1238405Sjkim/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296341Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296341Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296341Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296341Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296341Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5889837Skris/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 6089837Skris * 6189837Skris * Redistribution and use in source and binary forms, with or without 6289837Skris * modification, are permitted provided that the following conditions 6389837Skris * are met: 6489837Skris * 6589837Skris * 1. Redistributions of source code must retain the above copyright 66296341Sdelphij * notice, this list of conditions and the following disclaimer. 6789837Skris * 6889837Skris * 2. Redistributions in binary form must reproduce the above copyright 6989837Skris * notice, this list of conditions and the following disclaimer in 7089837Skris * the documentation and/or other materials provided with the 7189837Skris * distribution. 7289837Skris * 7389837Skris * 3. All advertising materials mentioning features or use of this 7489837Skris * software must display the following acknowledgment: 7589837Skris * "This product includes software developed by the OpenSSL Project 7689837Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7789837Skris * 7889837Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7989837Skris * endorse or promote products derived from this software without 8089837Skris * prior written permission. For written permission, please contact 8189837Skris * openssl-core@openssl.org. 8289837Skris * 8389837Skris * 5. Products derived from this software may not be called "OpenSSL" 8489837Skris * nor may "OpenSSL" appear in their names without prior written 8589837Skris * permission of the OpenSSL Project. 8689837Skris * 8789837Skris * 6. Redistributions of any form whatsoever must retain the following 8889837Skris * acknowledgment: 8989837Skris * "This product includes software developed by the OpenSSL Project 9089837Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9189837Skris * 9289837Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9389837Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9489837Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9589837Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9689837Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9789837Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9889837Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9989837Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10089837Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10189837Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10289837Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10389837Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10489837Skris * ==================================================================== 10589837Skris * 10689837Skris * This product includes cryptographic software written by Eric Young 10789837Skris * (eay@cryptsoft.com). This product includes software written by Tim 10889837Skris * Hudson (tjh@cryptsoft.com). 10989837Skris * 11089837Skris */ 111160814Ssimon/* ==================================================================== 112160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113160814Ssimon * 114296341Sdelphij * Portions of the attached software ("Contribution") are developed by 115160814Ssimon * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116160814Ssimon * 117160814Ssimon * The Contribution is licensed pursuant to the OpenSSL open source 118160814Ssimon * license provided above. 119160814Ssimon * 120160814Ssimon * ECC cipher suite support in OpenSSL originally written by 121160814Ssimon * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122160814Ssimon * 123160814Ssimon */ 124238405Sjkim/* ==================================================================== 125238405Sjkim * Copyright 2005 Nokia. All rights reserved. 126238405Sjkim * 127238405Sjkim * The portions of the attached software ("Contribution") is developed by 128238405Sjkim * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129238405Sjkim * license. 130238405Sjkim * 131238405Sjkim * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132238405Sjkim * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133238405Sjkim * support (see RFC 4279) to OpenSSL. 134238405Sjkim * 135238405Sjkim * No patent licenses or other rights except those expressly stated in 136238405Sjkim * the OpenSSL open source license shall be deemed granted or received 137238405Sjkim * expressly, by implication, estoppel, or otherwise. 138238405Sjkim * 139238405Sjkim * No assurances are provided by Nokia that the Contribution does not 140238405Sjkim * infringe the patent or other intellectual property rights of any third 141238405Sjkim * party or that the license provides you with all the necessary rights 142238405Sjkim * to make use of the Contribution. 143238405Sjkim * 144238405Sjkim * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145238405Sjkim * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146238405Sjkim * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147238405Sjkim * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148238405Sjkim * OTHERWISE. 149238405Sjkim */ 15055714Skris 15155714Skris#define REUSE_CIPHER_BUG 15259191Skris#define NETSCAPE_HANG_BUG 15355714Skris 15455714Skris#include <stdio.h> 155109998Smarkm#include "ssl_locl.h" 156109998Smarkm#include "kssl_lcl.h" 157273399Sdelphij#include "../crypto/constant_time_locl.h" 15855714Skris#include <openssl/buffer.h> 15955714Skris#include <openssl/rand.h> 16055714Skris#include <openssl/objects.h> 16155714Skris#include <openssl/evp.h> 162194206Ssimon#include <openssl/hmac.h> 16355714Skris#include <openssl/x509.h> 164160814Ssimon#ifndef OPENSSL_NO_DH 165296341Sdelphij# include <openssl/dh.h> 166160814Ssimon#endif 167160814Ssimon#include <openssl/bn.h> 168127128Snectar#ifndef OPENSSL_NO_KRB5 169296341Sdelphij# include <openssl/krb5_asn.h> 170127128Snectar#endif 171109998Smarkm#include <openssl/md5.h> 17255714Skris 173279264Sdelphij#ifndef OPENSSL_NO_SSL3_METHOD 174238405Sjkimstatic const SSL_METHOD *ssl3_get_server_method(int ver); 175160814Ssimon 176238405Sjkimstatic const SSL_METHOD *ssl3_get_server_method(int ver) 177296341Sdelphij{ 178296341Sdelphij if (ver == SSL3_VERSION) 179296341Sdelphij return (SSLv3_server_method()); 180296341Sdelphij else 181296341Sdelphij return (NULL); 182296341Sdelphij} 18355714Skris 184279264SdelphijIMPLEMENT_ssl3_meth_func(SSLv3_server_method, 185296341Sdelphij ssl3_accept, 186296341Sdelphij ssl_undefined_function, ssl3_get_server_method) 187279264Sdelphij#endif 188238405Sjkim#ifndef OPENSSL_NO_SRP 189238405Sjkimstatic int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 190296341Sdelphij{ 191296341Sdelphij int ret = SSL_ERROR_NONE; 192238405Sjkim 193296341Sdelphij *al = SSL_AD_UNRECOGNIZED_NAME; 194238405Sjkim 195296341Sdelphij if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 196296341Sdelphij (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { 197296341Sdelphij if (s->srp_ctx.login == NULL) { 198296341Sdelphij /* 199296341Sdelphij * RFC 5054 says SHOULD reject, we do so if There is no srp 200296341Sdelphij * login name 201296341Sdelphij */ 202296341Sdelphij ret = SSL3_AL_FATAL; 203296341Sdelphij *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 204296341Sdelphij } else { 205296341Sdelphij ret = SSL_srp_server_param_with_username(s, al); 206296341Sdelphij } 207296341Sdelphij } 208296341Sdelphij return ret; 209296341Sdelphij} 210238405Sjkim#endif 211238405Sjkim 21255714Skrisint ssl3_accept(SSL *s) 213296341Sdelphij{ 214296341Sdelphij BUF_MEM *buf; 215296341Sdelphij unsigned long alg_k, Time = (unsigned long)time(NULL); 216296341Sdelphij void (*cb) (const SSL *ssl, int type, int val) = NULL; 217296341Sdelphij int ret = -1; 218296341Sdelphij int new_state, state, skip = 0; 21955714Skris 220296341Sdelphij RAND_add(&Time, sizeof(Time), 0); 221296341Sdelphij ERR_clear_error(); 222296341Sdelphij clear_sys_error(); 22355714Skris 224296341Sdelphij if (s->info_callback != NULL) 225296341Sdelphij cb = s->info_callback; 226296341Sdelphij else if (s->ctx->info_callback != NULL) 227296341Sdelphij cb = s->ctx->info_callback; 22855714Skris 229296341Sdelphij /* init things to blank */ 230296341Sdelphij s->in_handshake++; 231296341Sdelphij if (!SSL_in_init(s) || SSL_in_before(s)) 232296341Sdelphij SSL_clear(s); 23355714Skris 234296341Sdelphij if (s->cert == NULL) { 235296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 236296341Sdelphij return (-1); 237296341Sdelphij } 238238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 239296341Sdelphij /* 240296341Sdelphij * If we're awaiting a HeartbeatResponse, pretend we already got and 241296341Sdelphij * don't await it anymore, because Heartbeats don't make sense during 242296341Sdelphij * handshakes anyway. 243296341Sdelphij */ 244296341Sdelphij if (s->tlsext_hb_pending) { 245296341Sdelphij s->tlsext_hb_pending = 0; 246296341Sdelphij s->tlsext_hb_seq++; 247296341Sdelphij } 248238405Sjkim#endif 249238405Sjkim 250296341Sdelphij for (;;) { 251296341Sdelphij state = s->state; 25255714Skris 253296341Sdelphij switch (s->state) { 254296341Sdelphij case SSL_ST_RENEGOTIATE: 255296341Sdelphij s->renegotiate = 1; 256296341Sdelphij /* s->state=SSL_ST_ACCEPT; */ 25755714Skris 258296341Sdelphij case SSL_ST_BEFORE: 259296341Sdelphij case SSL_ST_ACCEPT: 260296341Sdelphij case SSL_ST_BEFORE | SSL_ST_ACCEPT: 261296341Sdelphij case SSL_ST_OK | SSL_ST_ACCEPT: 26255714Skris 263296341Sdelphij s->server = 1; 264296341Sdelphij if (cb != NULL) 265296341Sdelphij cb(s, SSL_CB_HANDSHAKE_START, 1); 26655714Skris 267296341Sdelphij if ((s->version >> 8) != 3) { 268296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 269296341Sdelphij s->state = SSL_ST_ERR; 270296341Sdelphij return -1; 271296341Sdelphij } 272296341Sdelphij s->type = SSL_ST_ACCEPT; 27355714Skris 274296341Sdelphij if (s->init_buf == NULL) { 275296341Sdelphij if ((buf = BUF_MEM_new()) == NULL) { 276296341Sdelphij ret = -1; 277296341Sdelphij s->state = SSL_ST_ERR; 278296341Sdelphij goto end; 279296341Sdelphij } 280296341Sdelphij if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 281296341Sdelphij BUF_MEM_free(buf); 282296341Sdelphij ret = -1; 283296341Sdelphij s->state = SSL_ST_ERR; 284296341Sdelphij goto end; 285296341Sdelphij } 286296341Sdelphij s->init_buf = buf; 287296341Sdelphij } 28855714Skris 289296341Sdelphij if (!ssl3_setup_buffers(s)) { 290296341Sdelphij ret = -1; 291296341Sdelphij s->state = SSL_ST_ERR; 292296341Sdelphij goto end; 293296341Sdelphij } 29455714Skris 295296341Sdelphij s->init_num = 0; 296296341Sdelphij s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 297296341Sdelphij s->s3->flags &= ~SSL3_FLAGS_CCS_OK; 298296341Sdelphij /* 299296341Sdelphij * Should have been reset by ssl3_get_finished, too. 300296341Sdelphij */ 301296341Sdelphij s->s3->change_cipher_spec = 0; 30255714Skris 303296341Sdelphij if (s->state != SSL_ST_RENEGOTIATE) { 304296341Sdelphij /* 305296341Sdelphij * Ok, we now need to push on a buffering BIO so that the 306296341Sdelphij * output is sent in a way that TCP likes :-) 307296341Sdelphij */ 308296341Sdelphij if (!ssl_init_wbio_buffer(s, 1)) { 309296341Sdelphij ret = -1; 310296341Sdelphij s->state = SSL_ST_ERR; 311296341Sdelphij goto end; 312296341Sdelphij } 31355714Skris 314296341Sdelphij ssl3_init_finished_mac(s); 315296341Sdelphij s->state = SSL3_ST_SR_CLNT_HELLO_A; 316296341Sdelphij s->ctx->stats.sess_accept++; 317296341Sdelphij } else if (!s->s3->send_connection_binding && 318296341Sdelphij !(s->options & 319296341Sdelphij SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 320296341Sdelphij /* 321296341Sdelphij * Server attempting to renegotiate with client that doesn't 322296341Sdelphij * support secure renegotiation. 323296341Sdelphij */ 324296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, 325296341Sdelphij SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 326296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 327296341Sdelphij ret = -1; 328296341Sdelphij s->state = SSL_ST_ERR; 329296341Sdelphij goto end; 330296341Sdelphij } else { 331296341Sdelphij /* 332296341Sdelphij * s->state == SSL_ST_RENEGOTIATE, we will just send a 333296341Sdelphij * HelloRequest 334296341Sdelphij */ 335296341Sdelphij s->ctx->stats.sess_accept_renegotiate++; 336296341Sdelphij s->state = SSL3_ST_SW_HELLO_REQ_A; 337296341Sdelphij } 338296341Sdelphij break; 33955714Skris 340296341Sdelphij case SSL3_ST_SW_HELLO_REQ_A: 341296341Sdelphij case SSL3_ST_SW_HELLO_REQ_B: 34255714Skris 343296341Sdelphij s->shutdown = 0; 344296341Sdelphij ret = ssl3_send_hello_request(s); 345296341Sdelphij if (ret <= 0) 346296341Sdelphij goto end; 347296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C; 348296341Sdelphij s->state = SSL3_ST_SW_FLUSH; 349296341Sdelphij s->init_num = 0; 35055714Skris 351296341Sdelphij ssl3_init_finished_mac(s); 352296341Sdelphij break; 35355714Skris 354296341Sdelphij case SSL3_ST_SW_HELLO_REQ_C: 355296341Sdelphij s->state = SSL_ST_OK; 356296341Sdelphij break; 35755714Skris 358296341Sdelphij case SSL3_ST_SR_CLNT_HELLO_A: 359296341Sdelphij case SSL3_ST_SR_CLNT_HELLO_B: 360296341Sdelphij case SSL3_ST_SR_CLNT_HELLO_C: 361296341Sdelphij 362296341Sdelphij s->shutdown = 0; 363296341Sdelphij if (s->rwstate != SSL_X509_LOOKUP) { 364296341Sdelphij ret = ssl3_get_client_hello(s); 365296341Sdelphij if (ret <= 0) 366296341Sdelphij goto end; 367296341Sdelphij } 368238405Sjkim#ifndef OPENSSL_NO_SRP 369296341Sdelphij { 370296341Sdelphij int al; 371296341Sdelphij if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { 372296341Sdelphij /* 373296341Sdelphij * callback indicates firther work to be done 374296341Sdelphij */ 375296341Sdelphij s->rwstate = SSL_X509_LOOKUP; 376296341Sdelphij goto end; 377296341Sdelphij } 378296341Sdelphij if (ret != SSL_ERROR_NONE) { 379296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 380296341Sdelphij /* 381296341Sdelphij * This is not really an error but the only means to for 382296341Sdelphij * a client to detect whether srp is supported. 383296341Sdelphij */ 384296341Sdelphij if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 385296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT); 386296341Sdelphij ret = SSL_TLSEXT_ERR_ALERT_FATAL; 387296341Sdelphij ret = -1; 388296341Sdelphij s->state = SSL_ST_ERR; 389296341Sdelphij goto end; 390296341Sdelphij } 391296341Sdelphij } 392296341Sdelphij#endif 39355714Skris 394296341Sdelphij s->renegotiate = 2; 395296341Sdelphij s->state = SSL3_ST_SW_SRVR_HELLO_A; 396296341Sdelphij s->init_num = 0; 397296341Sdelphij break; 398296341Sdelphij 399296341Sdelphij case SSL3_ST_SW_SRVR_HELLO_A: 400296341Sdelphij case SSL3_ST_SW_SRVR_HELLO_B: 401296341Sdelphij ret = ssl3_send_server_hello(s); 402296341Sdelphij if (ret <= 0) 403296341Sdelphij goto end; 404194206Ssimon#ifndef OPENSSL_NO_TLSEXT 405296341Sdelphij if (s->hit) { 406296341Sdelphij if (s->tlsext_ticket_expected) 407296341Sdelphij s->state = SSL3_ST_SW_SESSION_TICKET_A; 408296341Sdelphij else 409296341Sdelphij s->state = SSL3_ST_SW_CHANGE_A; 410296341Sdelphij } 411194206Ssimon#else 412296341Sdelphij if (s->hit) 413296341Sdelphij s->state = SSL3_ST_SW_CHANGE_A; 414194206Ssimon#endif 415296341Sdelphij else 416296341Sdelphij s->state = SSL3_ST_SW_CERT_A; 417296341Sdelphij s->init_num = 0; 418296341Sdelphij break; 41955714Skris 420296341Sdelphij case SSL3_ST_SW_CERT_A: 421296341Sdelphij case SSL3_ST_SW_CERT_B: 422296341Sdelphij /* Check if it is anon DH or anon ECDH, */ 423296341Sdelphij /* normal PSK or KRB5 or SRP */ 424296341Sdelphij if (! 425296341Sdelphij (s->s3->tmp. 426296341Sdelphij new_cipher->algorithm_auth & (SSL_aNULL | SSL_aKRB5 | 427296341Sdelphij SSL_aSRP)) 428296341Sdelphij&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 429296341Sdelphij ret = ssl3_send_server_certificate(s); 430296341Sdelphij if (ret <= 0) 431296341Sdelphij goto end; 432194206Ssimon#ifndef OPENSSL_NO_TLSEXT 433296341Sdelphij if (s->tlsext_status_expected) 434296341Sdelphij s->state = SSL3_ST_SW_CERT_STATUS_A; 435296341Sdelphij else 436296341Sdelphij s->state = SSL3_ST_SW_KEY_EXCH_A; 437296341Sdelphij } else { 438296341Sdelphij skip = 1; 439296341Sdelphij s->state = SSL3_ST_SW_KEY_EXCH_A; 440296341Sdelphij } 441194206Ssimon#else 442296341Sdelphij } else 443296341Sdelphij skip = 1; 444194206Ssimon 445296341Sdelphij s->state = SSL3_ST_SW_KEY_EXCH_A; 446194206Ssimon#endif 447296341Sdelphij s->init_num = 0; 448296341Sdelphij break; 44955714Skris 450296341Sdelphij case SSL3_ST_SW_KEY_EXCH_A: 451296341Sdelphij case SSL3_ST_SW_KEY_EXCH_B: 452296341Sdelphij alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 45355714Skris 454296341Sdelphij /* 455296341Sdelphij * clear this, it may get reset by 456296341Sdelphij * send_server_key_exchange 457296341Sdelphij */ 458296341Sdelphij s->s3->tmp.use_rsa_tmp = 0; 45955714Skris 460296341Sdelphij /* 461296341Sdelphij * only send if a DH key exchange, fortezza or RSA but we have a 462296341Sdelphij * sign only certificate PSK: may send PSK identity hints For 463296341Sdelphij * ECC ciphersuites, we send a serverKeyExchange message only if 464296341Sdelphij * the cipher suite is either ECDH-anon or ECDHE. In other cases, 465296341Sdelphij * the server certificate contains the server's public key for 466296341Sdelphij * key exchange. 467296341Sdelphij */ 468296341Sdelphij if (0 469296341Sdelphij /* 470296341Sdelphij * PSK: send ServerKeyExchange if PSK identity hint if 471296341Sdelphij * provided 472296341Sdelphij */ 473238405Sjkim#ifndef OPENSSL_NO_PSK 474296341Sdelphij || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 475238405Sjkim#endif 476238405Sjkim#ifndef OPENSSL_NO_SRP 477296341Sdelphij /* SRP: send ServerKeyExchange */ 478296341Sdelphij || (alg_k & SSL_kSRP) 479238405Sjkim#endif 480296341Sdelphij || (alg_k & (SSL_kDHr | SSL_kDHd | SSL_kEDH)) 481296341Sdelphij || (alg_k & SSL_kEECDH) 482296341Sdelphij || ((alg_k & SSL_kRSA) 483296341Sdelphij && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 484296341Sdelphij || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 485296341Sdelphij && EVP_PKEY_size(s->cert->pkeys 486296341Sdelphij [SSL_PKEY_RSA_ENC].privatekey) * 487296341Sdelphij 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 488296341Sdelphij ) 489296341Sdelphij ) 490296341Sdelphij ) 491296341Sdelphij ) { 492296341Sdelphij ret = ssl3_send_server_key_exchange(s); 493296341Sdelphij if (ret <= 0) 494296341Sdelphij goto end; 495296341Sdelphij } else 496296341Sdelphij skip = 1; 49755714Skris 498296341Sdelphij s->state = SSL3_ST_SW_CERT_REQ_A; 499296341Sdelphij s->init_num = 0; 500296341Sdelphij break; 50155714Skris 502296341Sdelphij case SSL3_ST_SW_CERT_REQ_A: 503296341Sdelphij case SSL3_ST_SW_CERT_REQ_B: 504296341Sdelphij if ( /* don't request cert unless asked for it: */ 505296341Sdelphij !