Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 2b0aeecabfbf3cf8eadcb7742899898fdaa3acfc / . / ssl / s3_clnt.c
blob: e763d7c36070d8b59f12def820dddf49c38c51db [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <stdio.h>
152
153#include <openssl/buf.h>
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]154#include <openssl/bytestring.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155#include <openssl/rand.h>
156#include <openssl/obj.h>
157#include <openssl/evp.h>
158#include <openssl/mem.h>
159#include <openssl/md5.h>
160#include <openssl/dh.h>
161#include <openssl/bn.h>
162#include <openssl/engine.h>
163#include <openssl/x509.h>
164
165#include "ssl_locl.h"
166#include "../crypto/dh/internal.h"
167
168static const SSL_METHOD *ssl3_get_client_method(int ver);
169
170static const SSL_METHOD *ssl3_get_client_method(int ver)
171 {
172 if (ver == SSL3_VERSION)
173 return(SSLv3_client_method());
174 else
175 return(NULL);
176 }
177
178IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
179 ssl_undefined_function,
180 ssl3_connect,
181 ssl3_get_client_method)
182
183int ssl3_connect(SSL *s)
184 {
185 BUF_MEM *buf=NULL;
186 void (*cb)(const SSL *ssl,int type,int val)=NULL;
187 int ret= -1;
188 int new_state,state,skip=0;
189
190 ERR_clear_error();
191 ERR_clear_system_error();
192
193 if (s->info_callback != NULL)
194 cb=s->info_callback;
195 else if (s->ctx->info_callback != NULL)
196 cb=s->ctx->info_callback;
197
198 s->in_handshake++;
199 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
200
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]201 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
202 {
203 /* Send app data along with CCS/Finished */
204 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
205 }
206
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]207 for (;;)
208 {
209 state=s->state;
210
211 switch(s->state)
212 {
213 case SSL_ST_RENEGOTIATE:
214 s->renegotiate=1;
215 s->state=SSL_ST_CONNECT;
216 s->ctx->stats.sess_connect_renegotiate++;
217 /* break */
218 case SSL_ST_BEFORE:
219 case SSL_ST_CONNECT:
220 case SSL_ST_BEFORE|SSL_ST_CONNECT:
221 case SSL_ST_OK|SSL_ST_CONNECT:
222
223 s->server=0;
224 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
225
226 if ((s->version & 0xff00 ) != 0x0300)
227 {
228 OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
229 ret = -1;
230 goto end;
231 }
232
233 /* s->version=SSL3_VERSION; */
234 s->type=SSL_ST_CONNECT;
235
236 if (s->init_buf == NULL)
237 {
238 if ((buf=BUF_MEM_new()) == NULL)
239 {
240 ret= -1;
241 goto end;
242 }
243 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
244 {
245 ret= -1;
246 goto end;
247 }
248 s->init_buf=buf;
249 buf=NULL;
250 }
251
252 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
253
254 /* setup buffing BIO */
255 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
256
257 /* don't push the buffering BIO quite yet */
258
259 ssl3_init_finished_mac(s);
260
261 s->state=SSL3_ST_CW_CLNT_HELLO_A;
262 s->ctx->stats.sess_connect++;
263 s->init_num=0;
264 break;
265
266 case SSL3_ST_CW_CLNT_HELLO_A:
267 case SSL3_ST_CW_CLNT_HELLO_B:
268
269 s->shutdown=0;
270 ret=ssl3_client_hello(s);
271 if (ret <= 0) goto end;
272 s->state=SSL3_ST_CR_SRVR_HELLO_A;
273 s->init_num=0;
274
275 /* turn on buffering for the next lot of output */
276 if (s->bbio != s->wbio)
277 s->wbio=BIO_push(s->bbio,s->wbio);
278
279 break;
280
281 case SSL3_ST_CR_SRVR_HELLO_A:
282 case SSL3_ST_CR_SRVR_HELLO_B:
283 ret=ssl3_get_server_hello(s);
284 if (ret <= 0) goto end;
285
286 if (s->hit)
287 {
288 s->state=SSL3_ST_CR_FINISHED_A;
289#ifndef OPENSSL_NO_TLSEXT
290 if (s->tlsext_ticket_expected)
291 {
292 /* receive renewed session ticket */
293 s->state=SSL3_ST_CR_SESSION_TICKET_A;
294 }
295#endif
296 }
297 else
298 {
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame^]299 s->state=SSL3_ST_CR_CERT_A;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]300 }
301 s->init_num=0;
302 break;
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame^]303
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]304 case SSL3_ST_CR_CERT_A:
305 case SSL3_ST_CR_CERT_B:
306#ifndef OPENSSL_NO_TLSEXT
307 ret=ssl3_check_finished(s);
308 if (ret <= 0) goto end;
309 if (ret == 2)
310 {
311 s->hit = 1;
312 if (s->tlsext_ticket_expected)
313 s->state=SSL3_ST_CR_SESSION_TICKET_A;
314 else
315 s->state=SSL3_ST_CR_FINISHED_A;
316 s->init_num=0;
317 break;
318 }
319#endif
320 /* Check if it is anon DH/ECDH */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]321 /* or non-RSA PSK */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]322 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]323 !((s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) &&
324 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]325 {
326 ret=ssl3_get_server_certificate(s);
327 if (ret <= 0) goto end;
328#ifndef OPENSSL_NO_TLSEXT
329 if (s->tlsext_status_expected)
330 s->state=SSL3_ST_CR_CERT_STATUS_A;
331 else
332 s->state=SSL3_ST_CR_KEY_EXCH_A;
333 }
334 else
335 {
336 skip = 1;
337 s->state=SSL3_ST_CR_KEY_EXCH_A;
338 }
339#else
340 }
341 else
342 skip=1;
343
344 s->state=SSL3_ST_CR_KEY_EXCH_A;
345#endif
346 s->init_num=0;
347 break;
348
349 case SSL3_ST_CR_KEY_EXCH_A:
350 case SSL3_ST_CR_KEY_EXCH_B:
351 ret=ssl3_get_key_exchange(s);
352 if (ret <= 0) goto end;
353 s->state=SSL3_ST_CR_CERT_REQ_A;
354 s->init_num=0;
355
356 /* at this point we check that we have the
357 * required stuff from the server */
358 if (!ssl3_check_cert_and_algorithm(s))
359 {
360 ret= -1;
361 goto end;
362 }
363 break;
364
365 case SSL3_ST_CR_CERT_REQ_A:
366 case SSL3_ST_CR_CERT_REQ_B:
367 ret=ssl3_get_certificate_request(s);
368 if (ret <= 0) goto end;
369 s->state=SSL3_ST_CR_SRVR_DONE_A;
370 s->init_num=0;
371 break;
372
373 case SSL3_ST_CR_SRVR_DONE_A:
374 case SSL3_ST_CR_SRVR_DONE_B:
375 ret=ssl3_get_server_done(s);
376 if (ret <= 0) goto end;
377 if (s->s3->tmp.cert_req)
378 s->state=SSL3_ST_CW_CERT_A;
379 else
380 s->state=SSL3_ST_CW_KEY_EXCH_A;
381 s->init_num=0;
382
383 break;
384
385 case SSL3_ST_CW_CERT_A:
386 case SSL3_ST_CW_CERT_B:
387 case SSL3_ST_CW_CERT_C:
388 case SSL3_ST_CW_CERT_D:
389 ret=ssl3_send_client_certificate(s);
390 if (ret <= 0) goto end;
391 s->state=SSL3_ST_CW_KEY_EXCH_A;
392 s->init_num=0;
393 break;
394
395 case SSL3_ST_CW_KEY_EXCH_A:
396 case SSL3_ST_CW_KEY_EXCH_B:
397 ret=ssl3_send_client_key_exchange(s);
398 if (ret <= 0) goto end;
399 /* EAY EAY EAY need to check for DH fix cert
400 * sent back */
401 /* For TLS, cert_req is set to 2, so a cert chain
402 * of nothing is sent, but no verify packet is sent */
403 /* XXX: For now, we do not support client
404 * authentication in ECDH cipher suites with
405 * ECDH (rather than ECDSA) certificates.
