s3_srvr.c 124 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678
  1. /* ssl/s3_srvr.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  113. *
  114. * Portions of the attached software ("Contribution") are developed by
  115. * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
  116. *
  117. * The Contribution is licensed pursuant to the OpenSSL open source
  118. * license provided above.
  119. *
  120. * ECC cipher suite support in OpenSSL originally written by
  121. * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
  122. *
  123. */
  124. /* ====================================================================
  125. * Copyright 2005 Nokia. All rights reserved.
  126. *
  127. * The portions of the attached software ("Contribution") is developed by
  128. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  129. * license.
  130. *
  131. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  132. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  133. * support (see RFC 4279) to OpenSSL.
  134. *
  135. * No patent licenses or other rights except those expressly stated in
  136. * the OpenSSL open source license shall be deemed granted or received
  137. * expressly, by implication, estoppel, or otherwise.
  138. *
  139. * No assurances are provided by Nokia that the Contribution does not
  140. * infringe the patent or other intellectual property rights of any third
  141. * party or that the license provides you with all the necessary rights
  142. * to make use of the Contribution.
  143. *
  144. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  145. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  146. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  147. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  148. * OTHERWISE.
  149. */
  150. #define REUSE_CIPHER_BUG
  151. #define NETSCAPE_HANG_BUG
  152. #include <stdio.h>
  153. #include "ssl_locl.h"
  154. #include "kssl_lcl.h"
  155. #include "../crypto/constant_time_locl.h"
  156. #include <openssl/buffer.h>
  157. #include <openssl/rand.h>
  158. #include <openssl/objects.h>
  159. #include <openssl/evp.h>
  160. #include <openssl/hmac.h>
  161. #include <openssl/x509.h>
  162. #ifndef OPENSSL_NO_DH
  163. # include <openssl/dh.h>
  164. #endif
  165. #include <openssl/bn.h>
  166. #ifndef OPENSSL_NO_KRB5
  167. # include <openssl/krb5_asn.h>
  168. #endif
  169. #include <openssl/md5.h>
  170. #ifndef OPENSSL_NO_SSL3_METHOD
  171. static const SSL_METHOD *ssl3_get_server_method(int ver);
  172. static const SSL_METHOD *ssl3_get_server_method(int ver)
  173. {
  174. if (ver == SSL3_VERSION)
  175. return (SSLv3_server_method());
  176. else
  177. return (NULL);
  178. }
  179. IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
  180. ssl3_accept,
  181. ssl_undefined_function, ssl3_get_server_method)
  182. #endif
  183. #ifndef OPENSSL_NO_SRP
  184. static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
  185. {
  186. int ret = SSL_ERROR_NONE;
  187. *al = SSL_AD_UNRECOGNIZED_NAME;
  188. if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  189. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  190. if (s->srp_ctx.login == NULL) {
  191. /*
  192. * RFC 5054 says SHOULD reject, we do so if There is no srp
  193. * login name
  194. */
  195. ret = SSL3_AL_FATAL;
  196. *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
  197. } else {
  198. ret = SSL_srp_server_param_with_username(s, al);
  199. }
  200. }
  201. return ret;
  202. }
  203. #endif
  204. int ssl3_accept(SSL *s)
  205. {
  206. BUF_MEM *buf;
  207. unsigned long alg_k, Time = (unsigned long)time(NULL);
  208. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  209. int ret = -1;
  210. int new_state, state, skip = 0;
  211. RAND_add(&Time, sizeof(Time), 0);
  212. ERR_clear_error();
  213. clear_sys_error();
  214. if (s->info_callback != NULL)
  215. cb = s->info_callback;
  216. else if (s->ctx->info_callback != NULL)
  217. cb = s->ctx->info_callback;
  218. /* init things to blank */
  219. s->in_handshake++;
  220. if (!SSL_in_init(s) || SSL_in_before(s))
  221. SSL_clear(s);
  222. if (s->cert == NULL) {
  223. SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
  224. return (-1);
  225. }
  226. #ifndef OPENSSL_NO_HEARTBEATS
  227. /*
  228. * If we're awaiting a HeartbeatResponse, pretend we already got and
  229. * don't await it anymore, because Heartbeats don't make sense during
  230. * handshakes anyway.
  231. */
  232. if (s->tlsext_hb_pending) {
  233. s->tlsext_hb_pending = 0;
  234. s->tlsext_hb_seq++;
  235. }
  236. #endif
  237. for (;;) {
  238. state = s->state;
  239. switch (s->state) {
  240. case SSL_ST_RENEGOTIATE:
  241. s->renegotiate = 1;
  242. /* s->state=SSL_ST_ACCEPT; */
  243. case SSL_ST_BEFORE:
  244. case SSL_ST_ACCEPT:
  245. case SSL_ST_BEFORE | SSL_ST_ACCEPT:
  246. case SSL_ST_OK | SSL_ST_ACCEPT:
  247. s->server = 1;
  248. if (cb != NULL)
  249. cb(s, SSL_CB_HANDSHAKE_START, 1);
  250. if ((s->version >> 8) != 3) {
  251. SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
  252. s->state = SSL_ST_ERR;
  253. return -1;
  254. }
  255. s->type = SSL_ST_ACCEPT;
  256. if (s->init_buf == NULL) {
  257. if ((buf = BUF_MEM_new()) == NULL) {
  258. ret = -1;
  259. s->state = SSL_ST_ERR;
  260. goto end;
  261. }
  262. if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
  263. BUF_MEM_free(buf);
  264. ret = -1;
  265. s->state = SSL_ST_ERR;
  266. goto end;
  267. }
  268. s->init_buf = buf;
  269. }
  270. if (!ssl3_setup_buffers(s)) {
  271. ret = -1;
  272. s->state = SSL_ST_ERR;
  273. goto end;
  274. }
  275. s->init_num = 0;
  276. s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
  277. s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
  278. /*
  279. * Should have been reset by ssl3_get_finished, too.
  280. */
  281. s->s3->change_cipher_spec = 0;
  282. if (s->state != SSL_ST_RENEGOTIATE) {
  283. /*
  284. * Ok, we now need to push on a buffering BIO so that the
  285. * output is sent in a way that TCP likes :-)
  286. */
  287. if (!ssl_init_wbio_buffer(s, 1)) {
  288. ret = -1;
  289. s->state = SSL_ST_ERR;
  290. goto end;
  291. }
  292. if (!ssl3_init_finished_mac(s)) {
  293. ret = -1;
  294. s->state = SSL_ST_ERR;
  295. goto end;
  296. }
  297. s->state = SSL3_ST_SR_CLNT_HELLO_A;
  298. s->ctx->stats.sess_accept++;
  299. } else if (!s->s3->send_connection_binding &&
  300. !(s->options &
  301. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
  302. /*
  303. * Server attempting to renegotiate with client that doesn't
  304. * support secure renegotiation.
  305. */
  306. SSLerr(SSL_F_SSL3_ACCEPT,
  307. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  308. ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
  309. ret = -1;
  310. s->state = SSL_ST_ERR;
  311. goto end;
  312. } else {
  313. /*
  314. * s->state == SSL_ST_RENEGOTIATE, we will just send a
  315. * HelloRequest
  316. */
  317. s->ctx->stats.sess_accept_renegotiate++;
  318. s->state = SSL3_ST_SW_HELLO_REQ_A;
  319. }
  320. break;
  321. case SSL3_ST_SW_HELLO_REQ_A:
  322. case SSL3_ST_SW_HELLO_REQ_B:
  323. s->shutdown = 0;
  324. ret = ssl3_send_hello_request(s);
  325. if (ret <= 0)
  326. goto end;
  327. s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
  328. s->state = SSL3_ST_SW_FLUSH;
  329. s->init_num = 0;
  330. if (!ssl3_init_finished_mac(s)) {
  331. ret = -1;
  332. s->state = SSL_ST_ERR;
  333. goto end;
  334. }
  335. break;
  336. case SSL3_ST_SW_HELLO_REQ_C:
  337. s->state = SSL_ST_OK;
  338. break;
  339. case SSL3_ST_SR_CLNT_HELLO_A:
  340. case SSL3_ST_SR_CLNT_HELLO_B:
  341. case SSL3_ST_SR_CLNT_HELLO_C:
  342. s->shutdown = 0;
  343. ret = ssl3_get_client_hello(s);
  344. if (ret <= 0)
  345. goto end;
  346. #ifndef OPENSSL_NO_SRP
  347. s->state = SSL3_ST_SR_CLNT_HELLO_D;
  348. case SSL3_ST_SR_CLNT_HELLO_D:
  349. {
  350. int al;
  351. if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
  352. /*
  353. * callback indicates firther work to be done
  354. */
  355. s->rwstate = SSL_X509_LOOKUP;
  356. goto end;
  357. }
  358. if (ret != SSL_ERROR_NONE) {
  359. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  360. /*
  361. * This is not really an error but the only means to for
  362. * a client to detect whether srp is supported.
  363. */
  364. if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
  365. SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
  366. ret = -1;
  367. s->state = SSL_ST_ERR;
  368. goto end;
  369. }
  370. }
  371. #endif
  372. s->renegotiate = 2;
  373. s->state = SSL3_ST_SW_SRVR_HELLO_A;
  374. s->init_num = 0;
  375. break;
  376. case SSL3_ST_SW_SRVR_HELLO_A:
  377. case SSL3_ST_SW_SRVR_HELLO_B:
  378. ret = ssl3_send_server_hello(s);
  379. if (ret <= 0)
  380. goto end;
  381. #ifndef OPENSSL_NO_TLSEXT
  382. if (s->hit) {
  383. if (s->tlsext_ticket_expected)
  384. s->state = SSL3_ST_SW_SESSION_TICKET_A;
  385. else
  386. s->state = SSL3_ST_SW_CHANGE_A;
  387. }
  388. #else
  389. if (s->hit)
  390. s->state = SSL3_ST_SW_CHANGE_A;
  391. #endif
  392. else
  393. s->state = SSL3_ST_SW_CERT_A;
  394. s->init_num = 0;
  395. break;
  396. case SSL3_ST_SW_CERT_A:
  397. case SSL3_ST_SW_CERT_B:
  398. /* Check if it is anon DH or anon ECDH, */
  399. /* normal PSK or KRB5 or SRP */
  400. if (!
  401. (s->s3->tmp.
  402. new_cipher->algorithm_auth & (SSL_aNULL | SSL_aKRB5 |
  403. SSL_aSRP))
  404. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  405. ret = ssl3_send_server_certificate(s);
  406. if (ret <= 0)
  407. goto end;
  408. #ifndef OPENSSL_NO_TLSEXT
  409. if (s->tlsext_status_expected)
  410. s->state = SSL3_ST_SW_CERT_STATUS_A;
  411. else
  412. s->state = SSL3_ST_SW_KEY_EXCH_A;
  413. } else {
  414. skip = 1;
  415. s->state = SSL3_ST_SW_KEY_EXCH_A;
  416. }
  417. #else
  418. } else
  419. skip = 1;
  420. s->state = SSL3_ST_SW_KEY_EXCH_A;
  421. #endif
  422. s->init_num = 0;
  423. break;
  424. case SSL3_ST_SW_KEY_EXCH_A:
  425. case SSL3_ST_SW_KEY_EXCH_B:
  426. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  427. /*
  428. * clear this, it may get reset by
  429. * send_server_key_exchange
  430. */
  431. s->s3->tmp.use_rsa_tmp = 0;
  432. /*
  433. * only send if a DH key exchange, fortezza or RSA but we have a
  434. * sign only certificate PSK: may send PSK identity hints For
  435. * ECC ciphersuites, we send a serverKeyExchange message only if
  436. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  437. * the server certificate contains the server's public key for
  438. * key exchange.
  439. */
  440. if (0
  441. /*
  442. * PSK: send ServerKeyExchange if PSK identity hint if
  443. * provided
  444. */
  445. #ifndef OPENSSL_NO_PSK
  446. || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
  447. #endif
  448. #ifndef OPENSSL_NO_SRP
  449. /* SRP: send ServerKeyExchange */
  450. || (alg_k & SSL_kSRP)
  451. #endif
  452. || (alg_k & SSL_kEDH)
  453. || (alg_k & SSL_kEECDH)
  454. || ((alg_k & SSL_kRSA)
  455. && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
  456. || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
  457. && EVP_PKEY_size(s->cert->pkeys
  458. [SSL_PKEY_RSA_ENC].privatekey) *
  459. 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
  460. )
  461. )
  462. )
  463. ) {
  464. ret = ssl3_send_server_key_exchange(s);
  465. if (ret <= 0)
  466. goto end;
  467. } else
  468. skip = 1;
  469. s->state = SSL3_ST_SW_CERT_REQ_A;
  470. s->init_num = 0;
  471. break;
  472. case SSL3_ST_SW_CERT_REQ_A:
  473. case SSL3_ST_SW_CERT_REQ_B:
  474. if ( /* don't request cert unless asked for it: */
  475. !(s->verify_mode & SSL_VERIFY_PEER) ||
  476. /*
  477. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  478. * during re-negotiation:
  479. */
  480. (s->s3->tmp.finish_md_len != 0 &&
  481. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  482. /*
  483. * never request cert in anonymous ciphersuites (see
  484. * section "Certificate request" in SSL 3 drafts and in
  485. * RFC 2246):
  486. */
  487. ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  488. /*
  489. * ... except when the application insists on
  490. * verification (against the specs, but s3_clnt.c accepts
  491. * this for SSL 3)
  492. */
  493. !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
  494. /*
  495. * never request cert in Kerberos ciphersuites
  496. */
  497. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) ||
  498. /* don't request certificate for SRP auth */
  499. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
  500. /*
  501. * With normal PSK Certificates and Certificate Requests
  502. * are omitted
  503. */
  504. || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  505. /* no cert request */
  506. skip = 1;
  507. s->s3->tmp.cert_request = 0;
  508. s->state = SSL3_ST_SW_SRVR_DONE_A;
  509. if (s->s3->handshake_buffer) {
  510. if (!ssl3_digest_cached_records(s)) {
  511. s->state = SSL_ST_ERR;
  512. return -1;
  513. }
  514. }
  515. } else {
  516. s->s3->tmp.cert_request = 1;
  517. ret = ssl3_send_certificate_request(s);
  518. if (ret <= 0)
  519. goto end;
  520. #ifndef NETSCAPE_HANG_BUG
  521. s->state = SSL3_ST_SW_SRVR_DONE_A;
  522. #else
  523. s->state = SSL3_ST_SW_FLUSH;
  524. s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
  525. #endif
  526. s->init_num = 0;
  527. }
  528. break;
  529. case SSL3_ST_SW_SRVR_DONE_A:
  530. case SSL3_ST_SW_SRVR_DONE_B:
  531. ret = ssl3_send_server_done(s);
  532. if (ret <= 0)
  533. goto end;
  534. s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
  535. s->state = SSL3_ST_SW_FLUSH;
  536. s->init_num = 0;
  537. break;
  538. case SSL3_ST_SW_FLUSH:
  539. /*
  540. * This code originally checked to see if any data was pending
  541. * using BIO_CTRL_INFO and then flushed. This caused problems as
  542. * documented in PR#1939. The proposed fix doesn't completely
  543. * resolve this issue as buggy implementations of
  544. * BIO_CTRL_PENDING still exist. So instead we just flush
  545. * unconditionally.