(s->verify_mode & SSL_VERIFY_PEER) || 506296341Sdelphij /* 507296341Sdelphij * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert 508296341Sdelphij * during re-negotiation: 509296341Sdelphij */ 510296341Sdelphij ((s->session->peer != NULL) && 511296341Sdelphij (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 512296341Sdelphij /* 513296341Sdelphij * never request cert in anonymous ciphersuites (see 514296341Sdelphij * section "Certificate request" in SSL 3 drafts and in 515296341Sdelphij * RFC 2246): 516296341Sdelphij */ 517296341Sdelphij ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 518296341Sdelphij /* 519296341Sdelphij * ... except when the application insists on 520296341Sdelphij * verification (against the specs, but s3_clnt.c accepts 521296341Sdelphij * this for SSL 3) 522296341Sdelphij */ 523296341Sdelphij !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 524296341Sdelphij /* 525296341Sdelphij * never request cert in Kerberos ciphersuites 526296341Sdelphij */ 527296341Sdelphij (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) || 528296341Sdelphij /* don't request certificate for SRP auth */ 529296341Sdelphij (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP) 530296341Sdelphij /* 531296341Sdelphij * With normal PSK Certificates and Certificate Requests 532296341Sdelphij * are omitted 533296341Sdelphij */ 534296341Sdelphij || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 535296341Sdelphij /* no cert request */ 536296341Sdelphij skip = 1; 537296341Sdelphij s->s3->tmp.cert_request = 0; 538296341Sdelphij s->state = SSL3_ST_SW_SRVR_DONE_A; 539296341Sdelphij if (s->s3->handshake_buffer) { 540296341Sdelphij if (!ssl3_digest_cached_records(s)) { 541296341Sdelphij s->state = SSL_ST_ERR; 542296341Sdelphij return -1; 543296341Sdelphij } 544296341Sdelphij } 545296341Sdelphij } else { 546296341Sdelphij s->s3->tmp.cert_request = 1; 547296341Sdelphij ret = ssl3_send_certificate_request(s); 548296341Sdelphij if (ret <= 0) 549296341Sdelphij goto end; 55059191Skris#ifndef NETSCAPE_HANG_BUG 551296341Sdelphij s->state = SSL3_ST_SW_SRVR_DONE_A; 55259191Skris#else 553296341Sdelphij s->state = SSL3_ST_SW_FLUSH; 554296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; 55559191Skris#endif 556296341Sdelphij s->init_num = 0; 557296341Sdelphij } 558296341Sdelphij break; 55955714Skris 560296341Sdelphij case SSL3_ST_SW_SRVR_DONE_A: 561296341Sdelphij case SSL3_ST_SW_SRVR_DONE_B: 562296341Sdelphij ret = ssl3_send_server_done(s); 563296341Sdelphij if (ret <= 0) 564296341Sdelphij goto end; 565296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; 566296341Sdelphij s->state = SSL3_ST_SW_FLUSH; 567296341Sdelphij s->init_num = 0; 568296341Sdelphij break; 569205128Ssimon 570296341Sdelphij case SSL3_ST_SW_FLUSH: 571205128Ssimon 572296341Sdelphij /* 573296341Sdelphij * This code originally checked to see if any data was pending 574296341Sdelphij * using BIO_CTRL_INFO and then flushed. This caused problems as 575296341Sdelphij * documented in PR#1939. The proposed fix doesn't completely 576296341Sdelphij * resolve this issue as buggy implementations of 577296341Sdelphij * BIO_CTRL_PENDING still exist. So instead we just flush 578296341Sdelphij * unconditionally. 579296341Sdelphij */ 58055714Skris 581296341Sdelphij s->rwstate = SSL_WRITING; 582296341Sdelphij if (BIO_flush(s->wbio) <= 0) { 583296341Sdelphij ret = -1; 584296341Sdelphij goto end; 585296341Sdelphij } 586296341Sdelphij s->rwstate = SSL_NOTHING; 58755714Skris 588296341Sdelphij s->state = s->s3->tmp.next_state; 589296341Sdelphij break; 59055714Skris 591296341Sdelphij case SSL3_ST_SR_CERT_A: 592296341Sdelphij case SSL3_ST_SR_CERT_B: 593296341Sdelphij /* Check for second client hello (MS SGC) */ 594296341Sdelphij ret = ssl3_check_client_hello(s); 595296341Sdelphij if (ret <= 0) 596296341Sdelphij goto end; 597296341Sdelphij if (ret == 2) 598296341Sdelphij s->state = SSL3_ST_SR_CLNT_HELLO_C; 599296341Sdelphij else { 600296341Sdelphij if (s->s3->tmp.cert_request) { 601296341Sdelphij ret = ssl3_get_client_certificate(s); 602296341Sdelphij if (ret <= 0) 603296341Sdelphij goto end; 604296341Sdelphij } 605296341Sdelphij s->init_num = 0; 606296341Sdelphij s->state = SSL3_ST_SR_KEY_EXCH_A; 607296341Sdelphij } 608296341Sdelphij break; 609296341Sdelphij 610296341Sdelphij case SSL3_ST_SR_KEY_EXCH_A: 611296341Sdelphij case SSL3_ST_SR_KEY_EXCH_B: 612296341Sdelphij ret = ssl3_get_client_key_exchange(s); 613296341Sdelphij if (ret <= 0) 614296341Sdelphij goto end; 615296341Sdelphij if (ret == 2) { 616296341Sdelphij /* 617296341Sdelphij * For the ECDH ciphersuites when the client sends its ECDH 618296341Sdelphij * pub key in a certificate, the CertificateVerify message is 619296341Sdelphij * not sent. Also for GOST ciphersuites when the client uses 620296341Sdelphij * its key from the certificate for key exchange. 621296341Sdelphij */ 622238405Sjkim#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 623296341Sdelphij s->state = SSL3_ST_SR_FINISHED_A; 624238405Sjkim#else 625296341Sdelphij if (s->s3->next_proto_neg_seen) 626296341Sdelphij s->state = SSL3_ST_SR_NEXT_PROTO_A; 627296341Sdelphij else 628296341Sdelphij s->state = SSL3_ST_SR_FINISHED_A; 629238405Sjkim#endif 630296341Sdelphij s->init_num = 0; 631296341Sdelphij } else if (TLS1_get_version(s) >= TLS1_2_VERSION) { 632296341Sdelphij s->state = SSL3_ST_SR_CERT_VRFY_A; 633296341Sdelphij s->init_num = 0; 634296341Sdelphij if (!s->session->peer) 635296341Sdelphij break; 636296341Sdelphij /* 637296341Sdelphij * For TLS v1.2 freeze the handshake buffer at this point and 638296341Sdelphij * digest cached records. 639296341Sdelphij */ 640296341Sdelphij if (!s->s3->handshake_buffer) { 641296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 642296341Sdelphij s->state = SSL_ST_ERR; 643296341Sdelphij return -1; 644296341Sdelphij } 645296341Sdelphij s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 646296341Sdelphij if (!ssl3_digest_cached_records(s)) { 647296341Sdelphij s->state = SSL_ST_ERR; 648296341Sdelphij return -1; 649296341Sdelphij } 650296341Sdelphij } else { 651296341Sdelphij int offset = 0; 652296341Sdelphij int dgst_num; 65355714Skris 654296341Sdelphij s->state = SSL3_ST_SR_CERT_VRFY_A; 655296341Sdelphij s->init_num = 0; 656238405Sjkim 657296341Sdelphij /* 658296341Sdelphij * We need to get hashes here so if there is a client cert, 659296341Sdelphij * it can be verified FIXME - digest processing for 660296341Sdelphij * CertificateVerify should be generalized. But it is next 661296341Sdelphij * step 662296341Sdelphij */ 663296341Sdelphij if (s->s3->handshake_buffer) { 664296341Sdelphij if (!ssl3_digest_cached_records(s)) { 665296341Sdelphij s->state = SSL_ST_ERR; 666296341Sdelphij return -1; 667296341Sdelphij } 668296341Sdelphij } 669296341Sdelphij for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) 670296341Sdelphij if (s->s3->handshake_dgst[dgst_num]) { 671296341Sdelphij int dgst_size; 672238405Sjkim 673296341Sdelphij s->method->ssl3_enc->cert_verify_mac(s, 674296341Sdelphij EVP_MD_CTX_type 675296341Sdelphij (s-> 676296341Sdelphij s3->handshake_dgst 677296341Sdelphij [dgst_num]), 678296341Sdelphij &(s->s3-> 679296341Sdelphij tmp.cert_verify_md 680296341Sdelphij [offset])); 681296341Sdelphij dgst_size = 682296341Sdelphij EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 683296341Sdelphij if (dgst_size < 0) { 684296341Sdelphij s->state = SSL_ST_ERR; 685296341Sdelphij ret = -1; 686296341Sdelphij goto end; 687296341Sdelphij } 688296341Sdelphij offset += dgst_size; 689296341Sdelphij } 690296341Sdelphij } 691296341Sdelphij break; 69255714Skris 693296341Sdelphij case SSL3_ST_SR_CERT_VRFY_A: 694296341Sdelphij case SSL3_ST_SR_CERT_VRFY_B: 695296341Sdelphij ret = ssl3_get_cert_verify(s); 696296341Sdelphij if (ret <= 0) 697296341Sdelphij goto end; 69855714Skris 699238405Sjkim#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 700296341Sdelphij s->state = SSL3_ST_SR_FINISHED_A; 701238405Sjkim#else 702296341Sdelphij if (s->s3->next_proto_neg_seen) 703296341Sdelphij s->state = SSL3_ST_SR_NEXT_PROTO_A; 704296341Sdelphij else 705296341Sdelphij s->state = SSL3_ST_SR_FINISHED_A; 706238405Sjkim#endif 707296341Sdelphij s->init_num = 0; 708296341Sdelphij break; 70955714Skris 710238405Sjkim#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 711296341Sdelphij case SSL3_ST_SR_NEXT_PROTO_A: 712296341Sdelphij case SSL3_ST_SR_NEXT_PROTO_B: 713296341Sdelphij /* 714296341Sdelphij * Enable CCS for NPN. Receiving a CCS clears the flag, so make 715296341Sdelphij * sure not to re-enable it to ban duplicates. This *should* be the 716296341Sdelphij * first time we have received one - but we check anyway to be 717296341Sdelphij * cautious. 718296341Sdelphij * s->s3->change_cipher_spec is set when a CCS is 719296341Sdelphij * processed in s3_pkt.c, and remains set until 720296341Sdelphij * the client's Finished message is read. 721296341Sdelphij */ 722296341Sdelphij if (!s->s3->change_cipher_spec) 723296341Sdelphij s->s3->flags |= SSL3_FLAGS_CCS_OK; 724279264Sdelphij 725296341Sdelphij ret = ssl3_get_next_proto(s); 726296341Sdelphij if (ret <= 0) 727296341Sdelphij goto end; 728296341Sdelphij s->init_num = 0; 729296341Sdelphij s->state = SSL3_ST_SR_FINISHED_A; 730296341Sdelphij break; 731238405Sjkim#endif 732238405Sjkim 733296341Sdelphij case SSL3_ST_SR_FINISHED_A: 734296341Sdelphij case SSL3_ST_SR_FINISHED_B: 735296341Sdelphij /* 736296341Sdelphij * Enable CCS for handshakes without NPN. In NPN the CCS flag has 737296341Sdelphij * already been set. Receiving a CCS clears the flag, so make 738296341Sdelphij * sure not to re-enable it to ban duplicates. 739296341Sdelphij * s->s3->change_cipher_spec is set when a CCS is 740296341Sdelphij * processed in s3_pkt.c, and remains set until 741296341Sdelphij * the client's Finished message is read. 742296341Sdelphij */ 743296341Sdelphij if (!s->s3->change_cipher_spec) 744296341Sdelphij s->s3->flags |= SSL3_FLAGS_CCS_OK; 745296341Sdelphij ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, 746296341Sdelphij SSL3_ST_SR_FINISHED_B); 747296341Sdelphij if (ret <= 0) 748296341Sdelphij goto end; 749296341Sdelphij if (s->hit) 750296341Sdelphij s->state = SSL_ST_OK; 751194206Ssimon#ifndef OPENSSL_NO_TLSEXT 752296341Sdelphij else if (s->tlsext_ticket_expected) 753296341Sdelphij s->state = SSL3_ST_SW_SESSION_TICKET_A; 754194206Ssimon#endif 755296341Sdelphij else 756296341Sdelphij s->state = SSL3_ST_SW_CHANGE_A; 757296341Sdelphij s->init_num = 0; 758296341Sdelphij break; 75955714Skris 760194206Ssimon#ifndef OPENSSL_NO_TLSEXT 761296341Sdelphij case SSL3_ST_SW_SESSION_TICKET_A: 762296341Sdelphij case SSL3_ST_SW_SESSION_TICKET_B: 763296341Sdelphij ret = ssl3_send_newsession_ticket(s); 764296341Sdelphij if (ret <= 0) 765296341Sdelphij goto end; 766296341Sdelphij s->state = SSL3_ST_SW_CHANGE_A; 767296341Sdelphij s->init_num = 0; 768296341Sdelphij break; 769194206Ssimon 770296341Sdelphij case SSL3_ST_SW_CERT_STATUS_A: 771296341Sdelphij case SSL3_ST_SW_CERT_STATUS_B: 772296341Sdelphij ret = ssl3_send_cert_status(s); 773296341Sdelphij if (ret <= 0) 774296341Sdelphij goto end; 775296341Sdelphij s->state = SSL3_ST_SW_KEY_EXCH_A; 776296341Sdelphij s->init_num = 0; 777296341Sdelphij break; 778194206Ssimon 779194206Ssimon#endif 780194206Ssimon 781296341Sdelphij case SSL3_ST_SW_CHANGE_A: 782296341Sdelphij case SSL3_ST_SW_CHANGE_B: 78355714Skris 784296341Sdelphij s->session->cipher = s->s3->tmp.new_cipher; 785296341Sdelphij if (!s->method->ssl3_enc->setup_key_block(s)) { 786296341Sdelphij ret = -1; 787296341Sdelphij s->state = SSL_ST_ERR; 788296341Sdelphij goto end; 789296341Sdelphij } 79055714Skris 791296341Sdelphij ret = ssl3_send_change_cipher_spec(s, 792296341Sdelphij SSL3_ST_SW_CHANGE_A, 793296341Sdelphij SSL3_ST_SW_CHANGE_B); 79455714Skris 795296341Sdelphij if (ret <= 0) 796296341Sdelphij goto end; 797296341Sdelphij s->state = SSL3_ST_SW_FINISHED_A; 798296341Sdelphij s->init_num = 0; 79955714Skris 800296341Sdelphij if (!s->method->ssl3_enc->change_cipher_state(s, 801296341Sdelphij SSL3_CHANGE_CIPHER_SERVER_WRITE)) 802296341Sdelphij { 803296341Sdelphij ret = -1; 804296341Sdelphij s->state = SSL_ST_ERR; 805296341Sdelphij goto end; 806296341Sdelphij } 80755714Skris 808296341Sdelphij break; 80955714Skris 810296341Sdelphij case SSL3_ST_SW_FINISHED_A: 811296341Sdelphij case SSL3_ST_SW_FINISHED_B: 812296341Sdelphij ret = ssl3_send_finished(s, 813296341Sdelphij SSL3_ST_SW_FINISHED_A, 814296341Sdelphij SSL3_ST_SW_FINISHED_B, 815296341Sdelphij s->method-> 816296341Sdelphij ssl3_enc->server_finished_label, 817296341Sdelphij s->method-> 818296341Sdelphij ssl3_enc->server_finished_label_len); 819296341Sdelphij if (ret <= 0) 820296341Sdelphij goto end; 821296341Sdelphij s->state = SSL3_ST_SW_FLUSH; 822296341Sdelphij if (s->hit) { 823238405Sjkim#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 824296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 825238405Sjkim#else 826296341Sdelphij if (s->s3->next_proto_neg_seen) { 827296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A; 828296341Sdelphij } else 829296341Sdelphij s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 830238405Sjkim#endif 831296341Sdelphij } else 832296341Sdelphij s->s3->tmp.next_state = SSL_ST_OK; 833296341Sdelphij s->init_num = 0; 834296341Sdelphij break; 83555714Skris 836296341Sdelphij case SSL_ST_OK: 837296341Sdelphij /* clean a few things up */ 838296341Sdelphij ssl3_cleanup_key_block(s); 83955714Skris 840296341Sdelphij BUF_MEM_free(s->init_buf); 841296341Sdelphij s->init_buf = NULL; 84255714Skris 843296341Sdelphij /* remove buffering on output */ 844296341Sdelphij ssl_free_wbio_buffer(s); 84555714Skris 846296341Sdelphij s->init_num = 0; 84755714Skris 848296341Sdelphij if (s->renegotiate == 2) { /* skipped if we just sent a 849296341Sdelphij * HelloRequest */ 850296341Sdelphij s->renegotiate = 0; 851296341Sdelphij s->new_session = 0; 85255714Skris 853296341Sdelphij ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 85455714Skris 855296341Sdelphij s->ctx->stats.sess_accept_good++; 856296341Sdelphij /* s->server=1; */ 857296341Sdelphij s->handshake_func = ssl3_accept; 85855714Skris 859296341Sdelphij if (cb != NULL) 860296341Sdelphij cb(s, SSL_CB_HANDSHAKE_DONE, 1); 861296341Sdelphij } 86255714Skris 863296341Sdelphij ret = 1; 864296341Sdelphij goto end; 865296341Sdelphij /* break; */ 86655714Skris 867296341Sdelphij case SSL_ST_ERR: 868296341Sdelphij default: 869296341Sdelphij SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE); 870296341Sdelphij ret = -1; 871296341Sdelphij goto end; 872296341Sdelphij /* break; */ 873296341Sdelphij } 87455714Skris 875296341Sdelphij if (!s->s3->tmp.reuse_message && !skip) { 876296341Sdelphij if (s->debug) { 877296341Sdelphij if ((ret = BIO_flush(s->wbio)) <= 0) 878296341Sdelphij goto end; 879296341Sdelphij } 880296341Sdelphij 881296341Sdelphij if ((cb != NULL) && (s->state != state)) { 882296341Sdelphij new_state = s->state; 883296341Sdelphij s->state = state; 884296341Sdelphij cb(s, SSL_CB_ACCEPT_LOOP, 1); 885296341Sdelphij s->state = new_state; 886296341Sdelphij } 887296341Sdelphij } 888296341Sdelphij skip = 0; 889296341Sdelphij } 890296341Sdelphij end: 891296341Sdelphij /* BIO_flush(s->wbio); */ 892296341Sdelphij 893296341Sdelphij s->in_handshake--; 894296341Sdelphij if (cb != NULL) 895296341Sdelphij cb(s, SSL_CB_ACCEPT_EXIT, ret); 896296341Sdelphij return (ret); 897296341Sdelphij} 898296341Sdelphij 899160814Ssimonint ssl3_send_hello_request(SSL *s) 900296341Sdelphij{ 901296341Sdelphij unsigned char *p; 90255714Skris 903296341Sdelphij if (s->state == SSL3_ST_SW_HELLO_REQ_A) { 904296341Sdelphij p = (unsigned char *)s->init_buf->data; 905296341Sdelphij *(p++) = SSL3_MT_HELLO_REQUEST; 906296341Sdelphij *(p++) = 0; 907296341Sdelphij *(p++) = 0; 908296341Sdelphij *(p++) = 0; 90955714Skris 910296341Sdelphij s->state = SSL3_ST_SW_HELLO_REQ_B; 911296341Sdelphij /* number of bytes to write */ 912296341Sdelphij s->init_num = 4; 913296341Sdelphij s->init_off = 0; 914296341Sdelphij } 91555714Skris 916296341Sdelphij /* SSL3_ST_SW_HELLO_REQ_B */ 917296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 918296341Sdelphij} 91955714Skris 920160814Ssimonint ssl3_check_client_hello(SSL *s) 921296341Sdelphij{ 922296341Sdelphij int ok; 923296341Sdelphij long n; 92459191Skris 925296341Sdelphij /* 926296341Sdelphij * this function is called when we really expect a Certificate message, 927296341Sdelphij * so permit appropriate message length 928296341Sdelphij */ 929296341Sdelphij n = s->method->ssl_get_message(s, 930296341Sdelphij SSL3_ST_SR_CERT_A, 931296341Sdelphij SSL3_ST_SR_CERT_B, 932296341Sdelphij -1, s->max_cert_list, &ok); 933296341Sdelphij if (!ok) 934296341Sdelphij return ((int)n); 935296341Sdelphij s->s3->tmp.reuse_message = 1; 936296341Sdelphij if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { 937296341Sdelphij /* 938296341Sdelphij * We only allow the client to restart the handshake once per 939296341Sdelphij * negotiation. 940296341Sdelphij */ 941296341Sdelphij if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { 942296341Sdelphij SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, 943296341Sdelphij SSL_R_MULTIPLE_SGC_RESTARTS); 944296341Sdelphij return -1; 945296341Sdelphij } 946296341Sdelphij /* 947296341Sdelphij * Throw away what we have done so far in the current handshake, 948296341Sdelphij * which will now be aborted. (A full SSL_clear would be too much.) 949296341Sdelphij */ 950109998Smarkm#ifndef OPENSSL_NO_DH 951296341Sdelphij if (s->s3->tmp.dh != NULL) { 952296341Sdelphij DH_free(s->s3->tmp.dh); 953296341Sdelphij s->s3->tmp.dh = NULL; 954296341Sdelphij } 95559191Skris#endif 956225446Sdelphij#ifndef OPENSSL_NO_ECDH 957296341Sdelphij if (s->s3->tmp.ecdh != NULL) { 958296341Sdelphij EC_KEY_free(s->s3->tmp.ecdh); 959296341Sdelphij s->s3->tmp.ecdh = NULL; 960296341Sdelphij } 961225446Sdelphij#endif 962296341Sdelphij s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 963296341Sdelphij return 2; 964296341Sdelphij } 965296341Sdelphij return 1; 96659191Skris} 96759191Skris 968160814Ssimonint ssl3_get_client_hello(SSL *s) 969296341Sdelphij{ 970296341Sdelphij int i, j, ok, al, ret = -1; 971296341Sdelphij unsigned int cookie_len; 972296341Sdelphij long n; 973296341Sdelphij unsigned long id; 974296341Sdelphij unsigned char *p, *d, *q; 975296341Sdelphij SSL_CIPHER *c; 976160814Ssimon#ifndef OPENSSL_NO_COMP 977296341Sdelphij SSL_COMP *comp = NULL; 978160814Ssimon#endif 979296341Sdelphij STACK_OF(SSL_CIPHER) *ciphers = NULL; 98055714Skris 981296341Sdelphij /* 982296341Sdelphij * We do this so that we will respond with our native type. If we are 983296341Sdelphij * TLSv1 and we get SSLv3, we will respond with TLSv1, This down 984296341Sdelphij * switching should be handled by a different method. If we are SSLv3, we 985296341Sdelphij * will respond with SSLv3, even if prompted with TLSv1. 