406 * We need to skip the certificate verify
407 * message when client's ECDH public key is sent
408 * inside the client certificate.
409 */
410 if (s->s3->tmp.cert_req == 1)
411 {
412 s->state=SSL3_ST_CW_CERT_VRFY_A;
413 }
414 else
415 {
416 s->state=SSL3_ST_CW_CHANGE_A;
417 s->s3->change_cipher_spec=0;
418 }
419 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
420 {
421 s->state=SSL3_ST_CW_CHANGE_A;
422 s->s3->change_cipher_spec=0;
423 }
424
425 s->init_num=0;
426 break;
427
428 case SSL3_ST_CW_CERT_VRFY_A:
429 case SSL3_ST_CW_CERT_VRFY_B:
430 ret=ssl3_send_client_verify(s);
431 if (ret <= 0) goto end;
432 s->state=SSL3_ST_CW_CHANGE_A;
433 s->init_num=0;
434 s->s3->change_cipher_spec=0;
435 break;
436
437 case SSL3_ST_CW_CHANGE_A:
438 case SSL3_ST_CW_CHANGE_B:
439 ret=ssl3_send_change_cipher_spec(s,
440 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
441 if (ret <= 0) goto end;
442
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]443 s->state=SSL3_ST_CW_FINISHED_A;
444#if !defined(OPENSSL_NO_TLSEXT)
445 if (s->s3->tlsext_channel_id_valid)
446 s->state=SSL3_ST_CW_CHANNEL_ID_A;
447# if !defined(OPENSSL_NO_NEXTPROTONEG)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]448 if (s->s3->next_proto_neg_seen)
449 s->state=SSL3_ST_CW_NEXT_PROTO_A;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]450# endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]451#endif
452 s->init_num=0;
453
454 s->session->cipher=s->s3->tmp.new_cipher;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]455 if (!s->method->ssl3_enc->setup_key_block(s))
456 {
457 ret= -1;
458 goto end;
459 }
460
461 if (!s->method->ssl3_enc->change_cipher_state(s,
462 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
463 {
464 ret= -1;
465 goto end;
466 }
467
468 break;
469
470#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
471 case SSL3_ST_CW_NEXT_PROTO_A:
472 case SSL3_ST_CW_NEXT_PROTO_B:
473 ret=ssl3_send_next_proto(s);
474 if (ret <= 0) goto end;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]475 if (s->s3->tlsext_channel_id_valid)
476 s->state=SSL3_ST_CW_CHANNEL_ID_A;
477 else
478 s->state=SSL3_ST_CW_FINISHED_A;
479 break;
480#endif
481
482#if !defined(OPENSSL_NO_TLSEXT)
483 case SSL3_ST_CW_CHANNEL_ID_A:
484 case SSL3_ST_CW_CHANNEL_ID_B:
485 ret=ssl3_send_channel_id(s);
486 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]487 s->state=SSL3_ST_CW_FINISHED_A;
488 break;
489#endif
490
491 case SSL3_ST_CW_FINISHED_A:
492 case SSL3_ST_CW_FINISHED_B:
493 ret=ssl3_send_finished(s,
494 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
495 s->method->ssl3_enc->client_finished_label,
496 s->method->ssl3_enc->client_finished_label_len);
497 if (ret <= 0) goto end;
Adam Langleya433cbd2014-06-20 12:00:00 -0700[diff] [blame]498 s->s3->flags |= SSL3_FLAGS_CCS_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]499 s->state=SSL3_ST_CW_FLUSH;
500
501 /* clear flags */
502 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
503 if (s->hit)
504 {
505 s->s3->tmp.next_state=SSL_ST_OK;
506 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
507 {
508 s->state=SSL_ST_OK;
509 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
510 s->s3->delay_buf_pop_ret=0;
511 }
512 }
513 else
514 {
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]515 /* This is a non-resumption handshake. If it
516 * involves ChannelID, then record the
517 * handshake hashes at this point in the
518 * session so that any resumption of this
519 * session with ChannelID can sign those
520 * hashes. */
521 if (s->s3->tlsext_channel_id_new)
522 {
523 ret = tls1_record_handshake_hashes_for_channel_id(s);
524 if (ret <= 0)
525 goto end;
526 }
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]527 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
528 && ssl3_can_cutthrough(s)
529 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
530 )
531 {
532 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
533 {
534 s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
535 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
536 s->s3->delay_buf_pop_ret=0;
537 }
538 else
539 {
540 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
541 }
542 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]543 else
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]544 {
545#ifndef OPENSSL_NO_TLSEXT
546 /* Allow NewSessionTicket if ticket expected */
547 if (s->tlsext_ticket_expected)
548 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
549 else
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]550#endif
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]551 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
552 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]553 }
554 s->init_num=0;
555 break;
556
557#ifndef OPENSSL_NO_TLSEXT
558 case SSL3_ST_CR_SESSION_TICKET_A:
559 case SSL3_ST_CR_SESSION_TICKET_B:
560 ret=ssl3_get_new_session_ticket(s);
561 if (ret <= 0) goto end;
562 s->state=SSL3_ST_CR_FINISHED_A;
563 s->init_num=0;