  546. */
  547. s->rwstate = SSL_WRITING;
  548. if (BIO_flush(s->wbio) <= 0) {
  549. ret = -1;
  550. goto end;
  551. }
  552. s->rwstate = SSL_NOTHING;
  553. s->state = s->s3->tmp.next_state;
  554. break;
  555. case SSL3_ST_SR_CERT_A:
  556. case SSL3_ST_SR_CERT_B:
  557. if (s->s3->tmp.cert_request) {
  558. ret = ssl3_get_client_certificate(s);
  559. if (ret <= 0)
  560. goto end;
  561. }
  562. s->init_num = 0;
  563. s->state = SSL3_ST_SR_KEY_EXCH_A;
  564. break;
  565. case SSL3_ST_SR_KEY_EXCH_A:
  566. case SSL3_ST_SR_KEY_EXCH_B:
  567. ret = ssl3_get_client_key_exchange(s);
  568. if (ret <= 0)
  569. goto end;
  570. if (ret == 2) {
  571. /*
  572. * For the ECDH ciphersuites when the client sends its ECDH
  573. * pub key in a certificate, the CertificateVerify message is
  574. * not sent. Also for GOST ciphersuites when the client uses
  575. * its key from the certificate for key exchange.
  576. */
  577. #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
  578. s->state = SSL3_ST_SR_FINISHED_A;
  579. #else
  580. if (s->s3->next_proto_neg_seen)
  581. s->state = SSL3_ST_SR_NEXT_PROTO_A;
  582. else
  583. s->state = SSL3_ST_SR_FINISHED_A;
  584. #endif
  585. s->init_num = 0;
  586. } else if (SSL_USE_SIGALGS(s)) {
  587. s->state = SSL3_ST_SR_CERT_VRFY_A;
  588. s->init_num = 0;
  589. if (!s->session->peer)
  590. break;
  591. /*
  592. * For sigalgs freeze the handshake buffer at this point and
  593. * digest cached records.
  594. */
  595. if (!s->s3->handshake_buffer) {
  596. SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
  597. s->state = SSL_ST_ERR;
  598. return -1;
  599. }
  600. s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
  601. if (!ssl3_digest_cached_records(s)) {
  602. s->state = SSL_ST_ERR;
  603. return -1;
  604. }
  605. } else {
  606. int offset = 0;
  607. int dgst_num;
  608. s->state = SSL3_ST_SR_CERT_VRFY_A;
  609. s->init_num = 0;
  610. /*
  611. * We need to get hashes here so if there is a client cert,
  612. * it can be verified FIXME - digest processing for
  613. * CertificateVerify should be generalized. But it is next
  614. * step
  615. */
  616. if (s->s3->handshake_buffer) {
  617. if (!ssl3_digest_cached_records(s)) {
  618. s->state = SSL_ST_ERR;
  619. return -1;
  620. }
  621. }
  622. for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
  623. if (s->s3->handshake_dgst[dgst_num]) {
  624. int dgst_size;
  625. s->method->ssl3_enc->cert_verify_mac(s,
  626. EVP_MD_CTX_type
  627. (s->
  628. s3->handshake_dgst
  629. [dgst_num]),
  630. &(s->s3->
  631. tmp.cert_verify_md
  632. [offset]));
  633. dgst_size =
  634. EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
  635. if (dgst_size < 0) {
  636. s->state = SSL_ST_ERR;
  637. ret = -1;
  638. goto end;
  639. }
  640. offset += dgst_size;
  641. }
  642. }
  643. break;
  644. case SSL3_ST_SR_CERT_VRFY_A:
  645. case SSL3_ST_SR_CERT_VRFY_B:
  646. ret = ssl3_get_cert_verify(s);
  647. if (ret <= 0)
  648. goto end;
  649. #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
  650. s->state = SSL3_ST_SR_FINISHED_A;
  651. #else
  652. if (s->s3->next_proto_neg_seen)
  653. s->state = SSL3_ST_SR_NEXT_PROTO_A;
  654. else
  655. s->state = SSL3_ST_SR_FINISHED_A;
  656. #endif
  657. s->init_num = 0;
  658. break;
  659. #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
  660. case SSL3_ST_SR_NEXT_PROTO_A:
  661. case SSL3_ST_SR_NEXT_PROTO_B:
  662. /*
  663. * Enable CCS for NPN. Receiving a CCS clears the flag, so make
  664. * sure not to re-enable it to ban duplicates. This *should* be the
  665. * first time we have received one - but we check anyway to be
  666. * cautious.
  667. * s->s3->change_cipher_spec is set when a CCS is
  668. * processed in s3_pkt.c, and remains set until
  669. * the client's Finished message is read.
  670. */
  671. if (!s->s3->change_cipher_spec)
  672. s->s3->flags |= SSL3_FLAGS_CCS_OK;
  673. ret = ssl3_get_next_proto(s);
  674. if (ret <= 0)
  675. goto end;
  676. s->init_num = 0;
  677. s->state = SSL3_ST_SR_FINISHED_A;
  678. break;
  679. #endif
  680. case SSL3_ST_SR_FINISHED_A:
  681. case SSL3_ST_SR_FINISHED_B:
  682. /*
  683. * Enable CCS for handshakes without NPN. In NPN the CCS flag has
  684. * already been set. Receiving a CCS clears the flag, so make
  685. * sure not to re-enable it to ban duplicates.
  686. * s->s3->change_cipher_spec is set when a CCS is
  687. * processed in s3_pkt.c, and remains set until
  688. * the client's Finished message is read.
  689. */
  690. if (!s->s3->change_cipher_spec)
  691. s->s3->flags |= SSL3_FLAGS_CCS_OK;
  692. ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
  693. SSL3_ST_SR_FINISHED_B);
  694. if (ret <= 0)
  695. goto end;
  696. if (s->hit)
  697. s->state = SSL_ST_OK;
  698. #ifndef OPENSSL_NO_TLSEXT
  699. else if (s->tlsext_ticket_expected)
  700. s->state = SSL3_ST_SW_SESSION_TICKET_A;
  701. #endif
  702. else
  703. s->state = SSL3_ST_SW_CHANGE_A;
  704. s->init_num = 0;
  705. break;
  706. #ifndef OPENSSL_NO_TLSEXT
  707. case SSL3_ST_SW_SESSION_TICKET_A:
  708. case SSL3_ST_SW_SESSION_TICKET_B:
  709. ret = ssl3_send_newsession_ticket(s);
  710. if (ret <= 0)
  711. goto end;
  712. s->state = SSL3_ST_SW_CHANGE_A;
  713. s->init_num = 0;
  714. break;
  715. case SSL3_ST_SW_CERT_STATUS_A:
  716. case SSL3_ST_SW_CERT_STATUS_B:
  717. ret = ssl3_send_cert_status(s);
  718. if (ret <= 0)
  719. goto end;
  720. s->state = SSL3_ST_SW_KEY_EXCH_A;
  721. s->init_num = 0;
  722. break;
  723. #endif
  724. case SSL3_ST_SW_CHANGE_A:
  725. case SSL3_ST_SW_CHANGE_B:
  726. s->session->cipher = s->s3->tmp.new_cipher;
  727. if (!s->method->ssl3_enc->setup_key_block(s)) {
  728. ret = -1;
  729. s->state = SSL_ST_ERR;
  730. goto end;
  731. }
  732. ret = ssl3_send_change_cipher_spec(s,
  733. SSL3_ST_SW_CHANGE_A,
  734. SSL3_ST_SW_CHANGE_B);
  735. if (ret <= 0)
  736. goto end;
  737. s->state = SSL3_ST_SW_FINISHED_A;
  738. s->init_num = 0;
  739. if (!s->method->ssl3_enc->change_cipher_state(s,
  740. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  741. {
  742. ret = -1;
  743. s->state = SSL_ST_ERR;
  744. goto end;
  745. }
  746. break;
  747. case SSL3_ST_SW_FINISHED_A:
  748. case SSL3_ST_SW_FINISHED_B:
  749. ret = ssl3_send_finished(s,
  750. SSL3_ST_SW_FINISHED_A,
  751. SSL3_ST_SW_FINISHED_B,
  752. s->method->
  753. ssl3_enc->server_finished_label,
  754. s->method->
  755. ssl3_enc->server_finished_label_len);
  756. if (ret <= 0)
  757. goto end;
  758. s->state = SSL3_ST_SW_FLUSH;
  759. if (s->hit) {
  760. #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
  761. s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
  762. #else
  763. if (s->s3->next_proto_neg_seen) {
  764. s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
  765. } else
  766. s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
  767. #endif
  768. } else
  769. s->s3->tmp.next_state = SSL_ST_OK;
  770. s->init_num = 0;
  771. break;
  772. case SSL_ST_OK:
  773. /* clean a few things up */
  774. ssl3_cleanup_key_block(s);
  775. BUF_MEM_free(s->init_buf);
  776. s->init_buf = NULL;
  777. /* remove buffering on output */
  778. ssl_free_wbio_buffer(s);
  779. s->init_num = 0;
  780. if (s->renegotiate == 2) { /* skipped if we just sent a
  781. * HelloRequest */
  782. s->renegotiate = 0;
  783. s->new_session = 0;
  784. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  785. s->ctx->stats.sess_accept_good++;
  786. /* s->server=1; */
  787. s->handshake_func = ssl3_accept;
  788. if (cb != NULL)
  789. cb(s, SSL_CB_HANDSHAKE_DONE, 1);
  790. }
  791. ret = 1;
  792. goto end;
  793. /* break; */
  794. case SSL_ST_ERR:
  795. default:
  796. SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
  797. ret = -1;
  798. goto end;
  799. /* break; */
  800. }
  801. if (!s->s3->tmp.reuse_message && !skip) {
  802. if (s->debug) {
  803. if ((ret = BIO_flush(s->wbio)) <= 0)
  804. goto end;
  805. }
  806. if ((cb != NULL) && (s->state != state)) {
  807. new_state = s->state;
  808. s->state = state;
  809. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  810. s->state = new_state;
  811. }
  812. }
  813. skip = 0;
  814. }
  815. end:
  816. /* BIO_flush(s->wbio); */
  817. s->in_handshake--;
  818. if (cb != NULL)
  819. cb(s, SSL_CB_ACCEPT_EXIT, ret);
  820. return (ret);
  821. }
  822. int ssl3_send_hello_request(SSL *s)
  823. {
  824. if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
  825. ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0);
  826. s->state = SSL3_ST_SW_HELLO_REQ_B;
  827. }
  828. /* SSL3_ST_SW_HELLO_REQ_B */
  829. return ssl_do_write(s);
  830. }
  831. int ssl3_get_client_hello(SSL *s)
  832. {
  833. int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1, cookie_valid = 0;
  834. unsigned int cookie_len;
  835. long n;
  836. unsigned long id;
  837. unsigned char *p, *d;
  838. SSL_CIPHER *c;
  839. #ifndef OPENSSL_NO_COMP
  840. unsigned char *q;
  841. SSL_COMP *comp = NULL;
  842. #endif
  843. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  844. if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
  845. goto retry_cert;
  846. /*
  847. * We do this so that we will respond with our native type. If we are
  848. * TLSv1 and we get SSLv3, we will respond with TLSv1, This down
  849. * switching should be handled by a different method. If we are SSLv3, we
  850. * will respond with SSLv3, even if prompted with TLSv1.
  851. */
  852. if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
  853. s->state = SSL3_ST_SR_CLNT_HELLO_B;
  854. }
  855. s->first_packet = 1;
  856. n = s->method->ssl_get_message(s,
  857. SSL3_ST_SR_CLNT_HELLO_B,
  858. SSL3_ST_SR_CLNT_HELLO_C,
  859. SSL3_MT_CLIENT_HELLO,
  860. SSL3_RT_MAX_PLAIN_LENGTH, &ok);
  861. if (!ok)
  862. return ((int)n);
  863. s->first_packet = 0;
  864. d = p = (unsigned char *)s->init_msg;
  865. /*
  866. * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
  867. * for session id length
  868. */
  869. if (n < 2 + SSL3_RANDOM_SIZE + 1) {
  870. al = SSL_AD_DECODE_ERROR;
  871. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  872. goto f_err;
  873. }
  874. /*
  875. * use version from inside client hello, not from record header (may
  876. * differ: see RFC 2246, Appendix E, second paragraph)
  877. */
  878. s->client_version = (((int)p[0]) << 8) | (int)p[1];
  879. p += 2;
  880. if (SSL_IS_DTLS(s) ? (s->client_version > s->version &&
  881. s->method->version != DTLS_ANY_VERSION)
  882. : (s->client_version < s->version)) {
  883. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
  884. if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
  885. !s->enc_write_ctx && !s->write_hash) {
  886. /*
  887. * similar to ssl3_get_record, send alert using remote version
  888. * number
  889. */
  890. s->version = s->client_version;
  891. }
  892. al = SSL_AD_PROTOCOL_VERSION;
  893. goto f_err;
  894. }
  895. /*
  896. * If we require cookies and this ClientHello doesn't contain one, just
  897. * return since we do not want to allocate any memory yet. So check
  898. * cookie length...
  899. */
  900. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  901. unsigned int session_length, cookie_length;
  902. session_length = *(p + SSL3_RANDOM_SIZE);
  903. if (SSL3_RANDOM_SIZE + session_length + 1
  904. >= (unsigned int)((d + n) - p)) {
  905. al = SSL_AD_DECODE_ERROR;
  906. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  907. goto f_err;
  908. }
  909. cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
  910. if (cookie_length == 0)
  911. return 1;
  912. }
  913. /* load the client random */
  914. memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
  915. p += SSL3_RANDOM_SIZE;
  916. /* get the session-id */
  917. j = *(p++);
  918. if ((d + n) - p < j) {
  919. al = SSL_AD_DECODE_ERROR;
  920. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  921. goto f_err;
  922. }
  923. if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
  924. al = SSL_AD_DECODE_ERROR;
  925. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  926. goto f_err;
  927. }
  928. s->hit = 0;
  929. /*
  930. * Versions before 0.9.7 always allow clients to resume sessions in
  931. * renegotiation. 0.9.7 and later allow this by default, but optionally
  932. * ignore resumption requests with flag
  933. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  934. * than a change to default behavior so that applications relying on this
  935. * for security won't even compile against older library versions).
