (!SSL_is_dtls(s))
517 s->s3->flags |= SSL3_FLAGS_CCS_OK;
518 s->s3->hs.state = SSL3_ST_CW_FLUSH;
519
520 /* clear flags */
521 if (s->hit) {
522 s->s3->hs.tls12.next_state = SSL_ST_OK;
523 } else {
524 /* Allow NewSessionTicket if ticket expected */
525 if (s->tlsext_ticket_expected)
526 s->s3->hs.tls12.next_state =
527 SSL3_ST_CR_SESSION_TICKET_A;
528 else
529 s->s3->hs.tls12.next_state =
530 SSL3_ST_CR_FINISHED_A;
531 }
532 s->init_num = 0;
533 break;
534
535 case SSL3_ST_CR_SESSION_TICKET_A:
536 case SSL3_ST_CR_SESSION_TICKET_B:
537 ret = ssl3_get_new_session_ticket(s);
538 if (ret <= 0)
539 goto end;
540 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
541 s->init_num = 0;
542 break;
543
544 case SSL3_ST_CR_CERT_STATUS_A:
545 case SSL3_ST_CR_CERT_STATUS_B:
546 ret = ssl3_get_cert_status(s);
547 if (ret <= 0)
548 goto end;
549 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
550 s->init_num = 0;
551 break;
552
553 case SSL3_ST_CR_FINISHED_A:
554 case SSL3_ST_CR_FINISHED_B:
555 if (SSL_is_dtls(s))
556 s->d1->change_cipher_spec_ok = 1;
557 else
558 s->s3->flags |= SSL3_FLAGS_CCS_OK;
559 ret = ssl3_get_server_finished(s);
560 if (ret <= 0)
561 goto end;
562 if (SSL_is_dtls(s))
563 dtls1_stop_timer(s);
564
565 if (s->hit)
566 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
567 else
568 s->s3->hs.state = SSL_ST_OK;
569 s->init_num = 0;
570 break;
571
572 case SSL3_ST_CW_FLUSH:
573 s->rwstate = SSL_WRITING;
574 if (BIO_flush(s->wbio) <= 0) {
575 if (SSL_is_dtls(s)) {
576 /* If the write error was fatal, stop trying */
577 if (!BIO_should_retry(s->wbio)) {
578 s->rwstate = SSL_NOTHING;
579 s->s3->hs.state = s->s3->hs.tls12.next_state;
580 }
581 }
582 ret = -1;
583 goto end;
584 }
585 s->rwstate = SSL_NOTHING;
586 s->s3->hs.state = s->s3->hs.tls12.next_state;
587 break;
588
589 case SSL_ST_OK:
590 /* clean a few things up */
591 tls1_cleanup_key_block(s);
592
593 if (s->s3->handshake_transcript != NULL) {
594 SSLerror(s, ERR_R_INTERNAL_ERROR);
595 ret = -1;
596 goto end;
597 }
598
599 if (!SSL_is_dtls(s))
600 ssl3_release_init_buffer(s);
601
602 ssl_free_wbio_buffer(s);
603
604 s->init_num = 0;
605 s->renegotiate = 0;
606 s->new_session = 0;
607
608 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
609 if (s->hit)
610 s->ctx->stats.sess_hit++;
611
612 ret = 1;
613 /* s->server=0; */
614 s->handshake_func = ssl3_connect;
615 s->ctx->stats.sess_connect_good++;
616
617 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
618
619 if (SSL_is_dtls(s)) {
620 /* done with handshaking */
621 s->d1->handshake_read_seq = 0;
622 s->d1->next_handshake_write_seq = 0;
623 }
624
625 goto end;
626 /* break; */
627
628 default:
629 SSLerror(s, SSL_R_UNKNOWN_STATE);
630 ret = -1;
631 goto end;
632 /* break; */
633 }
634
635 /* did we do anything */
636 if (!s->s3->hs.tls12.reuse_message && !skip) {
637 if (s->debug) {
638 if ((ret = BIO_flush(s->wbio)) <= 0)
639 goto end;
640 }
641
642 if (s->s3->hs.state != state) {
643 new_state = s->s3->hs.state;
644 s->s3->hs.state = state;
645 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
646 s->s3->hs.state = new_state;
647 }
648 }
649 skip = 0;
650 }
651
652 end:
653 s->in_handshake--;
654 ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret);
655
656 return (ret);
657}
658
659static int
660ssl3_send_client_hello(SSL *s)
661{
662 CBB cbb, client_hello, session_id, cookie, cipher_suites;
663 CBB compression_methods;
664 uint16_t max_version;
665 size_t sl;
666
667 memset(&cbb, 0, sizeof(cbb));
668
669 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
670 SSL_SESSION *sess = s->session;
671
672 if (!ssl_max_supported_version(s, &max_version)) {
673 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
674 return (-1);
675 }
676 s->version = max_version;
677
678 if (sess == NULL || sess->ssl_version != s->version ||
679 (sess->session_id_length == 0 && sess->tlsext_tick == NULL) ||
680 sess->not_resumable) {
681 if (!ssl_get_new_session(s, 0))
682 goto err;
683 }
684 /* else use the pre-loaded session */
685
686 /*
687 * If a DTLS ClientHello message is being resent after a
688 * HelloVerifyRequest, we must retain the original client
689 * random value.
690 */
691 if (!SSL_is_dtls(s) || s->d1->send_cookie == 0)
692 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
693
694 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
695 SSL3_MT_CLIENT_HELLO))
696 goto err;
697
698 if (!CBB_add_u16(&client_hello, s->version))
699 goto err;
700
701 /* Random stuff */
702 if (!CBB_add_bytes(&client_hello, s->s3->client_random,
703 sizeof(s->s3->client_random)))
704 goto err;
705
706 /* Session ID */
707 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
708 goto err;
709 if (!s->new_session &&
710 s->session->session_id_length > 0) {
711 sl = s->session->session_id_length;
712 if (sl > sizeof(s->session->session_id)) {
713 SSLerror(s, ERR_R_INTERNAL_ERROR);
714 goto err;
715 }
716 if (!CBB_add_bytes(&session_id,
717 s->session->session_id, sl))
718 goto err;
719 }
720
721 /* DTLS Cookie. */
722 if (SSL_is_dtls(s)) {
723 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
724 SSLerror(s, ERR_R_INTERNAL_ERROR);
725 goto err;
726 }
727 if (!CBB_add_u8_length_prefixed(&client_hello, &cookie))
728 goto err;
729 if (!CBB_add_bytes(&cookie, s->d1->cookie,
730 s->d1->cookie_len))
731 goto err;
732 }
733
734 /* Ciphers supported */
735 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
736 return 0;
737 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
738 &cipher_suites)) {
739 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
740 goto err;
741 }
742
743 /* Add in compression methods (null) */
744 if (!CBB_add_u8_length_prefixed(&client_hello,
745 &compression_methods))
746 goto err;
747 if (!CBB_add_u8(&compression_methods, 0))
748 goto err;
749
750 /* TLS extensions */
751 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
752 SSLerror(s, ERR_R_INTERNAL_ERROR);
753 goto err;
754 }
755
756 if (!ssl3_handshake_msg_finish(s, &cbb))
757 goto err;
758
759 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
760 }
761
762 /* SSL3_ST_CW_CLNT_HELLO_B */
763 return (ssl3_handshake_write(s));
764
765 err:
766 CBB_cleanup(&cbb);
767
768 return (-1);
769}
770
771static int
772ssl3_get_dtls_hello_verify(SSL *s)
773{
774 CBS hello_verify_request, cookie;
775 size_t cookie_len;
776 uint16_t ssl_version;
777 int al, ret;
778
779 if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
780 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0)
781 return ret;
782
783 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
784 s->d1->send_cookie = 0;
785 s->s3->hs.tls12.reuse_message = 1;
786 return (1);
787 }
788
789 if (s->init_num < 0)
790 goto decode_err;
791
792 CBS_init(&hello_verify_request, s->init_msg,
793 s->init_num);
794
795 if (!CBS_get_u16(&hello_verify_request, &ssl_version))
796 goto decode_err;
797 if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
798 goto decode_err;
799 if (CBS_len(&hello_verify_request) != 0)
800 goto decode_err;
801
802 /*
803 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always
804 * contain DTLSv1.0 the version that is going to be negotiated.