564 break;
565
566 case SSL3_ST_CR_CERT_STATUS_A:
567 case SSL3_ST_CR_CERT_STATUS_B:
568 ret=ssl3_get_cert_status(s);
569 if (ret <= 0) goto end;
570 s->state=SSL3_ST_CR_KEY_EXCH_A;
571 s->init_num=0;
572 break;
573#endif
574
575 case SSL3_ST_CR_FINISHED_A:
576 case SSL3_ST_CR_FINISHED_B:
577
Adam Langleyce7f9ca2014-06-20 12:00:00 -0700[diff] [blame]578 s->s3->flags |= SSL3_FLAGS_CCS_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]579 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
580 SSL3_ST_CR_FINISHED_B);
581 if (ret <= 0) goto end;
582
583 if (s->hit)
584 s->state=SSL3_ST_CW_CHANGE_A;
585 else
586 s->state=SSL_ST_OK;
587 s->init_num=0;
588 break;
589
590 case SSL3_ST_CW_FLUSH:
591 s->rwstate=SSL_WRITING;
592 if (BIO_flush(s->wbio) <= 0)
593 {
594 ret= -1;
595 goto end;
596 }
597 s->rwstate=SSL_NOTHING;
598 s->state=s->s3->tmp.next_state;
599 break;
600
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]601 case SSL3_ST_CUTTHROUGH_COMPLETE:
602#ifndef OPENSSL_NO_TLSEXT
603 /* Allow NewSessionTicket if ticket expected */
604 if (s->tlsext_ticket_expected)
605 s->state=SSL3_ST_CR_SESSION_TICKET_A;
606 else
607#endif
608 s->state=SSL3_ST_CR_FINISHED_A;
609
610 /* SSL_write() will take care of flushing buffered data if
611 * DELAY_CLIENT_FINISHED is set.
612 */
613 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
614 ssl_free_wbio_buffer(s);
615 ret = 1;
616 goto end;
617 /* break; */
618
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]619 case SSL_ST_OK:
620 /* clean a few things up */
621 ssl3_cleanup_key_block(s);
622
623 if (s->init_buf != NULL)
624 {
625 BUF_MEM_free(s->init_buf);
626 s->init_buf=NULL;
627 }
628
629 /* If we are not 'joining' the last two packets,
630 * remove the buffering now */
631 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
632 ssl_free_wbio_buffer(s);
633 /* else do it later in ssl3_write */
634
635 s->init_num=0;
636 s->renegotiate=0;
637 s->new_session=0;
638
639 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
640 if (s->hit) s->ctx->stats.sess_hit++;
641
642 ret=1;
643 /* s->server=0; */
644 s->handshake_func=ssl3_connect;
645 s->ctx->stats.sess_connect_good++;
646
647 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
648
649 goto end;
650 /* break; */
651
652 default:
653 OPENSSL_PUT_ERROR(SSL, ssl3_connect, SSL_R_UNKNOWN_STATE);
654 ret= -1;
655 goto end;
656 /* break; */
657 }
658
659 /* did we do anything */
660 if (!s->s3->tmp.reuse_message && !skip)
661 {
662 if (s->debug)
663 {
664 if ((ret=BIO_flush(s->wbio)) <= 0)
665 goto end;
666 }
667
668 if ((cb != NULL) && (s->state != state))
669 {
670 new_state=s->state;
671 s->state=state;
672 cb(s,SSL_CB_CONNECT_LOOP,1);
673 s->state=new_state;
674 }
675 }
676 skip=0;
677 }
678end:
679 s->in_handshake--;
680 if (buf != NULL)
681 BUF_MEM_free(buf);
682 if (cb != NULL)
683 cb(s,SSL_CB_CONNECT_EXIT,ret);
684 return(ret);
685 }
686
687
688int ssl3_client_hello(SSL *s)
689 {
690 unsigned char *buf;
691 unsigned char *p,*d;
692 int i;
693 unsigned long l;
694
695 buf=(unsigned char *)s->init_buf->data;
696 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
697 {
698 SSL_SESSION *sess = s->session;
699 if ((sess == NULL) ||
700 (sess->ssl_version != s->version) ||
701#ifdef OPENSSL_NO_TLSEXT
702 !sess->session_id_length ||
703#else
704 (!sess->session_id_length && !sess->tlsext_tick) ||
705#endif
706 (sess->not_resumable))
707 {
708 if (!ssl_get_new_session(s,0))
709 goto err;
710 }
711 if (s->method->version == DTLS_ANY_VERSION)
712 {
713 /* Determine which DTLS version to use */
714 int options = s->options;
715 /* If DTLS 1.2 disabled correct the version number */
716 if (options & SSL_OP_NO_DTLSv1_2)
717 {
718 if (tls1_suiteb(s))
719 {
720 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
721 goto err;
722 }
723 /* Disabling all versions is silly: return an
724 * error.
725 */
726 if (options & SSL_OP_NO_DTLSv1)
727 {
728 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_WRONG_SSL_VERSION);
729 goto err;
730 }
731 /* Update method so we don't use any DTLS 1.2
732 * features.
733 */
734 s->method = DTLSv1_client_method();
735 s->version = DTLS1_VERSION;
736 }
737 else
738 {
739 /* We only support one version: update method */
740 if (options & SSL_OP_NO_DTLSv1)
741 s->method = DTLSv1_2_client_method();
742 s->version = DTLS1_2_VERSION;
743 }
744 s->client_version = s->version;
745 }
746 /* else use the pre-loaded session */
747
748 p=s->s3->client_random;
749
750 /* for DTLS if client_random is initialized, reuse it, we are
751 * required to use same upon reply to HelloVerify */
752 if (SSL_IS_DTLS(s))
753 {
754 size_t idx;
755 i = 1;
756 for (idx=0; idx < sizeof(s->s3->client_random); idx++)
757 {
758 if (p[idx])
759 {
760 i = 0;
761 break;
762 }
763 }
764 }
765 else
766 i = 1;
767
768 if (i)
769 ssl_fill_hello_random(s, 0, p,
770 sizeof(s->s3->client_random));
771
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]772 /* Do the message type and length last.