  936. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  937. * request renegotiation but not a new session (s->new_session remains
  938. * unset): for servers, this essentially just means that the
  939. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be ignored.
  940. */
  941. if ((s->new_session
  942. && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  943. if (!ssl_get_new_session(s, 1))
  944. goto err;
  945. } else {
  946. i = ssl_get_prev_session(s, p, j, d + n);
  947. /*
  948. * Only resume if the session's version matches the negotiated
  949. * version.
  950. * RFC 5246 does not provide much useful advice on resumption
  951. * with a different protocol version. It doesn't forbid it but
  952. * the sanity of such behaviour would be questionable.
  953. * In practice, clients do not accept a version mismatch and
  954. * will abort the handshake with an error.
  955. */
  956. if (i == 1 && s->version == s->session->ssl_version) { /* previous
  957. * session */
  958. s->hit = 1;
  959. } else if (i == -1)
  960. goto err;
  961. else { /* i == 0 */
  962. if (!ssl_get_new_session(s, 1))
  963. goto err;
  964. }
  965. }
  966. p += j;
  967. if (SSL_IS_DTLS(s)) {
  968. /* cookie stuff */
  969. if ((d + n) - p < 1) {
  970. al = SSL_AD_DECODE_ERROR;
  971. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  972. goto f_err;
  973. }
  974. cookie_len = *(p++);
  975. if ((unsigned int)((d + n ) - p) < cookie_len) {
  976. al = SSL_AD_DECODE_ERROR;
  977. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  978. goto f_err;
  979. }
  980. /*
  981. * The ClientHello may contain a cookie even if the
  982. * HelloVerify message has not been sent--make sure that it
  983. * does not cause an overflow.
  984. */
  985. if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
  986. /* too much data */
  987. al = SSL_AD_DECODE_ERROR;
  988. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
  989. goto f_err;
  990. }
  991. /* verify the cookie if appropriate option is set. */
  992. if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && cookie_len > 0) {
  993. memcpy(s->d1->rcvd_cookie, p, cookie_len);
  994. if (s->ctx->app_verify_cookie_cb != NULL) {
  995. if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
  996. cookie_len) == 0) {
  997. al = SSL_AD_HANDSHAKE_FAILURE;
  998. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  999. SSL_R_COOKIE_MISMATCH);
  1000. goto f_err;
  1001. }
  1002. /* else cookie verification succeeded */
  1003. }
  1004. /* default verification */
  1005. else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
  1006. s->d1->cookie_len) != 0) {
  1007. al = SSL_AD_HANDSHAKE_FAILURE;
  1008. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
  1009. goto f_err;
  1010. }
  1011. cookie_valid = 1;
  1012. }
  1013. p += cookie_len;
  1014. if (s->method->version == DTLS_ANY_VERSION) {
  1015. /* Select version to use */
  1016. if (s->client_version <= DTLS1_2_VERSION &&
  1017. !(s->options & SSL_OP_NO_DTLSv1_2)) {
  1018. s->version = DTLS1_2_VERSION;
  1019. s->method = DTLSv1_2_server_method();
  1020. } else if (tls1_suiteb(s)) {
  1021. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1022. SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
  1023. s->version = s->client_version;
  1024. al = SSL_AD_PROTOCOL_VERSION;
  1025. goto f_err;
  1026. } else if (s->client_version <= DTLS1_VERSION &&
  1027. !(s->options & SSL_OP_NO_DTLSv1)) {
  1028. s->version = DTLS1_VERSION;
  1029. s->method = DTLSv1_server_method();
  1030. } else {
  1031. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1032. SSL_R_WRONG_VERSION_NUMBER);
  1033. s->version = s->client_version;
  1034. al = SSL_AD_PROTOCOL_VERSION;
  1035. goto f_err;
  1036. }
  1037. s->session->ssl_version = s->version;
  1038. }
  1039. }
  1040. if ((d + n ) - p < 2) {
  1041. al = SSL_AD_DECODE_ERROR;
  1042. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
  1043. goto f_err;
  1044. }
  1045. n2s(p, i);
  1046. if (i == 0) {
  1047. al = SSL_AD_ILLEGAL_PARAMETER;
  1048. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
  1049. goto f_err;
  1050. }
  1051. /* i bytes of cipher data + 1 byte for compression length later */
  1052. if ((d + n) - p < i + 1) {
  1053. /* not enough data */
  1054. al = SSL_AD_DECODE_ERROR;
  1055. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1056. goto f_err;
  1057. }
  1058. if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
  1059. goto err;
  1060. }
  1061. p += i;
  1062. /* If it is a hit, check that the cipher is in the list */
  1063. if (s->hit) {
  1064. j = 0;
  1065. id = s->session->cipher->id;
  1066. #ifdef CIPHER_DEBUG
  1067. fprintf(stderr, "client sent %d ciphers\n",
  1068. sk_SSL_CIPHER_num(ciphers));
  1069. #endif
  1070. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1071. c = sk_SSL_CIPHER_value(ciphers, i);
  1072. #ifdef CIPHER_DEBUG
  1073. fprintf(stderr, "client [%2d of %2d]:%s\n",
  1074. i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1075. #endif
  1076. if (c->id == id) {
  1077. j = 1;
  1078. break;
  1079. }
  1080. }
  1081. /*
  1082. * Disabled because it can be used in a ciphersuite downgrade attack:
  1083. * CVE-2010-4180.
  1084. */
  1085. #if 0
  1086. if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
  1087. && (sk_SSL_CIPHER_num(ciphers) == 1)) {
  1088. /*
  1089. * Special case as client bug workaround: the previously used
  1090. * cipher may not be in the current list, the client instead
  1091. * might be trying to continue using a cipher that before wasn't
  1092. * chosen due to server preferences. We'll have to reject the
  1093. * connection if the cipher is not enabled, though.
  1094. */
  1095. c = sk_SSL_CIPHER_value(ciphers, 0);
  1096. if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
  1097. s->session->cipher = c;
  1098. j = 1;
  1099. }
  1100. }
  1101. #endif
  1102. if (j == 0) {
  1103. /*
  1104. * we need to have the cipher in the cipher list if we are asked
  1105. * to reuse it
  1106. */
  1107. al = SSL_AD_ILLEGAL_PARAMETER;
  1108. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1109. SSL_R_REQUIRED_CIPHER_MISSING);
  1110. goto f_err;
  1111. }
  1112. }
  1113. /* compression */
  1114. i = *(p++);
  1115. if ((d + n) - p < i) {
  1116. /* not enough data */
  1117. al = SSL_AD_DECODE_ERROR;
  1118. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1119. goto f_err;
  1120. }
  1121. #ifndef OPENSSL_NO_COMP
  1122. q = p;
  1123. #endif
  1124. for (j = 0; j < i; j++) {
  1125. if (p[j] == 0)
  1126. break;
  1127. }
  1128. p += i;
  1129. if (j >= i) {
  1130. /* no compress */
  1131. al = SSL_AD_DECODE_ERROR;
  1132. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
  1133. goto f_err;
  1134. }
  1135. #ifndef OPENSSL_NO_TLSEXT
  1136. /* TLS extensions */
  1137. if (s->version >= SSL3_VERSION) {
  1138. if (!ssl_parse_clienthello_tlsext(s, &p, d + n)) {
  1139. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
  1140. goto err;
  1141. }
  1142. }
  1143. /*
  1144. * Check if we want to use external pre-shared secret for this handshake
  1145. * for not reused session only. We need to generate server_random before
  1146. * calling tls_session_secret_cb in order to allow SessionTicket
  1147. * processing to use it in key derivation.
  1148. */
  1149. {
  1150. unsigned char *pos;
  1151. pos = s->s3->server_random;
  1152. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
  1153. goto f_err;
  1154. }
  1155. }
  1156. if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
  1157. SSL_CIPHER *pref_cipher = NULL;
  1158. s->session->master_key_length = sizeof(s->session->master_key);
  1159. if (s->tls_session_secret_cb(s, s->session->master_key,
  1160. &s->session->master_key_length, ciphers,
  1161. &pref_cipher,
  1162. s->tls_session_secret_cb_arg)) {
  1163. s->hit = 1;
  1164. s->session->ciphers = ciphers;
  1165. s->session->verify_result = X509_V_OK;
  1166. ciphers = NULL;
  1167. /* check if some cipher was preferred by call back */
  1168. pref_cipher =
  1169. pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
  1170. s->
  1171. session->ciphers,
  1172. SSL_get_ciphers
  1173. (s));
  1174. if (pref_cipher == NULL) {
  1175. al = SSL_AD_HANDSHAKE_FAILURE;
  1176. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
  1177. goto f_err;
  1178. }
  1179. s->session->cipher = pref_cipher;
  1180. if (s->cipher_list)
  1181. sk_SSL_CIPHER_free(s->cipher_list);
  1182. if (s->cipher_list_by_id)
  1183. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1184. s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1185. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1186. }
  1187. }
  1188. #endif
  1189. /*
  1190. * Worst case, we will use the NULL compression, but if we have other
  1191. * options, we will now look for them. We have i-1 compression
  1192. * algorithms from the client, starting at q.
  1193. */
  1194. s->s3->tmp.new_compression = NULL;
  1195. #ifndef OPENSSL_NO_COMP
  1196. /* This only happens if we have a cache hit */
  1197. if (s->session->compress_meth != 0) {
  1198. int m, comp_id = s->session->compress_meth;
  1199. /* Perform sanity checks on resumed compression algorithm */
  1200. /* Can't disable compression */
  1201. if (s->options & SSL_OP_NO_COMPRESSION) {
  1202. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1203. SSL_R_INCONSISTENT_COMPRESSION);
  1204. goto f_err;
  1205. }
  1206. /* Look for resumed compression method */
  1207. for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
  1208. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1209. if (comp_id == comp->id) {
  1210. s->s3->tmp.new_compression = comp;
  1211. break;
  1212. }
  1213. }
  1214. if (s->s3->tmp.new_compression == NULL) {
  1215. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1216. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1217. goto f_err;
  1218. }
  1219. /* Look for resumed method in compression list */
  1220. for (m = 0; m < i; m++) {
  1221. if (q[m] == comp_id)
  1222. break;
  1223. }
  1224. if (m >= i) {
  1225. al = SSL_AD_ILLEGAL_PARAMETER;
  1226. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  1227. SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
  1228. goto f_err;
  1229. }
  1230. } else if (s->hit)
  1231. comp = NULL;
  1232. else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) {
  1233. /* See if we have a match */
  1234. int m, nn, o, v, done = 0;
  1235. nn = sk_SSL_COMP_num(s->ctx->comp_methods);
  1236. for (m = 0; m < nn; m++) {
  1237. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1238. v = comp->id;
  1239. for (o = 0; o < i; o++) {
  1240. if (v == q[o]) {
  1241. done = 1;
  1242. break;
  1243. }
  1244. }
  1245. if (done)
  1246. break;
  1247. }
  1248. if (done)
  1249. s->s3->tmp.new_compression = comp;
  1250. else
  1251. comp = NULL;
  1252. }
  1253. #else
  1254. /*
  1255. * If compression is disabled we'd better not try to resume a session
  1256. * using compression.
  1257. */
  1258. if (s->session->compress_meth != 0) {
  1259. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
  1260. goto f_err;
  1261. }
  1262. #endif
  1263. /*
  1264. * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
  1265. */
  1266. if (!s->hit) {
  1267. #ifdef OPENSSL_NO_COMP
  1268. s->session->compress_meth = 0;
  1269. #else
  1270. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1271. #endif
  1272. if (s->session->ciphers != NULL)
  1273. sk_SSL_CIPHER_free(s->session->ciphers);
  1274. s->session->ciphers = ciphers;
  1275. if (ciphers == NULL) {
  1276. al = SSL_AD_INTERNAL_ERROR;
  1277. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  1278. goto f_err;
  1279. }
  1280. ciphers = NULL;
  1281. if (!tls1_set_server_sigalgs(s)) {
  1282. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
  1283. goto err;
  1284. }
  1285. /* Let cert callback update server certificates if required */
  1286. retry_cert:
  1287. if (s->cert->cert_cb) {
  1288. int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  1289. if (rv == 0) {
  1290. al = SSL_AD_INTERNAL_ERROR;
  1291. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
  1292. goto f_err;
  1293. }
  1294. if (rv < 0) {
  1295. s->rwstate = SSL_X509_LOOKUP;
  1296. return -1;
  1297. }
  1298. s->rwstate = SSL_NOTHING;
  1299. }
  1300. c = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1301. if (c == NULL) {
  1302. al = SSL_AD_HANDSHAKE_FAILURE;
  1303. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
  1304. goto f_err;
  1305. }
  1306. s->s3->tmp.new_cipher = c;
  1307. } else {
  1308. /* Session-id reuse */
  1309. #ifdef REUSE_CIPHER_BUG
  1310. STACK_OF(SSL_CIPHER) *sk;
  1311. SSL_CIPHER *nc = NULL;
  1312. SSL_CIPHER *ec = NULL;
  1313. if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
  1314. sk = s->session->ciphers;
  1315. for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
  1316. c = sk_SSL_CIPHER_value(sk, i);
  1317. if (c->algorithm_enc & SSL_eNULL)
  1318. nc = c;
  1319. if (SSL_C_IS_EXPORT(c))
  1320. ec = c;
  1321. }
  1322. if (nc != NULL)
  1323. s->s3->tmp.new_cipher = nc;
  1324. else if (ec != NULL)
  1325. s->s3->tmp.new_cipher = ec;
  1326. else
  1327. s->s3->tmp.new_cipher = s->session->cipher;
  1328. } else
  1329. #endif
  1330. s->s3->tmp.new_cipher = s->session->cipher;
  1331. }
  1332. if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
  1333. if (!ssl3_digest_cached_records(s))
  1334. goto f_err;
  1335. }
  1336. /*-
  1337. * we now have the following setup.
  1338. * client_random
  1339. * cipher_list - our prefered list of ciphers
  1340. * ciphers - the clients prefered list of ciphers
  1341. * compression - basically ignored right now
  1342. * ssl version is set - sslv3
  1343. * s->session - The ssl session has been setup.
  1344. * s->hit - session reuse flag
  1345. * s->tmp.new_cipher - the new cipher to use.