986296341Sdelphij */ 987296341Sdelphij if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { 988296341Sdelphij s->state = SSL3_ST_SR_CLNT_HELLO_B; 989296341Sdelphij } 990296341Sdelphij s->first_packet = 1; 991296341Sdelphij n = s->method->ssl_get_message(s, 992296341Sdelphij SSL3_ST_SR_CLNT_HELLO_B, 993296341Sdelphij SSL3_ST_SR_CLNT_HELLO_C, 994296341Sdelphij SSL3_MT_CLIENT_HELLO, 995296341Sdelphij SSL3_RT_MAX_PLAIN_LENGTH, &ok); 99655714Skris 997296341Sdelphij if (!ok) 998296341Sdelphij return ((int)n); 999296341Sdelphij s->first_packet = 0; 1000296341Sdelphij d = p = (unsigned char *)s->init_msg; 100155714Skris 1002296341Sdelphij /* 1003296341Sdelphij * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte 1004296341Sdelphij * for session id length 1005296341Sdelphij */ 1006296341Sdelphij if (n < 2 + SSL3_RANDOM_SIZE + 1) { 1007296341Sdelphij al = SSL_AD_DECODE_ERROR; 1008296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1009296341Sdelphij goto f_err; 1010296341Sdelphij } 101155714Skris 1012296341Sdelphij /* 1013296341Sdelphij * use version from inside client hello, not from record header (may 1014296341Sdelphij * differ: see RFC 2246, Appendix E, second paragraph) 1015296341Sdelphij */ 1016296341Sdelphij s->client_version = (((int)p[0]) << 8) | (int)p[1]; 1017296341Sdelphij p += 2; 101889837Skris 1019296341Sdelphij if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 1020296341Sdelphij (s->version != DTLS1_VERSION && s->client_version < s->version)) { 1021296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 1022296341Sdelphij if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 1023296341Sdelphij !s->enc_write_ctx && !s->write_hash) { 1024296341Sdelphij /* 1025296341Sdelphij * similar to ssl3_get_record, send alert using remote version 1026296341Sdelphij * number 1027296341Sdelphij */ 1028296341Sdelphij s->version = s->client_version; 1029296341Sdelphij } 1030296341Sdelphij al = SSL_AD_PROTOCOL_VERSION; 1031296341Sdelphij goto f_err; 1032296341Sdelphij } 1033205128Ssimon 1034296341Sdelphij /* 1035296341Sdelphij * If we require cookies and this ClientHello doesn't contain one, just 1036296341Sdelphij * return since we do not want to allocate any memory yet. So check 1037296341Sdelphij * cookie length... 1038296341Sdelphij */ 1039296341Sdelphij if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { 1040296341Sdelphij unsigned int session_length, cookie_length; 1041205128Ssimon 1042296341Sdelphij session_length = *(p + SSL3_RANDOM_SIZE); 104355714Skris 1044306230Sdelphij if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { 1045296341Sdelphij al = SSL_AD_DECODE_ERROR; 1046296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1047296341Sdelphij goto f_err; 1048296341Sdelphij } 1049296341Sdelphij cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 105055714Skris 1051296341Sdelphij if (cookie_length == 0) 1052296341Sdelphij return 1; 1053296341Sdelphij } 105455714Skris 1055296341Sdelphij /* load the client random */ 1056296341Sdelphij memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE); 1057296341Sdelphij p += SSL3_RANDOM_SIZE; 1058160814Ssimon 1059296341Sdelphij /* get the session-id */ 1060296341Sdelphij j = *(p++); 1061160814Ssimon 1062306230Sdelphij if ((d + n) - p < j) { 1063296341Sdelphij al = SSL_AD_DECODE_ERROR; 1064296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1065296341Sdelphij goto f_err; 1066296341Sdelphij } 1067160814Ssimon 1068296341Sdelphij s->hit = 0; 1069296341Sdelphij /* 1070296341Sdelphij * Versions before 0.9.7 always allow clients to resume sessions in 1071296341Sdelphij * renegotiation. 0.9.7 and later allow this by default, but optionally 1072296341Sdelphij * ignore resumption requests with flag 1073296341Sdelphij * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 1074296341Sdelphij * than a change to default behavior so that applications relying on this 1075296341Sdelphij * for security won't even compile against older library versions). 1076296341Sdelphij * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to 1077296341Sdelphij * request renegotiation but not a new session (s->new_session remains 1078296341Sdelphij * unset): for servers, this essentially just means that the 1079296341Sdelphij * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be ignored. 1080296341Sdelphij */ 1081296341Sdelphij if ((s->new_session 1082296341Sdelphij && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { 1083296341Sdelphij if (!ssl_get_new_session(s, 1)) 1084296341Sdelphij goto err; 1085296341Sdelphij } else { 1086296341Sdelphij i = ssl_get_prev_session(s, p, j, d + n); 1087296341Sdelphij /* 1088296341Sdelphij * Only resume if the session's version matches the negotiated 1089296341Sdelphij * version. 1090296341Sdelphij * RFC 5246 does not provide much useful advice on resumption 1091296341Sdelphij * with a different protocol version. It doesn't forbid it but 1092296341Sdelphij * the sanity of such behaviour would be questionable. 1093296341Sdelphij * In practice, clients do not accept a version mismatch and 1094296341Sdelphij * will abort the handshake with an error. 1095296341Sdelphij */ 1096296341Sdelphij if (i == 1 && s->version == s->session->ssl_version) { /* previous 1097296341Sdelphij * session */ 1098296341Sdelphij s->hit = 1; 1099296341Sdelphij } else if (i == -1) 1100296341Sdelphij goto err; 1101296341Sdelphij else { /* i == 0 */ 1102160814Ssimon 1103296341Sdelphij if (!ssl_get_new_session(s, 1)) 1104296341Sdelphij goto err; 1105296341Sdelphij } 1106296341Sdelphij } 1107205128Ssimon 1108296341Sdelphij p += j; 1109160814Ssimon 1110296341Sdelphij if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { 1111296341Sdelphij /* cookie stuff */ 1112306230Sdelphij if ((d + n) - p < 1) { 1113296341Sdelphij al = SSL_AD_DECODE_ERROR; 1114296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1115296341Sdelphij goto f_err; 1116296341Sdelphij } 1117296341Sdelphij cookie_len = *(p++); 1118160814Ssimon 1119306230Sdelphij if ((d + n ) - p < cookie_len) { 1120296341Sdelphij al = SSL_AD_DECODE_ERROR; 1121296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1122296341Sdelphij goto f_err; 1123296341Sdelphij } 112455714Skris 1125296341Sdelphij /* 1126296341Sdelphij * The ClientHello may contain a cookie even if the 1127296341Sdelphij * HelloVerify message has not been sent--make sure that it 1128296341Sdelphij * does not cause an overflow. 1129296341Sdelphij */ 1130296341Sdelphij if (cookie_len > sizeof(s->d1->rcvd_cookie)) { 1131296341Sdelphij /* too much data */ 1132296341Sdelphij al = SSL_AD_DECODE_ERROR; 1133296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1134296341Sdelphij goto f_err; 1135296341Sdelphij } 113655714Skris 1137296341Sdelphij /* verify the cookie if appropriate option is set. */ 1138296341Sdelphij if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && cookie_len > 0) { 1139296341Sdelphij memcpy(s->d1->rcvd_cookie, p, cookie_len); 1140296341Sdelphij 1141296341Sdelphij if (s->ctx->app_verify_cookie_cb != NULL) { 1142296341Sdelphij if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1143296341Sdelphij cookie_len) == 0) { 1144296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1145296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1146296341Sdelphij SSL_R_COOKIE_MISMATCH); 1147296341Sdelphij goto f_err; 1148296341Sdelphij } 1149296341Sdelphij /* else cookie verification succeeded */ 1150296341Sdelphij } 1151296341Sdelphij /* default verification */ 1152296341Sdelphij else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie, 1153296341Sdelphij s->d1->cookie_len) != 0) { 1154296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1155296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1156296341Sdelphij goto f_err; 1157296341Sdelphij } 1158296341Sdelphij 1159296341Sdelphij ret = 2; 1160296341Sdelphij } 1161296341Sdelphij 1162296341Sdelphij p += cookie_len; 1163296341Sdelphij } 1164296341Sdelphij 1165306230Sdelphij if ((d + n ) - p < 2) { 1166296341Sdelphij al = SSL_AD_DECODE_ERROR; 1167296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); 1168296341Sdelphij goto f_err; 1169296341Sdelphij } 1170296341Sdelphij n2s(p, i); 1171296341Sdelphij 1172296341Sdelphij if (i == 0) { 1173296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 1174296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); 1175296341Sdelphij goto f_err; 1176296341Sdelphij } 1177296341Sdelphij 1178296341Sdelphij /* i bytes of cipher data + 1 byte for compression length later */ 1179306230Sdelphij if ((d + n) - p < i + 1) { 1180296341Sdelphij /* not enough data */ 1181296341Sdelphij al = SSL_AD_DECODE_ERROR; 1182296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1183296341Sdelphij goto f_err; 1184296341Sdelphij } 1185296341Sdelphij if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) { 1186296341Sdelphij goto err; 1187296341Sdelphij } 1188296341Sdelphij p += i; 1189296341Sdelphij 1190296341Sdelphij /* If it is a hit, check that the cipher is in the list */ 1191296341Sdelphij if (s->hit) { 1192296341Sdelphij j = 0; 1193296341Sdelphij id = s->session->cipher->id; 1194296341Sdelphij 119555714Skris#ifdef CIPHER_DEBUG 1196296341Sdelphij fprintf(stderr, "client sent %d ciphers\n", 1197296341Sdelphij sk_SSL_CIPHER_num(ciphers)); 119855714Skris#endif 1199296341Sdelphij for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 1200296341Sdelphij c = sk_SSL_CIPHER_value(ciphers, i); 120155714Skris#ifdef CIPHER_DEBUG 1202296341Sdelphij fprintf(stderr, "client [%2d of %2d]:%s\n", 1203296341Sdelphij i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); 120455714Skris#endif 1205296341Sdelphij if (c->id == id) { 1206296341Sdelphij j = 1; 1207296341Sdelphij break; 1208296341Sdelphij } 1209296341Sdelphij } 1210296341Sdelphij /* 1211296341Sdelphij * Disabled because it can be used in a ciphersuite downgrade attack: 1212296341Sdelphij * CVE-2010-4180. 1213296341Sdelphij */ 1214216166Ssimon#if 0 1215296341Sdelphij if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) 1216296341Sdelphij && (sk_SSL_CIPHER_num(ciphers) == 1)) { 1217296341Sdelphij /* 1218296341Sdelphij * Special case as client bug workaround: the previously used 1219296341Sdelphij * cipher may not be in the current list, the client instead 1220296341Sdelphij * might be trying to continue using a cipher that before wasn't 1221296341Sdelphij * chosen due to server preferences. We'll have to reject the 1222296341Sdelphij * connection if the cipher is not enabled, though. 1223296341Sdelphij */ 1224296341Sdelphij c = sk_SSL_CIPHER_value(ciphers, 0); 1225296341Sdelphij if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { 1226296341Sdelphij s->session->cipher = c; 1227296341Sdelphij j = 1; 1228296341Sdelphij } 1229296341Sdelphij } 1230216166Ssimon#endif 1231296341Sdelphij if (j == 0) { 1232296341Sdelphij /* 1233296341Sdelphij * we need to have the cipher in the cipher list if we are asked 1234296341Sdelphij * to reuse it 1235296341Sdelphij */ 1236296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 1237296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1238296341Sdelphij SSL_R_REQUIRED_CIPHER_MISSING); 1239296341Sdelphij goto f_err; 1240296341Sdelphij } 1241296341Sdelphij } 124255714Skris 1243296341Sdelphij /* compression */ 1244296341Sdelphij i = *(p++); 1245306230Sdelphij if ((d + n) - p < i) { 1246296341Sdelphij /* not enough data */ 1247296341Sdelphij al = SSL_AD_DECODE_ERROR; 1248296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1249296341Sdelphij goto f_err; 1250296341Sdelphij } 1251296341Sdelphij q = p; 1252296341Sdelphij for (j = 0; j < i; j++) { 1253296341Sdelphij if (p[j] == 0) 1254296341Sdelphij break; 1255296341Sdelphij } 125655714Skris 1257296341Sdelphij p += i; 1258296341Sdelphij if (j >= i) { 1259296341Sdelphij /* no compress */ 1260296341Sdelphij al = SSL_AD_DECODE_ERROR; 1261296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); 1262296341Sdelphij goto f_err; 1263296341Sdelphij } 1264194206Ssimon#ifndef OPENSSL_NO_TLSEXT 1265296341Sdelphij /* TLS extensions */ 1266296341Sdelphij if (s->version >= SSL3_VERSION) { 1267306230Sdelphij if (!ssl_parse_clienthello_tlsext(s, &p, d + n, &al)) { 1268296341Sdelphij /* 'al' set by ssl_parse_clienthello_tlsext */ 1269296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); 1270296341Sdelphij goto f_err; 1271296341Sdelphij } 1272296341Sdelphij } 1273296341Sdelphij if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1274296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1275296341Sdelphij goto err; 1276296341Sdelphij } 1277238405Sjkim 1278296341Sdelphij /* 1279296341Sdelphij * Check if we want to use external pre-shared secret for this handshake 1280296341Sdelphij * for not reused session only. We need to generate server_random before 1281296341Sdelphij * calling tls_session_secret_cb in order to allow SessionTicket 1282296341Sdelphij * processing to use it in key derivation. 1283296341Sdelphij */ 1284296341Sdelphij { 1285296341Sdelphij unsigned char *pos; 1286296341Sdelphij pos = s->s3->server_random; 1287296341Sdelphij if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { 1288296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1289296341Sdelphij goto f_err; 1290296341Sdelphij } 1291296341Sdelphij } 1292238405Sjkim 1293296341Sdelphij if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { 1294296341Sdelphij SSL_CIPHER *pref_cipher = NULL; 1295238405Sjkim 1296296341Sdelphij s->session->master_key_length = sizeof(s->session->master_key); 1297296341Sdelphij if (s->tls_session_secret_cb(s, s->session->master_key, 1298296341Sdelphij &s->session->master_key_length, ciphers, 1299296341Sdelphij &pref_cipher, 1300296341Sdelphij s->tls_session_secret_cb_arg)) { 1301296341Sdelphij s->hit = 1; 1302296341Sdelphij s->session->ciphers = ciphers; 1303296341Sdelphij s->session->verify_result = X509_V_OK; 1304238405Sjkim 1305296341Sdelphij ciphers = NULL; 1306238405Sjkim 1307296341Sdelphij /* check if some cipher was preferred by call back */ 1308296341Sdelphij pref_cipher = 1309296341Sdelphij pref_cipher ? pref_cipher : ssl3_choose_cipher(s, 1310296341Sdelphij s-> 1311296341Sdelphij session->ciphers, 1312296341Sdelphij SSL_get_ciphers 1313296341Sdelphij (s)); 1314296341Sdelphij if (pref_cipher == NULL) { 1315296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1316296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1317296341Sdelphij goto f_err; 1318296341Sdelphij } 1319238405Sjkim 1320296341Sdelphij s->session->cipher = pref_cipher; 1321238405Sjkim 1322296341Sdelphij if (s->cipher_list) 1323296341Sdelphij sk_SSL_CIPHER_free(s->cipher_list); 1324238405Sjkim 1325296341Sdelphij if (s->cipher_list_by_id) 1326296341Sdelphij sk_SSL_CIPHER_free(s->cipher_list_by_id); 1327238405Sjkim 1328296341Sdelphij s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1329296341Sdelphij s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1330296341Sdelphij } 1331296341Sdelphij } 1332194206Ssimon#endif 1333238405Sjkim 1334296341Sdelphij /* 1335296341Sdelphij * Worst case, we will use the NULL compression, but if we have other 1336296341Sdelphij * options, we will now look for them. We have i-1 compression 1337296341Sdelphij * algorithms from the client, starting at q. 1338296341Sdelphij */ 1339296341Sdelphij s->s3->tmp.new_compression = NULL; 1340160814Ssimon#ifndef OPENSSL_NO_COMP 1341296341Sdelphij /* This only happens if we have a cache hit */ 1342296341Sdelphij if (s->session->compress_meth != 0) { 1343296341Sdelphij int m, comp_id = s->session->compress_meth; 1344296341Sdelphij /* Perform sanity checks on resumed compression algorithm */ 1345296341Sdelphij /* Can't disable compression */ 1346296341Sdelphij if (s->options & SSL_OP_NO_COMPRESSION) { 1347296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1348296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1349296341Sdelphij SSL_R_INCONSISTENT_COMPRESSION); 1350296341Sdelphij goto f_err; 1351296341Sdelphij } 1352296341Sdelphij /* Look for resumed compression method */ 1353296341Sdelphij for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { 1354296341Sdelphij comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); 1355296341Sdelphij if (comp_id == comp->id) { 1356296341Sdelphij s->s3->tmp.new_compression = comp; 1357296341Sdelphij break; 1358296341Sdelphij } 1359296341Sdelphij } 1360296341Sdelphij if (s->s3->tmp.new_compression == NULL) { 1361296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1362296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1363296341Sdelphij SSL_R_INVALID_COMPRESSION_ALGORITHM); 1364296341Sdelphij goto f_err; 1365296341Sdelphij } 1366296341Sdelphij /* Look for resumed method in compression list */ 1367296341Sdelphij for (m = 0; m < i; m++) { 1368296341Sdelphij if (q[m] == comp_id) 1369296341Sdelphij break; 1370296341Sdelphij } 1371296341Sdelphij if (m >= i) { 1372296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 1373296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1374296341Sdelphij SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); 1375296341Sdelphij goto f_err; 1376296341Sdelphij } 1377296341Sdelphij } else if (s->hit) 1378296341Sdelphij comp = NULL; 1379296341Sdelphij else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) { 1380296341Sdelphij /* See if we have a match */ 1381296341Sdelphij int m, nn, o, v, done = 0; 138255714Skris 1383296341Sdelphij nn = sk_SSL_COMP_num(s->ctx->comp_methods); 1384296341Sdelphij for (m = 0; m < nn; m++) { 1385296341Sdelphij comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); 1386296341Sdelphij v = comp->id; 1387296341Sdelphij for (o = 0; o < i; o++) { 1388296341Sdelphij if (v == q[o]) { 1389296341Sdelphij done = 1; 1390296341Sdelphij break; 1391296341Sdelphij } 1392296341Sdelphij } 1393296341Sdelphij if (done) 1394296341Sdelphij break; 1395296341Sdelphij } 1396296341Sdelphij if (done) 1397296341Sdelphij s->s3->tmp.new_compression = comp; 1398296341Sdelphij else 1399296341Sdelphij comp = NULL; 1400296341Sdelphij } 1401238405Sjkim#else 1402296341Sdelphij /* 1403296341Sdelphij * If compression is disabled we'd better not try to resume a session 1404296341Sdelphij * using compression. 