773 * Note: the final argument to ssl_add_clienthello_tlsext below
774 * depends on the size of this prefix. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]775 d=p= ssl_handshake_start(s);
776
777 /* version indicates the negotiated version: for example from
778 * an SSLv2/v3 compatible client hello). The client_version
779 * field is the maximum version we permit and it is also
780 * used in RSA encrypted premaster secrets. Some servers can
781 * choke if we initially report a higher version then
782 * renegotiate to a lower one in the premaster secret. This
783 * didn't happen with TLS 1.0 as most servers supported it
784 * but it can with TLS 1.1 or later if the server only supports
785 * 1.0.
786 *
787 * Possible scenario with previous logic:
788 * 1. Client hello indicates TLS 1.2
789 * 2. Server hello says TLS 1.0
790 * 3. RSA encrypted premaster secret uses 1.2.
791 * 4. Handhaked proceeds using TLS 1.0.
792 * 5. Server sends hello request to renegotiate.
793 * 6. Client hello indicates TLS v1.0 as we now
794 * know that is maximum server supports.
795 * 7. Server chokes on RSA encrypted premaster secret
796 * containing version 1.0.
797 *
798 * For interoperability it should be OK to always use the
799 * maximum version we support in client hello and then rely
800 * on the checking of version to ensure the servers isn't
801 * being inconsistent: for example initially negotiating with
802 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
803 * client_version in client hello and not resetting it to
804 * the negotiated version.
805 */
806#if 0
807 *(p++)=s->version>>8;
808 *(p++)=s->version&0xff;
809 s->client_version=s->version;
810#else
811 *(p++)=s->client_version>>8;
812 *(p++)=s->client_version&0xff;
813#endif
814
815 /* Random stuff */
816 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
817 p+=SSL3_RANDOM_SIZE;
818
819 /* Session ID */
820 if (s->new_session)
821 i=0;
822 else
823 i=s->session->session_id_length;
824 *(p++)=i;
825 if (i != 0)
826 {
827 if (i > (int)sizeof(s->session->session_id))
828 {
829 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
830 goto err;
831 }
832 memcpy(p,s->session->session_id,i);
833 p+=i;
834 }
835
836 /* cookie stuff for DTLS */
837 if (SSL_IS_DTLS(s))
838 {
839 if ( s->d1->cookie_len > sizeof(s->d1->cookie))
840 {
841 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
842 goto err;
843 }
844 *(p++) = s->d1->cookie_len;
845 memcpy(p, s->d1->cookie, s->d1->cookie_len);
846 p += s->d1->cookie_len;
847 }
848
849 /* Ciphers supported */
850 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
851 if (i == 0)
852 {
853 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_NO_CIPHERS_AVAILABLE);
854 goto err;
855 }
856#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
857 /* Some servers hang if client hello > 256 bytes
858 * as hack workaround chop number of supported ciphers
859 * to keep it well below this if we use TLS v1.2
860 */
861 if (TLS1_get_version(s) >= TLS1_2_VERSION
862 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
863 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
864#endif
865 s2n(i,p);
866 p+=i;
867
868 /* COMPRESSION */
869 *(p++)=1;
870 *(p++)=0; /* Add the NULL method */
871
872#ifndef OPENSSL_NO_TLSEXT
873 /* TLS extensions*/
874 if (ssl_prepare_clienthello_tlsext(s) <= 0)
875 {
876 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
877 goto err;
878 }
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]879 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]880 {
881 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
882 goto err;
883 }
884#endif
885
886 l= p-d;
887 ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
888 s->state=SSL3_ST_CW_CLNT_HELLO_B;
889 }
890
891 /* SSL3_ST_CW_CLNT_HELLO_B */
892 return ssl_do_write(s);
893err:
894 return(-1);
895 }
896
897int ssl3_get_server_hello(SSL *s)
898 {
899 STACK_OF(SSL_CIPHER) *sk;
900 const SSL_CIPHER *c;
901 CERT *ct = s->cert;
902 unsigned char *p,*d;
903 int al=SSL_AD_INTERNAL_ERROR,ok;
904 unsigned int j;
905 long n;
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]906 CBS cbs;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]907 /* Hello verify request and/or server hello version may not
908 * match so set first packet if we're negotiating version.
909 */
910 if (SSL_IS_DTLS(s))
911 s->first_packet = 1;
912
913 n=s->method->ssl_get_message(s,
914 SSL3_ST_CR_SRVR_HELLO_A,
915 SSL3_ST_CR_SRVR_HELLO_B,
916 -1,
917 20000, /* ?? */
918 &ok);
919
920 if (!ok) return((int)n);
921
922 if (SSL_IS_DTLS(s))
923 {
924 s->first_packet = 0;
925 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
926 {
927 if ( s->d1->send_cookie == 0)
928 {
929 s->s3->tmp.reuse_message = 1;
930 return 1;
931 }
932 else /* already sent a cookie */
933 {
934 al=SSL_AD_UNEXPECTED_MESSAGE;
935 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
936 goto f_err;
937 }
938 }
939 }
940
941 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
942 {
943 al=SSL_AD_UNEXPECTED_MESSAGE;
944 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
945 goto f_err;
946 }
947
948 d=p=(unsigned char *)s->init_msg;
949 if (s->method->version == DTLS_ANY_VERSION)
950 {
951 /* Work out correct protocol version to use */
952 int hversion = (p[0] << 8)|p[1];
953 int options = s->options;
954 if (hversion == DTLS1_2_VERSION
955 && !(options & SSL_OP_NO_DTLSv1_2))
956 s->method = DTLSv1_2_client_method();
957 else if (tls1_suiteb(s))
958 {
959 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
960 s->version = hversion;
961 al = SSL_AD_PROTOCOL_VERSION;
962 goto f_err;
963 }
964 else if (hversion == DTLS1_VERSION
965 && !(options & SSL_OP_NO_DTLSv1))
966 s->method = DTLSv1_client_method();
967 else
968 {
969 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
970 s->version = hversion;
971 al = SSL_AD_PROTOCOL_VERSION;
972 goto f_err;
973 }
974 s->version = s->client_version = s->method->version;
975 }
976
977 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
978 {
979 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
980 s->version=(s->version&0xff00)|p[1];
981 al=SSL_AD_PROTOCOL_VERSION;
982 goto f_err;
983 }
984 p+=2;
985
986 /* load the server hello data */
987 /* load the server random */
988 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
989 p+=SSL3_RANDOM_SIZE;
990
991 /* get the session-id */
992 j= *(p++);
993
994 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
995 {
996 al=SSL_AD_ILLEGAL_PARAMETER;
997 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_SSL3_SESSION_ID_TOO_LONG);
998 goto f_err;
999 }
1000
1001#ifndef OPENSSL_NO_TLSEXT
1002 /* check if we want to resume the session based on external pre-shared secret */
1003 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
1004 {
1005 SSL_CIPHER *pref_cipher=NULL;
1006 s->session->master_key_length=sizeof(s->session->master_key);
1007 if (s->tls_session_secret_cb(s, s->session->master_key,
1008 &s->session->master_key_length,
1009 NULL, &pref_cipher,
1010 s->tls_session_secret_cb_arg))
1011 {
1012 s->session->cipher = pref_cipher ?