  1346. */
  1347. /* Handles TLS extensions that we couldn't check earlier */
  1348. if (s->version >= SSL3_VERSION) {
  1349. if (!ssl_check_clienthello_tlsext_late(s, &al)) {
  1350. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
  1351. goto f_err;
  1352. }
  1353. }
  1354. ret = cookie_valid ? 2 : 1;
  1355. if (0) {
  1356. f_err:
  1357. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  1358. err:
  1359. s->state = SSL_ST_ERR;
  1360. }
  1361. if (ciphers != NULL)
  1362. sk_SSL_CIPHER_free(ciphers);
  1363. return ret;
  1364. }
  1365. int ssl3_send_server_hello(SSL *s)
  1366. {
  1367. unsigned char *buf;
  1368. unsigned char *p, *d;
  1369. int i, sl;
  1370. int al = 0;
  1371. unsigned long l;
  1372. if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
  1373. buf = (unsigned char *)s->init_buf->data;
  1374. #ifdef OPENSSL_NO_TLSEXT
  1375. p = s->s3->server_random;
  1376. if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
  1377. s->state = SSL_ST_ERR;
  1378. return -1;
  1379. }
  1380. #endif
  1381. /* Do the message type and length last */
  1382. d = p = ssl_handshake_start(s);
  1383. *(p++) = s->version >> 8;
  1384. *(p++) = s->version & 0xff;
  1385. /* Random stuff */
  1386. memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
  1387. p += SSL3_RANDOM_SIZE;
  1388. /*-
  1389. * There are several cases for the session ID to send
  1390. * back in the server hello:
  1391. * - For session reuse from the session cache,
  1392. * we send back the old session ID.
  1393. * - If stateless session reuse (using a session ticket)
  1394. * is successful, we send back the client's "session ID"
  1395. * (which doesn't actually identify the session).
  1396. * - If it is a new session, we send back the new
  1397. * session ID.
  1398. * - However, if we want the new session to be single-use,
  1399. * we send back a 0-length session ID.
  1400. * s->hit is non-zero in either case of session reuse,
  1401. * so the following won't overwrite an ID that we're supposed
  1402. * to send back.
  1403. */
  1404. if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
  1405. && !s->hit)
  1406. s->session->session_id_length = 0;
  1407. sl = s->session->session_id_length;
  1408. if (sl > (int)sizeof(s->session->session_id)) {
  1409. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  1410. s->state = SSL_ST_ERR;
  1411. return -1;
  1412. }
  1413. *(p++) = sl;
  1414. memcpy(p, s->session->session_id, sl);
  1415. p += sl;
  1416. /* put the cipher */
  1417. i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
  1418. p += i;
  1419. /* put the compression method */
  1420. #ifdef OPENSSL_NO_COMP
  1421. *(p++) = 0;
  1422. #else
  1423. if (s->s3->tmp.new_compression == NULL)
  1424. *(p++) = 0;
  1425. else
  1426. *(p++) = s->s3->tmp.new_compression->id;
  1427. #endif
  1428. #ifndef OPENSSL_NO_TLSEXT
  1429. if (ssl_prepare_serverhello_tlsext(s) <= 0) {
  1430. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
  1431. s->state = SSL_ST_ERR;
  1432. return -1;
  1433. }
  1434. if ((p =
  1435. ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
  1436. &al)) == NULL) {
  1437. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  1438. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  1439. s->state = SSL_ST_ERR;
  1440. return -1;
  1441. }
  1442. #endif
  1443. /* do the header */
  1444. l = (p - d);
  1445. ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l);
  1446. s->state = SSL3_ST_SW_SRVR_HELLO_B;
  1447. }
  1448. /* SSL3_ST_SW_SRVR_HELLO_B */
  1449. return ssl_do_write(s);
  1450. }
  1451. int ssl3_send_server_done(SSL *s)
  1452. {
  1453. if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
  1454. ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0);
  1455. s->state = SSL3_ST_SW_SRVR_DONE_B;
  1456. }
  1457. /* SSL3_ST_SW_SRVR_DONE_B */
  1458. return ssl_do_write(s);
  1459. }
  1460. int ssl3_send_server_key_exchange(SSL *s)
  1461. {
  1462. #ifndef OPENSSL_NO_RSA
  1463. unsigned char *q;
  1464. int j, num;
  1465. RSA *rsa;
  1466. unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
  1467. unsigned int u;
  1468. #endif
  1469. #ifndef OPENSSL_NO_DH
  1470. # ifdef OPENSSL_NO_RSA
  1471. int j;
  1472. # endif
  1473. DH *dh = NULL, *dhp;
  1474. #endif
  1475. #ifndef OPENSSL_NO_ECDH
  1476. EC_KEY *ecdh = NULL, *ecdhp;
  1477. unsigned char *encodedPoint = NULL;
  1478. int encodedlen = 0;
  1479. int curve_id = 0;
  1480. BN_CTX *bn_ctx = NULL;
  1481. #endif
  1482. EVP_PKEY *pkey;
  1483. const EVP_MD *md = NULL;
  1484. unsigned char *p, *d;
  1485. int al, i;
  1486. unsigned long type;
  1487. int n;
  1488. CERT *cert;
  1489. BIGNUM *r[4];
  1490. int nr[4], kn;
  1491. BUF_MEM *buf;
  1492. EVP_MD_CTX md_ctx;
  1493. EVP_MD_CTX_init(&md_ctx);
  1494. if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
  1495. type = s->s3->tmp.new_cipher->algorithm_mkey;
  1496. cert = s->cert;
  1497. buf = s->init_buf;
  1498. r[0] = r[1] = r[2] = r[3] = NULL;
  1499. n = 0;
  1500. #ifndef OPENSSL_NO_RSA
  1501. if (type & SSL_kRSA) {
  1502. rsa = cert->rsa_tmp;
  1503. if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
  1504. rsa = s->cert->rsa_tmp_cb(s,
  1505. SSL_C_IS_EXPORT(s->s3->
  1506. tmp.new_cipher),
  1507. SSL_C_EXPORT_PKEYLENGTH(s->s3->
  1508. tmp.new_cipher));
  1509. if (rsa == NULL) {
  1510. al = SSL_AD_HANDSHAKE_FAILURE;
  1511. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1512. SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
  1513. goto f_err;
  1514. }
  1515. RSA_up_ref(rsa);
  1516. cert->rsa_tmp = rsa;
  1517. }
  1518. if (rsa == NULL) {
  1519. al = SSL_AD_HANDSHAKE_FAILURE;
  1520. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1521. SSL_R_MISSING_TMP_RSA_KEY);
  1522. goto f_err;
  1523. }
  1524. r[0] = rsa->n;
  1525. r[1] = rsa->e;
  1526. s->s3->tmp.use_rsa_tmp = 1;
  1527. } else
  1528. #endif
  1529. #ifndef OPENSSL_NO_DH
  1530. if (type & SSL_kEDH) {
  1531. dhp = cert->dh_tmp;
  1532. if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
  1533. dhp = s->cert->dh_tmp_cb(s,
  1534. SSL_C_IS_EXPORT(s->s3->
  1535. tmp.new_cipher),
  1536. SSL_C_EXPORT_PKEYLENGTH(s->s3->
  1537. tmp.new_cipher));
  1538. if (dhp == NULL) {
  1539. al = SSL_AD_HANDSHAKE_FAILURE;
  1540. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1541. SSL_R_MISSING_TMP_DH_KEY);
  1542. goto f_err;
  1543. }
  1544. if (s->s3->tmp.dh != NULL) {
  1545. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1546. ERR_R_INTERNAL_ERROR);
  1547. goto err;
  1548. }
  1549. if ((dh = DHparams_dup(dhp)) == NULL) {
  1550. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
  1551. goto err;
  1552. }
  1553. s->s3->tmp.dh = dh;
  1554. if (!DH_generate_key(dh)) {
  1555. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
  1556. goto err;
  1557. }
  1558. r[0] = dh->p;
  1559. r[1] = dh->g;
  1560. r[2] = dh->pub_key;
  1561. } else
  1562. #endif
  1563. #ifndef OPENSSL_NO_ECDH
  1564. if (type & SSL_kEECDH) {
  1565. const EC_GROUP *group;
  1566. if (s->s3->tmp.ecdh != NULL) {
  1567. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1568. ERR_R_INTERNAL_ERROR);
  1569. goto err;
  1570. }
  1571. ecdhp = cert->ecdh_tmp;
  1572. if (s->cert->ecdh_tmp_auto) {
  1573. /* Get NID of appropriate shared curve */
  1574. int nid = tls1_shared_curve(s, -2);
  1575. if (nid != NID_undef)
  1576. ecdhp = EC_KEY_new_by_curve_name(nid);
  1577. } else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb) {
  1578. ecdhp = s->cert->ecdh_tmp_cb(s,
  1579. SSL_C_IS_EXPORT(s->s3->
  1580. tmp.new_cipher),
  1581. SSL_C_EXPORT_PKEYLENGTH(s->
  1582. s3->tmp.new_cipher));
  1583. }
  1584. if (ecdhp == NULL) {
  1585. al = SSL_AD_HANDSHAKE_FAILURE;
  1586. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1587. SSL_R_MISSING_TMP_ECDH_KEY);
  1588. goto f_err;
  1589. }
  1590. /* Duplicate the ECDH structure. */
  1591. if (s->cert->ecdh_tmp_auto)
  1592. ecdh = ecdhp;
  1593. else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
  1594. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  1595. goto err;
  1596. }
  1597. s->s3->tmp.ecdh = ecdh;
  1598. if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
  1599. (EC_KEY_get0_private_key(ecdh) == NULL) ||
  1600. (s->options & SSL_OP_SINGLE_ECDH_USE)) {
  1601. if (!EC_KEY_generate_key(ecdh)) {
  1602. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1603. ERR_R_ECDH_LIB);
  1604. goto err;
  1605. }
  1606. }
  1607. if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
  1608. (EC_KEY_get0_public_key(ecdh) == NULL) ||
  1609. (EC_KEY_get0_private_key(ecdh) == NULL)) {
  1610. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  1611. goto err;
  1612. }
  1613. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  1614. (EC_GROUP_get_degree(group) > 163)) {
  1615. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1616. SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
  1617. goto err;
  1618. }
  1619. /*
  1620. * XXX: For now, we only support ephemeral ECDH keys over named
  1621. * (not generic) curves. For supported named curves, curve_id is
  1622. * non-zero.
  1623. */
  1624. if ((curve_id =
  1625. tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
  1626. == 0) {
  1627. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1628. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  1629. goto err;
  1630. }
  1631. /*
  1632. * Encode the public key. First check the size of encoding and
  1633. * allocate memory accordingly.
  1634. */
  1635. encodedlen = EC_POINT_point2oct(group,
  1636. EC_KEY_get0_public_key(ecdh),
  1637. POINT_CONVERSION_UNCOMPRESSED,
  1638. NULL, 0, NULL);
  1639. encodedPoint = (unsigned char *)
  1640. OPENSSL_malloc(encodedlen * sizeof(unsigned char));
  1641. bn_ctx = BN_CTX_new();
  1642. if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
  1643. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1644. ERR_R_MALLOC_FAILURE);
  1645. goto err;
  1646. }
  1647. encodedlen = EC_POINT_point2oct(group,
  1648. EC_KEY_get0_public_key(ecdh),
  1649. POINT_CONVERSION_UNCOMPRESSED,
  1650. encodedPoint, encodedlen, bn_ctx);
  1651. if (encodedlen == 0) {
  1652. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  1653. goto err;
  1654. }
  1655. BN_CTX_free(bn_ctx);
  1656. bn_ctx = NULL;
  1657. /*
  1658. * XXX: For now, we only support named (not generic) curves in
  1659. * ECDH ephemeral key exchanges. In this situation, we need four
  1660. * additional bytes to encode the entire ServerECDHParams
  1661. * structure.
  1662. */
  1663. n = 4 + encodedlen;
  1664. /*
  1665. * We'll generate the serverKeyExchange message explicitly so we
  1666. * can set these to NULLs
  1667. */
  1668. r[0] = NULL;
  1669. r[1] = NULL;
  1670. r[2] = NULL;
  1671. r[3] = NULL;
  1672. } else
  1673. #endif /* !OPENSSL_NO_ECDH */
  1674. #ifndef OPENSSL_NO_PSK
  1675. if (type & SSL_kPSK) {
  1676. /*
  1677. * reserve size for record length and PSK identity hint
  1678. */
  1679. n += 2 + strlen(s->ctx->psk_identity_hint);
  1680. } else
  1681. #endif /* !OPENSSL_NO_PSK */
  1682. #ifndef OPENSSL_NO_SRP
  1683. if (type & SSL_kSRP) {
  1684. if ((s->srp_ctx.N == NULL) ||
  1685. (s->srp_ctx.g == NULL) ||
  1686. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  1687. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1688. SSL_R_MISSING_SRP_PARAM);
  1689. goto err;
  1690. }
  1691. r[0] = s->srp_ctx.N;
  1692. r[1] = s->srp_ctx.g;
  1693. r[2] = s->srp_ctx.s;
  1694. r[3] = s->srp_ctx.B;
  1695. } else
  1696. #endif
  1697. {
  1698. al = SSL_AD_HANDSHAKE_FAILURE;
  1699. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1700. SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  1701. goto f_err;
  1702. }
  1703. for (i = 0; i < 4 && r[i] != NULL; i++) {
  1704. nr[i] = BN_num_bytes(r[i]);
  1705. #ifndef OPENSSL_NO_SRP
  1706. if ((i == 2) && (type & SSL_kSRP))
  1707. n += 1 + nr[i];
  1708. else
  1709. #endif
  1710. #ifndef OPENSSL_NO_DH
  1711. /*
  1712. * for interoperability with some versions of the Microsoft TLS
  1713. * stack, we need to zero pad the DHE pub key to the same length
  1714. * as the prime, so use the length of the prime here
  1715. */
  1716. if ((i == 2) && (type & (SSL_kEDH)))
  1717. n += 2 + nr[0];
  1718. else
  1719. #endif
  1720. n += 2 + nr[i];
  1721. }
  1722. if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
  1723. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  1724. if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
  1725. == NULL) {
  1726. al = SSL_AD_DECODE_ERROR;
  1727. goto f_err;
  1728. }
  1729. kn = EVP_PKEY_size(pkey);
  1730. /* Allow space for signature algorithm */
  1731. if (SSL_USE_SIGALGS(s))
  1732. kn += 2;
  1733. /* Allow space for signature length */
  1734. kn += 2;
  1735. } else {
  1736. pkey = NULL;
  1737. kn = 0;
  1738. }
  1739. if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
  1740. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
  1741. goto err;
  1742. }
  1743. d = p = ssl_handshake_start(s);
  1744. for (i = 0; i < 4 && r[i] != NULL; i++) {
  1745. #ifndef OPENSSL_NO_SRP
  1746. if ((i == 2) && (type & SSL_kSRP)) {
  1747. *p = nr[i];
  1748. p++;
  1749. } else
  1750. #endif
  1751. #ifndef OPENSSL_NO_DH
  1752. /*
  1753. * for interoperability with some versions of the Microsoft TLS
  1754. * stack, we need to zero pad the DHE pub key to the same length
  1755. * as the prime
  1756. */
  1757. if ((i == 2) && (type & (SSL_kEDH))) {
  1758. s2n(nr[0], p);
  1759. for (j = 0; j < (nr[0] - nr[2]); ++j) {
  1760. *p = 0;
  1761. ++p;
  1762. }
  1763. } else
  1764. #endif
  1765. s2n(nr[i], p);
  1766. BN_bn2bin(r[i], p);
  1767. p += nr[i];
  1768. }
  1769. #ifndef OPENSSL_NO_ECDH
  1770. if (type & SSL_kEECDH) {
  1771. /*
  1772. * XXX: For now, we only support named (not generic) curves. In
  1773. * this situation, the serverKeyExchange message has: [1 byte
  1774. * CurveType], [2 byte CurveName] [1 byte length of encoded
  1775. * point], followed by the actual encoded point itself
  1776. */
  1777. *p = NAMED_CURVE_TYPE;
  1778. p += 1;
  1779. *p = 0;
  1780. p += 1;
  1781. *p = curve_id;
  1782. p += 1;
  1783. *p = encodedlen;
  1784. p += 1;
  1785. memcpy((unsigned char *)p,
  1786. (unsigned char *)encodedPoint, encodedlen);
  1787. OPENSSL_free(encodedPoint);
  1788. encodedPoint = NULL;
  1789. p += encodedlen;
  1790. }
  1791. #endif
  1792. #ifndef OPENSSL_NO_PSK
  1793. if (type & SSL_kPSK) {
  1794. /* copy PSK identity hint */
  1795. s2n(strlen(s->ctx->psk_identity_hint), p);
  1796. strncpy((char *)p, s->ctx->psk_identity_hint,
  1797. strlen(s->ctx->psk_identity_hint));
  1798. p += strlen(s->ctx->psk_identity_hint);
  1799. }
  1800. #endif
  1801. /* not anonymous */
  1802. if (pkey != NULL) {
  1803. /*
  1804. * n is the length of the params, they start at &(d[4]) and p
  1805. * points to the space at the end.