805 * Tolerate DTLSv1.2 just in case.
806 */
807 if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) {
808 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
809 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
810 al = SSL_AD_PROTOCOL_VERSION;
811 goto fatal_err;
812 }
813
814 if (!CBS_write_bytes(&cookie, s->d1->cookie,
815 sizeof(s->d1->cookie), &cookie_len)) {
816 s->d1->cookie_len = 0;
817 al = SSL_AD_ILLEGAL_PARAMETER;
818 goto fatal_err;
819 }
820 s->d1->cookie_len = cookie_len;
821 s->d1->send_cookie = 1;
822
823 return 1;
824
825 decode_err:
826 al = SSL_AD_DECODE_ERROR;
827 fatal_err:
828 ssl3_send_alert(s, SSL3_AL_FATAL, al);
829 return -1;
830}
831
832static int
833ssl3_get_server_hello(SSL *s)
834{
835 CBS cbs, server_random, session_id;
836 uint16_t server_version, cipher_suite;
837 uint8_t compression_method;
838 const SSL_CIPHER *cipher;
839 const SSL_METHOD *method;
840 unsigned long alg_k;
841 int al, ret;
842
843 s->first_packet = 1;
844 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
845 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0)
846 return ret;
847 s->first_packet = 0;
848
849 if (s->init_num < 0)
850 goto decode_err;
851
852 CBS_init(&cbs, s->init_msg, s->init_num);
853
854 if (SSL_is_dtls(s)) {
855 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
856 if (s->d1->send_cookie == 0) {
857 s->s3->hs.tls12.reuse_message = 1;
858 return (1);
859 } else {
860 /* Already sent a cookie. */
861 al = SSL_AD_UNEXPECTED_MESSAGE;
862 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
863 goto fatal_err;
864 }
865 }
866 }
867
868 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
869 al = SSL_AD_UNEXPECTED_MESSAGE;
870 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
871 goto fatal_err;
872 }
873
874 if (!CBS_get_u16(&cbs, &server_version))
875 goto decode_err;
876
877 if (!ssl_check_version_from_server(s, server_version)) {
878 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
879 s->version = (s->version & 0xff00) | (server_version & 0xff);
880 al = SSL_AD_PROTOCOL_VERSION;
881 goto fatal_err;
882 }
883 s->s3->hs.peer_legacy_version = server_version;
884 s->version = server_version;
885
886 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
887 if (s->s3->hs.negotiated_tls_version == 0) {
888 SSLerror(s, ERR_R_INTERNAL_ERROR);
889 goto err;
890 }
891
892 if ((method = ssl_get_method(server_version)) == NULL) {
893 SSLerror(s, ERR_R_INTERNAL_ERROR);
894 goto err;
895 }
896 s->method = method;
897
898 /* Server random. */
899 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
900 goto decode_err;
901 if (!CBS_write_bytes(&server_random, s->s3->server_random,
902 sizeof(s->s3->server_random), NULL))
903 goto err;
904
905 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
906 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
907 /*
908 * RFC 8446 section 4.1.3. We must not downgrade if the server
909 * random value contains the TLS 1.2 or TLS 1.1 magical value.
910 */
911 if (!CBS_skip(&server_random,
912 CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
913 goto err;
914 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
915 CBS_mem_equal(&server_random, tls13_downgrade_12,
916 sizeof(tls13_downgrade_12))) {
917 al = SSL_AD_ILLEGAL_PARAMETER;
918 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
919 goto fatal_err;
920 }
921 if (CBS_mem_equal(&server_random, tls13_downgrade_11,
922 sizeof(tls13_downgrade_11))) {
923 al = SSL_AD_ILLEGAL_PARAMETER;
924 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
925 goto fatal_err;
926 }
927 }
928
929 /* Session ID. */
930 if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
931 goto decode_err;
932
933 if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
934 al = SSL_AD_ILLEGAL_PARAMETER;
935 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
936 goto fatal_err;
937 }
938
939 /* Cipher suite. */
940 if (!CBS_get_u16(&cbs, &cipher_suite))
941 goto decode_err;
942
943 /*
944 * Check if we want to resume the session based on external
945 * pre-shared secret.
946 */
947 if (s->tls_session_secret_cb != NULL) {
948 SSL_CIPHER *pref_cipher = NULL;
949 int master_key_length = sizeof(s->session->master_key);
950
951 if (!s->tls_session_secret_cb(s,
952 s->session->master_key, &master_key_length, NULL,
953 &pref_cipher, s->tls_session_secret_cb_arg)) {
954 SSLerror(s, ERR_R_INTERNAL_ERROR);
955 goto err;
956 }
957 if (master_key_length <= 0) {
958 SSLerror(s, ERR_R_INTERNAL_ERROR);
959 goto err;
960 }
961 s->session->master_key_length = master_key_length;
962
963 if ((s->session->cipher = pref_cipher) == NULL)
964 s->session->cipher =
965 ssl3_get_cipher_by_value(cipher_suite);
966 s->s3->flags |= SSL3_FLAGS_CCS_OK;
967 }
968
969 if (s->session->session_id_length != 0 &&
970 CBS_mem_equal(&session_id, s->session->session_id,
971 s->session->session_id_length)) {
972 if (s->sid_ctx_length != s->session->sid_ctx_length ||
973 timingsafe_memcmp(s->session->sid_ctx,
974 s->sid_ctx, s->sid_ctx_length) != 0) {
975 /* actually a client application bug */
976 al = SSL_AD_ILLEGAL_PARAMETER;
977 SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
978 goto fatal_err;
979 }
980 s->s3->flags |= SSL3_FLAGS_CCS_OK;
981 s->hit = 1;
982 } else {
983 /* a miss or crap from the other end */
984
985 /* If we were trying for session-id reuse, make a new
986 * SSL_SESSION so we don't stuff up other people */
987 s->hit = 0;
988 if (s->session->session_id_length > 0) {
989 if (!ssl_get_new_session(s, 0)) {
990 al = SSL_AD_INTERNAL_ERROR;
991 goto fatal_err;
992 }
993 }
994
995 /*
996 * XXX - improve the handling for the case where there is a
997 * zero length session identifier.
998 */
999 if (!CBS_write_bytes(&session_id, s->session->session_id,
1000 sizeof(s->session->session_id),
1001 &s->session->session_id_length))
1002 goto err;
1003
1004 s->session->ssl_version = s->version;
1005 }
1006
1007 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
1008 al = SSL_AD_ILLEGAL_PARAMETER;
1009 SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED);
1010 goto fatal_err;
1011 }
1012
1013 /* TLS v1.2 only ciphersuites require v1.2 or later. */
1014 if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
1015 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
1016 al = SSL_AD_ILLEGAL_PARAMETER;
1017 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1018 goto fatal_err;
1019 }
1020
1021 if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
1022 /* we did not say we would use this cipher */
1023 al = SSL_AD_ILLEGAL_PARAMETER;
1024 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1025 goto fatal_err;
1026 }
1027
1028 /*
1029 * Depending on the session caching (internal/external), the cipher
1030 * and/or cipher_id values may not be set. Make sure that
1031 * cipher_id is set and use it for comparison.