1013 pref_cipher : ssl_get_cipher_by_char(s, p+j);
Adam Langley6acf4762014-06-20 12:00:00 -0700[diff] [blame]1014 s->s3->flags |= SSL3_FLAGS_CCS_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1015 }
1016 }
1017#endif /* OPENSSL_NO_TLSEXT */
1018
1019 if (j != 0 && j == s->session->session_id_length
1020 && memcmp(p,s->session->session_id,j) == 0)
1021 {
1022 if(s->sid_ctx_length != s->session->sid_ctx_length
1023 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
1024 {
1025 /* actually a client application bug */
1026 al=SSL_AD_ILLEGAL_PARAMETER;
1027 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1028 goto f_err;
1029 }
Adam Langleyce7f9ca2014-06-20 12:00:00 -0700[diff] [blame]1030 s->s3->flags |= SSL3_FLAGS_CCS_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1031 s->hit=1;
1032 }
1033 else /* a miss or crap from the other end */
1034 {
1035 /* If we were trying for session-id reuse, make a new
1036 * SSL_SESSION so we don't stuff up other people */
1037 s->hit=0;
1038 if (s->session->session_id_length > 0)
1039 {
1040 if (!ssl_get_new_session(s,0))
1041 {
1042 goto f_err;
1043 }
1044 }
1045 s->session->session_id_length=j;
1046 memcpy(s->session->session_id,p,j); /* j could be 0 */
1047 }
1048 p+=j;
1049 c=ssl_get_cipher_by_char(s,p);
1050 if (c == NULL)
1051 {
1052 /* unknown cipher */
1053 al=SSL_AD_ILLEGAL_PARAMETER;
1054 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNKNOWN_CIPHER_RETURNED);
1055 goto f_err;
1056 }
1057 /* If it is a disabled cipher we didn't send it in client hello,
1058 * so return an error.
1059 */
1060 if (c->algorithm_ssl & ct->mask_ssl ||
1061 c->algorithm_mkey & ct->mask_k ||
1062 c->algorithm_auth & ct->mask_a)
1063 {
1064 al=SSL_AD_ILLEGAL_PARAMETER;
1065 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1066 goto f_err;
1067 }
1068 p+=ssl_put_cipher_by_char(s,NULL,NULL);
1069
1070 sk=ssl_get_ciphers_by_id(s);
1071 if (!sk_SSL_CIPHER_find(sk, NULL, c))
1072 {
1073 /* we did not say we would use this cipher */
1074 al=SSL_AD_ILLEGAL_PARAMETER;
1075 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1076 goto f_err;
1077 }
1078
1079 /* Depending on the session caching (internal/external), the cipher
1080 and/or cipher_id values may not be set. Make sure that
1081 cipher_id is set and use it for comparison. */
1082 if (s->session->cipher)
1083 s->session->cipher_id = s->session->cipher->id;
1084 if (s->hit && (s->session->cipher_id != c->id))
1085 {
1086/* Workaround is now obsolete */
1087#if 0
1088 if (!(s->options &
1089 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
1090#endif
1091 {
1092 al=SSL_AD_ILLEGAL_PARAMETER;
1093 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1094 goto f_err;
1095 }
1096 }
1097 s->s3->tmp.new_cipher=c;
1098 /* Don't digest cached records if no sigalgs: we may need them for
1099 * client authentication.
1100 */
1101 if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
1102 goto f_err;
1103 /* lets get the compression algorithm */
1104 /* COMPRESSION */
1105 if (*(p++) != 0)
1106 {
1107 al=SSL_AD_ILLEGAL_PARAMETER;
1108 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1109 goto f_err;
1110 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]1112 /* TODO(fork): Port the rest of this function to CBS. */
1113 CBS_init(&cbs, p, d + n - p);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114#ifndef OPENSSL_NO_TLSEXT
1115 /* TLS extensions*/
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]1116 if (!ssl_parse_serverhello_tlsext(s, &cbs))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1117 {
1118 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_PARSE_TLSEXT);
1119 goto err;
1120 }
1121#endif
1122
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]1123 /* There should be nothing left over in the record. */
1124 if (CBS_len(&cbs) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125 {
1126 /* wrong packet length */
1127 al=SSL_AD_DECODE_ERROR;
1128 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_PACKET_LENGTH);
1129 goto f_err;
1130 }
1131
1132 return(1);
1133f_err:
1134 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1135err:
1136 return(-1);
1137 }
1138
1139int ssl3_get_server_certificate(SSL *s)
1140 {
1141 int al,i,ok,ret= -1;
1142 unsigned long n,nc,llen,l;
1143 X509 *x=NULL;
1144 const unsigned char *q,*p;
1145 unsigned char *d;
1146 STACK_OF(X509) *sk=NULL;
1147 SESS_CERT *sc;
1148 EVP_PKEY *pkey=NULL;
1149 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1150
1151 n=s->method->ssl_get_message(s,
1152 SSL3_ST_CR_CERT_A,
1153 SSL3_ST_CR_CERT_B,
1154 -1,
1155 s->max_cert_list,
1156 &ok);
1157
1158 if (!ok) return((int)n);
1159
1160 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1161 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1162 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
1163 {
1164 s->s3->tmp.reuse_message=1;
1165 return(1);
1166 }
1167
1168 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1169 {
1170 al=SSL_AD_UNEXPECTED_MESSAGE;
1171 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_BAD_MESSAGE_TYPE);
1172 goto f_err;
1173 }
1174 p=d=(unsigned char *)s->init_msg;
1175
1176 if ((sk=sk_X509_new_null()) == NULL)
1177 {
1178 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1179 goto err;
1180 }
1181
1182 n2l3(p,llen);
1183 if (llen+3 != n)
1184 {
1185 al=SSL_AD_DECODE_ERROR;
1186 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
1187 goto f_err;
1188 }
1189 for (nc=0; nc<llen; )
1190 {
1191 n2l3(p,l);
1192 if ((l+nc+3) > llen)
1193 {
1194 al=SSL_AD_DECODE_ERROR;
1195 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1196 goto f_err;
1197 }
1198
1199 q=p;
1200 x=d2i_X509(NULL,&q,l);
1201 if (x == NULL)
1202 {
1203 al=SSL_AD_BAD_CERTIFICATE;
1204 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_ASN1_LIB);
1205 goto f_err;
1206 }
1207 if (q != (p+l))
1208 {
1209 al=SSL_AD_DECODE_ERROR;