  1806. */
  1807. #ifndef OPENSSL_NO_RSA
  1808. if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
  1809. q = md_buf;
  1810. j = 0;
  1811. for (num = 2; num > 0; num--) {
  1812. EVP_MD_CTX_set_flags(&md_ctx,
  1813. EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  1814. if (EVP_DigestInit_ex(&md_ctx,
  1815. (num == 2) ? s->ctx->md5
  1816. : s->ctx->sha1,
  1817. NULL) <= 0
  1818. || EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
  1819. SSL3_RANDOM_SIZE) <= 0
  1820. || EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
  1821. SSL3_RANDOM_SIZE) <= 0
  1822. || EVP_DigestUpdate(&md_ctx, d, n) <= 0
  1823. || EVP_DigestFinal_ex(&md_ctx, q,
  1824. (unsigned int *)&i) <= 0) {
  1825. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1826. ERR_LIB_EVP);
  1827. al = SSL_AD_INTERNAL_ERROR;
  1828. goto f_err;
  1829. }
  1830. q += i;
  1831. j += i;
  1832. }
  1833. if (RSA_sign(NID_md5_sha1, md_buf, j,
  1834. &(p[2]), &u, pkey->pkey.rsa) <= 0) {
  1835. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
  1836. goto err;
  1837. }
  1838. s2n(u, p);
  1839. n += u + 2;
  1840. } else
  1841. #endif
  1842. if (md) {
  1843. /* send signature algorithm */
  1844. if (SSL_USE_SIGALGS(s)) {
  1845. if (!tls12_get_sigandhash(p, pkey, md)) {
  1846. /* Should never happen */
  1847. al = SSL_AD_INTERNAL_ERROR;
  1848. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1849. ERR_R_INTERNAL_ERROR);
  1850. goto f_err;
  1851. }
  1852. p += 2;
  1853. }
  1854. #ifdef SSL_DEBUG
  1855. fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
  1856. #endif
  1857. if (EVP_SignInit_ex(&md_ctx, md, NULL) <= 0
  1858. || EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
  1859. SSL3_RANDOM_SIZE) <= 0
  1860. || EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
  1861. SSL3_RANDOM_SIZE) <= 0
  1862. || EVP_SignUpdate(&md_ctx, d, n) <= 0
  1863. || EVP_SignFinal(&md_ctx, &(p[2]),
  1864. (unsigned int *)&i, pkey) <= 0) {
  1865. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
  1866. al = SSL_AD_INTERNAL_ERROR;
  1867. goto f_err;
  1868. }
  1869. s2n(i, p);
  1870. n += i + 2;
  1871. if (SSL_USE_SIGALGS(s))
  1872. n += 2;
  1873. } else {
  1874. /* Is this error check actually needed? */
  1875. al = SSL_AD_HANDSHAKE_FAILURE;
  1876. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1877. SSL_R_UNKNOWN_PKEY_TYPE);
  1878. goto f_err;
  1879. }
  1880. }
  1881. ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n);
  1882. }
  1883. s->state = SSL3_ST_SW_KEY_EXCH_B;
  1884. EVP_MD_CTX_cleanup(&md_ctx);
  1885. return ssl_do_write(s);
  1886. f_err:
  1887. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  1888. err:
  1889. #ifndef OPENSSL_NO_ECDH
  1890. if (encodedPoint != NULL)
  1891. OPENSSL_free(encodedPoint);
  1892. BN_CTX_free(bn_ctx);
  1893. #endif
  1894. EVP_MD_CTX_cleanup(&md_ctx);
  1895. s->state = SSL_ST_ERR;
  1896. return (-1);
  1897. }
  1898. int ssl3_send_certificate_request(SSL *s)
  1899. {
  1900. unsigned char *p, *d;
  1901. int i, j, nl, off, n;
  1902. STACK_OF(X509_NAME) *sk = NULL;
  1903. X509_NAME *name;
  1904. BUF_MEM *buf;
  1905. if (s->state == SSL3_ST_SW_CERT_REQ_A) {
  1906. buf = s->init_buf;
  1907. d = p = ssl_handshake_start(s);
  1908. /* get the list of acceptable cert types */
  1909. p++;
  1910. n = ssl3_get_req_cert_type(s, p);
  1911. d[0] = n;
  1912. p += n;
  1913. n++;
  1914. if (SSL_USE_SIGALGS(s)) {
  1915. const unsigned char *psigs;
  1916. nl = tls12_get_psigalgs(s, 1, &psigs);
  1917. s2n(nl, p);
  1918. memcpy(p, psigs, nl);
  1919. p += nl;
  1920. n += nl + 2;
  1921. }
  1922. off = n;
  1923. p += 2;
  1924. n += 2;
  1925. sk = SSL_get_client_CA_list(s);
  1926. nl = 0;
  1927. if (sk != NULL) {
  1928. for (i = 0; i < sk_X509_NAME_num(sk); i++) {
  1929. name = sk_X509_NAME_value(sk, i);
  1930. j = i2d_X509_NAME(name, NULL);
  1931. if (!BUF_MEM_grow_clean
  1932. (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
  1933. SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
  1934. ERR_R_BUF_LIB);
  1935. goto err;
  1936. }
  1937. p = ssl_handshake_start(s) + n;
  1938. if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
  1939. s2n(j, p);
  1940. i2d_X509_NAME(name, &p);
  1941. n += 2 + j;
  1942. nl += 2 + j;
  1943. } else {
  1944. d = p;
  1945. i2d_X509_NAME(name, &p);
  1946. j -= 2;
  1947. s2n(j, d);
  1948. j += 2;
  1949. n += j;
  1950. nl += j;
  1951. }
  1952. }
  1953. }
  1954. /* else no CA names */
  1955. p = ssl_handshake_start(s) + off;
  1956. s2n(nl, p);
  1957. ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n);
  1958. #ifdef NETSCAPE_HANG_BUG
  1959. if (!SSL_IS_DTLS(s)) {
  1960. if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) {
  1961. SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
  1962. goto err;
  1963. }
  1964. p = (unsigned char *)s->init_buf->data + s->init_num;
  1965. /* do the header */
  1966. *(p++) = SSL3_MT_SERVER_DONE;
  1967. *(p++) = 0;
  1968. *(p++) = 0;
  1969. *(p++) = 0;
  1970. s->init_num += 4;
  1971. }
  1972. #endif
  1973. s->state = SSL3_ST_SW_CERT_REQ_B;
  1974. }
  1975. /* SSL3_ST_SW_CERT_REQ_B */
  1976. return ssl_do_write(s);
  1977. err:
  1978. s->state = SSL_ST_ERR;
  1979. return (-1);
  1980. }
  1981. int ssl3_get_client_key_exchange(SSL *s)
  1982. {
  1983. int i, al, ok;
  1984. long n;
  1985. unsigned long alg_k;
  1986. unsigned char *p;
  1987. #ifndef OPENSSL_NO_RSA
  1988. RSA *rsa = NULL;
  1989. EVP_PKEY *pkey = NULL;
  1990. #endif
  1991. #ifndef OPENSSL_NO_DH
  1992. BIGNUM *pub = NULL;
  1993. DH *dh_srvr, *dh_clnt = NULL;
  1994. #endif
  1995. #ifndef OPENSSL_NO_KRB5
  1996. KSSL_ERR kssl_err;
  1997. #endif /* OPENSSL_NO_KRB5 */
  1998. #ifndef OPENSSL_NO_ECDH
  1999. EC_KEY *srvr_ecdh = NULL;
  2000. EVP_PKEY *clnt_pub_pkey = NULL;
  2001. EC_POINT *clnt_ecpoint = NULL;
  2002. BN_CTX *bn_ctx = NULL;
  2003. #endif
  2004. n = s->method->ssl_get_message(s,
  2005. SSL3_ST_SR_KEY_EXCH_A,
  2006. SSL3_ST_SR_KEY_EXCH_B,
  2007. SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
  2008. if (!ok)
  2009. return ((int)n);
  2010. p = (unsigned char *)s->init_msg;
  2011. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  2012. #ifndef OPENSSL_NO_RSA
  2013. if (alg_k & SSL_kRSA) {
  2014. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  2015. int decrypt_len;
  2016. unsigned char decrypt_good, version_good;
  2017. size_t j;
  2018. /* FIX THIS UP EAY EAY EAY EAY */
  2019. if (s->s3->tmp.use_rsa_tmp) {
  2020. if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
  2021. rsa = s->cert->rsa_tmp;
  2022. /*
  2023. * Don't do a callback because rsa_tmp should be sent already
  2024. */
  2025. if (rsa == NULL) {
  2026. al = SSL_AD_HANDSHAKE_FAILURE;
  2027. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2028. SSL_R_MISSING_TMP_RSA_PKEY);
  2029. goto f_err;
  2030. }
  2031. } else {
  2032. pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
  2033. if ((pkey == NULL) ||
  2034. (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
  2035. al = SSL_AD_HANDSHAKE_FAILURE;
  2036. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2037. SSL_R_MISSING_RSA_CERTIFICATE);
  2038. goto f_err;
  2039. }
  2040. rsa = pkey->pkey.rsa;
  2041. }
  2042. /* TLS and [incidentally] DTLS{0xFEFF} */
  2043. if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
  2044. n2s(p, i);
  2045. if (n != i + 2) {
  2046. if (!(s->options & SSL_OP_TLS_D5_BUG)) {
  2047. al = SSL_AD_DECODE_ERROR;
  2048. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2049. SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
  2050. goto f_err;
  2051. } else
  2052. p -= 2;
  2053. } else
  2054. n = i;
  2055. }
  2056. /*
  2057. * Reject overly short RSA ciphertext because we want to be sure
  2058. * that the buffer size makes it safe to iterate over the entire
  2059. * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
  2060. * actual expected size is larger due to RSA padding, but the
  2061. * bound is sufficient to be safe.
  2062. */
  2063. if (n < SSL_MAX_MASTER_KEY_LENGTH) {
  2064. al = SSL_AD_DECRYPT_ERROR;
  2065. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2066. SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
  2067. goto f_err;
  2068. }
  2069. /*
  2070. * We must not leak whether a decryption failure occurs because of
  2071. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2072. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  2073. * generates a random premaster secret for the case that the decrypt
  2074. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2075. */
  2076. if (RAND_bytes(rand_premaster_secret,
  2077. sizeof(rand_premaster_secret)) <= 0)
  2078. goto err;
  2079. decrypt_len =
  2080. RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
  2081. ERR_clear_error();
  2082. /*
  2083. * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
  2084. * be 0xff if so and zero otherwise.
  2085. */
  2086. decrypt_good =
  2087. constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
  2088. /*
  2089. * If the version in the decrypted pre-master secret is correct then
  2090. * version_good will be 0xff, otherwise it'll be zero. The
  2091. * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  2092. * (http://eprint.iacr.org/2003/052/) exploits the version number
  2093. * check as a "bad version oracle". Thus version checks are done in
  2094. * constant time and are treated like any other decryption error.
  2095. */
  2096. version_good =
  2097. constant_time_eq_8(p[0], (unsigned)(s->client_version >> 8));
  2098. version_good &=
  2099. constant_time_eq_8(p[1], (unsigned)(s->client_version & 0xff));
  2100. /*
  2101. * The premaster secret must contain the same version number as the
  2102. * ClientHello to detect version rollback attacks (strangely, the
  2103. * protocol does not offer such protection for DH ciphersuites).
  2104. * However, buggy clients exist that send the negotiated protocol
  2105. * version instead if the server does not support the requested
  2106. * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
  2107. * clients.
  2108. */
  2109. if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
  2110. unsigned char workaround_good;
  2111. workaround_good =
  2112. constant_time_eq_8(p[0], (unsigned)(s->version >> 8));
  2113. workaround_good &=
  2114. constant_time_eq_8(p[1], (unsigned)(s->version & 0xff));
  2115. version_good |= workaround_good;
  2116. }
  2117. /*
  2118. * Both decryption and version must be good for decrypt_good to
  2119. * remain non-zero (0xff).
  2120. */
  2121. decrypt_good &= version_good;
  2122. /*
  2123. * Now copy rand_premaster_secret over from p using
  2124. * decrypt_good_mask. If decryption failed, then p does not
  2125. * contain valid plaintext, however, a check above guarantees
  2126. * it is still sufficiently large to read from.