1032 */
1033 if (s->session->cipher)
1034 s->session->cipher_id = s->session->cipher->id;
1035 if (s->hit && (s->session->cipher_id != cipher->id)) {
1036 al = SSL_AD_ILLEGAL_PARAMETER;
1037 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1038 goto fatal_err;
1039 }
1040 s->s3->hs.cipher = cipher;
1041
1042 if (!tls1_transcript_hash_init(s))
1043 goto err;
1044
1045 /*
1046 * Don't digest cached records if no sigalgs: we may need them for
1047 * client authentication.
1048 */
1049 alg_k = s->s3->hs.cipher->algorithm_mkey;
1050 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
1051 tls1_transcript_free(s);
1052
1053 if (!CBS_get_u8(&cbs, &compression_method))
1054 goto decode_err;
1055
1056 if (compression_method != 0) {
1057 al = SSL_AD_ILLEGAL_PARAMETER;
1058 SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1059 goto fatal_err;
1060 }
1061
1062 if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
1063 SSLerror(s, SSL_R_PARSE_TLSEXT);
1064 goto fatal_err;
1065 }
1066
1067 if (CBS_len(&cbs) != 0)
1068 goto decode_err;
1069
1070 /*
1071 * Determine if we need to see RI. Strictly speaking if we want to
1072 * avoid an attack we should *always* see RI even on initial server
1073 * hello because the client doesn't see any renegotiation during an
1074 * attack. However this would mean we could not connect to any server
1075 * which doesn't support RI so for the immediate future tolerate RI
1076 * absence on initial connect only.
1077 */
1078 if (!s->s3->renegotiate_seen &&
1079 !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1080 al = SSL_AD_HANDSHAKE_FAILURE;
1081 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1082 goto fatal_err;
1083 }
1084
1085 if (ssl_check_serverhello_tlsext(s) <= 0) {
1086 SSLerror(s, SSL_R_SERVERHELLO_TLSEXT);
1087 goto err;
1088 }
1089
1090 return (1);
1091
1092 decode_err:
1093 /* wrong packet length */
1094 al = SSL_AD_DECODE_ERROR;
1095 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1096 fatal_err:
1097 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1098 err:
1099 return (-1);
1100}
1101
1102static int
1103ssl3_get_server_certificate(SSL *s)
1104{
1105 CBS cbs, cert_list, cert_data;
1106 STACK_OF(X509) *certs = NULL;
1107 X509 *cert = NULL;
1108 const uint8_t *p;
1109 int al, ret;
1110
1111 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
1112 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
1113 return ret;
1114
1115 ret = -1;
1116
1117 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1118 s->s3->hs.tls12.reuse_message = 1;
1119 return (1);
1120 }
1121
1122 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
1123 al = SSL_AD_UNEXPECTED_MESSAGE;
1124 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1125 goto fatal_err;
1126 }
1127
1128 if ((certs = sk_X509_new_null()) == NULL) {
1129 SSLerror(s, ERR_R_MALLOC_FAILURE);
1130 goto err;
1131 }
1132
1133 if (s->init_num < 0)
1134 goto decode_err;
1135
1136 CBS_init(&cbs, s->init_msg, s->init_num);
1137
1138 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
1139 goto decode_err;
1140 if (CBS_len(&cbs) != 0)
1141 goto decode_err;
1142
1143 while (CBS_len(&cert_list) > 0) {
1144 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
1145 goto decode_err;
1146 p = CBS_data(&cert_data);
1147 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) {
1148 al = SSL_AD_BAD_CERTIFICATE;
1149 SSLerror(s, ERR_R_ASN1_LIB);
1150 goto fatal_err;
1151 }
1152 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
1153 goto decode_err;
1154 if (!sk_X509_push(certs, cert)) {
1155 SSLerror(s, ERR_R_MALLOC_FAILURE);
1156 goto err;
1157 }
1158 cert = NULL;
1159 }
1160
1161 /* A server must always provide a non-empty certificate list. */
1162 if (sk_X509_num(certs) < 1) {
1163 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1164 goto decode_err;
1165 }
1166
1167 if (ssl_verify_cert_chain(s, certs) <= 0 &&
1168 s->verify_mode != SSL_VERIFY_NONE) {
1169 al = ssl_verify_alarm_type(s->verify_result);
1170 SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
1171 goto fatal_err;
1172 }
1173 s->session->verify_result = s->verify_result;
1174 ERR_clear_error();
1175
1176 if (!tls_process_peer_certs(s, certs))
1177 goto err;
1178
1179 ret = 1;
1180
1181 if (0) {
1182 decode_err:
1183 /* wrong packet length */
1184 al = SSL_AD_DECODE_ERROR;
1185 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1186 fatal_err:
1187 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1188 }
1189 err:
1190 sk_X509_pop_free(certs, X509_free);
1191 X509_free(cert);
1192
1193 return (ret);
1194}
1195
1196static int
1197ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1198{
1199 int decode_error, invalid_params, invalid_key;
1200 int nid = NID_dhKeyAgreement;
1201
1202 tls_key_share_free(s->s3->hs.key_share);
1203 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1204 goto err;
1205
1206 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
1207 &decode_error, &invalid_params)) {
1208 if (decode_error) {
1209 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1210 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1211 }
1212 goto err;
1213 }
1214 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1215 &decode_error, &invalid_key)) {
1216 if (decode_error) {
1217 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1218 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1219 }
1220 goto err;
1221 }
1222
1223 if (invalid_params) {
1224 SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
1225 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1226 goto err;
1227 }
1228 if (invalid_key) {
1229 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1230 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1231 goto err;
1232 }
1233
1234 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1235 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1236 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1237 return 0;
1238 }
1239
1240 return 1;
1241
1242 err:
1243 return 0;
1244}
1245
1246static int
1247ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1248{
1249 uint8_t curve_type;
1250 uint16_t group_id;
1251 int decode_error;
1252 CBS public;
1253
1254 if (!CBS_get_u8(cbs, &curve_type))
1255 goto decode_err;
1256 if (!CBS_get_u16(cbs, &group_id))
1257 goto decode_err;
1258
1259 /* Only named curves are supported. */
1260 if (curve_type != NAMED_CURVE_TYPE) {
1261 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1262 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1263 goto err;
1264 }
1265
1266 if (!CBS_get_u8_length_prefixed(cbs, &public))
1267 goto decode_err;
1268
1269 /*
1270 * Check that the group is one of our preferences - if it is not,
1271 * the server has sent us an invalid group.
1272 */
1273 if (!tls1_check_group(s, group_id)) {
1274 SSLerror(s, SSL_R_WRONG_CURVE);
1275 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1276 goto err;
1277 }
1278
1279 tls_key_share_free(s->s3->hs.key_share);
1280 if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
1281 goto err;
1282
1283 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1284 &decode_error, NULL)) {
1285 if (decode_error)
1286 goto decode_err;
1287 goto err;
1288 }
1289
1290 return 1;
1291
1292 decode_err:
1293 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1294 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1295 err:
1296 return 0;
1297}
1298
1299static int
1300ssl3_get_server_key_exchange(SSL *s)
1301{
1302 CBB cbb;
1303 CBS cbs, params, signature;
1304 EVP_MD_CTX *md_ctx;
1305 unsigned char *signed_params = NULL;
1306 size_t signed_params_len;
1307 size_t params_len;
1308 long alg_k, alg_a;
1309 int al, ret;
1310
1311 memset(&cbb, 0, sizeof(cbb));
1312
1313 alg_k = s->s3->hs.cipher->algorithm_mkey;
1314 alg_a = s->s3->hs.cipher->algorithm_auth;
1315
1316 /*
1317 * Use same message size as in ssl3_get_certificate_request()
1318 * as ServerKeyExchange message may be skipped.