1405296341Sdelphij */ 1406296341Sdelphij if (s->session->compress_meth != 0) { 1407296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1408296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 1409296341Sdelphij goto f_err; 1410296341Sdelphij } 1411120631Snectar#endif 141255714Skris 1413296341Sdelphij /* 1414296341Sdelphij * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher 1415296341Sdelphij */ 141655714Skris 1417296341Sdelphij if (!s->hit) { 1418160814Ssimon#ifdef OPENSSL_NO_COMP 1419296341Sdelphij s->session->compress_meth = 0; 1420160814Ssimon#else 1421296341Sdelphij s->session->compress_meth = (comp == NULL) ? 0 : comp->id; 1422160814Ssimon#endif 1423296341Sdelphij if (s->session->ciphers != NULL) 1424296341Sdelphij sk_SSL_CIPHER_free(s->session->ciphers); 1425296341Sdelphij s->session->ciphers = ciphers; 1426296341Sdelphij if (ciphers == NULL) { 1427296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1428296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 1429296341Sdelphij goto f_err; 1430296341Sdelphij } 1431296341Sdelphij ciphers = NULL; 1432296341Sdelphij c = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 143355714Skris 1434296341Sdelphij if (c == NULL) { 1435296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1436296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1437296341Sdelphij goto f_err; 1438296341Sdelphij } 1439296341Sdelphij s->s3->tmp.new_cipher = c; 1440296341Sdelphij } else { 1441296341Sdelphij /* Session-id reuse */ 144255714Skris#ifdef REUSE_CIPHER_BUG 1443296341Sdelphij STACK_OF(SSL_CIPHER) *sk; 1444296341Sdelphij SSL_CIPHER *nc = NULL; 1445296341Sdelphij SSL_CIPHER *ec = NULL; 144655714Skris 1447296341Sdelphij if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) { 1448296341Sdelphij sk = s->session->ciphers; 1449296341Sdelphij for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { 1450296341Sdelphij c = sk_SSL_CIPHER_value(sk, i); 1451296341Sdelphij if (c->algorithm_enc & SSL_eNULL) 1452296341Sdelphij nc = c; 1453296341Sdelphij if (SSL_C_IS_EXPORT(c)) 1454296341Sdelphij ec = c; 1455296341Sdelphij } 1456296341Sdelphij if (nc != NULL) 1457296341Sdelphij s->s3->tmp.new_cipher = nc; 1458296341Sdelphij else if (ec != NULL) 1459296341Sdelphij s->s3->tmp.new_cipher = ec; 1460296341Sdelphij else 1461296341Sdelphij s->s3->tmp.new_cipher = s->session->cipher; 1462296341Sdelphij } else 146355714Skris#endif 1464296341Sdelphij s->s3->tmp.new_cipher = s->session->cipher; 1465296341Sdelphij } 1466238405Sjkim 1467296341Sdelphij if (TLS1_get_version(s) < TLS1_2_VERSION 1468296341Sdelphij || !(s->verify_mode & SSL_VERIFY_PEER)) { 1469296341Sdelphij if (!ssl3_digest_cached_records(s)) { 1470296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 1471296341Sdelphij goto f_err; 1472296341Sdelphij } 1473296341Sdelphij } 147455714Skris 1475296341Sdelphij /*- 1476296341Sdelphij * we now have the following setup. 1477296341Sdelphij * client_random 1478296341Sdelphij * cipher_list - our prefered list of ciphers 1479296341Sdelphij * ciphers - the clients prefered list of ciphers 1480296341Sdelphij * compression - basically ignored right now 1481296341Sdelphij * ssl version is set - sslv3 1482296341Sdelphij * s->session - The ssl session has been setup. 1483296341Sdelphij * s->hit - session reuse flag 1484296341Sdelphij * s->tmp.new_cipher - the new cipher to use. 1485296341Sdelphij */ 1486246772Sjkim 1487296341Sdelphij /* Handles TLS extensions that we couldn't check earlier */ 1488296341Sdelphij if (s->version >= SSL3_VERSION) { 1489296341Sdelphij if (ssl_check_clienthello_tlsext_late(s) <= 0) { 1490296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1491296341Sdelphij goto err; 1492296341Sdelphij } 1493296341Sdelphij } 149455714Skris 1495296341Sdelphij if (ret < 0) 1496296341Sdelphij ret = 1; 1497296341Sdelphij if (0) { 1498296341Sdelphij f_err: 1499296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 1500296341Sdelphij err: 1501296341Sdelphij s->state = SSL_ST_ERR; 1502296341Sdelphij } 1503296341Sdelphij 1504296341Sdelphij if (ciphers != NULL) 1505296341Sdelphij sk_SSL_CIPHER_free(ciphers); 1506296341Sdelphij return (ret); 1507296341Sdelphij} 1508296341Sdelphij 1509160814Ssimonint ssl3_send_server_hello(SSL *s) 1510296341Sdelphij{ 1511296341Sdelphij unsigned char *buf; 1512296341Sdelphij unsigned char *p, *d; 1513296341Sdelphij int i, sl; 1514296341Sdelphij unsigned long l; 151555714Skris 1516296341Sdelphij if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { 1517296341Sdelphij buf = (unsigned char *)s->init_buf->data; 1518238405Sjkim#ifdef OPENSSL_NO_TLSEXT 1519296341Sdelphij p = s->s3->server_random; 1520296341Sdelphij if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) { 1521296341Sdelphij s->state = SSL_ST_ERR; 1522296341Sdelphij return -1; 1523296341Sdelphij } 1524238405Sjkim#endif 1525296341Sdelphij /* Do the message type and length last */ 1526296341Sdelphij d = p = &(buf[4]); 152755714Skris 1528296341Sdelphij *(p++) = s->version >> 8; 1529296341Sdelphij *(p++) = s->version & 0xff; 153055714Skris 1531296341Sdelphij /* Random stuff */ 1532296341Sdelphij memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); 1533296341Sdelphij p += SSL3_RANDOM_SIZE; 153455714Skris 1535296341Sdelphij /*- 1536296341Sdelphij * There are several cases for the session ID to send 1537296341Sdelphij * back in the server hello: 1538296341Sdelphij * - For session reuse from the session cache, 1539296341Sdelphij * we send back the old session ID. 1540296341Sdelphij * - If stateless session reuse (using a session ticket) 1541296341Sdelphij * is successful, we send back the client's "session ID" 1542296341Sdelphij * (which doesn't actually identify the session). 1543296341Sdelphij * - If it is a new session, we send back the new 1544296341Sdelphij * session ID. 1545296341Sdelphij * - However, if we want the new session to be single-use, 1546296341Sdelphij * we send back a 0-length session ID. 1547296341Sdelphij * s->hit is non-zero in either case of session reuse, 1548296341Sdelphij * so the following won't overwrite an ID that we're supposed 1549296341Sdelphij * to send back. 1550296341Sdelphij */ 1551296341Sdelphij if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1552296341Sdelphij && !s->hit) 1553296341Sdelphij s->session->session_id_length = 0; 155455714Skris 1555296341Sdelphij sl = s->session->session_id_length; 1556296341Sdelphij if (sl > (int)sizeof(s->session->session_id)) { 1557296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1558296341Sdelphij s->state = SSL_ST_ERR; 1559296341Sdelphij return -1; 1560296341Sdelphij } 1561296341Sdelphij *(p++) = sl; 1562296341Sdelphij memcpy(p, s->session->session_id, sl); 1563296341Sdelphij p += sl; 156455714Skris 1565296341Sdelphij /* put the cipher */ 1566296341Sdelphij i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p); 1567296341Sdelphij p += i; 156855714Skris 1569296341Sdelphij /* put the compression method */ 1570160814Ssimon#ifdef OPENSSL_NO_COMP 1571296341Sdelphij *(p++) = 0; 1572160814Ssimon#else 1573296341Sdelphij if (s->s3->tmp.new_compression == NULL) 1574296341Sdelphij *(p++) = 0; 1575296341Sdelphij else 1576296341Sdelphij *(p++) = s->s3->tmp.new_compression->id; 1577160814Ssimon#endif 1578194206Ssimon#ifndef OPENSSL_NO_TLSEXT 1579296341Sdelphij if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1580296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); 1581296341Sdelphij s->state = SSL_ST_ERR; 1582296341Sdelphij return -1; 1583296341Sdelphij } 1584296341Sdelphij if ((p = 1585296341Sdelphij ssl_add_serverhello_tlsext(s, p, 1586296341Sdelphij buf + SSL3_RT_MAX_PLAIN_LENGTH)) == 1587296341Sdelphij NULL) { 1588296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1589296341Sdelphij s->state = SSL_ST_ERR; 1590296341Sdelphij return -1; 1591296341Sdelphij } 1592194206Ssimon#endif 1593296341Sdelphij /* do the header */ 1594296341Sdelphij l = (p - d); 1595296341Sdelphij d = buf; 1596296341Sdelphij *(d++) = SSL3_MT_SERVER_HELLO; 1597296341Sdelphij l2n3(l, d); 159855714Skris 1599296341Sdelphij s->state = SSL3_ST_SW_SRVR_HELLO_B; 1600296341Sdelphij /* number of bytes to write */ 1601296341Sdelphij s->init_num = p - buf; 1602296341Sdelphij s->init_off = 0; 1603296341Sdelphij } 160455714Skris 1605296341Sdelphij /* SSL3_ST_SW_SRVR_HELLO_B */ 1606296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 1607296341Sdelphij} 160855714Skris 1609160814Ssimonint ssl3_send_server_done(SSL *s) 1610296341Sdelphij{ 1611296341Sdelphij unsigned char *p; 161255714Skris 1613296341Sdelphij if (s->state == SSL3_ST_SW_SRVR_DONE_A) { 1614296341Sdelphij p = (unsigned char *)s->init_buf->data; 161555714Skris 1616296341Sdelphij /* do the header */ 1617296341Sdelphij *(p++) = SSL3_MT_SERVER_DONE; 1618296341Sdelphij *(p++) = 0; 1619296341Sdelphij *(p++) = 0; 1620296341Sdelphij *(p++) = 0; 162155714Skris 1622296341Sdelphij s->state = SSL3_ST_SW_SRVR_DONE_B; 1623296341Sdelphij /* number of bytes to write */ 1624296341Sdelphij s->init_num = 4; 1625296341Sdelphij s->init_off = 0; 1626296341Sdelphij } 162755714Skris 1628296341Sdelphij /* SSL3_ST_SW_SRVR_DONE_B */ 1629296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 1630296341Sdelphij} 163155714Skris 1632160814Ssimonint ssl3_send_server_key_exchange(SSL *s) 1633296341Sdelphij{ 1634109998Smarkm#ifndef OPENSSL_NO_RSA 1635296341Sdelphij unsigned char *q; 1636296341Sdelphij int j, num; 1637296341Sdelphij RSA *rsa; 1638296341Sdelphij unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1639296341Sdelphij unsigned int u; 164055714Skris#endif 1641109998Smarkm#ifndef OPENSSL_NO_DH 1642296341Sdelphij DH *dh = NULL, *dhp; 164355714Skris#endif 1644160814Ssimon#ifndef OPENSSL_NO_ECDH 1645296341Sdelphij EC_KEY *ecdh = NULL, *ecdhp; 1646296341Sdelphij unsigned char *encodedPoint = NULL; 1647296341Sdelphij int encodedlen = 0; 1648296341Sdelphij int curve_id = 0; 1649296341Sdelphij BN_CTX *bn_ctx = NULL; 1650160814Ssimon#endif 1651296341Sdelphij EVP_PKEY *pkey; 1652296341Sdelphij const EVP_MD *md = NULL; 1653296341Sdelphij unsigned char *p, *d; 1654296341Sdelphij int al, i; 1655296341Sdelphij unsigned long type; 1656296341Sdelphij int n; 1657296341Sdelphij CERT *cert; 1658296341Sdelphij BIGNUM *r[4]; 1659296341Sdelphij int nr[4], kn; 1660296341Sdelphij BUF_MEM *buf; 1661296341Sdelphij EVP_MD_CTX md_ctx; 166255714Skris 1663296341Sdelphij EVP_MD_CTX_init(&md_ctx); 1664296341Sdelphij if (s->state == SSL3_ST_SW_KEY_EXCH_A) { 1665296341Sdelphij type = s->s3->tmp.new_cipher->algorithm_mkey; 1666296341Sdelphij cert = s->cert; 166755714Skris 1668296341Sdelphij buf = s->init_buf; 166955714Skris 1670296341Sdelphij r[0] = r[1] = r[2] = r[3] = NULL; 1671296341Sdelphij n = 0; 1672109998Smarkm#ifndef OPENSSL_NO_RSA 1673296341Sdelphij if (type & SSL_kRSA) { 1674296341Sdelphij rsa = cert->rsa_tmp; 1675296341Sdelphij if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1676296341Sdelphij rsa = s->cert->rsa_tmp_cb(s, 1677296341Sdelphij SSL_C_IS_EXPORT(s->s3-> 1678296341Sdelphij tmp.new_cipher), 1679296341Sdelphij SSL_C_EXPORT_PKEYLENGTH(s->s3-> 1680296341Sdelphij tmp.new_cipher)); 1681296341Sdelphij if (rsa == NULL) { 1682296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1683296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1684296341Sdelphij SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1685296341Sdelphij goto f_err; 1686296341Sdelphij } 1687296341Sdelphij RSA_up_ref(rsa); 1688296341Sdelphij cert->rsa_tmp = rsa; 1689296341Sdelphij } 1690296341Sdelphij if (rsa == NULL) { 1691296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1692296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1693296341Sdelphij SSL_R_MISSING_TMP_RSA_KEY); 1694296341Sdelphij goto f_err; 1695296341Sdelphij } 1696296341Sdelphij r[0] = rsa->n; 1697296341Sdelphij r[1] = rsa->e; 1698296341Sdelphij s->s3->tmp.use_rsa_tmp = 1; 1699296341Sdelphij } else 170055714Skris#endif 1701109998Smarkm#ifndef OPENSSL_NO_DH 1702296341Sdelphij if (type & SSL_kEDH) { 1703296341Sdelphij dhp = cert->dh_tmp; 1704296341Sdelphij if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1705296341Sdelphij dhp = s->cert->dh_tmp_cb(s, 1706296341Sdelphij SSL_C_IS_EXPORT(s->s3-> 1707296341Sdelphij tmp.new_cipher), 1708296341Sdelphij SSL_C_EXPORT_PKEYLENGTH(s->s3-> 1709296341Sdelphij tmp.new_cipher)); 1710296341Sdelphij if (dhp == NULL) { 1711296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1712296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1713296341Sdelphij SSL_R_MISSING_TMP_DH_KEY); 1714296341Sdelphij goto f_err; 1715296341Sdelphij } 171659191Skris 1717296341Sdelphij if (s->s3->tmp.dh != NULL) { 1718296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1719296341Sdelphij ERR_R_INTERNAL_ERROR); 1720296341Sdelphij goto err; 1721296341Sdelphij } 172259191Skris 1723296341Sdelphij if ((dh = DHparams_dup(dhp)) == NULL) { 1724296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1725296341Sdelphij goto err; 1726296341Sdelphij } 172755714Skris 1728296341Sdelphij s->s3->tmp.dh = dh; 1729296341Sdelphij if ((dhp->pub_key == NULL || 1730296341Sdelphij dhp->priv_key == NULL || 1731296341Sdelphij (s->options & SSL_OP_SINGLE_DH_USE))) { 1732296341Sdelphij if (!DH_generate_key(dh)) { 1733296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1734296341Sdelphij goto err; 1735296341Sdelphij } 1736296341Sdelphij } else { 1737296341Sdelphij dh->pub_key = BN_dup(dhp->pub_key); 1738296341Sdelphij dh->priv_key = BN_dup(dhp->priv_key); 1739296341Sdelphij if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) { 1740296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1741296341Sdelphij goto err; 1742296341Sdelphij } 1743296341Sdelphij } 1744296341Sdelphij r[0] = dh->p; 1745296341Sdelphij r[1] = dh->g; 1746296341Sdelphij r[2] = dh->pub_key; 1747296341Sdelphij } else 174855714Skris#endif 1749160814Ssimon#ifndef OPENSSL_NO_ECDH 1750296341Sdelphij if (type & SSL_kEECDH) { 1751296341Sdelphij const EC_GROUP *group; 1752160814Ssimon 1753296341Sdelphij ecdhp = cert->ecdh_tmp; 1754296341Sdelphij if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) { 1755296341Sdelphij ecdhp = s->cert->ecdh_tmp_cb(s, 1756296341Sdelphij SSL_C_IS_EXPORT(s->s3-> 1757296341Sdelphij tmp.new_cipher), 1758296341Sdelphij SSL_C_EXPORT_PKEYLENGTH(s-> 1759296341Sdelphij s3->tmp.new_cipher)); 1760296341Sdelphij } 1761296341Sdelphij if (ecdhp == NULL) { 1762296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1763296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1764296341Sdelphij SSL_R_MISSING_TMP_ECDH_KEY); 1765296341Sdelphij goto f_err; 1766296341Sdelphij } 1767160814Ssimon 1768296341Sdelphij if (s->s3->tmp.ecdh != NULL) { 1769296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1770296341Sdelphij ERR_R_INTERNAL_ERROR); 1771296341Sdelphij goto err; 1772296341Sdelphij } 1773160814Ssimon 1774296341Sdelphij /* Duplicate the ECDH structure. */ 1775296341Sdelphij if (ecdhp == NULL) { 1776296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1777296341Sdelphij goto err; 1778296341Sdelphij } 1779296341Sdelphij if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { 1780296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1781296341Sdelphij goto err; 1782296341Sdelphij } 1783160814Ssimon 1784296341Sdelphij s->s3->tmp.ecdh = ecdh; 1785296341Sdelphij if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1786296341Sdelphij (EC_KEY_get0_private_key(ecdh) == NULL) || 1787296341Sdelphij (s->options & SSL_OP_SINGLE_ECDH_USE)) { 1788296341Sdelphij if (!EC_KEY_generate_key(ecdh)) { 1789296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1790296341Sdelphij ERR_R_ECDH_LIB); 1791296341Sdelphij goto err; 1792296341Sdelphij } 1793296341Sdelphij } 1794160814Ssimon 1795296341Sdelphij if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1796296341Sdelphij (EC_KEY_get0_public_key(ecdh) == NULL) || 1797296341Sdelphij (EC_KEY_get0_private_key(ecdh) == NULL)) { 1798296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1799296341Sdelphij goto err; 1800296341Sdelphij } 1801160814Ssimon 1802296341Sdelphij if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1803296341Sdelphij (EC_GROUP_get_degree(group) > 163)) { 1804296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1805296341Sdelphij SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1806296341Sdelphij goto err; 1807296341Sdelphij } 1808160814Ssimon 1809296341Sdelphij /* 1810296341Sdelphij * XXX: For now, we only support ephemeral ECDH keys over named 1811296341Sdelphij * (not generic) curves. For supported named curves, curve_id is 1812296341Sdelphij * non-zero. 1813296341Sdelphij */ 1814296341Sdelphij if ((curve_id = 1815296341Sdelphij tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1816296341Sdelphij == 0) { 1817296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1818296341Sdelphij SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1819296341Sdelphij goto err; 1820296341Sdelphij } 1821160814Ssimon 1822296341Sdelphij /* 1823296341Sdelphij * Encode the public key. First check the size of encoding and 1824296341Sdelphij * allocate memory accordingly. 1825296341Sdelphij */ 1826296341Sdelphij encodedlen = EC_POINT_point2oct(group, 1827296341Sdelphij EC_KEY_get0_public_key(ecdh), 1828296341Sdelphij POINT_CONVERSION_UNCOMPRESSED, 1829296341Sdelphij NULL, 0, NULL); 1830160814Ssimon 1831296341Sdelphij encodedPoint = (unsigned char *) 1832296341Sdelphij OPENSSL_malloc(encodedlen * sizeof(unsigned char)); 1833296341Sdelphij bn_ctx = BN_CTX_new(); 1834296341Sdelphij if ((encodedPoint == NULL) || (bn_ctx == NULL)) { 1835296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1836296341Sdelphij ERR_R_MALLOC_FAILURE); 1837296341Sdelphij goto err; 1838296341Sdelphij } 1839160814Ssimon 1840296341Sdelphij encodedlen = EC_POINT_point2oct(group, 1841296341Sdelphij EC_KEY_get0_public_key(ecdh), 1842296341Sdelphij POINT_CONVERSION_UNCOMPRESSED, 1843296341Sdelphij encodedPoint, encodedlen, bn_ctx); 1844160814Ssimon 1845296341Sdelphij if (encodedlen == 0) { 1846296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1847296341Sdelphij goto err; 1848296341Sdelphij } 1849160814Ssimon 1850296341Sdelphij BN_CTX_free(bn_ctx); 1851296341Sdelphij bn_ctx = NULL; 1852160814Ssimon 1853296341Sdelphij /* 1854296341Sdelphij * XXX: For now, we only support named (not generic) curves in 1855296341Sdelphij * ECDH ephemeral key exchanges. In this situation, we need four 1856296341Sdelphij * additional bytes to encode the entire ServerECDHParams 1857296341Sdelphij * structure. 