1210 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1211 goto f_err;
1212 }
1213 if (!sk_X509_push(sk,x))
1214 {
1215 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1216 goto err;
1217 }
1218 x=NULL;
1219 nc+=l+3;
1220 p=q;
1221 }
1222
1223 i=ssl_verify_cert_chain(s,sk);
1224 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1225 )
1226 {
1227 al=ssl_verify_alarm_type(s->verify_result);
1228 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERTIFICATE_VERIFY_FAILED);
1229 goto f_err;
1230 }
1231 ERR_clear_error(); /* but we keep s->verify_result */
1232
1233 sc=ssl_sess_cert_new();
1234 if (sc == NULL) goto err;
1235
1236 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1237 s->session->sess_cert=sc;
1238
1239 sc->cert_chain=sk;
1240 /* Inconsistency alert: cert_chain does include the peer's
1241 * certificate, which we don't include in s3_srvr.c */
1242 x=sk_X509_value(sk,0);
1243 sk=NULL;
1244 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1245
1246 pkey=X509_get_pubkey(x);
1247
1248 /* VRS: allow null cert if auth == KRB5 */
1249 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1250 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1251 ? 0 : 1;
1252
1253#ifdef KSSL_DEBUG
1254 printf("pkey,x = %p, %p\n", pkey,x);
1255 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1256 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1257 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1258#endif /* KSSL_DEBUG */
1259
1260 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1261 {
1262 x=NULL;
1263 al=SSL3_AL_FATAL;
1264 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1265 goto f_err;
1266 }
1267
1268 i=ssl_cert_type(x,pkey);
1269 if (need_cert && i < 0)
1270 {
1271 x=NULL;
1272 al=SSL3_AL_FATAL;
1273 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1274 goto f_err;
1275 }
1276
1277 if (need_cert)
1278 {
1279 int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1280 if (exp_idx >= 0 && i != exp_idx)
1281 {
1282 x=NULL;
1283 al=SSL_AD_ILLEGAL_PARAMETER;
1284 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
1285 goto f_err;
1286 }
1287 sc->peer_cert_type=i;
1288 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1289 /* Why would the following ever happen?
1290 * We just created sc a couple of lines ago. */
1291 if (sc->peer_pkeys[i].x509 != NULL)
1292 X509_free(sc->peer_pkeys[i].x509);
1293 sc->peer_pkeys[i].x509=x;
1294 sc->peer_key= &(sc->peer_pkeys[i]);
1295
1296 if (s->session->peer != NULL)
1297 X509_free(s->session->peer);
1298 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1299 s->session->peer=x;
1300 }
1301 else
1302 {
1303 sc->peer_cert_type=i;
1304 sc->peer_key= NULL;
1305
1306 if (s->session->peer != NULL)
1307 X509_free(s->session->peer);
1308 s->session->peer=NULL;
1309 }
1310 s->session->verify_result = s->verify_result;
1311
1312 x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1313 ret=1;
1314 if (0)
1315 {
1316f_err:
1317 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1318 }
1319err:
1320 EVP_PKEY_free(pkey);
1321 X509_free(x);
1322 sk_X509_pop_free(sk,X509_free);
1323 return(ret);
1324 }
1325
1326int ssl3_get_key_exchange(SSL *s)
1327 {
1328#ifndef OPENSSL_NO_RSA
1329 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1330#endif
1331 EVP_MD_CTX md_ctx;
1332 unsigned char *param,*p;
1333 int al,i,j,param_len,ok;
1334 long n,alg_k,alg_a;
1335 EVP_PKEY *pkey=NULL;
1336 const EVP_MD *md = NULL;
1337#ifndef OPENSSL_NO_RSA
1338 RSA *rsa=NULL;
1339#endif
1340#ifndef OPENSSL_NO_DH
1341 DH *dh=NULL;
1342#endif
1343#ifndef OPENSSL_NO_ECDH
1344 EC_KEY *ecdh = NULL;
1345 BN_CTX *bn_ctx = NULL;
1346 EC_POINT *srvr_ecpoint = NULL;
1347 int curve_nid = 0;
1348 int encoded_pt_len = 0;
1349#endif
1350
1351 /* use same message size as in ssl3_get_certificate_request()
1352 * as ServerKeyExchange message may be skipped */
1353 n=s->method->ssl_get_message(s,
1354 SSL3_ST_CR_KEY_EXCH_A,
1355 SSL3_ST_CR_KEY_EXCH_B,
1356 -1,
1357 s->max_cert_list,
1358 &ok);
1359 if (!ok) return((int)n);
1360
1361 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1362 {
1363#ifndef OPENSSL_NO_PSK
1364 /* In plain PSK ciphersuite, ServerKeyExchange can be
1365 omitted if no identity hint is sent. Set
1366 session->sess_cert anyway to avoid problems
1367 later.*/
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1368 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1369 {
1370 s->session->sess_cert=ssl_sess_cert_new();
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1371 if (s->session->psk_identity_hint)
1372 {
1373 OPENSSL_free(s->session->psk_identity_hint);
1374 s->session->psk_identity_hint = NULL;
1375 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1376 }
1377#endif
1378 s->s3->tmp.reuse_message=1;
1379 return(1);
1380 }
1381
1382 param=p=(unsigned char *)s->init_msg;
1383 if (s->session->sess_cert != NULL)
1384 {
1385#ifndef OPENSSL_NO_RSA
1386 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1387 {
1388 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1389 s->session->sess_cert->peer_rsa_tmp=NULL;
1390 }
1391#endif
1392#ifndef OPENSSL_NO_DH
1393 if (s->session->sess_cert->peer_dh_tmp)
1394 {
1395 DH_free(s->session->sess_cert->peer_dh_tmp);
1396 s->session->sess_cert->peer_dh_tmp=NULL;
1397 }
1398#endif
1399#ifndef OPENSSL_NO_ECDH
1400 if (s->session->sess_cert->peer_ecdh_tmp)
1401 {
1402 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1403 s->session->sess_cert->peer_ecdh_tmp=NULL;
1404 }
1405#endif
1406 }
1407 else
1408 {
1409 s->session->sess_cert=ssl_sess_cert_new();
1410 }
1411
1412 param_len=0;
1413 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1414 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1415 EVP_MD_CTX_init(&md_ctx);
1416
1417#ifndef OPENSSL_NO_PSK
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1418 if (alg_a & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1419 {