1319 */
1320 if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1321 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0)
1322 return ret;
1323
1324 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1325 goto err;
1326
1327 if (s->init_num < 0)
1328 goto err;
1329
1330 CBS_init(&cbs, s->init_msg, s->init_num);
1331
1332 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1333 /*
1334 * Do not skip server key exchange if this cipher suite uses
1335 * ephemeral keys.
1336 */
1337 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
1338 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1339 al = SSL_AD_UNEXPECTED_MESSAGE;
1340 goto fatal_err;
1341 }
1342
1343 s->s3->hs.tls12.reuse_message = 1;
1344 EVP_MD_CTX_free(md_ctx);
1345 return (1);
1346 }
1347
1348 if (!CBB_init(&cbb, 0))
1349 goto err;
1350 if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
1351 goto err;
1352 if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
1353 goto err;
1354
1355 CBS_dup(&cbs, &params);
1356
1357 if (alg_k & SSL_kDHE) {
1358 if (!ssl3_get_server_kex_dhe(s, &cbs))
1359 goto err;
1360 } else if (alg_k & SSL_kECDHE) {
1361 if (!ssl3_get_server_kex_ecdhe(s, &cbs))
1362 goto err;
1363 } else if (alg_k != 0) {
1364 al = SSL_AD_UNEXPECTED_MESSAGE;
1365 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1366 goto fatal_err;
1367 }
1368
1369 if ((params_len = CBS_offset(&cbs)) > CBS_len(&params))
1370 goto err;
1371 if (!CBB_add_bytes(&cbb, CBS_data(&params), params_len))
1372 goto err;
1373 if (!CBB_finish(&cbb, &signed_params, &signed_params_len))
1374 goto err;
1375
1376 /* if it was signed, check the signature */
1377 if ((alg_a & SSL_aNULL) == 0) {
1378 uint16_t sigalg_value = SIGALG_NONE;
1379 const struct ssl_sigalg *sigalg;
1380 EVP_PKEY_CTX *pctx;
1381 EVP_PKEY *pkey = NULL;
1382
1383 if ((alg_a & SSL_aRSA) != 0 &&
1384 s->session->peer_cert_type == SSL_PKEY_RSA) {
1385 pkey = X509_get0_pubkey(s->session->peer_cert);
1386 } else if ((alg_a & SSL_aECDSA) != 0 &&
1387 s->session->peer_cert_type == SSL_PKEY_ECC) {
1388 pkey = X509_get0_pubkey(s->session->peer_cert);
1389 }
1390 if (pkey == NULL) {
1391 al = SSL_AD_ILLEGAL_PARAMETER;
1392 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1393 goto fatal_err;
1394 }
1395
1396 if (SSL_USE_SIGALGS(s)) {
1397 if (!CBS_get_u16(&cbs, &sigalg_value))
1398 goto decode_err;
1399 }
1400 if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1401 goto decode_err;
1402 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
1403 al = SSL_AD_DECODE_ERROR;
1404 SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
1405 goto fatal_err;
1406 }
1407
1408 if ((sigalg = ssl_sigalg_for_peer(s, pkey,
1409 sigalg_value)) == NULL) {
1410 al = SSL_AD_DECODE_ERROR;
1411 goto fatal_err;
1412 }
1413 s->s3->hs.peer_sigalg = sigalg;
1414
1415 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
1416 NULL, pkey))
1417 goto err;
1418 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
1419 (!EVP_PKEY_CTX_set_rsa_padding(pctx,
1420 RSA_PKCS1_PSS_PADDING) ||
1421 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
1422 goto err;
1423 if (EVP_DigestVerify(md_ctx, CBS_data(&signature),
1424 CBS_len(&signature), signed_params, signed_params_len) <= 0) {
1425 al = SSL_AD_DECRYPT_ERROR;
1426 SSLerror(s, SSL_R_BAD_SIGNATURE);
1427 goto fatal_err;
1428 }
1429 }
1430
1431 if (CBS_len(&cbs) != 0) {
1432 al = SSL_AD_DECODE_ERROR;
1433 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
1434 goto fatal_err;
1435 }
1436
1437 EVP_MD_CTX_free(md_ctx);
1438 free(signed_params);
1439
1440 return (1);
1441
1442 decode_err:
1443 al = SSL_AD_DECODE_ERROR;
1444 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1445
1446 fatal_err:
1447 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1448
1449 err:
1450 CBB_cleanup(&cbb);
1451 EVP_MD_CTX_free(md_ctx);
1452 free(signed_params);
1453
1454 return (-1);
1455}
1456
1457static int
1458ssl3_get_certificate_request(SSL *s)
1459{
1460 CBS cert_request, cert_types, rdn_list;
1461 X509_NAME *xn = NULL;
1462 const unsigned char *q;
1463 STACK_OF(X509_NAME) *ca_sk = NULL;
1464 int ret;
1465
1466 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1467 SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0)
1468 return ret;
1469
1470 ret = 0;
1471
1472 s->s3->hs.tls12.cert_request = 0;
1473
1474 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
1475 s->s3->hs.tls12.reuse_message = 1;
1476 /*
1477 * If we get here we don't need any cached handshake records
1478 * as we wont be doing client auth.
1479 */
1480 tls1_transcript_free(s);
1481 return (1);
1482 }
1483
1484 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1485 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1486 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
1487 goto err;
1488 }
1489
1490 /* TLS does not like anon-DH with client cert */
1491 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
1492 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1493 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1494 goto err;
1495 }
1496
1497 if (s->init_num < 0)
1498 goto decode_err;
1499 CBS_init(&cert_request, s->init_msg, s->init_num);
1500
1501 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1502 SSLerror(s, ERR_R_MALLOC_FAILURE);
1503 goto err;
1504 }
1505
1506 if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
1507 goto decode_err;
1508
1509 if (SSL_USE_SIGALGS(s)) {
1510 CBS sigalgs;
1511
1512 if (CBS_len(&cert_request) < 2) {
1513 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1514 goto err;
1515 }
1516 if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
1517 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1518 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1519 goto err;
1520 }
1521 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) {
1522 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1523 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1524 goto err;
1525 }
1526 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
1527 &s->s3->hs.sigalgs_len))
1528 goto err;
1529 }
1530
1531 /* get the CA RDNs */
1532 if (CBS_len(&cert_request) < 2) {
1533 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1534 goto err;
1535 }
1536
1537 if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
1538 CBS_len(&cert_request) != 0) {
1539 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1540 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1541 goto err;
1542 }
1543
1544 while (CBS_len(&rdn_list) > 0) {
1545 CBS rdn;
1546
1547 if (CBS_len(&rdn_list) < 2) {
1548 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1549 goto err;
1550 }
1551
1552 if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
1553 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1554 SSLerror(s, SSL_R_CA_DN_TOO_LONG);
1555 goto err;
1556 }
1557
1558 q = CBS_data(&rdn);
1559 if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
1560 ssl3_send_alert(s, SSL3_AL_FATAL,
1561 SSL_AD_DECODE_ERROR);
1562 SSLerror(s, ERR_R_ASN1_LIB);
1563 goto err;
1564 }
1565
1566 if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
1567 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1568 SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH);
1569 goto err;
1570 }
1571 if (!sk_X509_NAME_push(ca_sk, xn)) {
1572 SSLerror(s, ERR_R_MALLOC_FAILURE);
1573 goto err;
1574 }
1575 xn = NULL; /* avoid free in err block */
1576 }
1577
1578 /* we should setup a certificate to return.... */
1579 s->s3->hs.tls12.cert_request = 1;
1580 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1581 s->s3->hs.tls12.ca_names = ca_sk;
1582 ca_sk = NULL;
1583
1584 ret = 1;
1585 if (0) {
1586 decode_err:
1587 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1588 }
1589 err:
1590 X509_NAME_free(xn);
1591 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1592 return (ret);
1593}
1594
1595static int
1596ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1597{
1598 return (X509_NAME_cmp(*a, *b));
1599}
1600
1601static int
1602ssl3_get_new_session_ticket(SSL *s)
1603{
1604 uint32_t lifetime_hint;
1605 CBS cbs, session_ticket;
1606 unsigned int session_id_length = 0;
1607 int al, ret;
1608
1609 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1610 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0)
1611 return ret;
1612
1613 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
1614 s->s3->hs.tls12.reuse_message = 1;
1615 return (1);
1616 }
1617 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
1618 al = SSL_AD_UNEXPECTED_MESSAGE;
1619 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1620 goto fatal_err;
1621 }
1622
1623 if (s->init_num < 0) {
1624 al = SSL_AD_DECODE_ERROR;
1625 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1626 goto fatal_err;
1627 }
1628
1629 CBS_init(&cbs, s->init_msg, s->init_num);
1630 if (!CBS_get_u32(&cbs, &lifetime_hint) ||
1631 !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
1632 CBS_len(&cbs) != 0) {
1633 al = SSL_AD_DECODE_ERROR;
1634 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1635 goto fatal_err;
1636 }
1637 s->session->tlsext_tick_lifetime_hint = lifetime_hint;
1638
1639 if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
1640 &s->session->tlsext_ticklen)) {
1641 SSLerror(s, ERR_R_MALLOC_FAILURE);
1642 goto err;
1643 }
1644
1645 /*
1646 * There are two ways to detect a resumed ticket session.