1858296341Sdelphij */ 1859296341Sdelphij n = 4 + encodedlen; 1860160814Ssimon 1861296341Sdelphij /* 1862296341Sdelphij * We'll generate the serverKeyExchange message explicitly so we 1863296341Sdelphij * can set these to NULLs 1864296341Sdelphij */ 1865296341Sdelphij r[0] = NULL; 1866296341Sdelphij r[1] = NULL; 1867296341Sdelphij r[2] = NULL; 1868296341Sdelphij r[3] = NULL; 1869296341Sdelphij } else 1870296341Sdelphij#endif /* !OPENSSL_NO_ECDH */ 1871238405Sjkim#ifndef OPENSSL_NO_PSK 1872296341Sdelphij if (type & SSL_kPSK) { 1873296341Sdelphij /* 1874296341Sdelphij * reserve size for record length and PSK identity hint 1875296341Sdelphij */ 1876296341Sdelphij n += 2 + strlen(s->ctx->psk_identity_hint); 1877296341Sdelphij } else 1878296341Sdelphij#endif /* !OPENSSL_NO_PSK */ 1879238405Sjkim#ifndef OPENSSL_NO_SRP 1880296341Sdelphij if (type & SSL_kSRP) { 1881296341Sdelphij if ((s->srp_ctx.N == NULL) || 1882296341Sdelphij (s->srp_ctx.g == NULL) || 1883296341Sdelphij (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { 1884296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1885296341Sdelphij SSL_R_MISSING_SRP_PARAM); 1886296341Sdelphij goto err; 1887296341Sdelphij } 1888296341Sdelphij r[0] = s->srp_ctx.N; 1889296341Sdelphij r[1] = s->srp_ctx.g; 1890296341Sdelphij r[2] = s->srp_ctx.s; 1891296341Sdelphij r[3] = s->srp_ctx.B; 1892296341Sdelphij } else 1893238405Sjkim#endif 1894296341Sdelphij { 1895296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 1896296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1897296341Sdelphij SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1898296341Sdelphij goto f_err; 1899296341Sdelphij } 1900296341Sdelphij for (i = 0; i < 4 && r[i] != NULL; i++) { 1901296341Sdelphij nr[i] = BN_num_bytes(r[i]); 1902238405Sjkim#ifndef OPENSSL_NO_SRP 1903296341Sdelphij if ((i == 2) && (type & SSL_kSRP)) 1904296341Sdelphij n += 1 + nr[i]; 1905296341Sdelphij else 1906238405Sjkim#endif 1907296341Sdelphij n += 2 + nr[i]; 1908296341Sdelphij } 190955714Skris 1910296341Sdelphij if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 1911296341Sdelphij && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 1912296341Sdelphij if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md)) 1913296341Sdelphij == NULL) { 1914296341Sdelphij al = SSL_AD_DECODE_ERROR; 1915296341Sdelphij goto f_err; 1916296341Sdelphij } 1917296341Sdelphij kn = EVP_PKEY_size(pkey); 1918296341Sdelphij } else { 1919296341Sdelphij pkey = NULL; 1920296341Sdelphij kn = 0; 1921296341Sdelphij } 192255714Skris 1923296341Sdelphij if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) { 1924296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); 1925296341Sdelphij goto err; 1926296341Sdelphij } 1927296341Sdelphij d = (unsigned char *)s->init_buf->data; 1928296341Sdelphij p = &(d[4]); 192955714Skris 1930296341Sdelphij for (i = 0; i < 4 && r[i] != NULL; i++) { 1931238405Sjkim#ifndef OPENSSL_NO_SRP 1932296341Sdelphij if ((i == 2) && (type & SSL_kSRP)) { 1933296341Sdelphij *p = nr[i]; 1934296341Sdelphij p++; 1935296341Sdelphij } else 1936238405Sjkim#endif 1937296341Sdelphij s2n(nr[i], p); 1938296341Sdelphij BN_bn2bin(r[i], p); 1939296341Sdelphij p += nr[i]; 1940296341Sdelphij } 194155714Skris 1942160814Ssimon#ifndef OPENSSL_NO_ECDH 1943296341Sdelphij if (type & SSL_kEECDH) { 1944296341Sdelphij /* 1945296341Sdelphij * XXX: For now, we only support named (not generic) curves. In 1946296341Sdelphij * this situation, the serverKeyExchange message has: [1 byte 1947296341Sdelphij * CurveType], [2 byte CurveName] [1 byte length of encoded 1948296341Sdelphij * point], followed by the actual encoded point itself 1949296341Sdelphij */ 1950296341Sdelphij *p = NAMED_CURVE_TYPE; 1951296341Sdelphij p += 1; 1952296341Sdelphij *p = 0; 1953296341Sdelphij p += 1; 1954296341Sdelphij *p = curve_id; 1955296341Sdelphij p += 1; 1956296341Sdelphij *p = encodedlen; 1957296341Sdelphij p += 1; 1958296341Sdelphij memcpy((unsigned char *)p, 1959296341Sdelphij (unsigned char *)encodedPoint, encodedlen); 1960296341Sdelphij OPENSSL_free(encodedPoint); 1961296341Sdelphij encodedPoint = NULL; 1962296341Sdelphij p += encodedlen; 1963296341Sdelphij } 1964160814Ssimon#endif 1965160814Ssimon 1966238405Sjkim#ifndef OPENSSL_NO_PSK 1967296341Sdelphij if (type & SSL_kPSK) { 1968296341Sdelphij /* copy PSK identity hint */ 1969296341Sdelphij s2n(strlen(s->ctx->psk_identity_hint), p); 1970296341Sdelphij strncpy((char *)p, s->ctx->psk_identity_hint, 1971296341Sdelphij strlen(s->ctx->psk_identity_hint)); 1972296341Sdelphij p += strlen(s->ctx->psk_identity_hint); 1973296341Sdelphij } 1974238405Sjkim#endif 1975238405Sjkim 1976296341Sdelphij /* not anonymous */ 1977296341Sdelphij if (pkey != NULL) { 1978296341Sdelphij /* 1979296341Sdelphij * n is the length of the params, they start at &(d[4]) and p 1980296341Sdelphij * points to the space at the end. 1981296341Sdelphij */ 1982109998Smarkm#ifndef OPENSSL_NO_RSA 1983296341Sdelphij if (pkey->type == EVP_PKEY_RSA 1984296341Sdelphij && TLS1_get_version(s) < TLS1_2_VERSION) { 1985296341Sdelphij q = md_buf; 1986296341Sdelphij j = 0; 1987296341Sdelphij for (num = 2; num > 0; num--) { 1988296341Sdelphij EVP_MD_CTX_set_flags(&md_ctx, 1989296341Sdelphij EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1990296341Sdelphij EVP_DigestInit_ex(&md_ctx, (num == 2) 1991296341Sdelphij ? s->ctx->md5 : s->ctx->sha1, NULL); 1992296341Sdelphij EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), 1993296341Sdelphij SSL3_RANDOM_SIZE); 1994296341Sdelphij EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), 1995296341Sdelphij SSL3_RANDOM_SIZE); 1996296341Sdelphij EVP_DigestUpdate(&md_ctx, &(d[4]), n); 1997296341Sdelphij EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); 1998296341Sdelphij q += i; 1999296341Sdelphij j += i; 2000296341Sdelphij } 2001296341Sdelphij if (RSA_sign(NID_md5_sha1, md_buf, j, 2002296341Sdelphij &(p[2]), &u, pkey->pkey.rsa) <= 0) { 2003296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA); 2004296341Sdelphij goto err; 2005296341Sdelphij } 2006296341Sdelphij s2n(u, p); 2007296341Sdelphij n += u + 2; 2008296341Sdelphij } else 200955714Skris#endif 2010296341Sdelphij if (md) { 2011296341Sdelphij /* 2012296341Sdelphij * For TLS1.2 and later send signature algorithm 2013296341Sdelphij */ 2014296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION) { 2015296341Sdelphij if (!tls12_get_sigandhash(p, pkey, md)) { 2016296341Sdelphij /* Should never happen */ 2017296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 2018296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 2019296341Sdelphij ERR_R_INTERNAL_ERROR); 2020296341Sdelphij goto f_err; 2021296341Sdelphij } 2022296341Sdelphij p += 2; 2023296341Sdelphij } 2024238405Sjkim#ifdef SSL_DEBUG 2025296341Sdelphij fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); 202655714Skris#endif 2027296341Sdelphij EVP_SignInit_ex(&md_ctx, md, NULL); 2028296341Sdelphij EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), 2029296341Sdelphij SSL3_RANDOM_SIZE); 2030296341Sdelphij EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), 2031296341Sdelphij SSL3_RANDOM_SIZE); 2032296341Sdelphij EVP_SignUpdate(&md_ctx, &(d[4]), n); 2033296341Sdelphij if (!EVP_SignFinal(&md_ctx, &(p[2]), 2034296341Sdelphij (unsigned int *)&i, pkey)) { 2035296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); 2036296341Sdelphij goto err; 2037296341Sdelphij } 2038296341Sdelphij s2n(i, p); 2039296341Sdelphij n += i + 2; 2040296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION) 2041296341Sdelphij n += 2; 2042296341Sdelphij } else { 2043296341Sdelphij /* Is this error check actually needed? */ 2044296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2045296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 2046296341Sdelphij SSL_R_UNKNOWN_PKEY_TYPE); 2047296341Sdelphij goto f_err; 2048296341Sdelphij } 2049296341Sdelphij } 205055714Skris 2051296341Sdelphij *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE; 2052296341Sdelphij l2n3(n, d); 205355714Skris 2054296341Sdelphij /* 2055296341Sdelphij * we should now have things packed up, so lets send it off 2056296341Sdelphij */ 2057296341Sdelphij s->init_num = n + 4; 2058296341Sdelphij s->init_off = 0; 2059296341Sdelphij } 206055714Skris 2061296341Sdelphij s->state = SSL3_ST_SW_KEY_EXCH_B; 2062296341Sdelphij EVP_MD_CTX_cleanup(&md_ctx); 2063296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 2064296341Sdelphij f_err: 2065296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 2066296341Sdelphij err: 2067160814Ssimon#ifndef OPENSSL_NO_ECDH 2068296341Sdelphij if (encodedPoint != NULL) 2069296341Sdelphij OPENSSL_free(encodedPoint); 2070296341Sdelphij BN_CTX_free(bn_ctx); 2071160814Ssimon#endif 2072296341Sdelphij EVP_MD_CTX_cleanup(&md_ctx); 2073296341Sdelphij s->state = SSL_ST_ERR; 2074296341Sdelphij return (-1); 2075296341Sdelphij} 207655714Skris 2077160814Ssimonint ssl3_send_certificate_request(SSL *s) 2078296341Sdelphij{ 2079296341Sdelphij unsigned char *p, *d; 2080296341Sdelphij int i, j, nl, off, n; 2081296341Sdelphij STACK_OF(X509_NAME) *sk = NULL; 2082296341Sdelphij X509_NAME *name; 2083296341Sdelphij BUF_MEM *buf; 208455714Skris 2085296341Sdelphij if (s->state == SSL3_ST_SW_CERT_REQ_A) { 2086296341Sdelphij buf = s->init_buf; 208755714Skris 2088296341Sdelphij d = p = (unsigned char *)&(buf->data[4]); 208955714Skris 2090296341Sdelphij /* get the list of acceptable cert types */ 2091296341Sdelphij p++; 2092296341Sdelphij n = ssl3_get_req_cert_type(s, p); 2093296341Sdelphij d[0] = n; 2094296341Sdelphij p += n; 2095296341Sdelphij n++; 209655714Skris 2097296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION) { 2098296341Sdelphij nl = tls12_get_req_sig_algs(s, p + 2); 2099296341Sdelphij s2n(nl, p); 2100296341Sdelphij p += nl + 2; 2101296341Sdelphij n += nl + 2; 2102296341Sdelphij } 2103238405Sjkim 2104296341Sdelphij off = n; 2105296341Sdelphij p += 2; 2106296341Sdelphij n += 2; 210755714Skris 2108296341Sdelphij sk = SSL_get_client_CA_list(s); 2109296341Sdelphij nl = 0; 2110296341Sdelphij if (sk != NULL) { 2111296341Sdelphij for (i = 0; i < sk_X509_NAME_num(sk); i++) { 2112296341Sdelphij name = sk_X509_NAME_value(sk, i); 2113296341Sdelphij j = i2d_X509_NAME(name, NULL); 2114296341Sdelphij if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) { 2115296341Sdelphij SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, 2116296341Sdelphij ERR_R_BUF_LIB); 2117296341Sdelphij goto err; 2118296341Sdelphij } 2119296341Sdelphij p = (unsigned char *)&(buf->data[4 + n]); 2120296341Sdelphij if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) { 2121296341Sdelphij s2n(j, p); 2122296341Sdelphij i2d_X509_NAME(name, &p); 2123296341Sdelphij n += 2 + j; 2124296341Sdelphij nl += 2 + j; 2125296341Sdelphij } else { 2126296341Sdelphij d = p; 2127296341Sdelphij i2d_X509_NAME(name, &p); 2128296341Sdelphij j -= 2; 2129296341Sdelphij s2n(j, d); 2130296341Sdelphij j += 2; 2131296341Sdelphij n += j; 2132296341Sdelphij nl += j; 2133296341Sdelphij } 2134296341Sdelphij } 2135296341Sdelphij } 2136296341Sdelphij /* else no CA names */ 2137296341Sdelphij p = (unsigned char *)&(buf->data[4 + off]); 2138296341Sdelphij s2n(nl, p); 213955714Skris 2140296341Sdelphij d = (unsigned char *)buf->data; 2141296341Sdelphij *(d++) = SSL3_MT_CERTIFICATE_REQUEST; 2142296341Sdelphij l2n3(n, d); 214355714Skris 2144296341Sdelphij /* 2145296341Sdelphij * we should now have things packed up, so lets send it off 2146296341Sdelphij */ 214755714Skris 2148296341Sdelphij s->init_num = n + 4; 2149296341Sdelphij s->init_off = 0; 215059191Skris#ifdef NETSCAPE_HANG_BUG 2151296341Sdelphij if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) { 2152296341Sdelphij SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); 2153296341Sdelphij goto err; 2154296341Sdelphij } 2155296341Sdelphij p = (unsigned char *)s->init_buf->data + s->init_num; 215659191Skris 2157296341Sdelphij /* do the header */ 2158296341Sdelphij *(p++) = SSL3_MT_SERVER_DONE; 2159296341Sdelphij *(p++) = 0; 2160296341Sdelphij *(p++) = 0; 2161296341Sdelphij *(p++) = 0; 2162296341Sdelphij s->init_num += 4; 216359191Skris#endif 216459191Skris 2165296341Sdelphij s->state = SSL3_ST_SW_CERT_REQ_B; 2166296341Sdelphij } 216755714Skris 2168296341Sdelphij /* SSL3_ST_SW_CERT_REQ_B */ 2169296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 2170296341Sdelphij err: 2171296341Sdelphij s->state = SSL_ST_ERR; 2172296341Sdelphij return (-1); 2173296341Sdelphij} 217455714Skris 2175160814Ssimonint ssl3_get_client_key_exchange(SSL *s) 2176296341Sdelphij{ 2177296341Sdelphij int i, al, ok; 2178296341Sdelphij long n; 2179296341Sdelphij unsigned long alg_k; 2180296341Sdelphij unsigned char *p; 2181109998Smarkm#ifndef OPENSSL_NO_RSA 2182296341Sdelphij RSA *rsa = NULL; 2183296341Sdelphij EVP_PKEY *pkey = NULL; 218455714Skris#endif 2185109998Smarkm#ifndef OPENSSL_NO_DH 2186296341Sdelphij BIGNUM *pub = NULL; 2187296341Sdelphij DH *dh_srvr; 218855714Skris#endif 2189109998Smarkm#ifndef OPENSSL_NO_KRB5 2190296341Sdelphij KSSL_ERR kssl_err; 2191296341Sdelphij#endif /* OPENSSL_NO_KRB5 */ 219255714Skris 2193160814Ssimon#ifndef OPENSSL_NO_ECDH 2194296341Sdelphij EC_KEY *srvr_ecdh = NULL; 2195296341Sdelphij EVP_PKEY *clnt_pub_pkey = NULL; 2196296341Sdelphij EC_POINT *clnt_ecpoint = NULL; 2197296341Sdelphij BN_CTX *bn_ctx = NULL; 2198160814Ssimon#endif 2199160814Ssimon 2200296341Sdelphij n = s->method->ssl_get_message(s, 2201296341Sdelphij SSL3_ST_SR_KEY_EXCH_A, 2202296341Sdelphij SSL3_ST_SR_KEY_EXCH_B, 2203296341Sdelphij SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); 220455714Skris 2205296341Sdelphij if (!ok) 2206296341Sdelphij return ((int)n); 2207296341Sdelphij p = (unsigned char *)s->init_msg; 220855714Skris 2209296341Sdelphij alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 221055714Skris 2211109998Smarkm#ifndef OPENSSL_NO_RSA 2212296341Sdelphij if (alg_k & SSL_kRSA) { 2213296341Sdelphij unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 2214296341Sdelphij int decrypt_len; 2215296341Sdelphij unsigned char decrypt_good, version_good; 2216296341Sdelphij size_t j; 2217273399Sdelphij 2218296341Sdelphij /* FIX THIS UP EAY EAY EAY EAY */ 2219296341Sdelphij if (s->s3->tmp.use_rsa_tmp) { 2220296341Sdelphij if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2221296341Sdelphij rsa = s->cert->rsa_tmp; 2222296341Sdelphij /* 2223296341Sdelphij * Don't do a callback because rsa_tmp should be sent already 2224296341Sdelphij */ 2225296341Sdelphij if (rsa == NULL) { 2226296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2227296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2228296341Sdelphij SSL_R_MISSING_TMP_RSA_PKEY); 2229296341Sdelphij goto f_err; 223055714Skris 2231296341Sdelphij } 2232296341Sdelphij } else { 2233296341Sdelphij pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2234296341Sdelphij if ((pkey == NULL) || 2235296341Sdelphij (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { 2236296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2237296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2238296341Sdelphij SSL_R_MISSING_RSA_CERTIFICATE); 2239296341Sdelphij goto f_err; 2240296341Sdelphij } 2241296341Sdelphij rsa = pkey->pkey.rsa; 2242296341Sdelphij } 224355714Skris 2244296341Sdelphij /* TLS and [incidentally] DTLS{0xFEFF} */ 2245296341Sdelphij if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { 2246296341Sdelphij n2s(p, i); 2247296341Sdelphij if (n != i + 2) { 2248296341Sdelphij if (!(s->options & SSL_OP_TLS_D5_BUG)) { 2249296341Sdelphij al = SSL_AD_DECODE_ERROR; 2250296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2251296341Sdelphij SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2252296341Sdelphij goto f_err; 2253296341Sdelphij } else 2254296341Sdelphij p -= 2; 2255296341Sdelphij } else 2256296341Sdelphij n = i; 2257296341Sdelphij } 225855714Skris 2259296341Sdelphij /* 2260296341Sdelphij * Reject overly short RSA ciphertext because we want to be sure 2261296341Sdelphij * that the buffer size makes it safe to iterate over the entire 2262296341Sdelphij * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The 2263296341Sdelphij * actual expected size is larger due to RSA padding, but the 2264296341Sdelphij * bound is sufficient to be safe. 2265296341Sdelphij */ 2266296341Sdelphij if (n < SSL_MAX_MASTER_KEY_LENGTH) { 2267296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 2268296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269296341Sdelphij SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2270296341Sdelphij goto f_err; 2271296341Sdelphij } 2272279264Sdelphij 2273296341Sdelphij /* 2274296341Sdelphij * We must not leak whether a decryption failure occurs because of 2275296341Sdelphij * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 2276296341Sdelphij * section 7.4.7.1). The code follows that advice of the TLS RFC and 2277296341Sdelphij * generates a random premaster secret for the case that the decrypt 2278296341Sdelphij * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 2279296341Sdelphij */ 228055714Skris 2281296341Sdelphij /* 2282296341Sdelphij * should be RAND_bytes, but we cannot work around a failure. 2283296341Sdelphij */ 2284296341Sdelphij if (RAND_pseudo_bytes(rand_premaster_secret, 2285296341Sdelphij sizeof(rand_premaster_secret)) <= 0) 2286296341Sdelphij goto err; 2287296341Sdelphij decrypt_len = 2288296341Sdelphij RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); 2289296341Sdelphij ERR_clear_error(); 2290273399Sdelphij 2291296341Sdelphij /* 2292296341Sdelphij * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will 2293296341Sdelphij * be 0xff if so and zero otherwise. 2294296341Sdelphij */ 2295296341Sdelphij decrypt_good = 2296296341Sdelphij constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH); 2297273399Sdelphij 2298296341Sdelphij /* 2299296341Sdelphij * If the version in the decrypted pre-master secret is correct then 2300296341Sdelphij * version_good will be 0xff, otherwise it'll be zero. The 2301296341Sdelphij * Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2302296341Sdelphij * (http://eprint.iacr.org/2003/052/) exploits the version number 2303296341Sdelphij * check as a "bad version oracle". Thus version checks are done in 2304296341Sdelphij * constant time and are treated like any other decryption error. 2305296341Sdelphij */ 2306296341Sdelphij version_good = 2307296341Sdelphij constant_time_eq_8(p[0], (unsigned)(s->client_version >> 8)); 2308296341Sdelphij version_good &= 2309296341Sdelphij constant_time_eq_8(p[1], (unsigned)(s->client_version & 0xff)); 2310273399Sdelphij 2311296341Sdelphij /* 2312296341Sdelphij * The premaster secret must contain the same version number as the 2313296341Sdelphij * ClientHello to detect version rollback attacks (strangely, the 2314296341Sdelphij * protocol does not offer such protection for DH ciphersuites). 2315296341Sdelphij * However, buggy clients exist that send the negotiated protocol 2316296341Sdelphij * version instead if the server does not support the requested 2317296341Sdelphij * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such 2318296341Sdelphij * clients. 