1420 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1421
1422 al=SSL_AD_HANDSHAKE_FAILURE;
1423 n2s(p,i);
1424 param_len=i+2;
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1425 if (s->session->psk_identity_hint)
1426 {
1427 OPENSSL_free(s->session->psk_identity_hint);
1428 s->session->psk_identity_hint = NULL;
1429 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1430 if (i != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1431 {
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1432 /* Store PSK identity hint for later use, hint is used
1433 * in ssl3_send_client_key_exchange. Assume that the
1434 * maximum length of a PSK identity hint can be as
1435 * long as the maximum length of a PSK identity. */
1436 if (i > PSK_MAX_IDENTITY_LEN)
1437 {
1438 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_DATA_LENGTH_TOO_LONG);
1439 goto f_err;
1440 }
1441 if (param_len > n)
1442 {
1443 al=SSL_AD_DECODE_ERROR;
1444 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1445 goto f_err;
1446 }
1447 /* If received PSK identity hint contains NULL
1448 * characters, the hint is truncated from the first
1449 * NULL. p may not be ending with NULL, so create a
1450 * NULL-terminated string. */
1451 memcpy(tmp_id_hint, p, i);
1452 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1453 s->session->psk_identity_hint = BUF_strdup(tmp_id_hint);
1454 if (s->session->psk_identity_hint == NULL)
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1455 {
1456 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1457 goto f_err;
1458 }
1459 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1460
1461 p+=i;
1462 n-=param_len;
1463 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1464#endif /* !OPENSSL_NO_PSK */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1465
1466 if (0) {}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1467#ifndef OPENSSL_NO_RSA
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1468 else if (alg_k & SSL_kRSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1469 {
1470 if ((rsa=RSA_new()) == NULL)
1471 {
1472 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1473 goto err;
1474 }
1475 n2s(p,i);
1476 param_len=i+2;
1477 if (param_len > n)
1478 {
1479 al=SSL_AD_DECODE_ERROR;
1480 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_MODULUS_LENGTH);
1481 goto f_err;
1482 }
1483 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1484 {
1485 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1486 goto err;
1487 }
1488 p+=i;
1489
1490 n2s(p,i);
1491 param_len+=i+2;
1492 if (param_len > n)
1493 {
1494 al=SSL_AD_DECODE_ERROR;
1495 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_E_LENGTH);
1496 goto f_err;
1497 }
1498 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1499 {
1500 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1501 goto err;
1502 }
1503 p+=i;
1504 n-=param_len;
1505
1506 /* this should be because we are using an export cipher */
1507 if (alg_a & SSL_aRSA)
1508 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1509 else
1510 {
1511 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_INTERNAL_ERROR);
1512 goto err;
1513 }
1514 s->session->sess_cert->peer_rsa_tmp=rsa;
1515 rsa=NULL;
1516 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1517#endif
1518#ifndef OPENSSL_NO_DH
1519 else if (alg_k & SSL_kEDH)
1520 {
1521 if ((dh=DH_new()) == NULL)
1522 {
1523 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_DH_LIB);
1524 goto err;
1525 }
1526 n2s(p,i);
1527 param_len=i+2;
1528 if (param_len > n)
1529 {
1530 al=SSL_AD_DECODE_ERROR;
1531 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_P_LENGTH);
1532 goto f_err;
1533 }
1534 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1535 {
1536 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1537 goto err;
1538 }
1539 p+=i;
1540
1541 n2s(p,i);
1542 param_len+=i+2;
1543 if (param_len > n)
1544 {
1545 al=SSL_AD_DECODE_ERROR;
1546 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_G_LENGTH);
1547 goto f_err;
1548 }
1549 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1550 {
1551 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1552 goto err;
1553 }
1554 p+=i;
1555
1556 n2s(p,i);
1557 param_len+=i+2;
1558 if (param_len > n)
1559 {
1560 al=SSL_AD_DECODE_ERROR;
1561 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1562 goto f_err;
1563 }
1564 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1565 {
1566 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1567 goto err;
1568 }
1569 p+=i;
1570 n-=param_len;
1571
1572#ifndef OPENSSL_NO_RSA
1573 if (alg_a & SSL_aRSA)
1574 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1575#else
1576 if (0)
1577 ;
1578#endif
1579#ifndef OPENSSL_NO_DSA
1580 else if (alg_a & SSL_aDSS)
1581 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1582#endif
1583 /* else anonymous DH, so no certificate or pkey. */
1584
1585 s->session->sess_cert->peer_dh_tmp=dh;
1586 dh=NULL;
1587 }
1588 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
1589 {
1590 al=SSL_AD_ILLEGAL_PARAMETER;
1591 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1592 goto f_err;
1593 }
1594#endif /* !OPENSSL_NO_DH */
1595
1596#ifndef OPENSSL_NO_ECDH
1597 else if (alg_k & SSL_kEECDH)
1598 {
1599 EC_GROUP *ngroup;
1600 const EC_GROUP *group;
1601
1602 if ((ecdh=EC_KEY_new()) == NULL)
1603 {
1604 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1605 goto err;
1606 }
1607
1608 /* Extract elliptic curve parameters and the
1609 * server's ephemeral ECDH public key.
1610 * Keep accumulating lengths of various components in
1611 * param_len and make sure it never exceeds n.
1612 */
1613
1614 /* XXX: For now we only support named (not generic) curves
1615 * and the ECParameters in this case is just three bytes.
1616 */
1617 param_len=3;
1618 /* Check curve is one of our prefrences, if not server has
1619 * sent an invalid curve.