1647 * One is to set an appropriate session ID and then the server
1648 * must return a match in ServerHello. This allows the normal
1649 * client session ID matching to work and we know much
1650 * earlier that the ticket has been accepted.
1651 *
1652 * The other way is to set zero length session ID when the
1653 * ticket is presented and rely on the handshake to determine
1654 * session resumption.
1655 *
1656 * We choose the former approach because this fits in with
1657 * assumptions elsewhere in OpenSSL. The session ID is set
1658 * to the SHA256 hash of the ticket.
1659 */
1660 /* XXX - ensure this doesn't overflow session_id if hash is changed. */
1661 if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
1662 s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
1663 al = SSL_AD_INTERNAL_ERROR;
1664 SSLerror(s, ERR_R_EVP_LIB);
1665 goto fatal_err;
1666 }
1667 s->session->session_id_length = session_id_length;
1668
1669 return (1);
1670
1671 fatal_err:
1672 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1673 err:
1674 return (-1);
1675}
1676
1677static int
1678ssl3_get_cert_status(SSL *s)
1679{
1680 CBS cert_status, response;
1681 uint8_t status_type;
1682 int al, ret;
1683
1684 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1685 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0)
1686 return ret;
1687
1688 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1689 /*
1690 * Tell the callback the server did not send us an OSCP
1691 * response, and has decided to head directly to key exchange.
1692 */
1693 if (s->ctx->tlsext_status_cb) {
1694 free(s->tlsext_ocsp_resp);
1695 s->tlsext_ocsp_resp = NULL;
1696 s->tlsext_ocsp_resp_len = 0;
1697
1698 ret = s->ctx->tlsext_status_cb(s,
1699 s->ctx->tlsext_status_arg);
1700 if (ret == 0) {
1701 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1702 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1703 goto fatal_err;
1704 }
1705 if (ret < 0) {
1706 al = SSL_AD_INTERNAL_ERROR;
1707 SSLerror(s, ERR_R_MALLOC_FAILURE);
1708 goto fatal_err;
1709 }
1710 }
1711 s->s3->hs.tls12.reuse_message = 1;
1712 return (1);
1713 }
1714
1715 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
1716 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1717 al = SSL_AD_UNEXPECTED_MESSAGE;
1718 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1719 goto fatal_err;
1720 }
1721
1722 if (s->init_num < 0) {
1723 /* need at least status type + length */
1724 al = SSL_AD_DECODE_ERROR;
1725 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1726 goto fatal_err;
1727 }
1728
1729 CBS_init(&cert_status, s->init_msg, s->init_num);
1730 if (!CBS_get_u8(&cert_status, &status_type) ||
1731 CBS_len(&cert_status) < 3) {
1732 /* need at least status type + length */
1733 al = SSL_AD_DECODE_ERROR;
1734 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1735 goto fatal_err;
1736 }
1737
1738 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1739 al = SSL_AD_DECODE_ERROR;
1740 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1741 goto fatal_err;
1742 }
1743
1744 if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
1745 CBS_len(&cert_status) != 0) {
1746 al = SSL_AD_DECODE_ERROR;
1747 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1748 goto fatal_err;
1749 }
1750
1751 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1752 &s->tlsext_ocsp_resp_len)) {
1753 al = SSL_AD_INTERNAL_ERROR;
1754 SSLerror(s, ERR_R_MALLOC_FAILURE);
1755 goto fatal_err;
1756 }
1757
1758 if (s->ctx->tlsext_status_cb) {
1759 ret = s->ctx->tlsext_status_cb(s,
1760 s->ctx->tlsext_status_arg);
1761 if (ret == 0) {
1762 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1763 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1764 goto fatal_err;
1765 }
1766 if (ret < 0) {
1767 al = SSL_AD_INTERNAL_ERROR;
1768 SSLerror(s, ERR_R_MALLOC_FAILURE);
1769 goto fatal_err;
1770 }
1771 }
1772 return (1);
1773 fatal_err:
1774 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1775 return (-1);
1776}
1777
1778static int
1779ssl3_get_server_done(SSL *s)
1780{
1781 int ret;
1782
1783 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1784 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
1785 30 /* should be very small, like 0 :-) */)) <= 0)
1786 return ret;
1787
1788 if (s->init_num != 0) {
1789 /* should contain no data */
1790 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1791 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1792 return -1;
1793 }
1794
1795 return 1;
1796}
1797
1798static int
1799ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)
1800{
1801 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
1802 unsigned char *enc_pms = NULL;
1803 uint16_t max_legacy_version;
1804 EVP_PKEY *pkey;
1805 RSA *rsa;
1806 int ret = 0;
1807 int enc_len;
1808 CBB epms;
1809
1810 /*
1811 * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
1812 */
1813
1814 pkey = X509_get0_pubkey(s->session->peer_cert);
1815 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1816 SSLerror(s, ERR_R_INTERNAL_ERROR);
1817 goto err;
1818 }
1819
1820 /*
1821 * Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1
1822 * says "The latest (newest) version supported by the client", if we're
1823 * doing RSA key exchange then we have to presume that we're talking to
1824 * a server that does not understand the supported versions extension
1825 * and therefore our maximum version is that sent in the ClientHello.