2319296341Sdelphij */ 2320296341Sdelphij if (s->options & SSL_OP_TLS_ROLLBACK_BUG) { 2321296341Sdelphij unsigned char workaround_good; 2322296341Sdelphij workaround_good = 2323296341Sdelphij constant_time_eq_8(p[0], (unsigned)(s->version >> 8)); 2324296341Sdelphij workaround_good &= 2325296341Sdelphij constant_time_eq_8(p[1], (unsigned)(s->version & 0xff)); 2326296341Sdelphij version_good |= workaround_good; 2327296341Sdelphij } 232855714Skris 2329296341Sdelphij /* 2330296341Sdelphij * Both decryption and version must be good for decrypt_good to 2331296341Sdelphij * remain non-zero (0xff). 2332296341Sdelphij */ 2333296341Sdelphij decrypt_good &= version_good; 2334273399Sdelphij 2335296341Sdelphij /* 2336296341Sdelphij * Now copy rand_premaster_secret over from p using 2337296341Sdelphij * decrypt_good_mask. If decryption failed, then p does not 2338296341Sdelphij * contain valid plaintext, however, a check above guarantees 2339296341Sdelphij * it is still sufficiently large to read from. 2340296341Sdelphij */ 2341296341Sdelphij for (j = 0; j < sizeof(rand_premaster_secret); j++) { 2342296341Sdelphij p[j] = constant_time_select_8(decrypt_good, p[j], 2343296341Sdelphij rand_premaster_secret[j]); 2344296341Sdelphij } 234555714Skris 2346296341Sdelphij s->session->master_key_length = 2347296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2348296341Sdelphij s-> 2349296341Sdelphij session->master_key, 2350296341Sdelphij p, 2351296341Sdelphij sizeof 2352296341Sdelphij (rand_premaster_secret)); 2353296341Sdelphij OPENSSL_cleanse(p, sizeof(rand_premaster_secret)); 2354296341Sdelphij } else 235555714Skris#endif 2356109998Smarkm#ifndef OPENSSL_NO_DH 2357296341Sdelphij if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { 2358296341Sdelphij n2s(p, i); 2359296341Sdelphij if (n != i + 2) { 2360296341Sdelphij if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { 2361296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2362296341Sdelphij SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2363296341Sdelphij goto err; 2364296341Sdelphij } else { 2365296341Sdelphij p -= 2; 2366296341Sdelphij i = (int)n; 2367296341Sdelphij } 2368296341Sdelphij } 236955714Skris 2370296341Sdelphij if (n == 0L) { /* the parameters are in the cert */ 2371296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2372296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2373296341Sdelphij SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2374296341Sdelphij goto f_err; 2375296341Sdelphij } else { 2376296341Sdelphij if (s->s3->tmp.dh == NULL) { 2377296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2378296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2379296341Sdelphij SSL_R_MISSING_TMP_DH_KEY); 2380296341Sdelphij goto f_err; 2381296341Sdelphij } else 2382296341Sdelphij dh_srvr = s->s3->tmp.dh; 2383296341Sdelphij } 238455714Skris 2385296341Sdelphij pub = BN_bin2bn(p, i, NULL); 2386296341Sdelphij if (pub == NULL) { 2387296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB); 2388296341Sdelphij goto err; 2389296341Sdelphij } 239055714Skris 2391296341Sdelphij i = DH_compute_key(p, pub, dh_srvr); 239255714Skris 2393296341Sdelphij if (i <= 0) { 2394296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2395296341Sdelphij BN_clear_free(pub); 2396296341Sdelphij goto err; 2397296341Sdelphij } 239855714Skris 2399296341Sdelphij DH_free(s->s3->tmp.dh); 2400296341Sdelphij s->s3->tmp.dh = NULL; 240155714Skris 2402296341Sdelphij BN_clear_free(pub); 2403296341Sdelphij pub = NULL; 2404296341Sdelphij s->session->master_key_length = 2405296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2406296341Sdelphij s-> 2407296341Sdelphij session->master_key, 2408296341Sdelphij p, i); 2409296341Sdelphij OPENSSL_cleanse(p, i); 2410296341Sdelphij } else 241155714Skris#endif 2412109998Smarkm#ifndef OPENSSL_NO_KRB5 2413296341Sdelphij if (alg_k & SSL_kKRB5) { 2414296341Sdelphij krb5_error_code krb5rc; 2415296341Sdelphij krb5_data enc_ticket; 2416296341Sdelphij krb5_data authenticator; 2417296341Sdelphij krb5_data enc_pms; 2418296341Sdelphij KSSL_CTX *kssl_ctx = s->kssl_ctx; 2419296341Sdelphij EVP_CIPHER_CTX ciph_ctx; 2420296341Sdelphij const EVP_CIPHER *enc = NULL; 2421296341Sdelphij unsigned char iv[EVP_MAX_IV_LENGTH]; 2422296341Sdelphij unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_BLOCK_LENGTH]; 2423296341Sdelphij int padl, outl; 2424296341Sdelphij krb5_timestamp authtime = 0; 2425296341Sdelphij krb5_ticket_times ttimes; 2426284295Sdelphij int kerr = 0; 2427109998Smarkm 2428296341Sdelphij EVP_CIPHER_CTX_init(&ciph_ctx); 2429109998Smarkm 2430296341Sdelphij if (!kssl_ctx) 2431296341Sdelphij kssl_ctx = kssl_ctx_new(); 2432109998Smarkm 2433296341Sdelphij n2s(p, i); 2434296341Sdelphij enc_ticket.length = i; 2435127128Snectar 2436296341Sdelphij if (n < (long)(enc_ticket.length + 6)) { 2437296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2438296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2439296341Sdelphij goto err; 2440296341Sdelphij } 2441127128Snectar 2442296341Sdelphij enc_ticket.data = (char *)p; 2443296341Sdelphij p += enc_ticket.length; 2444109998Smarkm 2445296341Sdelphij n2s(p, i); 2446296341Sdelphij authenticator.length = i; 2447127128Snectar 2448296341Sdelphij if (n < (long)(enc_ticket.length + authenticator.length + 6)) { 2449296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2450296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2451296341Sdelphij goto err; 2452296341Sdelphij } 2453127128Snectar 2454296341Sdelphij authenticator.data = (char *)p; 2455296341Sdelphij p += authenticator.length; 2456109998Smarkm 2457296341Sdelphij n2s(p, i); 2458296341Sdelphij enc_pms.length = i; 2459296341Sdelphij enc_pms.data = (char *)p; 2460296341Sdelphij p += enc_pms.length; 2461109998Smarkm 2462296341Sdelphij /* 2463296341Sdelphij * Note that the length is checked again below, ** after decryption 2464296341Sdelphij */ 2465296341Sdelphij if (enc_pms.length > sizeof pms) { 2466296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2467296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2468296341Sdelphij goto err; 2469296341Sdelphij } 2470109998Smarkm 2471296341Sdelphij if (n != (long)(enc_ticket.length + authenticator.length + 2472296341Sdelphij enc_pms.length + 6)) { 2473296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2474296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2475296341Sdelphij goto err; 2476296341Sdelphij } 2477109998Smarkm 2478296341Sdelphij if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2479296341Sdelphij &kssl_err)) != 0) { 2480296341Sdelphij# ifdef KSSL_DEBUG 2481296341Sdelphij fprintf(stderr, "kssl_sget_tkt rtn %d [%d]\n", 2482296341Sdelphij krb5rc, kssl_err.reason); 2483296341Sdelphij if (kssl_err.text) 2484296341Sdelphij fprintf(stderr, "kssl_err text= %s\n", kssl_err.text); 2485296341Sdelphij# endif /* KSSL_DEBUG */ 2486296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason); 2487296341Sdelphij goto err; 2488296341Sdelphij } 2489109998Smarkm 2490296341Sdelphij /* 2491296341Sdelphij * Note: no authenticator is not considered an error, ** but will 2492296341Sdelphij * return authtime == 0. 2493296341Sdelphij */ 2494296341Sdelphij if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2495296341Sdelphij &authtime, &kssl_err)) != 0) { 2496296341Sdelphij# ifdef KSSL_DEBUG 2497296341Sdelphij fprintf(stderr, "kssl_check_authent rtn %d [%d]\n", 2498296341Sdelphij krb5rc, kssl_err.reason); 2499296341Sdelphij if (kssl_err.text) 2500296341Sdelphij fprintf(stderr, "kssl_err text= %s\n", kssl_err.text); 2501296341Sdelphij# endif /* KSSL_DEBUG */ 2502296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason); 2503296341Sdelphij goto err; 2504296341Sdelphij } 2505109998Smarkm 2506296341Sdelphij if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) { 2507296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2508296341Sdelphij goto err; 2509296341Sdelphij } 2510296341Sdelphij# ifdef KSSL_DEBUG 2511296341Sdelphij kssl_ctx_show(kssl_ctx); 2512296341Sdelphij# endif /* KSSL_DEBUG */ 2513109998Smarkm 2514296341Sdelphij enc = kssl_map_enc(kssl_ctx->enctype); 2515296341Sdelphij if (enc == NULL) 2516296341Sdelphij goto err; 2517109998Smarkm 2518296341Sdelphij memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2519109998Smarkm 2520296341Sdelphij if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) { 2521296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2522296341Sdelphij SSL_R_DECRYPTION_FAILED); 2523296341Sdelphij goto err; 2524296341Sdelphij } 2525296341Sdelphij if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl, 2526296341Sdelphij (unsigned char *)enc_pms.data, enc_pms.length)) 2527296341Sdelphij { 2528296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2529296341Sdelphij SSL_R_DECRYPTION_FAILED); 2530284295Sdelphij kerr = 1; 2531284295Sdelphij goto kclean; 2532296341Sdelphij } 2533296341Sdelphij if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2534296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2535296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2536284295Sdelphij kerr = 1; 2537284295Sdelphij goto kclean; 2538296341Sdelphij } 2539296341Sdelphij if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) { 2540296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2541296341Sdelphij SSL_R_DECRYPTION_FAILED); 2542284295Sdelphij kerr = 1; 2543284295Sdelphij goto kclean; 2544296341Sdelphij } 2545296341Sdelphij outl += padl; 2546296341Sdelphij if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2547296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2548296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2549284295Sdelphij kerr = 1; 2550284295Sdelphij goto kclean; 2551296341Sdelphij } 2552296341Sdelphij if (!((pms[0] == (s->client_version >> 8)) 2553296341Sdelphij && (pms[1] == (s->client_version & 0xff)))) { 2554296341Sdelphij /* 2555296341Sdelphij * The premaster secret must contain the same version number as 2556296341Sdelphij * the ClientHello to detect version rollback attacks (strangely, 2557296341Sdelphij * the protocol does not offer such protection for DH 2558296341Sdelphij * ciphersuites). However, buggy clients exist that send random 2559296341Sdelphij * bytes instead of the protocol version. If 2560296341Sdelphij * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2561296341Sdelphij * (Perhaps we should have a separate BUG value for the Kerberos 2562296341Sdelphij * cipher) 2563296341Sdelphij */ 2564296341Sdelphij if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) { 2565296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2566296341Sdelphij SSL_AD_DECODE_ERROR); 2567284295Sdelphij kerr = 1; 2568284295Sdelphij goto kclean; 2569296341Sdelphij } 2570296341Sdelphij } 2571167612Ssimon 2572296341Sdelphij EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2573109998Smarkm 2574296341Sdelphij s->session->master_key_length = 2575296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2576296341Sdelphij s-> 2577296341Sdelphij session->master_key, 2578296341Sdelphij pms, outl); 2579109998Smarkm 2580296341Sdelphij if (kssl_ctx->client_princ) { 2581296341Sdelphij size_t len = strlen(kssl_ctx->client_princ); 2582296341Sdelphij if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH) { 2583296341Sdelphij s->session->krb5_client_princ_len = len; 2584296341Sdelphij memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, 2585296341Sdelphij len); 2586296341Sdelphij } 2587296341Sdelphij } 2588109998Smarkm 2589296341Sdelphij /*- Was doing kssl_ctx_free() here, 2590296341Sdelphij * but it caused problems for apache. 2591296341Sdelphij * kssl_ctx = kssl_ctx_free(kssl_ctx); 2592296341Sdelphij * if (s->kssl_ctx) s->kssl_ctx = NULL; 2593296341Sdelphij */ 2594109998Smarkm 2595284295Sdelphij kclean: 2596284295Sdelphij OPENSSL_cleanse(pms, sizeof(pms)); 2597284295Sdelphij if (kerr) 2598284295Sdelphij goto err; 2599296341Sdelphij } else 2600296341Sdelphij#endif /* OPENSSL_NO_KRB5 */ 2601160814Ssimon 2602160814Ssimon#ifndef OPENSSL_NO_ECDH 2603296341Sdelphij if (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) { 2604296341Sdelphij int ret = 1; 2605296341Sdelphij int field_size = 0; 2606296341Sdelphij const EC_KEY *tkey; 2607296341Sdelphij const EC_GROUP *group; 2608296341Sdelphij const BIGNUM *priv_key; 2609160814Ssimon 2610296341Sdelphij /* initialize structures for server's ECDH key pair */ 2611296341Sdelphij if ((srvr_ecdh = EC_KEY_new()) == NULL) { 2612296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2613296341Sdelphij goto err; 2614296341Sdelphij } 2615160814Ssimon 2616296341Sdelphij /* Let's get server private key and group information */ 2617296341Sdelphij if (alg_k & (SSL_kECDHr | SSL_kECDHe)) { 2618296341Sdelphij /* use the certificate */ 2619296341Sdelphij tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2620296341Sdelphij } else { 2621296341Sdelphij /* 2622296341Sdelphij * use the ephermeral values we saved when generating the 2623296341Sdelphij * ServerKeyExchange msg. 2624296341Sdelphij */ 2625296341Sdelphij tkey = s->s3->tmp.ecdh; 2626296341Sdelphij } 2627160814Ssimon 2628296341Sdelphij group = EC_KEY_get0_group(tkey); 2629296341Sdelphij priv_key = EC_KEY_get0_private_key(tkey); 2630160814Ssimon 2631296341Sdelphij if (!EC_KEY_set_group(srvr_ecdh, group) || 2632296341Sdelphij !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { 2633296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2634296341Sdelphij goto err; 2635296341Sdelphij } 2636160814Ssimon 2637296341Sdelphij /* Let's get client's public key */ 2638296341Sdelphij if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { 2639296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2640296341Sdelphij goto err; 2641296341Sdelphij } 2642160814Ssimon 2643296341Sdelphij if (n == 0L) { 2644296341Sdelphij /* Client Publickey was in Client Certificate */ 2645160814Ssimon 2646296341Sdelphij if (alg_k & SSL_kEECDH) { 2647296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2648296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2649296341Sdelphij SSL_R_MISSING_TMP_ECDH_KEY); 2650296341Sdelphij goto f_err; 2651296341Sdelphij } 2652296341Sdelphij if (((clnt_pub_pkey = X509_get_pubkey(s->session->peer)) 2653296341Sdelphij == NULL) || (clnt_pub_pkey->type != EVP_PKEY_EC)) { 2654296341Sdelphij /* 2655296341Sdelphij * XXX: For now, we do not support client authentication 2656296341Sdelphij * using ECDH certificates so this branch (n == 0L) of the 2657296341Sdelphij * code is never executed. When that support is added, we 2658296341Sdelphij * ought to ensure the key received in the certificate is 2659296341Sdelphij * authorized for key agreement. ECDH_compute_key implicitly 2660296341Sdelphij * checks that the two ECDH shares are for the same group. 2661296341Sdelphij */ 2662296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2663296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2664296341Sdelphij SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2665296341Sdelphij goto f_err; 2666296341Sdelphij } 2667160814Ssimon 2668296341Sdelphij if (EC_POINT_copy(clnt_ecpoint, 2669296341Sdelphij EC_KEY_get0_public_key(clnt_pub_pkey-> 2670296341Sdelphij pkey.ec)) == 0) { 2671296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2672296341Sdelphij goto err; 2673296341Sdelphij } 2674296341Sdelphij ret = 2; /* Skip certificate verify processing */ 2675296341Sdelphij } else { 2676296341Sdelphij /* 2677296341Sdelphij * Get client's public key from encoded point in the 2678296341Sdelphij * ClientKeyExchange message. 2679296341Sdelphij */ 2680296341Sdelphij if ((bn_ctx = BN_CTX_new()) == NULL) { 2681296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2682296341Sdelphij ERR_R_MALLOC_FAILURE); 2683296341Sdelphij goto err; 2684296341Sdelphij } 2685160814Ssimon 2686296341Sdelphij /* Get encoded point length */ 2687296341Sdelphij i = *p; 2688296341Sdelphij p += 1; 2689296341Sdelphij if (n != 1 + i) { 2690296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2691296341Sdelphij goto err; 2692296341Sdelphij } 2693296341Sdelphij if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) { 2694296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2695296341Sdelphij goto err; 2696296341Sdelphij } 2697296341Sdelphij /* 2698296341Sdelphij * p is pointing to somewhere in the buffer currently, so set it 2699296341Sdelphij * to the start 2700296341Sdelphij */ 2701296341Sdelphij p = (unsigned char *)s->init_buf->data; 2702296341Sdelphij } 2703160814Ssimon 2704296341Sdelphij /* Compute the shared pre-master secret */ 2705296341Sdelphij field_size = EC_GROUP_get_degree(group); 2706296341Sdelphij if (field_size <= 0) { 2707296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2708296341Sdelphij goto err; 2709296341Sdelphij } 2710296341Sdelphij i = ECDH_compute_key(p, (field_size + 7) / 8, clnt_ecpoint, srvr_ecdh, 2711296341Sdelphij NULL); 2712296341Sdelphij if (i <= 0) { 2713296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2714296341Sdelphij goto err; 2715296341Sdelphij } 2716160814Ssimon 2717296341Sdelphij EVP_PKEY_free(clnt_pub_pkey); 2718296341Sdelphij EC_POINT_free(clnt_ecpoint); 2719296341Sdelphij EC_KEY_free(srvr_ecdh); 2720296341Sdelphij BN_CTX_free(bn_ctx); 2721296341Sdelphij EC_KEY_free(s->s3->tmp.ecdh); 2722296341Sdelphij s->s3->tmp.ecdh = NULL; 2723160814Ssimon 2724296341Sdelphij /* Compute the master secret */ 2725296341Sdelphij s->session->master_key_length = 2726296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2727296341Sdelphij s-> 2728296341Sdelphij session->master_key, 2729296341Sdelphij p, i); 2730296341Sdelphij 2731296341Sdelphij OPENSSL_cleanse(p, i); 2732296341Sdelphij return (ret); 2733296341Sdelphij } else 2734160814Ssimon#endif 2735238405Sjkim#ifndef OPENSSL_NO_PSK 2736296341Sdelphij if (alg_k & SSL_kPSK) { 2737296341Sdelphij unsigned char *t = NULL; 2738296341Sdelphij unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN * 2 + 4]; 2739296341Sdelphij unsigned int pre_ms_len = 0, psk_len = 0; 2740296341Sdelphij int psk_err = 1; 2741296341Sdelphij char tmp_id[PSK_MAX_IDENTITY_LEN + 1]; 2742238405Sjkim 2743296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2744238405Sjkim 2745296341Sdelphij n2s(p, i); 2746296341Sdelphij if (n != i + 2) { 2747296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); 2748296341Sdelphij goto psk_err; 2749296341Sdelphij } 2750296341Sdelphij if (i > PSK_MAX_IDENTITY_LEN) { 2751296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2752296341Sdelphij SSL_R_DATA_LENGTH_TOO_LONG); 2753296341Sdelphij goto psk_err; 2754296341Sdelphij } 2755296341Sdelphij if (s->psk_server_callback == NULL) { 2756296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2757296341Sdelphij