  2127. */
  2128. for (j = 0; j < sizeof(rand_premaster_secret); j++) {
  2129. p[j] = constant_time_select_8(decrypt_good, p[j],
  2130. rand_premaster_secret[j]);
  2131. }
  2132. s->session->master_key_length =
  2133. s->method->ssl3_enc->generate_master_secret(s,
  2134. s->
  2135. session->master_key,
  2136. p,
  2137. sizeof
  2138. (rand_premaster_secret));
  2139. OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
  2140. } else
  2141. #endif
  2142. #ifndef OPENSSL_NO_DH
  2143. if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) {
  2144. int idx = -1;
  2145. EVP_PKEY *skey = NULL;
  2146. if (n > 1) {
  2147. n2s(p, i);
  2148. } else {
  2149. if (alg_k & SSL_kDHE) {
  2150. al = SSL_AD_HANDSHAKE_FAILURE;
  2151. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2152. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2153. goto f_err;
  2154. }
  2155. i = 0;
  2156. }
  2157. if (n && n != i + 2) {
  2158. if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
  2159. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2160. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2161. al = SSL_AD_HANDSHAKE_FAILURE;
  2162. goto f_err;
  2163. } else {
  2164. p -= 2;
  2165. i = (int)n;
  2166. }
  2167. }
  2168. if (alg_k & SSL_kDHr)
  2169. idx = SSL_PKEY_DH_RSA;
  2170. else if (alg_k & SSL_kDHd)
  2171. idx = SSL_PKEY_DH_DSA;
  2172. if (idx >= 0) {
  2173. skey = s->cert->pkeys[idx].privatekey;
  2174. if ((skey == NULL) ||
  2175. (skey->type != EVP_PKEY_DH) || (skey->pkey.dh == NULL)) {
  2176. al = SSL_AD_HANDSHAKE_FAILURE;
  2177. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2178. SSL_R_MISSING_RSA_CERTIFICATE);
  2179. goto f_err;
  2180. }
  2181. dh_srvr = skey->pkey.dh;
  2182. } else if (s->s3->tmp.dh == NULL) {
  2183. al = SSL_AD_HANDSHAKE_FAILURE;
  2184. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2185. SSL_R_MISSING_TMP_DH_KEY);
  2186. goto f_err;
  2187. } else
  2188. dh_srvr = s->s3->tmp.dh;
  2189. if (n == 0L) {
  2190. /* Get pubkey from cert */
  2191. EVP_PKEY *clkey = X509_get_pubkey(s->session->peer);
  2192. if (clkey) {
  2193. if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
  2194. dh_clnt = EVP_PKEY_get1_DH(clkey);
  2195. }
  2196. if (dh_clnt == NULL) {
  2197. al = SSL_AD_HANDSHAKE_FAILURE;
  2198. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2199. SSL_R_MISSING_TMP_DH_KEY);
  2200. goto f_err;
  2201. }
  2202. EVP_PKEY_free(clkey);
  2203. pub = dh_clnt->pub_key;
  2204. } else
  2205. pub = BN_bin2bn(p, i, NULL);
  2206. if (pub == NULL) {
  2207. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
  2208. goto err;
  2209. }
  2210. i = DH_compute_key(p, pub, dh_srvr);
  2211. if (i <= 0) {
  2212. al = SSL_AD_HANDSHAKE_FAILURE;
  2213. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
  2214. BN_clear_free(pub);
  2215. goto f_err;
  2216. }
  2217. DH_free(s->s3->tmp.dh);
  2218. s->s3->tmp.dh = NULL;
  2219. if (dh_clnt)
  2220. DH_free(dh_clnt);
  2221. else
  2222. BN_clear_free(pub);
  2223. pub = NULL;
  2224. s->session->master_key_length =
  2225. s->method->ssl3_enc->generate_master_secret(s,
  2226. s->
  2227. session->master_key,
  2228. p, i);
  2229. OPENSSL_cleanse(p, i);
  2230. if (dh_clnt)
  2231. return 2;
  2232. } else
  2233. #endif
  2234. #ifndef OPENSSL_NO_KRB5
  2235. if (alg_k & SSL_kKRB5) {
  2236. krb5_error_code krb5rc;
  2237. krb5_data enc_ticket;
  2238. krb5_data authenticator;
  2239. krb5_data enc_pms;
  2240. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  2241. EVP_CIPHER_CTX ciph_ctx;
  2242. const EVP_CIPHER *enc = NULL;
  2243. unsigned char iv[EVP_MAX_IV_LENGTH];
  2244. unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_BLOCK_LENGTH];
  2245. int padl, outl;
  2246. krb5_timestamp authtime = 0;
  2247. krb5_ticket_times ttimes;
  2248. int kerr = 0;
  2249. EVP_CIPHER_CTX_init(&ciph_ctx);
  2250. if (!kssl_ctx)
  2251. kssl_ctx = kssl_ctx_new();
  2252. n2s(p, i);
  2253. enc_ticket.length = i;
  2254. if (n < (long)(enc_ticket.length + 6)) {
  2255. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2256. SSL_R_DATA_LENGTH_TOO_LONG);
  2257. goto err;
  2258. }
  2259. enc_ticket.data = (char *)p;
  2260. p += enc_ticket.length;
  2261. n2s(p, i);
  2262. authenticator.length = i;
  2263. if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
  2264. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2265. SSL_R_DATA_LENGTH_TOO_LONG);
  2266. goto err;
  2267. }
  2268. authenticator.data = (char *)p;
  2269. p += authenticator.length;
  2270. n2s(p, i);
  2271. enc_pms.length = i;
  2272. enc_pms.data = (char *)p;
  2273. p += enc_pms.length;
  2274. /*
  2275. * Note that the length is checked again below, ** after decryption
  2276. */
  2277. if (enc_pms.length > sizeof pms) {
  2278. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2279. SSL_R_DATA_LENGTH_TOO_LONG);
  2280. goto err;
  2281. }
  2282. if (n != (long)(enc_ticket.length + authenticator.length +
  2283. enc_pms.length + 6)) {
  2284. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2285. SSL_R_DATA_LENGTH_TOO_LONG);
  2286. goto err;
  2287. }
  2288. if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
  2289. &kssl_err)) != 0) {
  2290. # ifdef KSSL_DEBUG
  2291. fprintf(stderr, "kssl_sget_tkt rtn %d [%d]\n",
  2292. krb5rc, kssl_err.reason);
  2293. if (kssl_err.text)
  2294. fprintf(stderr, "kssl_err text= %s\n", kssl_err.text);
  2295. # endif /* KSSL_DEBUG */
  2296. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason);
  2297. goto err;
  2298. }
  2299. /*
  2300. * Note: no authenticator is not considered an error, ** but will
  2301. * return authtime == 0.
  2302. */
  2303. if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
  2304. &authtime, &kssl_err)) != 0) {
  2305. # ifdef KSSL_DEBUG
  2306. fprintf(stderr, "kssl_check_authent rtn %d [%d]\n",
  2307. krb5rc, kssl_err.reason);
  2308. if (kssl_err.text)
  2309. fprintf(stderr, "kssl_err text= %s\n", kssl_err.text);
  2310. # endif /* KSSL_DEBUG */
  2311. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason);
  2312. goto err;
  2313. }
  2314. if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
  2315. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
  2316. goto err;
  2317. }
  2318. # ifdef KSSL_DEBUG
  2319. kssl_ctx_show(kssl_ctx);
  2320. # endif /* KSSL_DEBUG */
  2321. enc = kssl_map_enc(kssl_ctx->enctype);
  2322. if (enc == NULL)
  2323. goto err;
  2324. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  2325. if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
  2326. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2327. SSL_R_DECRYPTION_FAILED);
  2328. goto err;
  2329. }
  2330. if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
  2331. (unsigned char *)enc_pms.data, enc_pms.length))
  2332. {
  2333. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2334. SSL_R_DECRYPTION_FAILED);
  2335. kerr = 1;
  2336. goto kclean;
  2337. }
  2338. if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
  2339. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2340. SSL_R_DATA_LENGTH_TOO_LONG);
  2341. kerr = 1;
  2342. goto kclean;
  2343. }
  2344. if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
  2345. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2346. SSL_R_DECRYPTION_FAILED);
  2347. kerr = 1;
  2348. goto kclean;
  2349. }
  2350. outl += padl;
  2351. if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
  2352. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2353. SSL_R_DATA_LENGTH_TOO_LONG);
  2354. kerr = 1;
  2355. goto kclean;
  2356. }
  2357. if (!((pms[0] == (s->client_version >> 8))
  2358. && (pms[1] == (s->client_version & 0xff)))) {
  2359. /*
  2360. * The premaster secret must contain the same version number as
  2361. * the ClientHello to detect version rollback attacks (strangely,
  2362. * the protocol does not offer such protection for DH
  2363. * ciphersuites). However, buggy clients exist that send random
  2364. * bytes instead of the protocol version. If
  2365. * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
  2366. * (Perhaps we should have a separate BUG value for the Kerberos
  2367. * cipher)
  2368. */
  2369. if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
  2370. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2371. SSL_AD_DECODE_ERROR);
  2372. kerr = 1;
  2373. goto kclean;
  2374. }
  2375. }
  2376. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  2377. s->session->master_key_length =
  2378. s->method->ssl3_enc->generate_master_secret(s,
  2379. s->
  2380. session->master_key,
  2381. pms, outl);
  2382. if (kssl_ctx->client_princ) {
  2383. size_t len = strlen(kssl_ctx->client_princ);
  2384. if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH) {
  2385. s->session->krb5_client_princ_len = len;
  2386. memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ,
  2387. len);
  2388. }
  2389. }
  2390. /*- Was doing kssl_ctx_free() here,
  2391. * but it caused problems for apache.
  2392. * kssl_ctx = kssl_ctx_free(kssl_ctx);
  2393. * if (s->kssl_ctx) s->kssl_ctx = NULL;
  2394. */
  2395. kclean:
  2396. OPENSSL_cleanse(pms, sizeof(pms));
  2397. if (kerr)
  2398. goto err;
  2399. } else
  2400. #endif /* OPENSSL_NO_KRB5 */
  2401. #ifndef OPENSSL_NO_ECDH
  2402. if (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) {
  2403. int ret = 1;
  2404. int field_size = 0;
  2405. const EC_KEY *tkey;
  2406. const EC_GROUP *group;
  2407. const BIGNUM *priv_key;
  2408. /* initialize structures for server's ECDH key pair */
  2409. if ((srvr_ecdh = EC_KEY_new()) == NULL) {
  2410. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2411. goto err;
  2412. }
  2413. /* Let's get server private key and group information */
  2414. if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
  2415. /* use the certificate */
  2416. tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
  2417. } else {
  2418. /*
  2419. * use the ephermeral values we saved when generating the
  2420. * ServerKeyExchange msg.
  2421. */
  2422. tkey = s->s3->tmp.ecdh;
  2423. }
  2424. group = EC_KEY_get0_group(tkey);
  2425. priv_key = EC_KEY_get0_private_key(tkey);
  2426. if (!EC_KEY_set_group(srvr_ecdh, group) ||
  2427. !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
  2428. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
  2429. goto err;
  2430. }
  2431. /* Let's get client's public key */
  2432. if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
  2433. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2434. goto err;
  2435. }
  2436. if (n == 0L) {
  2437. /* Client Publickey was in Client Certificate */
  2438. if (alg_k & SSL_kEECDH) {
  2439. al = SSL_AD_HANDSHAKE_FAILURE;
  2440. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2441. SSL_R_MISSING_TMP_ECDH_KEY);
  2442. goto f_err;
  2443. }
  2444. if (((clnt_pub_pkey = X509_get_pubkey(s->session->peer))
  2445. == NULL) || (clnt_pub_pkey->type != EVP_PKEY_EC)) {
  2446. /*
  2447. * XXX: For now, we do not support client authentication
  2448. * using ECDH certificates so this branch (n == 0L) of the
  2449. * code is never executed. When that support is added, we
  2450. * ought to ensure the key received in the certificate is
  2451. * authorized for key agreement. ECDH_compute_key implicitly
  2452. * checks that the two ECDH shares are for the same group.
  2453. */
  2454. al = SSL_AD_HANDSHAKE_FAILURE;
  2455. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2456. SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
  2457. goto f_err;
  2458. }
  2459. if (EC_POINT_copy(clnt_ecpoint,
  2460. EC_KEY_get0_public_key(clnt_pub_pkey->
  2461. pkey.ec)) == 0) {
  2462. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
  2463. goto err;
  2464. }
  2465. ret = 2; /* Skip certificate verify processing */
  2466. } else {
  2467. /*
  2468. * Get client's public key from encoded point in the
  2469. * ClientKeyExchange message.