1826 */
1827 if (!ssl_max_legacy_version(s, &max_legacy_version))
1828 goto err;
1829 pms[0] = max_legacy_version >> 8;
1830 pms[1] = max_legacy_version & 0xff;
1831 arc4random_buf(&pms[2], sizeof(pms) - 2);
1832
1833 if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
1834 SSLerror(s, ERR_R_MALLOC_FAILURE);
1835 goto err;
1836 }
1837
1838 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
1839 RSA_PKCS1_PADDING);
1840 if (enc_len <= 0) {
1841 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
1842 goto err;
1843 }
1844
1845 if (!CBB_add_u16_length_prefixed(cbb, &epms))
1846 goto err;
1847 if (!CBB_add_bytes(&epms, enc_pms, enc_len))
1848 goto err;
1849 if (!CBB_flush(cbb))
1850 goto err;
1851
1852 if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
1853 goto err;
1854
1855 ret = 1;
1856
1857 err:
1858 explicit_bzero(pms, sizeof(pms));
1859 free(enc_pms);
1860
1861 return ret;
1862}
1863
1864static int
1865ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
1866{
1867 uint8_t *key = NULL;
1868 size_t key_len = 0;
1869 int ret = 0;
1870
1871 /* Ensure that we have an ephemeral key from the server for DHE. */
1872 if (s->s3->hs.key_share == NULL) {
1873 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1874 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1875 goto err;
1876 }
1877
1878 if (!tls_key_share_generate(s->s3->hs.key_share))
1879 goto err;
1880 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1881 goto err;
1882 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1883 goto err;
1884
1885 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1886 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1887 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1888 return 0;
1889 }
1890
1891 if (!tls12_derive_master_secret(s, key, key_len))
1892 goto err;
1893
1894 ret = 1;
1895
1896 err:
1897 freezero(key, key_len);
1898
1899 return ret;
1900}
1901
1902static int
1903ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1904{
1905 uint8_t *key = NULL;
1906 size_t key_len = 0;
1907 CBB public;
1908 int ret = 0;
1909
1910 /* Ensure that we have an ephemeral key for ECDHE. */
1911 if (s->s3->hs.key_share == NULL) {
1912 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1913 SSLerror(s, ERR_R_INTERNAL_ERROR);
1914 goto err;
1915 }
1916
1917 if (!tls_key_share_generate(s->s3->hs.key_share))
1918 goto err;
1919
1920 if (!CBB_add_u8_length_prefixed(cbb, &public))
1921 return 0;
1922 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1923 goto err;
1924 if (!CBB_flush(cbb))
1925 goto err;
1926
1927 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1928 goto err;
1929
1930 if (!tls12_derive_master_secret(s, key, key_len))
1931 goto err;
1932
1933 ret = 1;
1934
1935 err:
1936 freezero(key, key_len);
1937
1938 return ret;
1939}
1940
1941static int
1942ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1943{
1944 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1945 EVP_PKEY_CTX *pkey_ctx = NULL;
1946 EVP_MD_CTX *ukm_hash = NULL;
1947 EVP_PKEY *pkey;
1948 size_t msglen;
1949 unsigned int md_len;
1950 CBB gostblob;
1951 int nid;
1952 int ret = 0;
1953
1954 /* Get server certificate PKEY and create ctx from it */
1955 pkey = X509_get0_pubkey(s->session->peer_cert);
1956 if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
1957 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
1958 goto err;
1959 }
1960 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
1961 SSLerror(s, ERR_R_MALLOC_FAILURE);
1962 goto err;
1963 }
1964
1965 /*
1966 * If we have send a certificate, and certificate key parameters match
1967 * those of server certificate, use certificate key for key exchange.
1968 * Otherwise, generate ephemeral key pair.
1969 */
1970 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1971 goto err;
1972
1973 /* Generate session key. */
1974 arc4random_buf(premaster_secret, sizeof(premaster_secret));
1975
1976 /*
1977 * If we have client certificate, use its secret as peer key.
1978 * XXX - this presumably lacks PFS.
1979 */
1980 if (s->s3->hs.tls12.cert_request != 0 &&
1981 s->cert->key->privatekey != NULL) {
1982 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1983 s->cert->key->privatekey) <=0) {
1984 /*
1985 * If there was an error - just ignore it.
1986 * Ephemeral key would be used.
1987 */
1988 ERR_clear_error();
1989 }
1990 }
1991
1992 /*
1993 * Compute shared IV and store it in algorithm-specific context data.
1994 */
1995 if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
1996 SSLerror(s, ERR_R_MALLOC_FAILURE);
1997 goto err;
1998 }
1999
2000 /* XXX check handshake hash instead. */
2001 if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
2002 nid = NID_id_GostR3411_94;
2003 else
2004 nid = NID_id_tc26_gost3411_2012_256;
2005 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
2006 goto err;
2007 if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
2008 goto err;
2009 if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
2010 goto err;
2011 if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
2012 goto err;
2013 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2014 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2015 SSLerror(s, SSL_R_LIBRARY_BUG);
2016 goto err;
2017 }
2018
2019 /*
2020 * Make GOST keytransport blob message, encapsulate it into sequence.
2021 */
2022 msglen = 255;
2023 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2024 sizeof(premaster_secret)) < 0) {
2025 SSLerror(s, SSL_R_LIBRARY_BUG);
2026 goto err;
2027 }
2028
2029 if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
2030 goto err;
2031 if (!CBB_add_bytes(&gostblob, tmp, msglen))
2032 goto err;
2033 if (!CBB_flush(cbb))
2034 goto err;
2035
2036 /* Check if pubkey from client certificate was used. */
2037 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
2038 NULL) > 0)
2039 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2040
2041 if (!tls12_derive_master_secret(s, premaster_secret, 32))
2042 goto err;
2043
2044 ret = 1;
2045
2046 err:
2047 explicit_bzero(premaster_secret, sizeof(premaster_secret));
2048 EVP_PKEY_CTX_free(pkey_ctx);
2049 EVP_MD_CTX_free(ukm_hash);
2050
2051 return ret;
2052}
2053
2054static int
2055ssl3_send_client_key_exchange(SSL *s)
2056{
2057 unsigned long alg_k;
2058 CBB cbb, kex;
2059
2060 memset(&cbb, 0, sizeof(cbb));
2061
2062 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
2063 alg_k = s->s3->hs.cipher->algorithm_mkey;
2064
2065 if (!ssl3_handshake_msg_start(s, &cbb, &kex,
2066 SSL3_MT_CLIENT_KEY_EXCHANGE))
2067 goto err;
2068
2069 if (alg_k & SSL_kRSA) {
2070 if (!ssl3_send_client_kex_rsa(s, &kex))
2071 goto err;
2072 } else if (alg_k & SSL_kDHE) {
2073 if (!ssl3_send_client_kex_dhe(s, &kex))
2074 goto err;
2075 } else if (alg_k & SSL_kECDHE) {
2076 if (!ssl3_send_client_kex_ecdhe(s, &kex))
2077 goto err;
2078 } else if (alg_k & SSL_kGOST) {
2079 if (!ssl3_send_client_kex_gost(s, &kex))
2080 goto err;
2081 } else {
2082 ssl3_send_alert(s, SSL3_AL_FATAL,
2083 SSL_AD_HANDSHAKE_FAILURE);
2084 SSLerror(s, ERR_R_INTERNAL_ERROR);
2085 goto err;
2086 }
2087
2088 if (!ssl3_handshake_msg_finish(s, &cbb))
2089 goto err;
2090
2091 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
2092 }
2093
2094 /* SSL3_ST_CW_KEY_EXCH_B */
2095 return (ssl3_handshake_write(s));
2096
2097 err:
2098 CBB_cleanup(&cbb);
2099
2100 return (-1);
2101}
2102
2103static int
2104ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
2105 const struct ssl_sigalg *sigalg, CBB *cert_verify)
2106{
2107 CBB cbb_signature;
2108 EVP_PKEY_CTX *pctx = NULL;
2109 EVP_MD_CTX *mctx = NULL;