SSL_R_PSK_NO_SERVER_CB); 2758296341Sdelphij goto psk_err; 2759296341Sdelphij } 2760238405Sjkim 2761296341Sdelphij /* 2762296341Sdelphij * Create guaranteed NULL-terminated identity string for the callback 2763296341Sdelphij */ 2764296341Sdelphij memcpy(tmp_id, p, i); 2765296341Sdelphij memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); 2766296341Sdelphij psk_len = s->psk_server_callback(s, tmp_id, 2767296341Sdelphij psk_or_pre_ms, 2768296341Sdelphij sizeof(psk_or_pre_ms)); 2769296341Sdelphij OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); 2770238405Sjkim 2771296341Sdelphij if (psk_len > PSK_MAX_PSK_LEN) { 2772296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2773296341Sdelphij goto psk_err; 2774296341Sdelphij } else if (psk_len == 0) { 2775296341Sdelphij /* 2776296341Sdelphij * PSK related to the given identity not found 2777296341Sdelphij */ 2778296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2779296341Sdelphij SSL_R_PSK_IDENTITY_NOT_FOUND); 2780296341Sdelphij al = SSL_AD_UNKNOWN_PSK_IDENTITY; 2781296341Sdelphij goto psk_err; 2782296341Sdelphij } 2783238405Sjkim 2784296341Sdelphij /* create PSK pre_master_secret */ 2785296341Sdelphij pre_ms_len = 2 + psk_len + 2 + psk_len; 2786296341Sdelphij t = psk_or_pre_ms; 2787296341Sdelphij memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len); 2788296341Sdelphij s2n(psk_len, t); 2789296341Sdelphij memset(t, 0, psk_len); 2790296341Sdelphij t += psk_len; 2791296341Sdelphij s2n(psk_len, t); 2792238405Sjkim 2793296341Sdelphij if (s->session->psk_identity != NULL) 2794296341Sdelphij OPENSSL_free(s->session->psk_identity); 2795296341Sdelphij s->session->psk_identity = BUF_strndup((char *)p, i); 2796296341Sdelphij if (s->session->psk_identity == NULL) { 2797296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2798296341Sdelphij goto psk_err; 2799296341Sdelphij } 2800238405Sjkim 2801296341Sdelphij if (s->session->psk_identity_hint != NULL) 2802296341Sdelphij OPENSSL_free(s->session->psk_identity_hint); 2803296341Sdelphij s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2804296341Sdelphij if (s->ctx->psk_identity_hint != NULL && 2805296341Sdelphij s->session->psk_identity_hint == NULL) { 2806296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2807296341Sdelphij goto psk_err; 2808296341Sdelphij } 2809238405Sjkim 2810296341Sdelphij s->session->master_key_length = 2811296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2812296341Sdelphij s-> 2813296341Sdelphij session->master_key, 2814296341Sdelphij psk_or_pre_ms, 2815296341Sdelphij pre_ms_len); 2816296341Sdelphij psk_err = 0; 2817296341Sdelphij psk_err: 2818296341Sdelphij OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2819296341Sdelphij if (psk_err != 0) 2820296341Sdelphij goto f_err; 2821296341Sdelphij } else 2822238405Sjkim#endif 2823238405Sjkim#ifndef OPENSSL_NO_SRP 2824296341Sdelphij if (alg_k & SSL_kSRP) { 2825296341Sdelphij int param_len; 2826238405Sjkim 2827296341Sdelphij n2s(p, i); 2828296341Sdelphij param_len = i + 2; 2829296341Sdelphij if (param_len > n) { 2830296341Sdelphij al = SSL_AD_DECODE_ERROR; 2831296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2832296341Sdelphij SSL_R_BAD_SRP_A_LENGTH); 2833296341Sdelphij goto f_err; 2834296341Sdelphij } 2835296341Sdelphij if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) { 2836296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB); 2837296341Sdelphij goto err; 2838296341Sdelphij } 2839296341Sdelphij if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 2840296341Sdelphij || BN_is_zero(s->srp_ctx.A)) { 2841296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 2842296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2843296341Sdelphij SSL_R_BAD_SRP_PARAMETERS); 2844296341Sdelphij goto f_err; 2845296341Sdelphij } 2846296341Sdelphij if (s->session->srp_username != NULL) 2847296341Sdelphij OPENSSL_free(s->session->srp_username); 2848296341Sdelphij s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2849296341Sdelphij if (s->session->srp_username == NULL) { 2850296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2851296341Sdelphij goto err; 2852296341Sdelphij } 2853238405Sjkim 2854296341Sdelphij if ((s->session->master_key_length = 2855296341Sdelphij SRP_generate_server_master_secret(s, 2856296341Sdelphij s->session->master_key)) < 0) { 2857296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2858296341Sdelphij goto err; 2859296341Sdelphij } 2860238405Sjkim 2861296341Sdelphij p += i; 2862296341Sdelphij } else 2863296341Sdelphij#endif /* OPENSSL_NO_SRP */ 2864296341Sdelphij if (alg_k & SSL_kGOST) { 2865296341Sdelphij int ret = 0; 2866296341Sdelphij EVP_PKEY_CTX *pkey_ctx; 2867296341Sdelphij EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2868296341Sdelphij unsigned char premaster_secret[32], *start; 2869296341Sdelphij size_t outlen = 32, inlen; 2870296341Sdelphij unsigned long alg_a; 2871296341Sdelphij int Ttag, Tclass; 2872296341Sdelphij long Tlen; 2873238405Sjkim 2874296341Sdelphij /* Get our certificate private key */ 2875296341Sdelphij alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2876296341Sdelphij if (alg_a & SSL_aGOST94) 2877296341Sdelphij pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2878296341Sdelphij else if (alg_a & SSL_aGOST01) 2879296341Sdelphij pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2880238405Sjkim 2881296341Sdelphij pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); 2882296341Sdelphij EVP_PKEY_decrypt_init(pkey_ctx); 2883296341Sdelphij /* 2884296341Sdelphij * If client certificate is present and is of the same type, maybe 2885296341Sdelphij * use it for key exchange. Don't mind errors from 2886296341Sdelphij * EVP_PKEY_derive_set_peer, because it is completely valid to use a 2887296341Sdelphij * client certificate for authorization only. 2888296341Sdelphij */ 2889296341Sdelphij client_pub_pkey = X509_get_pubkey(s->session->peer); 2890296341Sdelphij if (client_pub_pkey) { 2891296341Sdelphij if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2892296341Sdelphij ERR_clear_error(); 2893296341Sdelphij } 2894296341Sdelphij /* Decrypt session key */ 2895296341Sdelphij if (ASN1_get_object 2896296341Sdelphij ((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, 2897296341Sdelphij n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE 2898296341Sdelphij || Tclass != V_ASN1_UNIVERSAL) { 2899296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2900296341Sdelphij SSL_R_DECRYPTION_FAILED); 2901296341Sdelphij goto gerr; 2902296341Sdelphij } 2903296341Sdelphij start = p; 2904296341Sdelphij inlen = Tlen; 2905296341Sdelphij if (EVP_PKEY_decrypt 2906296341Sdelphij (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) { 2907296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2908296341Sdelphij SSL_R_DECRYPTION_FAILED); 2909296341Sdelphij goto gerr; 2910296341Sdelphij } 2911296341Sdelphij /* Generate master secret */ 2912296341Sdelphij s->session->master_key_length = 2913296341Sdelphij s->method->ssl3_enc->generate_master_secret(s, 2914296341Sdelphij s-> 2915296341Sdelphij session->master_key, 2916296341Sdelphij premaster_secret, 32); 2917296341Sdelphij OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret)); 2918296341Sdelphij /* Check if pubkey from client certificate was used */ 2919296341Sdelphij if (EVP_PKEY_CTX_ctrl 2920296341Sdelphij (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2921296341Sdelphij ret = 2; 2922296341Sdelphij else 2923296341Sdelphij ret = 1; 2924296341Sdelphij gerr: 2925296341Sdelphij EVP_PKEY_free(client_pub_pkey); 2926296341Sdelphij EVP_PKEY_CTX_free(pkey_ctx); 2927296341Sdelphij if (ret) 2928296341Sdelphij return ret; 2929296341Sdelphij else 2930296341Sdelphij goto err; 2931296341Sdelphij } else { 2932296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 2933296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE); 2934296341Sdelphij goto f_err; 2935296341Sdelphij } 2936238405Sjkim 2937296341Sdelphij return (1); 2938296341Sdelphij f_err: 2939296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 2940238405Sjkim#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2941296341Sdelphij err: 294255714Skris#endif 2943160814Ssimon#ifndef OPENSSL_NO_ECDH 2944296341Sdelphij EVP_PKEY_free(clnt_pub_pkey); 2945296341Sdelphij EC_POINT_free(clnt_ecpoint); 2946296341Sdelphij if (srvr_ecdh != NULL) 2947296341Sdelphij EC_KEY_free(srvr_ecdh); 2948296341Sdelphij BN_CTX_free(bn_ctx); 2949160814Ssimon#endif 2950296341Sdelphij s->state = SSL_ST_ERR; 2951296341Sdelphij return (-1); 2952296341Sdelphij} 295355714Skris 2954160814Ssimonint ssl3_get_cert_verify(SSL *s) 2955296341Sdelphij{ 2956296341Sdelphij EVP_PKEY *pkey = NULL; 2957296341Sdelphij unsigned char *p; 2958296341Sdelphij int al, ok, ret = 0; 2959296341Sdelphij long n; 2960296341Sdelphij int type = 0, i, j; 2961296341Sdelphij X509 *peer; 2962296341Sdelphij const EVP_MD *md = NULL; 2963296341Sdelphij EVP_MD_CTX mctx; 2964296341Sdelphij EVP_MD_CTX_init(&mctx); 296555714Skris 2966296341Sdelphij /* 2967296341Sdelphij * We should only process a CertificateVerify message if we have received 2968296341Sdelphij * a Certificate from the client. If so then |s->session->peer| will be non 2969296341Sdelphij * NULL. In some instances a CertificateVerify message is not required even 2970296341Sdelphij * if the peer has sent a Certificate (e.g. such as in the case of static 2971296341Sdelphij * DH). In that case the ClientKeyExchange processing will skip the 2972296341Sdelphij * CertificateVerify state so we should not arrive here. 2973296341Sdelphij */ 2974296341Sdelphij if (s->session->peer == NULL) { 2975296341Sdelphij ret = 1; 2976296341Sdelphij goto end; 2977296341Sdelphij } 297855714Skris 2979296341Sdelphij n = s->method->ssl_get_message(s, 2980296341Sdelphij SSL3_ST_SR_CERT_VRFY_A, 2981296341Sdelphij SSL3_ST_SR_CERT_VRFY_B, 2982296341Sdelphij SSL3_MT_CERTIFICATE_VERIFY, 2983296341Sdelphij SSL3_RT_MAX_PLAIN_LENGTH, &ok); 298455714Skris 2985296341Sdelphij if (!ok) 2986296341Sdelphij return ((int)n); 298755714Skris 2988296341Sdelphij peer = s->session->peer; 2989296341Sdelphij pkey = X509_get_pubkey(peer); 2990296341Sdelphij type = X509_certificate_type(peer, pkey); 299155714Skris 2992296341Sdelphij if (!(type & EVP_PKT_SIGN)) { 2993296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2994296341Sdelphij SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2995296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 2996296341Sdelphij goto f_err; 2997296341Sdelphij } 299855714Skris 2999296341Sdelphij /* we now have a signature that we need to verify */ 3000296341Sdelphij p = (unsigned char *)s->init_msg; 3001296341Sdelphij /* Check for broken implementations of GOST ciphersuites */ 3002296341Sdelphij /* 3003296341Sdelphij * If key is GOST and n is exactly 64, it is bare signature without 3004296341Sdelphij * length field 3005296341Sdelphij */ 3006296341Sdelphij if (n == 64 && (pkey->type == NID_id_GostR3410_94 || 3007296341Sdelphij pkey->type == NID_id_GostR3410_2001)) { 3008296341Sdelphij i = 64; 3009296341Sdelphij } else { 3010296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION) { 3011296341Sdelphij int sigalg = tls12_get_sigid(pkey); 3012296341Sdelphij /* Should never happen */ 3013296341Sdelphij if (sigalg == -1) { 3014296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3015296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 3016296341Sdelphij goto f_err; 3017296341Sdelphij } 3018296341Sdelphij /* Check key type is consistent with signature */ 3019296341Sdelphij if (sigalg != (int)p[1]) { 3020296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3021296341Sdelphij SSL_R_WRONG_SIGNATURE_TYPE); 3022296341Sdelphij al = SSL_AD_DECODE_ERROR; 3023296341Sdelphij goto f_err; 3024296341Sdelphij } 3025296341Sdelphij md = tls12_get_hash(p[0]); 3026296341Sdelphij if (md == NULL) { 3027296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST); 3028296341Sdelphij al = SSL_AD_DECODE_ERROR; 3029296341Sdelphij goto f_err; 3030296341Sdelphij } 3031238405Sjkim#ifdef SSL_DEBUG 3032296341Sdelphij fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 3033238405Sjkim#endif 3034296341Sdelphij p += 2; 3035296341Sdelphij n -= 2; 3036296341Sdelphij } 3037296341Sdelphij n2s(p, i); 3038296341Sdelphij n -= 2; 3039296341Sdelphij if (i > n) { 3040296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); 3041296341Sdelphij al = SSL_AD_DECODE_ERROR; 3042296341Sdelphij goto f_err; 3043296341Sdelphij } 3044296341Sdelphij } 3045296341Sdelphij j = EVP_PKEY_size(pkey); 3046296341Sdelphij if ((i > j) || (n > j) || (n <= 0)) { 3047296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); 3048296341Sdelphij al = SSL_AD_DECODE_ERROR; 3049296341Sdelphij goto f_err; 3050296341Sdelphij } 305155714Skris 3052296341Sdelphij if (TLS1_get_version(s) >= TLS1_2_VERSION) { 3053296341Sdelphij long hdatalen = 0; 3054296341Sdelphij void *hdata; 3055296341Sdelphij hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 3056296341Sdelphij if (hdatalen <= 0) { 3057296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3058296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 3059296341Sdelphij goto f_err; 3060296341Sdelphij } 3061238405Sjkim#ifdef SSL_DEBUG 3062296341Sdelphij fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 3063296341Sdelphij EVP_MD_name(md)); 3064238405Sjkim#endif 3065296341Sdelphij if (!EVP_VerifyInit_ex(&mctx, md, NULL) 3066296341Sdelphij || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 3067296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 3068296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 3069296341Sdelphij goto f_err; 3070296341Sdelphij } 3071238405Sjkim 3072296341Sdelphij if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) { 3073296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3074296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE); 3075296341Sdelphij goto f_err; 3076296341Sdelphij } 3077296341Sdelphij } else 3078296341Sdelphij#ifndef OPENSSL_NO_RSA 3079296341Sdelphij if (pkey->type == EVP_PKEY_RSA) { 3080296341Sdelphij i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3081296341Sdelphij MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, 3082296341Sdelphij pkey->pkey.rsa); 3083296341Sdelphij if (i < 0) { 3084296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3085296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT); 3086296341Sdelphij goto f_err; 3087296341Sdelphij } 3088296341Sdelphij if (i == 0) { 3089296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3090296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE); 3091296341Sdelphij goto f_err; 3092296341Sdelphij } 3093296341Sdelphij } else 309455714Skris#endif 3095109998Smarkm#ifndef OPENSSL_NO_DSA 3096296341Sdelphij if (pkey->type == EVP_PKEY_DSA) { 3097296341Sdelphij j = DSA_verify(pkey->save_type, 3098296341Sdelphij &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3099296341Sdelphij SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa); 3100296341Sdelphij if (j <= 0) { 3101296341Sdelphij /* bad signature */ 3102296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3103296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE); 3104296341Sdelphij goto f_err; 3105296341Sdelphij } 3106296341Sdelphij } else 310755714Skris#endif 3108160814Ssimon#ifndef OPENSSL_NO_ECDSA 3109296341Sdelphij if (pkey->type == EVP_PKEY_EC) { 3110296341Sdelphij j = ECDSA_verify(pkey->save_type, 3111296341Sdelphij &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3112296341Sdelphij SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec); 3113296341Sdelphij if (j <= 0) { 3114296341Sdelphij /* bad signature */ 3115296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3116296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE); 3117296341Sdelphij goto f_err; 3118296341Sdelphij } 3119296341Sdelphij } else 3120160814Ssimon#endif 3121296341Sdelphij if (pkey->type == NID_id_GostR3410_94 3122296341Sdelphij || pkey->type == NID_id_GostR3410_2001) { 3123296341Sdelphij unsigned char signature[64]; 3124296341Sdelphij int idx; 3125296341Sdelphij EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL); 3126296341Sdelphij EVP_PKEY_verify_init(pctx); 3127296341Sdelphij if (i != 64) { 3128296341Sdelphij fprintf(stderr, "GOST signature length is %d", i); 3129296341Sdelphij } 3130296341Sdelphij for (idx = 0; idx < 64; idx++) { 3131296341Sdelphij signature[63 - idx] = p[idx]; 3132296341Sdelphij } 3133296341Sdelphij j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 3134296341Sdelphij 32); 3135296341Sdelphij EVP_PKEY_CTX_free(pctx); 3136296341Sdelphij if (j <= 0) { 3137296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 3138296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE); 3139296341Sdelphij goto f_err; 3140296341Sdelphij } 3141296341Sdelphij } else { 3142296341Sdelphij SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3143296341Sdelphij al = SSL_AD_UNSUPPORTED_CERTIFICATE; 3144296341Sdelphij goto f_err; 3145296341Sdelphij } 314655714Skris 3147296341Sdelphij ret = 1; 3148296341Sdelphij if (0) { 3149296341Sdelphij f_err: 3150296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 3151296341Sdelphij s->state = SSL_ST_ERR; 3152296341Sdelphij } 3153296341Sdelphij end: 3154296341Sdelphij if (s->s3->handshake_buffer) { 3155296341Sdelphij BIO_free(s->s3->handshake_buffer); 3156296341Sdelphij s->s3->handshake_buffer = NULL; 3157296341Sdelphij s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 3158296341Sdelphij } 3159296341Sdelphij EVP_MD_CTX_cleanup(&mctx); 3160296341Sdelphij EVP_PKEY_free(pkey); 3161296341Sdelphij return (ret); 3162296341Sdelphij} 316355714Skris 3164160814Ssimonint ssl3_get_client_certificate(SSL *s) 3165296341Sdelphij{ 3166296341Sdelphij int i, ok, al, ret = -1; 3167296341Sdelphij X509 *x = NULL; 3168296341Sdelphij unsigned long l, nc, llen, n; 3169296341Sdelphij const unsigned char *p, *q; 3170296341Sdelphij unsigned char *d; 3171296341Sdelphij STACK_OF(X509) *sk = NULL; 317255714Skris 3173296341Sdelphij n = s->method->ssl_get_message(s, 3174296341Sdelphij SSL3_ST_SR_CERT_A, 3175296341Sdelphij SSL3_ST_SR_CERT_B, 3176296341Sdelphij -1, s->max_cert_list, &ok); 317755714Skris 3178296341Sdelphij if (!ok) 3179296341Sdelphij return ((int)n); 318055714Skris 3181296341Sdelphij if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 3182296341Sdelphij if ((s->verify_mode & SSL_VERIFY_PEER) && 3183296341Sdelphij (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3184296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3185296341Sdelphij SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3186296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 3187296341Sdelphij goto f_err; 3188296341Sdelphij } 