  2470. */
  2471. if ((bn_ctx = BN_CTX_new()) == NULL) {
  2472. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2473. ERR_R_MALLOC_FAILURE);
  2474. goto err;
  2475. }
  2476. /* Get encoded point length */
  2477. i = *p;
  2478. p += 1;
  2479. if (n != 1 + i) {
  2480. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
  2481. al = SSL_AD_DECODE_ERROR;
  2482. goto f_err;
  2483. }
  2484. if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) {
  2485. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
  2486. al = SSL_AD_HANDSHAKE_FAILURE;
  2487. goto f_err;
  2488. }
  2489. /*
  2490. * p is pointing to somewhere in the buffer currently, so set it
  2491. * to the start
  2492. */
  2493. p = (unsigned char *)s->init_buf->data;
  2494. }
  2495. /* Compute the shared pre-master secret */
  2496. field_size = EC_GROUP_get_degree(group);
  2497. if (field_size <= 0) {
  2498. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  2499. goto err;
  2500. }
  2501. i = ECDH_compute_key(p, (field_size + 7) / 8, clnt_ecpoint, srvr_ecdh,
  2502. NULL);
  2503. if (i <= 0) {
  2504. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  2505. goto err;
  2506. }
  2507. EVP_PKEY_free(clnt_pub_pkey);
  2508. EC_POINT_free(clnt_ecpoint);
  2509. EC_KEY_free(srvr_ecdh);
  2510. BN_CTX_free(bn_ctx);
  2511. EC_KEY_free(s->s3->tmp.ecdh);
  2512. s->s3->tmp.ecdh = NULL;
  2513. /* Compute the master secret */
  2514. s->session->master_key_length =
  2515. s->method->ssl3_enc->generate_master_secret(s,
  2516. s->
  2517. session->master_key,
  2518. p, i);
  2519. OPENSSL_cleanse(p, i);
  2520. return (ret);
  2521. } else
  2522. #endif
  2523. #ifndef OPENSSL_NO_PSK
  2524. if (alg_k & SSL_kPSK) {
  2525. unsigned char *t = NULL;
  2526. unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN * 2 + 4];
  2527. unsigned int pre_ms_len = 0, psk_len = 0;
  2528. int psk_err = 1;
  2529. char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
  2530. al = SSL_AD_HANDSHAKE_FAILURE;
  2531. n2s(p, i);
  2532. if (n != i + 2) {
  2533. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
  2534. goto psk_err;
  2535. }
  2536. if (i > PSK_MAX_IDENTITY_LEN) {
  2537. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2538. SSL_R_DATA_LENGTH_TOO_LONG);
  2539. goto psk_err;
  2540. }
  2541. if (s->psk_server_callback == NULL) {
  2542. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2543. SSL_R_PSK_NO_SERVER_CB);
  2544. goto psk_err;
  2545. }
  2546. /*
  2547. * Create guaranteed NULL-terminated identity string for the callback
  2548. */
  2549. memcpy(tmp_id, p, i);
  2550. memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
  2551. psk_len = s->psk_server_callback(s, tmp_id,
  2552. psk_or_pre_ms,
  2553. sizeof(psk_or_pre_ms));
  2554. OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
  2555. if (psk_len > PSK_MAX_PSK_LEN) {
  2556. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2557. goto psk_err;
  2558. } else if (psk_len == 0) {
  2559. /*
  2560. * PSK related to the given identity not found
  2561. */
  2562. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2563. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2564. al = SSL_AD_UNKNOWN_PSK_IDENTITY;
  2565. goto psk_err;
  2566. }
  2567. /* create PSK pre_master_secret */
  2568. pre_ms_len = 2 + psk_len + 2 + psk_len;
  2569. t = psk_or_pre_ms;
  2570. memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
  2571. s2n(psk_len, t);
  2572. memset(t, 0, psk_len);
  2573. t += psk_len;
  2574. s2n(psk_len, t);
  2575. if (s->session->psk_identity != NULL)
  2576. OPENSSL_free(s->session->psk_identity);
  2577. s->session->psk_identity = BUF_strndup((char *)p, i);
  2578. if (s->session->psk_identity == NULL) {
  2579. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2580. goto psk_err;
  2581. }
  2582. if (s->session->psk_identity_hint != NULL)
  2583. OPENSSL_free(s->session->psk_identity_hint);
  2584. s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
  2585. if (s->ctx->psk_identity_hint != NULL &&
  2586. s->session->psk_identity_hint == NULL) {
  2587. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2588. goto psk_err;
  2589. }
  2590. s->session->master_key_length =
  2591. s->method->ssl3_enc->generate_master_secret(s,
  2592. s->
  2593. session->master_key,
  2594. psk_or_pre_ms,
  2595. pre_ms_len);
  2596. psk_err = 0;
  2597. psk_err:
  2598. OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
  2599. if (psk_err != 0)
  2600. goto f_err;
  2601. } else
  2602. #endif
  2603. #ifndef OPENSSL_NO_SRP
  2604. if (alg_k & SSL_kSRP) {
  2605. int param_len;
  2606. n2s(p, i);
  2607. param_len = i + 2;
  2608. if (param_len > n) {
  2609. al = SSL_AD_DECODE_ERROR;
  2610. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2611. SSL_R_BAD_SRP_A_LENGTH);
  2612. goto f_err;
  2613. }
  2614. if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
  2615. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
  2616. goto err;
  2617. }
  2618. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
  2619. || BN_is_zero(s->srp_ctx.A)) {
  2620. al = SSL_AD_ILLEGAL_PARAMETER;
  2621. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2622. SSL_R_BAD_SRP_PARAMETERS);
  2623. goto f_err;
  2624. }
  2625. if (s->session->srp_username != NULL)
  2626. OPENSSL_free(s->session->srp_username);
  2627. s->session->srp_username = BUF_strdup(s->srp_ctx.login);
  2628. if (s->session->srp_username == NULL) {
  2629. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2630. goto err;
  2631. }
  2632. if ((s->session->master_key_length =
  2633. SRP_generate_server_master_secret(s,
  2634. s->session->master_key)) < 0) {
  2635. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2636. goto err;
  2637. }
  2638. p += i;
  2639. } else
  2640. #endif /* OPENSSL_NO_SRP */
  2641. if (alg_k & SSL_kGOST) {
  2642. int ret = 0;
  2643. EVP_PKEY_CTX *pkey_ctx;
  2644. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2645. unsigned char premaster_secret[32], *start;
  2646. size_t outlen = 32, inlen;
  2647. unsigned long alg_a;
  2648. int Ttag, Tclass;
  2649. long Tlen;
  2650. /* Get our certificate private key */
  2651. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  2652. if (alg_a & SSL_aGOST94)
  2653. pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
  2654. else if (alg_a & SSL_aGOST01)
  2655. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2656. pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
  2657. if (pkey_ctx == NULL) {
  2658. al = SSL_AD_INTERNAL_ERROR;
  2659. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2660. goto f_err;
  2661. }
  2662. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2663. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2664. goto gerr;
  2665. }
  2666. /*
  2667. * If client certificate is present and is of the same type, maybe
  2668. * use it for key exchange. Don't mind errors from
  2669. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  2670. * client certificate for authorization only.
  2671. */
  2672. client_pub_pkey = X509_get_pubkey(s->session->peer);
  2673. if (client_pub_pkey) {
  2674. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  2675. ERR_clear_error();
  2676. }
  2677. /* Decrypt session key */
  2678. if (ASN1_get_object
  2679. ((const unsigned char **)&p, &Tlen, &Ttag, &Tclass,
  2680. n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE
  2681. || Tclass != V_ASN1_UNIVERSAL) {
  2682. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2683. SSL_R_DECRYPTION_FAILED);
  2684. goto gerr;
  2685. }
  2686. start = p;
  2687. inlen = Tlen;
  2688. if (EVP_PKEY_decrypt
  2689. (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
  2690. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2691. SSL_R_DECRYPTION_FAILED);
  2692. goto gerr;
  2693. }
  2694. /* Generate master secret */
  2695. s->session->master_key_length =
  2696. s->method->ssl3_enc->generate_master_secret(s,
  2697. s->
  2698. session->master_key,
  2699. premaster_secret, 32);
  2700. OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));
  2701. /* Check if pubkey from client certificate was used */
  2702. if (EVP_PKEY_CTX_ctrl
  2703. (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
  2704. ret = 2;
  2705. else
  2706. ret = 1;
  2707. gerr:
  2708. EVP_PKEY_free(client_pub_pkey);
  2709. EVP_PKEY_CTX_free(pkey_ctx);
  2710. if (ret)
  2711. return ret;
  2712. else
  2713. goto err;
  2714. } else {
  2715. al = SSL_AD_HANDSHAKE_FAILURE;
  2716. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
  2717. goto f_err;
  2718. }
  2719. return (1);
  2720. f_err:
  2721. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2722. #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
  2723. err:
  2724. #endif
  2725. #ifndef OPENSSL_NO_ECDH
  2726. EVP_PKEY_free(clnt_pub_pkey);
  2727. EC_POINT_free(clnt_ecpoint);
  2728. if (srvr_ecdh != NULL)
  2729. EC_KEY_free(srvr_ecdh);
  2730. BN_CTX_free(bn_ctx);
  2731. #endif
  2732. s->state = SSL_ST_ERR;
  2733. return (-1);
  2734. }
  2735. int ssl3_get_cert_verify(SSL *s)
  2736. {
  2737. EVP_PKEY *pkey = NULL;
  2738. unsigned char *p;
  2739. int al, ok, ret = 0;
  2740. long n;
  2741. int type = 0, i, j;
  2742. X509 *peer;
  2743. const EVP_MD *md = NULL;
  2744. EVP_MD_CTX mctx;
  2745. EVP_MD_CTX_init(&mctx);
  2746. /*
  2747. * We should only process a CertificateVerify message if we have received
  2748. * a Certificate from the client. If so then |s->session->peer| will be non
  2749. * NULL. In some instances a CertificateVerify message is not required even
  2750. * if the peer has sent a Certificate (e.g. such as in the case of static
  2751. * DH). In that case the ClientKeyExchange processing will skip the
  2752. * CertificateVerify state so we should not arrive here.
  2753. */
  2754. if (s->session->peer == NULL) {
  2755. ret = 1;
  2756. goto end;
  2757. }
  2758. n = s->method->ssl_get_message(s,
  2759. SSL3_ST_SR_CERT_VRFY_A,
  2760. SSL3_ST_SR_CERT_VRFY_B,
  2761. SSL3_MT_CERTIFICATE_VERIFY,
  2762. SSL3_RT_MAX_PLAIN_LENGTH, &ok);
  2763. if (!ok)
  2764. return ((int)n);
  2765. peer = s->session->peer;
  2766. pkey = X509_get_pubkey(peer);
  2767. if (pkey == NULL) {
  2768. al = SSL_AD_INTERNAL_ERROR;
  2769. goto f_err;
  2770. }
  2771. type = X509_certificate_type(peer, pkey);
  2772. if (!(type & EVP_PKT_SIGN)) {
  2773. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
  2774. SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
  2775. al = SSL_AD_ILLEGAL_PARAMETER;
  2776. goto f_err;
  2777. }
  2778. /* we now have a signature that we need to verify */
  2779. p = (unsigned char *)s->init_msg;
  2780. /* Check for broken implementations of GOST ciphersuites */
  2781. /*
  2782. * If key is GOST and n is exactly 64, it is bare signature without
  2783. * length field
  2784. */
  2785. if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
  2786. pkey->type == NID_id_GostR3410_2001)) {
  2787. i = 64;
  2788. } else {
  2789. if (SSL_USE_SIGALGS(s)) {
  2790. int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
  2791. if (rv == -1) {
  2792. al = SSL_AD_INTERNAL_ERROR;
  2793. goto f_err;
  2794. } else if (rv == 0) {
  2795. al = SSL_AD_DECODE_ERROR;
  2796. goto f_err;
  2797. }
  2798. #ifdef SSL_DEBUG
  2799. fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
  2800. #endif
  2801. p += 2;
  2802. n -= 2;
  2803. }
  2804. n2s(p, i);
  2805. n -= 2;
  2806. if (i > n) {
  2807. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
  2808. al = SSL_AD_DECODE_ERROR;
  2809. goto f_err;
  2810. }
  2811. }
  2812. j = EVP_PKEY_size(pkey);
  2813. if ((i > j) || (n > j) || (n <= 0)) {
  2814. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
  2815. al = SSL_AD_DECODE_ERROR;
  2816. goto f_err;
  2817. }
  2818. if (SSL_USE_SIGALGS(s)) {
  2819. long hdatalen = 0;
  2820. void *hdata;
  2821. hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
  2822. if (hdatalen <= 0) {
  2823. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
  2824. al = SSL_AD_INTERNAL_ERROR;
  2825. goto f_err;
  2826. }
  2827. #ifdef SSL_DEBUG
  2828. fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
  2829. EVP_MD_name(md));
  2830. #endif
  2831. if (!EVP_VerifyInit_ex(&mctx, md, NULL)
  2832. || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
  2833. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
  2834. al = SSL_AD_INTERNAL_ERROR;
  2835. goto f_err;
  2836. }
  2837. if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
  2838. al = SSL_AD_DECRYPT_ERROR;
  2839. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
  2840. goto f_err;
  2841. }
  2842. } else
  2843. #ifndef OPENSSL_NO_RSA
  2844. if (pkey->type == EVP_PKEY_RSA) {
  2845. i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
  2846. MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
  2847. pkey->pkey.rsa);
  2848. if (i < 0) {
  2849. al = SSL_AD_DECRYPT_ERROR;
  2850. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
  2851. goto f_err;
  2852. }
  2853. if (i == 0) {
  2854. al = SSL_AD_DECRYPT_ERROR;
  2855. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
  2856. goto f_err;
  2857. }
  2858. } else
  2859. #endif
  2860. #ifndef OPENSSL_NO_DSA
  2861. if (pkey->type == EVP_PKEY_DSA) {
  2862. j = DSA_verify(pkey->save_type,
  2863. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
  2864. SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
  2865. if (j <= 0) {
  2866. /* bad signature */
  2867. al = SSL_AD_DECRYPT_ERROR;
  2868. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
  2869. goto f_err;
  2870. }
  2871. } else
  2872. #endif
  2873. #ifndef OPENSSL_NO_ECDSA
  2874. if (pkey->type == EVP_PKEY_EC) {
  2875. j = ECDSA_verify(pkey->save_type,
  2876. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
  2877. SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
  2878. if (j <= 0) {
  2879. /* bad signature */
  2880. al = SSL_AD_DECRYPT_ERROR;
  2881. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
  2882. goto f_err;
  2883. }
  2884. } else
  2885. #endif
  2886. if (pkey->type == NID_id_GostR3410_94
  2887. || pkey->type == NID_id_GostR3410_2001) {
  2888. unsigned char signature[64];
  2889. int idx;
  2890. EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
  2891. if (pctx == NULL) {
  2892. al = SSL_AD_INTERNAL_ERROR;
  2893. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
  2894. goto f_err;
  2895. }
  2896. if (EVP_PKEY_verify_init(pctx) <= 0) {
  2897. EVP_PKEY_CTX_free(pctx);
  2898. al = SSL_AD_INTERNAL_ERROR;
  2899. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
  2900. goto f_err;
  2901. }
  2902. if (i != 64) {
  2903. #ifdef SSL_DEBUG
  2904. fprintf(stderr, "GOST signature length is %d", i);
  2905. #endif
  2906. }
  2907. for (idx = 0; idx < 64; idx++) {
  2908. signature[63 - idx] = p[idx];
  2909. }
  2910. j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md,
  2911. 32);
  2912. EVP_PKEY_CTX_free(pctx);
  2913. if (j <= 0) {
  2914. al = SSL_AD_DECRYPT_ERROR;
  2915. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
  2916. goto f_err;
  2917. }
  2918. } else {
  2919. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
  2920. al = SSL_AD_UNSUPPORTED_CERTIFICATE;
  2921. goto f_err;
  2922. }
  2923. ret = 1;
  2924. if (0) {
  2925. f_err:
  2926. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  2927. s->state = SSL_ST_ERR;
  2928. }
  2929. end:
  2930. if (s->s3->handshake_buffer) {
  2931. BIO_free(s->s3->handshake_buffer);
  2932. s->s3->handshake_buffer = NULL;
  2933. s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
  2934. }
  2935. EVP_MD_CTX_cleanup(&mctx);
  2936. EVP_PKEY_free(pkey);
  2937. return (ret);
  2938. }
  2939. int ssl3_get_client_certificate(SSL *s)
  2940. {
  2941. int i, ok, al, ret = -1;
  2942. X509 *x = NULL;
  2943. unsigned long l, nc, llen, n;
  2944. const unsigned char *p, *q;
  2945. unsigned char *d;
  2946. STACK_OF(X509) *sk = NULL;
  2947. n = s->method->ssl_get_message(s,
  2948. SSL3_ST_SR_CERT_A,
  2949. SSL3_ST_SR_CERT_B,
  2950. -1, s->max_cert_list, &ok);
  2951. if (!ok)
  2952. return ((int)n);
  2953. if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  2954. if ((s->verify_mode & SSL_VERIFY_PEER) &&
  2955. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  2956. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  2957. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  2958. al = SSL_AD_HANDSHAKE_FAILURE;
  2959. goto f_err;
  2960. }
  2961. /*
  2962. * If tls asked for a client cert, the client must return a 0 list
  2963. */
  2964. if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
  2965. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  2966. SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
  2967. al = SSL_AD_UNEXPECTED_MESSAGE;
  2968. goto f_err;
  2969. }
  2970. s->s3->tmp.reuse_message = 1;
  2971. return (1);
  2972. }
  2973. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
  2974. al = SSL_AD_UNEXPECTED_MESSAGE;
  2975. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
  2976. goto f_err;
  2977. }
  2978. p = d = (unsigned char *)s->init_msg;
  2979. if ((sk = sk_X509_new_null()) == NULL) {
  2980. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  2981. goto err;
  2982. }
  2983. n2l3(p, llen);
  2984. if (llen + 3 != n) {
  2985. al = SSL_AD_DECODE_ERROR;
  2986. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
  2987. goto f_err;
  2988. }
  2989. for (nc = 0; nc < llen;) {
  2990. if (nc + 3 > llen) {
  2991. al = SSL_AD_DECODE_ERROR;
  2992. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  2993. SSL_R_CERT_LENGTH_MISMATCH);
  2994. goto f_err;
  2995. }
  2996. n2l3(p, l);
  2997. if ((l + nc + 3) > llen) {
  2998. al = SSL_AD_DECODE_ERROR;
  2999. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  3000. SSL_R_CERT_LENGTH_MISMATCH);
  3001. goto f_err;
  3002. }
  3003. q = p;
  3004. x = d2i_X509(NULL, &p, l);
  3005. if (x == NULL) {
  3006. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
  3007. goto err;
  3008. }
  3009. if (p != (q + l)) {
  3010. al = SSL_AD_DECODE_ERROR;
  3011. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  3012. SSL_R_CERT_LENGTH_MISMATCH);
  3013. goto f_err;
  3014. }
  3015. if (!sk_X509_push(sk, x)) {
  3016. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  3017. goto err;
  3018. }
  3019. x = NULL;
  3020. nc += l + 3;
  3021. }
  3022. if (sk_X509_num(sk) <= 0) {
  3023. /* TLS does not mind 0 certs returned */
  3024. if (s->version == SSL3_VERSION) {
  3025. al = SSL_AD_HANDSHAKE_FAILURE;
  3026. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  3027. SSL_R_NO_CERTIFICATES_RETURNED);
  3028. goto f_err;
  3029. }
  3030. /* Fail for TLS only if we required a certificate */
  3031. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3032. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3033. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  3034. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3035. al = SSL_AD_HANDSHAKE_FAILURE;
  3036. goto f_err;
  3037. }
  3038. /* No client certificate so digest cached records */
  3039. if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
  3040. al = SSL_AD_INTERNAL_ERROR;
  3041. goto f_err;
  3042. }
  3043. } else {
  3044. i = ssl_verify_cert_chain(s, sk);
  3045. if (i <= 0) {
  3046. al = ssl_verify_alarm_type(s->verify_result);
  3047. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
  3048. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3049. goto f_err;
  3050. }
  3051. }
  3052. if (s->session->peer != NULL) /* This should not be needed */
  3053. X509_free(s->session->peer);
  3054. s->session->peer = sk_X509_shift(sk);
  3055. s->session->verify_result = s->verify_result;
  3056. /*
  3057. * With the current implementation, sess_cert will always be NULL when we
  3058. * arrive here.