2110 const unsigned char *hdata;
2111 unsigned char *signature = NULL;
2112 size_t signature_len, hdata_len;
2113 int ret = 0;
2114
2115 if ((mctx = EVP_MD_CTX_new()) == NULL)
2116 goto err;
2117
2118 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2119 SSLerror(s, ERR_R_INTERNAL_ERROR);
2120 goto err;
2121 }
2122 if (!EVP_DigestSignInit(mctx, &pctx, sigalg->md(), NULL, pkey)) {
2123 SSLerror(s, ERR_R_EVP_LIB);
2124 goto err;
2125 }
2126#ifndef OPENSSL_NO_GOST
2127 if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2128 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2129 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2130 SSLerror(s, ERR_R_EVP_LIB);
2131 goto err;
2132 }
2133#endif
2134 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
2135 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
2136 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
2137 SSLerror(s, ERR_R_EVP_LIB);
2138 goto err;
2139 }
2140 if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
2141 SSLerror(s, ERR_R_EVP_LIB);
2142 goto err;
2143 }
2144 if ((signature = calloc(1, signature_len)) == NULL) {
2145 SSLerror(s, ERR_R_MALLOC_FAILURE);
2146 goto err;
2147 }
2148 if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
2149 SSLerror(s, ERR_R_EVP_LIB);
2150 goto err;
2151 }
2152
2153 if (!CBB_add_u16(cert_verify, sigalg->value))
2154 goto err;
2155 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2156 goto err;
2157 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2158 goto err;
2159 if (!CBB_flush(cert_verify))
2160 goto err;
2161
2162 ret = 1;
2163
2164 err:
2165 EVP_MD_CTX_free(mctx);
2166 free(signature);
2167 return ret;
2168}
2169
2170static int
2171ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2172{
2173 CBB cbb_signature;
2174 RSA *rsa;
2175 unsigned char data[EVP_MAX_MD_SIZE];
2176 unsigned char *signature = NULL;
2177 unsigned int signature_len;
2178 size_t data_len;
2179 int ret = 0;
2180
2181 if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
2182 goto err;
2183 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2184 goto err;
2185 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
2186 goto err;
2187 if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
2188 rsa) <= 0 ) {
2189 SSLerror(s, ERR_R_RSA_LIB);
2190 goto err;
2191 }
2192
2193 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2194 goto err;
2195 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2196 goto err;
2197 if (!CBB_flush(cert_verify))
2198 goto err;
2199
2200 ret = 1;
2201 err:
2202 free(signature);
2203 return ret;
2204}
2205
2206static int
2207ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2208{
2209 CBB cbb_signature;
2210 EC_KEY *eckey;
2211 unsigned char data[EVP_MAX_MD_SIZE];
2212 unsigned char *signature = NULL;
2213 unsigned int signature_len;
2214 int ret = 0;
2215
2216 if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL))
2217 goto err;
2218 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2219 goto err;
2220 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
2221 goto err;
2222 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2223 signature, &signature_len, eckey)) {
2224 SSLerror(s, ERR_R_ECDSA_LIB);
2225 goto err;
2226 }
2227
2228 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2229 goto err;
2230 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2231 goto err;
2232 if (!CBB_flush(cert_verify))
2233 goto err;
2234
2235 ret = 1;
2236 err:
2237 free(signature);
2238 return ret;
2239}
2240
2241#ifndef OPENSSL_NO_GOST
2242static int
2243ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2244{
2245 CBB cbb_signature;
2246 EVP_MD_CTX *mctx;
2247 EVP_PKEY_CTX *pctx;
2248 const EVP_MD *md;
2249 const unsigned char *hdata;
2250 unsigned char *signature = NULL;
2251 size_t signature_len;
2252 size_t hdata_len;
2253 int nid;
2254 int ret = 0;
2255
2256 if ((mctx = EVP_MD_CTX_new()) == NULL)
2257 goto err;
2258
2259 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2260 SSLerror(s, ERR_R_INTERNAL_ERROR);
2261 goto err;
2262 }
2263 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2264 (md = EVP_get_digestbynid(nid)) == NULL) {
2265 SSLerror(s, ERR_R_EVP_LIB);
2266 goto err;
2267 }
2268 if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) {
2269 SSLerror(s, ERR_R_EVP_LIB);
2270 goto err;
2271 }
2272#ifndef OPENSSL_NO_GOST
2273 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2274 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2275 SSLerror(s, ERR_R_EVP_LIB);
2276 goto err;
2277 }
2278#endif
2279 if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
2280 SSLerror(s, ERR_R_EVP_LIB);
2281 goto err;
2282 }
2283 if ((signature = calloc(1, signature_len)) == NULL) {
2284 SSLerror(s, ERR_R_MALLOC_FAILURE);
2285 goto err;
2286 }
2287 if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
2288 SSLerror(s, ERR_R_EVP_LIB);
2289 goto err;
2290 }
2291
2292 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2293 goto err;
2294 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2295 goto err;
2296 if (!CBB_flush(cert_verify))
2297 goto err;
2298
2299 ret = 1;
2300 err:
2301 EVP_MD_CTX_free(mctx);
2302 free(signature);
2303 return ret;
2304}
2305#endif
2306
2307static int
2308ssl3_send_client_verify(SSL *s)
2309{
2310 const struct ssl_sigalg *sigalg;
2311 CBB cbb, cert_verify;
2312 EVP_PKEY *pkey;
2313
2314 memset(&cbb, 0, sizeof(cbb));
2315
2316 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2317 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2318 SSL3_MT_CERTIFICATE_VERIFY))
2319 goto err;
2320
2321 pkey = s->cert->key->privatekey;
2322 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
2323 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2324 goto err;
2325 }
2326 s->s3->hs.our_sigalg = sigalg;
2327
2328 /*
2329 * For TLS v1.2 send signature algorithm and signature using
2330 * agreed digest and cached handshake records.
2331 */
2332 if (SSL_USE_SIGALGS(s)) {
2333 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2334 &cert_verify))
2335 goto err;
2336 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2337 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2338 goto err;
2339 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2340 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2341 goto err;
2342#ifndef OPENSSL_NO_GOST
2343 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2344 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2345 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2346 goto err;
2347#endif
2348 } else {
2349 SSLerror(s, ERR_R_INTERNAL_ERROR);
2350 goto err;
2351 }
2352
2353 tls1_transcript_free(s);
2354
2355 if (!ssl3_handshake_msg_finish(s, &cbb))
2356 goto err;
2357
2358 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2359 }
2360
2361 return (ssl3_handshake_write(s));
2362
2363 err:
2364 CBB_cleanup(&cbb);
2365
2366 return (-1);
2367}
2368
2369static int
2370ssl3_send_client_certificate(SSL *s)
2371{
2372 EVP_PKEY *pkey = NULL;
2373 X509 *x509 = NULL;
2374 CBB cbb, client_cert;
2375 int i;
2376
2377 memset(&cbb, 0, sizeof(cbb));
2378
2379 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
2380 if (s->cert->key->x509 == NULL ||
2381 s->cert->key->privatekey == NULL)
2382 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2383 else
2384 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2385 }
2386
2387 /* We need to get a client cert */
2388 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
2389 /*
2390 * If we get an error, we need to
2391 * ssl->rwstate = SSL_X509_LOOKUP; return(-1);
2392 * We then get retried later.