3189296341Sdelphij /* 3190296341Sdelphij * If tls asked for a client cert, the client must return a 0 list 3191296341Sdelphij */ 3192296341Sdelphij if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) { 3193296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3194296341Sdelphij SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 3195296341Sdelphij al = SSL_AD_UNEXPECTED_MESSAGE; 3196296341Sdelphij goto f_err; 3197296341Sdelphij } 3198296341Sdelphij s->s3->tmp.reuse_message = 1; 3199296341Sdelphij return (1); 3200296341Sdelphij } 320155714Skris 3202296341Sdelphij if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { 3203296341Sdelphij al = SSL_AD_UNEXPECTED_MESSAGE; 3204296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE); 3205296341Sdelphij goto f_err; 3206296341Sdelphij } 3207296341Sdelphij p = d = (unsigned char *)s->init_msg; 320855714Skris 3209296341Sdelphij if ((sk = sk_X509_new_null()) == NULL) { 3210296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3211296341Sdelphij goto err; 3212296341Sdelphij } 321355714Skris 3214296341Sdelphij n2l3(p, llen); 3215296341Sdelphij if (llen + 3 != n) { 3216296341Sdelphij al = SSL_AD_DECODE_ERROR; 3217296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); 3218296341Sdelphij goto f_err; 3219296341Sdelphij } 3220296341Sdelphij for (nc = 0; nc < llen;) { 3221306230Sdelphij if (nc + 3 > llen) { 3222306230Sdelphij al = SSL_AD_DECODE_ERROR; 3223306230Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3224306230Sdelphij SSL_R_CERT_LENGTH_MISMATCH); 3225306230Sdelphij goto f_err; 3226306230Sdelphij } 3227296341Sdelphij n2l3(p, l); 3228296341Sdelphij if ((l + nc + 3) > llen) { 3229296341Sdelphij al = SSL_AD_DECODE_ERROR; 3230296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3231296341Sdelphij SSL_R_CERT_LENGTH_MISMATCH); 3232296341Sdelphij goto f_err; 3233296341Sdelphij } 323455714Skris 3235296341Sdelphij q = p; 3236296341Sdelphij x = d2i_X509(NULL, &p, l); 3237296341Sdelphij if (x == NULL) { 3238296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); 3239296341Sdelphij goto err; 3240296341Sdelphij } 3241296341Sdelphij if (p != (q + l)) { 3242296341Sdelphij al = SSL_AD_DECODE_ERROR; 3243296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3244296341Sdelphij SSL_R_CERT_LENGTH_MISMATCH); 3245296341Sdelphij goto f_err; 3246296341Sdelphij } 3247296341Sdelphij if (!sk_X509_push(sk, x)) { 3248296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3249296341Sdelphij goto err; 3250296341Sdelphij } 3251296341Sdelphij x = NULL; 3252296341Sdelphij nc += l + 3; 3253296341Sdelphij } 325455714Skris 3255296341Sdelphij if (sk_X509_num(sk) <= 0) { 3256296341Sdelphij /* TLS does not mind 0 certs returned */ 3257296341Sdelphij if (s->version == SSL3_VERSION) { 3258296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 3259296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3260296341Sdelphij SSL_R_NO_CERTIFICATES_RETURNED); 3261296341Sdelphij goto f_err; 3262296341Sdelphij } 3263296341Sdelphij /* Fail for TLS only if we required a certificate */ 3264296341Sdelphij else if ((s->verify_mode & SSL_VERIFY_PEER) && 3265296341Sdelphij (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3266296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3267296341Sdelphij SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3268296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 3269296341Sdelphij goto f_err; 3270296341Sdelphij } 3271296341Sdelphij /* No client certificate so digest cached records */ 3272296341Sdelphij if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) { 3273296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 3274296341Sdelphij goto f_err; 3275296341Sdelphij } 3276296341Sdelphij } else { 3277296341Sdelphij i = ssl_verify_cert_chain(s, sk); 3278296341Sdelphij if (i <= 0) { 3279296341Sdelphij al = ssl_verify_alarm_type(s->verify_result); 3280296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, 3281296341Sdelphij SSL_R_NO_CERTIFICATE_RETURNED); 3282296341Sdelphij goto f_err; 3283296341Sdelphij } 3284296341Sdelphij } 328555714Skris 3286296341Sdelphij if (s->session->peer != NULL) /* This should not be needed */ 3287296341Sdelphij X509_free(s->session->peer); 3288296341Sdelphij s->session->peer = sk_X509_shift(sk); 3289296341Sdelphij s->session->verify_result = s->verify_result; 329055714Skris 3291296341Sdelphij /* 3292296341Sdelphij * With the current implementation, sess_cert will always be NULL when we 3293296341Sdelphij * arrive here. 3294296341Sdelphij */ 3295296341Sdelphij if (s->session->sess_cert == NULL) { 3296296341Sdelphij s->session->sess_cert = ssl_sess_cert_new(); 3297296341Sdelphij if (s->session->sess_cert == NULL) { 3298296341Sdelphij SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3299296341Sdelphij goto err; 3300296341Sdelphij } 3301296341Sdelphij } 3302296341Sdelphij if (s->session->sess_cert->cert_chain != NULL) 3303296341Sdelphij sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3304296341Sdelphij s->session->sess_cert->cert_chain = sk; 3305296341Sdelphij /* 3306296341Sdelphij * Inconsistency alert: cert_chain does *not* include the peer's own 3307296341Sdelphij * certificate, while we do include it in s3_clnt.c 3308296341Sdelphij */ 330955714Skris 3310296341Sdelphij sk = NULL; 331155714Skris 3312296341Sdelphij ret = 1; 3313296341Sdelphij if (0) { 3314296341Sdelphij f_err: 3315296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 3316296341Sdelphij err: 3317296341Sdelphij s->state = SSL_ST_ERR; 3318296341Sdelphij } 331955714Skris 3320296341Sdelphij if (x != NULL) 3321296341Sdelphij X509_free(x); 3322296341Sdelphij if (sk != NULL) 3323296341Sdelphij sk_X509_pop_free(sk, X509_free); 3324296341Sdelphij return (ret); 3325296341Sdelphij} 3326296341Sdelphij 332755714Skrisint ssl3_send_server_certificate(SSL *s) 3328296341Sdelphij{ 3329296341Sdelphij unsigned long l; 3330296341Sdelphij X509 *x; 333155714Skris 3332296341Sdelphij if (s->state == SSL3_ST_SW_CERT_A) { 3333296341Sdelphij x = ssl_get_server_send_cert(s); 3334296341Sdelphij if (x == NULL) { 3335296341Sdelphij /* VRS: allow null cert if auth == KRB5 */ 3336296341Sdelphij if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3337296341Sdelphij (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) { 3338296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, 3339296341Sdelphij ERR_R_INTERNAL_ERROR); 3340296341Sdelphij s->state = SSL_ST_ERR; 3341296341Sdelphij return (0); 3342296341Sdelphij } 3343296341Sdelphij } 334455714Skris 3345296341Sdelphij l = ssl3_output_cert_chain(s, x); 3346296341Sdelphij if (!l) { 3347296341Sdelphij SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3348296341Sdelphij s->state = SSL_ST_ERR; 3349296341Sdelphij return (0); 3350296341Sdelphij } 3351296341Sdelphij s->state = SSL3_ST_SW_CERT_B; 3352296341Sdelphij s->init_num = (int)l; 3353296341Sdelphij s->init_off = 0; 3354296341Sdelphij } 335555714Skris 3356296341Sdelphij /* SSL3_ST_SW_CERT_B */ 3357296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 3358296341Sdelphij} 3359160814Ssimon 3360194206Ssimon#ifndef OPENSSL_NO_TLSEXT 3361238405Sjkim/* send a new session ticket (not necessarily for a new session) */ 3362194206Ssimonint ssl3_send_newsession_ticket(SSL *s) 3363296341Sdelphij{ 3364296341Sdelphij unsigned char *senc = NULL; 3365296341Sdelphij EVP_CIPHER_CTX ctx; 3366296341Sdelphij HMAC_CTX hctx; 3367194206Ssimon 3368296341Sdelphij if (s->state == SSL3_ST_SW_SESSION_TICKET_A) { 3369296341Sdelphij unsigned char *p, *macstart; 3370296341Sdelphij const unsigned char *const_p; 3371296341Sdelphij int len, slen_full, slen; 3372296341Sdelphij SSL_SESSION *sess; 3373296341Sdelphij unsigned int hlen; 3374296341Sdelphij SSL_CTX *tctx = s->initial_ctx; 3375296341Sdelphij unsigned char iv[EVP_MAX_IV_LENGTH]; 3376296341Sdelphij unsigned char key_name[16]; 3377238405Sjkim 3378296341Sdelphij /* get session encoding length */ 3379296341Sdelphij slen_full = i2d_SSL_SESSION(s->session, NULL); 3380296341Sdelphij /* 3381296341Sdelphij * Some length values are 16 bits, so forget it if session is too 3382296341Sdelphij * long 3383296341Sdelphij */ 3384296341Sdelphij if (slen_full == 0 || slen_full > 0xFF00) { 3385296341Sdelphij s->state = SSL_ST_ERR; 3386296341Sdelphij return -1; 3387296341Sdelphij } 3388296341Sdelphij senc = OPENSSL_malloc(slen_full); 3389296341Sdelphij if (!senc) { 3390296341Sdelphij s->state = SSL_ST_ERR; 3391296341Sdelphij return -1; 3392296341Sdelphij } 3393238405Sjkim 3394296341Sdelphij EVP_CIPHER_CTX_init(&ctx); 3395296341Sdelphij HMAC_CTX_init(&hctx); 3396238405Sjkim 3397296341Sdelphij p = senc; 3398296341Sdelphij if (!i2d_SSL_SESSION(s->session, &p)) 3399296341Sdelphij goto err; 3400194206Ssimon 3401296341Sdelphij /* 3402296341Sdelphij * create a fresh copy (not shared with other threads) to clean up 3403296341Sdelphij */ 3404296341Sdelphij const_p = senc; 3405296341Sdelphij sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3406296341Sdelphij if (sess == NULL) 3407296341Sdelphij goto err; 3408296341Sdelphij sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3409238405Sjkim 3410296341Sdelphij slen = i2d_SSL_SESSION(sess, NULL); 3411296341Sdelphij if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */ 3412296341Sdelphij SSL_SESSION_free(sess); 3413296341Sdelphij goto err; 3414296341Sdelphij } 3415296341Sdelphij p = senc; 3416296341Sdelphij if (!i2d_SSL_SESSION(sess, &p)) { 3417296341Sdelphij SSL_SESSION_free(sess); 3418296341Sdelphij goto err; 3419296341Sdelphij } 3420296341Sdelphij SSL_SESSION_free(sess); 3421238405Sjkim 3422296341Sdelphij /*- 3423296341Sdelphij * Grow buffer if need be: the length calculation is as 3424296341Sdelphij * follows 1 (size of message name) + 3 (message length 3425296341Sdelphij * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3426296341Sdelphij * 16 (key name) + max_iv_len (iv length) + 3427296341Sdelphij * session_length + max_enc_block_size (max encrypted session 3428296341Sdelphij * length) + max_md_size (HMAC). 3429296341Sdelphij */ 3430296341Sdelphij if (!BUF_MEM_grow(s->init_buf, 3431296341Sdelphij 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3432296341Sdelphij EVP_MAX_MD_SIZE + slen)) 3433296341Sdelphij goto err; 3434194206Ssimon 3435296341Sdelphij p = (unsigned char *)s->init_buf->data; 3436296341Sdelphij /* do the header */ 3437296341Sdelphij *(p++) = SSL3_MT_NEWSESSION_TICKET; 3438296341Sdelphij /* Skip message length for now */ 3439296341Sdelphij p += 3; 3440296341Sdelphij /* 3441296341Sdelphij * Initialize HMAC and cipher contexts. If callback present it does 3442296341Sdelphij * all the work otherwise use generated values from parent ctx. 3443296341Sdelphij */ 3444296341Sdelphij if (tctx->tlsext_ticket_key_cb) { 3445296341Sdelphij if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3446296341Sdelphij &hctx, 1) < 0) 3447296341Sdelphij goto err; 3448296341Sdelphij } else { 3449296341Sdelphij if (RAND_bytes(iv, 16) <= 0) 3450296341Sdelphij goto err; 3451296341Sdelphij if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3452296341Sdelphij tctx->tlsext_tick_aes_key, iv)) 3453296341Sdelphij goto err; 3454296341Sdelphij if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3455296341Sdelphij tlsext_tick_md(), NULL)) 3456296341Sdelphij goto err; 3457296341Sdelphij memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3458296341Sdelphij } 3459194206Ssimon 3460296341Sdelphij /* 3461296341Sdelphij * Ticket lifetime hint (advisory only): We leave this unspecified 3462296341Sdelphij * for resumed session (for simplicity), and guess that tickets for 3463296341Sdelphij * new sessions will live as long as their sessions. 3464296341Sdelphij */ 3465296341Sdelphij l2n(s->hit ? 0 : s->session->timeout, p); 3466194206Ssimon 3467296341Sdelphij /* Skip ticket length for now */ 3468296341Sdelphij p += 2; 3469296341Sdelphij /* Output key name */ 3470296341Sdelphij macstart = p; 3471296341Sdelphij memcpy(p, key_name, 16); 3472296341Sdelphij p += 16; 3473296341Sdelphij /* output IV */ 3474296341Sdelphij memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 3475296341Sdelphij p += EVP_CIPHER_CTX_iv_length(&ctx); 3476296341Sdelphij /* Encrypt session data */ 3477296341Sdelphij if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen)) 3478296341Sdelphij goto err; 3479296341Sdelphij p += len; 3480296341Sdelphij if (!EVP_EncryptFinal(&ctx, p, &len)) 3481296341Sdelphij goto err; 3482296341Sdelphij p += len; 3483194206Ssimon 3484296341Sdelphij if (!HMAC_Update(&hctx, macstart, p - macstart)) 3485296341Sdelphij goto err; 3486296341Sdelphij if (!HMAC_Final(&hctx, p, &hlen)) 3487296341Sdelphij goto err; 3488194206Ssimon 3489296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 3490296341Sdelphij HMAC_CTX_cleanup(&hctx); 3491296341Sdelphij 3492296341Sdelphij p += hlen; 3493296341Sdelphij /* Now write out lengths: p points to end of data written */ 3494296341Sdelphij /* Total length */ 3495296341Sdelphij len = p - (unsigned char *)s->init_buf->data; 3496296341Sdelphij p = (unsigned char *)s->init_buf->data + 1; 3497296341Sdelphij l2n3(len - 4, p); /* Message length */ 3498296341Sdelphij p += 4; 3499296341Sdelphij s2n(len - 10, p); /* Ticket length */ 3500296341Sdelphij 3501296341Sdelphij /* number of bytes to write */ 3502296341Sdelphij s->init_num = len; 3503296341Sdelphij s->state = SSL3_ST_SW_SESSION_TICKET_B; 3504296341Sdelphij s->init_off = 0; 3505296341Sdelphij OPENSSL_free(senc); 3506296341Sdelphij } 3507296341Sdelphij 3508296341Sdelphij /* SSL3_ST_SW_SESSION_TICKET_B */ 3509296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 3510296341Sdelphij err: 3511296341Sdelphij if (senc) 3512296341Sdelphij OPENSSL_free(senc); 3513296341Sdelphij EVP_CIPHER_CTX_cleanup(&ctx); 3514296341Sdelphij HMAC_CTX_cleanup(&hctx); 3515296341Sdelphij s->state = SSL_ST_ERR; 3516296341Sdelphij return -1; 3517296341Sdelphij} 3518296341Sdelphij 3519194206Ssimonint ssl3_send_cert_status(SSL *s) 3520296341Sdelphij{ 3521296341Sdelphij if (s->state == SSL3_ST_SW_CERT_STATUS_A) { 3522296341Sdelphij unsigned char *p; 3523296341Sdelphij /*- 3524296341Sdelphij * Grow buffer if need be: the length calculation is as 3525296341Sdelphij * follows 1 (message type) + 3 (message length) + 3526296341Sdelphij * 1 (ocsp response type) + 3 (ocsp response length) 3527296341Sdelphij * + (ocsp response) 3528296341Sdelphij */ 3529296341Sdelphij if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) { 3530296341Sdelphij s->state = SSL_ST_ERR; 3531296341Sdelphij return -1; 3532296341Sdelphij } 3533194206Ssimon 3534296341Sdelphij p = (unsigned char *)s->init_buf->data; 3535194206Ssimon 3536296341Sdelphij /* do the header */ 3537296341Sdelphij *(p++) = SSL3_MT_CERTIFICATE_STATUS; 3538296341Sdelphij /* message length */ 3539296341Sdelphij l2n3(s->tlsext_ocsp_resplen + 4, p); 3540296341Sdelphij /* status type */ 3541296341Sdelphij *(p++) = s->tlsext_status_type; 3542296341Sdelphij /* length of OCSP response */ 3543296341Sdelphij l2n3(s->tlsext_ocsp_resplen, p); 3544296341Sdelphij /* actual response */ 3545296341Sdelphij memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3546296341Sdelphij /* number of bytes to write */ 3547296341Sdelphij s->init_num = 8 + s->tlsext_ocsp_resplen; 3548296341Sdelphij s->state = SSL3_ST_SW_CERT_STATUS_B; 3549296341Sdelphij s->init_off = 0; 3550296341Sdelphij } 3551194206Ssimon 3552296341Sdelphij /* SSL3_ST_SW_CERT_STATUS_B */ 3553296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 3554296341Sdelphij} 3555238405Sjkim 3556238405Sjkim# ifndef OPENSSL_NO_NEXTPROTONEG 3557296341Sdelphij/* 3558296341Sdelphij * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. 3559296341Sdelphij * It sets the next_proto member in s if found 3560296341Sdelphij */ 3561238405Sjkimint ssl3_get_next_proto(SSL *s) 3562296341Sdelphij{ 3563296341Sdelphij int ok; 3564296341Sdelphij int proto_len, padding_len; 3565296341Sdelphij long n; 3566296341Sdelphij const unsigned char *p; 3567238405Sjkim 3568296341Sdelphij /* 3569296341Sdelphij * Clients cannot send a NextProtocol message if we didn't see the 3570296341Sdelphij * extension in their ClientHello 3571296341Sdelphij */ 3572296341Sdelphij if (!s->s3->next_proto_neg_seen) { 3573296341Sdelphij SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, 3574296341Sdelphij SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3575296341Sdelphij s->state = SSL_ST_ERR; 3576296341Sdelphij return -1; 3577296341Sdelphij } 3578238405Sjkim 3579296341Sdelphij /* See the payload format below */ 3580296341Sdelphij n = s->method->ssl_get_message(s, 3581296341Sdelphij SSL3_ST_SR_NEXT_PROTO_A, 3582296341Sdelphij SSL3_ST_SR_NEXT_PROTO_B, 3583296341Sdelphij SSL3_MT_NEXT_PROTO, 514, &ok); 3584238405Sjkim 3585296341Sdelphij if (!ok) 3586296341Sdelphij return ((int)n); 3587238405Sjkim 3588296341Sdelphij /* 3589296341Sdelphij * s->state doesn't reflect whether ChangeCipherSpec has been received in 3590296341Sdelphij * this handshake, but s->s3->change_cipher_spec does (will be reset by 3591296341Sdelphij * ssl3_get_finished). 3592296341Sdelphij */ 3593296341Sdelphij if (!s->s3->change_cipher_spec) { 3594296341Sdelphij SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3595296341Sdelphij s->state = SSL_ST_ERR; 3596296341Sdelphij return -1; 3597296341Sdelphij } 3598238405Sjkim 3599296341Sdelphij if (n < 2) { 3600296341Sdelphij s->state = SSL_ST_ERR; 3601296341Sdelphij return 0; /* The body must be > 1 bytes long */ 3602296341Sdelphij } 3603238405Sjkim 3604296341Sdelphij p = (unsigned char *)s->init_msg; 3605238405Sjkim 3606296341Sdelphij /*- 3607296341Sdelphij * The payload looks like: 3608296341Sdelphij * uint8 proto_len; 3609296341Sdelphij * uint8 proto[proto_len]; 3610296341Sdelphij * uint8 padding_len; 3611296341Sdelphij * uint8 padding[padding_len]; 3612296341Sdelphij */ 3613296341Sdelphij proto_len = p[0]; 3614296341Sdelphij if (proto_len + 2 > s->init_num) { 3615296341Sdelphij s->state = SSL_ST_ERR; 3616296341Sdelphij return 0; 3617296341Sdelphij } 3618296341Sdelphij padding_len = p[proto_len + 1]; 3619296341Sdelphij if (proto_len + padding_len + 2 != s->init_num) { 3620296341Sdelphij s->state = SSL_ST_ERR; 3621296341Sdelphij return 0; 3622296341Sdelphij } 3623238405Sjkim 3624296341Sdelphij s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3625296341Sdelphij if (!s->next_proto_negotiated) { 3626296341Sdelphij SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); 3627296341Sdelphij s->state = SSL_ST_ERR; 3628296341Sdelphij return 0; 3629296341Sdelphij } 3630296341Sdelphij memcpy(s->next_proto_negotiated, p + 1, proto_len); 3631296341Sdelphij s->next_proto_negotiated_len = proto_len; 3632238405Sjkim 3633296341Sdelphij return 1; 3634296341Sdelphij} 3635238405Sjkim# endif 3636194206Ssimon#endif 3637