  3059. */
  3060. if (s->session->sess_cert == NULL) {
  3061. s->session->sess_cert = ssl_sess_cert_new();
  3062. if (s->session->sess_cert == NULL) {
  3063. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  3064. goto err;
  3065. }
  3066. }
  3067. if (s->session->sess_cert->cert_chain != NULL)
  3068. sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
  3069. s->session->sess_cert->cert_chain = sk;
  3070. /*
  3071. * Inconsistency alert: cert_chain does *not* include the peer's own
  3072. * certificate, while we do include it in s3_clnt.c
  3073. */
  3074. sk = NULL;
  3075. ret = 1;
  3076. if (0) {
  3077. f_err:
  3078. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  3079. err:
  3080. s->state = SSL_ST_ERR;
  3081. }
  3082. if (x != NULL)
  3083. X509_free(x);
  3084. if (sk != NULL)
  3085. sk_X509_pop_free(sk, X509_free);
  3086. return (ret);
  3087. }
  3088. int ssl3_send_server_certificate(SSL *s)
  3089. {
  3090. CERT_PKEY *cpk;
  3091. if (s->state == SSL3_ST_SW_CERT_A) {
  3092. cpk = ssl_get_server_send_pkey(s);
  3093. if (cpk == NULL) {
  3094. /* VRS: allow null cert if auth == KRB5 */
  3095. if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
  3096. (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
  3097. SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
  3098. ERR_R_INTERNAL_ERROR);
  3099. s->state = SSL_ST_ERR;
  3100. return (0);
  3101. }
  3102. }
  3103. if (!ssl3_output_cert_chain(s, cpk)) {
  3104. SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3105. s->state = SSL_ST_ERR;
  3106. return (0);
  3107. }
  3108. s->state = SSL3_ST_SW_CERT_B;
  3109. }
  3110. /* SSL3_ST_SW_CERT_B */
  3111. return ssl_do_write(s);
  3112. }
  3113. #ifndef OPENSSL_NO_TLSEXT
  3114. /* send a new session ticket (not necessarily for a new session) */
  3115. int ssl3_send_newsession_ticket(SSL *s)
  3116. {
  3117. unsigned char *senc = NULL;
  3118. EVP_CIPHER_CTX ctx;
  3119. HMAC_CTX hctx;
  3120. if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
  3121. unsigned char *p, *macstart;
  3122. const unsigned char *const_p;
  3123. int len, slen_full, slen;
  3124. SSL_SESSION *sess;
  3125. unsigned int hlen;
  3126. SSL_CTX *tctx = s->initial_ctx;
  3127. unsigned char iv[EVP_MAX_IV_LENGTH];
  3128. unsigned char key_name[16];
  3129. /* get session encoding length */
  3130. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3131. /*
  3132. * Some length values are 16 bits, so forget it if session is too
  3133. * long
  3134. */
  3135. if (slen_full == 0 || slen_full > 0xFF00) {
  3136. s->state = SSL_ST_ERR;
  3137. return -1;
  3138. }
  3139. senc = OPENSSL_malloc(slen_full);
  3140. if (!senc) {
  3141. s->state = SSL_ST_ERR;
  3142. return -1;
  3143. }
  3144. EVP_CIPHER_CTX_init(&ctx);
  3145. HMAC_CTX_init(&hctx);
  3146. p = senc;
  3147. if (!i2d_SSL_SESSION(s->session, &p))
  3148. goto err;
  3149. /*
  3150. * create a fresh copy (not shared with other threads) to clean up
  3151. */
  3152. const_p = senc;
  3153. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3154. if (sess == NULL)
  3155. goto err;
  3156. sess->session_id_length = 0; /* ID is irrelevant for the ticket */
  3157. slen = i2d_SSL_SESSION(sess, NULL);
  3158. if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
  3159. SSL_SESSION_free(sess);
  3160. goto err;
  3161. }
  3162. p = senc;
  3163. if (!i2d_SSL_SESSION(sess, &p)) {
  3164. SSL_SESSION_free(sess);
  3165. goto err;
  3166. }
  3167. SSL_SESSION_free(sess);
  3168. /*-
  3169. * Grow buffer if need be: the length calculation is as
  3170. * follows handshake_header_length +
  3171. * 4 (ticket lifetime hint) + 2 (ticket length) +
  3172. * 16 (key name) + max_iv_len (iv length) +
  3173. * session_length + max_enc_block_size (max encrypted session
  3174. * length) + max_md_size (HMAC).
  3175. */
  3176. if (!BUF_MEM_grow(s->init_buf,
  3177. SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
  3178. EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
  3179. goto err;
  3180. p = ssl_handshake_start(s);
  3181. /*
  3182. * Initialize HMAC and cipher contexts. If callback present it does
  3183. * all the work otherwise use generated values from parent ctx.
  3184. */
  3185. if (tctx->tlsext_ticket_key_cb) {
  3186. /* if 0 is returned, write en empty ticket */
  3187. int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
  3188. &hctx, 1);
  3189. if (ret == 0) {
  3190. l2n(0, p); /* timeout */
  3191. s2n(0, p); /* length */
  3192. ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET,
  3193. p - ssl_handshake_start(s));
  3194. s->state = SSL3_ST_SW_SESSION_TICKET_B;
  3195. OPENSSL_free(senc);
  3196. EVP_CIPHER_CTX_cleanup(&ctx);
  3197. HMAC_CTX_cleanup(&hctx);
  3198. return ssl_do_write(s);
  3199. }
  3200. if (ret < 0)
  3201. goto err;
  3202. } else {
  3203. if (RAND_bytes(iv, 16) <= 0)
  3204. goto err;
  3205. if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  3206. tctx->tlsext_tick_aes_key, iv))
  3207. goto err;
  3208. if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  3209. tlsext_tick_md(), NULL))
  3210. goto err;
  3211. memcpy(key_name, tctx->tlsext_tick_key_name, 16);
  3212. }
  3213. /*
  3214. * Ticket lifetime hint (advisory only): We leave this unspecified
  3215. * for resumed session (for simplicity), and guess that tickets for
  3216. * new sessions will live as long as their sessions.
  3217. */
  3218. l2n(s->hit ? 0 : s->session->timeout, p);
  3219. /* Skip ticket length for now */
  3220. p += 2;
  3221. /* Output key name */
  3222. macstart = p;
  3223. memcpy(p, key_name, 16);
  3224. p += 16;
  3225. /* output IV */
  3226. memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
  3227. p += EVP_CIPHER_CTX_iv_length(&ctx);
  3228. /* Encrypt session data */
  3229. if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
  3230. goto err;
  3231. p += len;
  3232. if (!EVP_EncryptFinal(&ctx, p, &len))
  3233. goto err;
  3234. p += len;
  3235. if (!HMAC_Update(&hctx, macstart, p - macstart))
  3236. goto err;
  3237. if (!HMAC_Final(&hctx, p, &hlen))
  3238. goto err;
  3239. EVP_CIPHER_CTX_cleanup(&ctx);
  3240. HMAC_CTX_cleanup(&hctx);
  3241. p += hlen;
  3242. /* Now write out lengths: p points to end of data written */
  3243. /* Total length */
  3244. len = p - ssl_handshake_start(s);
  3245. /* Skip ticket lifetime hint */
  3246. p = ssl_handshake_start(s) + 4;
  3247. s2n(len - 6, p);
  3248. ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
  3249. s->state = SSL3_ST_SW_SESSION_TICKET_B;
  3250. OPENSSL_free(senc);
  3251. }
  3252. /* SSL3_ST_SW_SESSION_TICKET_B */
  3253. return ssl_do_write(s);
  3254. err:
  3255. if (senc)
  3256. OPENSSL_free(senc);
  3257. EVP_CIPHER_CTX_cleanup(&ctx);
  3258. HMAC_CTX_cleanup(&hctx);
  3259. s->state = SSL_ST_ERR;
  3260. return -1;
  3261. }
  3262. int ssl3_send_cert_status(SSL *s)
  3263. {
  3264. if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
  3265. unsigned char *p;
  3266. size_t msglen;
  3267. /*-
  3268. * Grow buffer if need be: the length calculation is as
  3269. * follows handshake_header_length +
  3270. * 1 (ocsp response type) + 3 (ocsp response length)
  3271. * + (ocsp response)
  3272. */
  3273. msglen = 4 + s->tlsext_ocsp_resplen;
  3274. if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen)) {
  3275. s->state = SSL_ST_ERR;
  3276. return -1;
  3277. }
  3278. p = ssl_handshake_start(s);
  3279. /* status type */
  3280. *(p++) = s->tlsext_status_type;
  3281. /* length of OCSP response */
  3282. l2n3(s->tlsext_ocsp_resplen, p);
  3283. /* actual response */
  3284. memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
  3285. ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen);
  3286. }
  3287. /* SSL3_ST_SW_CERT_STATUS_B */
  3288. return (ssl_do_write(s));
  3289. }
  3290. # ifndef OPENSSL_NO_NEXTPROTONEG
  3291. /*
  3292. * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
  3293. * It sets the next_proto member in s if found
  3294. */
  3295. int ssl3_get_next_proto(SSL *s)
  3296. {
  3297. int ok;
  3298. int proto_len, padding_len;
  3299. long n;
  3300. const unsigned char *p;
  3301. /*
  3302. * Clients cannot send a NextProtocol message if we didn't see the
  3303. * extension in their ClientHello
  3304. */
  3305. if (!s->s3->next_proto_neg_seen) {
  3306. SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
  3307. SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
  3308. s->state = SSL_ST_ERR;
  3309. return -1;
  3310. }
  3311. /* See the payload format below */
  3312. n = s->method->ssl_get_message(s,
  3313. SSL3_ST_SR_NEXT_PROTO_A,
  3314. SSL3_ST_SR_NEXT_PROTO_B,
  3315. SSL3_MT_NEXT_PROTO, 514, &ok);
  3316. if (!ok)
  3317. return ((int)n);
  3318. /*
  3319. * s->state doesn't reflect whether ChangeCipherSpec has been received in
  3320. * this handshake, but s->s3->change_cipher_spec does (will be reset by
  3321. * ssl3_get_finished).
  3322. */
  3323. if (!s->s3->change_cipher_spec) {
  3324. SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
  3325. s->state = SSL_ST_ERR;
  3326. return -1;
  3327. }
  3328. if (n < 2) {
  3329. s->state = SSL_ST_ERR;
  3330. return 0; /* The body must be > 1 bytes long */
  3331. }
  3332. p = (unsigned char *)s->init_msg;
  3333. /*-
  3334. * The payload looks like:
  3335. * uint8 proto_len;
  3336. * uint8 proto[proto_len];
  3337. * uint8 padding_len;
  3338. * uint8 padding[padding_len];
  3339. */
  3340. proto_len = p[0];
  3341. if (proto_len + 2 > s->init_num) {
  3342. s->state = SSL_ST_ERR;
  3343. return 0;
  3344. }
  3345. padding_len = p[proto_len + 1];
  3346. if (proto_len + padding_len + 2 != s->init_num) {
  3347. s->state = SSL_ST_ERR;
  3348. return 0;
  3349. }
  3350. s->next_proto_negotiated = OPENSSL_malloc(proto_len);
  3351. if (!s->next_proto_negotiated) {
  3352. SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
  3353. s->state = SSL_ST_ERR;
  3354. return 0;
  3355. }
  3356. memcpy(s->next_proto_negotiated, p + 1, proto_len);
  3357. s->next_proto_negotiated_len = proto_len;
  3358. return 1;
  3359. }
  3360. # endif
  3361. #endif