2393 */
2394 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2395 if (i < 0) {
2396 s->rwstate = SSL_X509_LOOKUP;
2397 return (-1);
2398 }
2399 s->rwstate = SSL_NOTHING;
2400 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
2401 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2402 if (!SSL_use_certificate(s, x509) ||
2403 !SSL_use_PrivateKey(s, pkey))
2404 i = 0;
2405 } else if (i == 1) {
2406 i = 0;
2407 SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2408 }
2409
2410 X509_free(x509);
2411 EVP_PKEY_free(pkey);
2412 if (i == 0) {
2413 s->s3->hs.tls12.cert_request = 2;
2414
2415 /* There is no client certificate to verify. */
2416 tls1_transcript_free(s);
2417 }
2418
2419 /* Ok, we have a cert */
2420 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2421 }
2422
2423 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
2424 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2425 SSL3_MT_CERTIFICATE))
2426 goto err;
2427 if (!ssl3_output_cert_chain(s, &client_cert,
2428 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
2429 goto err;
2430 if (!ssl3_handshake_msg_finish(s, &cbb))
2431 goto err;
2432
2433 s->s3->hs.state = SSL3_ST_CW_CERT_D;
2434 }
2435
2436 /* SSL3_ST_CW_CERT_D */
2437 return (ssl3_handshake_write(s));
2438
2439 err:
2440 CBB_cleanup(&cbb);
2441
2442 return (0);
2443}
2444
2445#define has_bits(i,m) (((i)&(m)) == (m))
2446
2447static int
2448ssl3_check_cert_and_algorithm(SSL *s)
2449{
2450 long alg_k, alg_a;
2451 int nid = NID_undef;
2452 int i;
2453
2454 alg_k = s->s3->hs.cipher->algorithm_mkey;
2455 alg_a = s->s3->hs.cipher->algorithm_auth;
2456
2457 /* We don't have a certificate. */
2458 if (alg_a & SSL_aNULL)
2459 return (1);
2460
2461 if (s->s3->hs.key_share != NULL)
2462 nid = tls_key_share_nid(s->s3->hs.key_share);
2463
2464 /* This is the passed certificate. */
2465
2466 if (s->session->peer_cert_type == SSL_PKEY_ECC) {
2467 if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
2468 SSLerror(s, SSL_R_BAD_ECC_CERT);
2469 goto fatal_err;
2470 }
2471 return (1);
2472 }
2473
2474 i = X509_certificate_type(s->session->peer_cert, NULL);
2475
2476 /* Check that we have a certificate if we require one. */
2477 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2478 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
2479 goto fatal_err;
2480 }
2481 if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2482 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2483 goto fatal_err;
2484 }
2485 if ((alg_k & SSL_kDHE) &&
2486 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) {
2487 SSLerror(s, SSL_R_MISSING_DH_KEY);
2488 goto fatal_err;
2489 }
2490
2491 return (1);
2492
2493 fatal_err:
2494 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2495
2496 return (0);
2497}
2498
2499/*
2500 * Check to see if handshake is full or resumed. Usually this is just a
2501 * case of checking to see if a cache hit has occurred. In the case of
2502 * session tickets we have to check the next message to be sure.
2503 */
2504
2505static int
2506ssl3_check_finished(SSL *s)
2507{
2508 int ret;
2509
2510 /* If we have no ticket it cannot be a resumed session. */
2511 if (!s->session->tlsext_tick)
2512 return (1);
2513 /* this function is called when we really expect a Certificate
2514 * message, so permit appropriate message length */
2515 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
2516 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
2517 return ret;
2518
2519 s->s3->hs.tls12.reuse_message = 1;
2520 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) ||
2521 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
2522 return (2);
2523
2524 return (1);
2525}
2526
2527static int
2528ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2529{
2530 int i = 0;
2531
2532#ifndef OPENSSL_NO_ENGINE
2533 if (s->ctx->client_cert_engine) {
2534 i = ENGINE_load_ssl_client_cert(
2535 s->ctx->client_cert_engine, s,
2536 SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL);
2537 if (i != 0)
2538 return (i);
2539 }
2540#endif
2541 if (s->ctx->client_cert_cb)
2542 i = s->ctx->client_cert_cb(s, px509, ppkey);
2543 return (i);
2544}
2545
2546static int
2547ssl3_send_client_change_cipher_spec(SSL *s)
2548{
2549 size_t outlen;
2550 CBB cbb;
2551
2552 memset(&cbb, 0, sizeof(cbb));
2553
2554 if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
2555 if (!CBB_init_fixed(&cbb, s->init_buf->data,
2556 s->init_buf->length))
2557 goto err;
2558 if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
2559 goto err;
2560 if (!CBB_finish(&cbb, NULL, &outlen))
2561 goto err;
2562
2563 if (outlen > INT_MAX)
2564 goto err;
2565
2566 s->init_num = (int)outlen;
2567 s->init_off = 0;
2568
2569 if (SSL_is_dtls(s)) {
2570 s->d1->handshake_write_seq =
2571 s->d1->next_handshake_write_seq;
2572 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
2573 s->d1->handshake_write_seq, 0, 0);
2574 dtls1_buffer_message(s, 1);
2575 }
2576
2577 s->s3->hs.state = SSL3_ST_CW_CHANGE_B;
2578 }
2579
2580 /* SSL3_ST_CW_CHANGE_B */
2581 return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
2582
2583 err:
2584 CBB_cleanup(&cbb);
2585
2586 return -1;
2587}
2588
2589static int
2590ssl3_send_client_finished(SSL *s)
2591{
2592 CBB cbb, finished;
2593
2594 memset(&cbb, 0, sizeof(cbb));
2595
2596 if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) {
2597 if (!tls12_derive_finished(s))
2598 goto err;
2599
2600 /* Copy finished so we can use it for renegotiation checks. */
2601 memcpy(s->s3->previous_client_finished,
2602 s->s3->hs.finished, s->s3->hs.finished_len);
2603 s->s3->previous_client_finished_len =
2604 s->s3->hs.finished_len;
2605
2606 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
2607 SSL3_MT_FINISHED))
2608 goto err;
2609 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
2610 s->s3->hs.finished_len))
2611 goto err;
2612 if (!ssl3_handshake_msg_finish(s, &cbb))
2613 goto err;
2614
2615 s->s3->hs.state = SSL3_ST_CW_FINISHED_B;
2616 }
2617
2618 return (ssl3_handshake_write(s));
2619
2620 err:
2621 CBB_cleanup(&cbb);
2622
2623 return (-1);
2624}
2625
2626static int
2627ssl3_get_server_finished(SSL *s)
2628{
2629 int al, md_len, ret;
2630 CBS cbs;
2631
2632 /* should actually be 36+4 :-) */
2633 if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A,
2634 SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
2635 return ret;
2636
2637 /* If this occurs, we have missed a message */
2638 if (!s->s3->change_cipher_spec) {
2639 al = SSL_AD_UNEXPECTED_MESSAGE;
2640 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
2641 goto fatal_err;
2642 }
2643 s->s3->change_cipher_spec = 0;
2644
2645 md_len = TLS1_FINISH_MAC_LENGTH;
2646
2647 if (s->init_num < 0) {
2648 al = SSL_AD_DECODE_ERROR;
2649 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2650 goto fatal_err;
2651 }
2652
2653 CBS_init(&cbs, s->init_msg, s->init_num);
2654
2655 if (s->s3->hs.peer_finished_len != md_len ||
2656 CBS_len(&cbs) != md_len) {
2657 al = SSL_AD_DECODE_ERROR;
2658 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2659 goto fatal_err;
2660 }
2661
2662 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
2663 al = SSL_AD_DECRYPT_ERROR;
2664 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
2665 goto fatal_err;
2666 }
2667
2668 /* Copy finished so we can use it for renegotiation checks. */
2669 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
2670 memcpy(s->s3->previous_server_finished,
2671 s->s3->hs.peer_finished, md_len);
2672 s->s3->previous_server_finished_len = md_len;
2673
2674 return (1);
2675 fatal_err:
2676 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2677 return (0);
2678}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 22:31:16 +0000