1620 */
1621 if (!tls1_check_curve(s, p, param_len))
1622 {
1623 al=SSL_AD_DECODE_ERROR;
1624 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_WRONG_CURVE);
1625 goto f_err;
1626 }
1627
1628 if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)
1629 {
1630 al=SSL_AD_INTERNAL_ERROR;
1631 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1632 goto f_err;
1633 }
1634
1635 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1636 if (ngroup == NULL)
1637 {
1638 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_EC_LIB);
1639 goto err;
1640 }
1641 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1642 {
1643 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_EC_LIB);
1644 goto err;
1645 }
1646 EC_GROUP_free(ngroup);
1647
1648 group = EC_KEY_get0_group(ecdh);
1649
1650 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1651 (EC_GROUP_get_degree(group) > 163))
1652 {
1653 al=SSL_AD_EXPORT_RESTRICTION;
1654 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1655 goto f_err;
1656 }
1657
1658 p+=3;
1659
1660 /* Next, get the encoded ECPoint */
1661 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1662 ((bn_ctx = BN_CTX_new()) == NULL))
1663 {
1664 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1665 goto err;
1666 }
1667
1668 encoded_pt_len = *p; /* length of encoded point */
1669 p+=1;
1670 param_len += (1 + encoded_pt_len);
1671 if ((param_len > n) ||
1672 (EC_POINT_oct2point(group, srvr_ecpoint,
1673 p, encoded_pt_len, bn_ctx) == 0))
1674 {
1675 al=SSL_AD_DECODE_ERROR;
1676 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_ECPOINT);
1677 goto f_err;
1678 }
1679
1680 n-=param_len;
1681 p+=encoded_pt_len;
1682
1683 /* The ECC/TLS specification does not mention
1684 * the use of DSA to sign ECParameters in the server
1685 * key exchange message. We do support RSA and ECDSA.
1686 */
1687 if (0) ;
1688#ifndef OPENSSL_NO_RSA
1689 else if (alg_a & SSL_aRSA)
1690 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1691#endif
1692#ifndef OPENSSL_NO_ECDSA
1693 else if (alg_a & SSL_aECDSA)
1694 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1695#endif
1696 /* else anonymous ECDH, so no certificate or pkey. */
1697 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1698 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1699 ecdh=NULL;
1700 BN_CTX_free(bn_ctx);
1701 bn_ctx = NULL;
1702 EC_POINT_free(srvr_ecpoint);
1703 srvr_ecpoint = NULL;
1704 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1705#endif /* !OPENSSL_NO_ECDH */
1706
1707 else if (!(alg_k & SSL_kPSK))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1708 {
1709 al=SSL_AD_UNEXPECTED_MESSAGE;
1710 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
1711 goto f_err;
1712 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1713
1714 /* p points to the next byte, there are 'n' bytes left */
1715
1716 /* if it was signed, check the signature */
1717 if (pkey != NULL)
1718 {
1719 if (SSL_USE_SIGALGS(s))
1720 {
1721 int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
1722 if (rv == -1)
1723 goto err;
1724 else if (rv == 0)
1725 {
1726 al = SSL_AD_DECODE_ERROR;
1727 goto f_err;
1728 }
1729#ifdef SSL_DEBUG
1730fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1731#endif
1732 p += 2;
1733 n -= 2;
1734 }
1735 else
1736 md = EVP_sha1();
1737
1738 n2s(p,i);
1739 n-=2;
1740 j=EVP_PKEY_size(pkey);
1741
1742 if ((i != n) || (n > j) || (n <= 0))
1743 {
1744 /* wrong packet length */
1745 al=SSL_AD_DECODE_ERROR;
1746 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_WRONG_SIGNATURE_LENGTH);
1747 goto f_err;
1748 }
1749
1750#ifndef OPENSSL_NO_RSA
1751 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
1752 {
1753 int num;
1754
1755 j=0;
1756 q=md_buf;
1757 for (num=2; num > 0; num--)
1758 {
1759 EVP_DigestInit_ex(&md_ctx,(num == 2)
1760 ?s->ctx->md5:s->ctx->sha1, NULL);
1761 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1762 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1763 EVP_DigestUpdate(&md_ctx,param,param_len);
1764 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1765 q+=i;
1766 j+=i;
1767 }
1768 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1769 pkey->pkey.rsa);
1770 if (i < 0)
1771 {
1772 al=SSL_AD_DECRYPT_ERROR;
1773 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_DECRYPT);
1774 goto f_err;
1775 }
1776 if (i == 0)
1777 {
1778 /* bad signature */
1779 al=SSL_AD_DECRYPT_ERROR;
1780 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_SIGNATURE);
1781 goto f_err;
1782 }
1783 }
1784 else
1785#endif
1786 {
1787 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1788 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1789 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1790 EVP_VerifyUpdate(&md_ctx,param,param_len);
1791 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1792 {
1793 /* bad signature */
1794 al=SSL_AD_DECRYPT_ERROR;
1795 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_SIGNATURE);
1796 goto f_err;
1797 }
1798 }
1799 }
1800 else
1801 {
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1802 if (!(alg_a & SSL_aNULL) &&
1803 /* Among PSK ciphers only RSA_PSK needs a public key */
1804 !((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1805 {
1806 /* Might be wrong key type, check it */
1807 if (ssl3_check_cert_and_algorithm(s))
1808 /* Otherwise this shouldn't happen */
1809 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_INTERNAL_ERROR);
1810 goto err;
1811 }
1812 /* still data left over */
1813 if (n != 0)
1814 {
1815 al=SSL_AD_DECODE_ERROR;
1816 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_EXTRA_DATA_IN_MESSAGE);
1817 goto f_err;
1818 }
1819 }
1820 EVP_PKEY_free(pkey);
1821 EVP_MD_CTX_cleanup(&md_ctx);
1822 return(1);
1823f_err:
1824 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1825err:
1826 EVP_PKEY_free(pkey);
1827#ifndef OPENSSL_NO_RSA
1828 if (rsa != NULL)
1829 RSA_free(rsa);
1830#endif
1831#ifndef OPENSSL_NO_DH
1832 if (dh != NULL)
1833 DH_free(dh);
1834#endif
1835#ifndef OPENSSL_NO_ECDH
1836 BN_CTX_free(bn_ctx);
1837 EC_POINT_free(srvr_ecpoint);
1838 if (ecdh != NULL)
1839 EC_KEY_free(ecdh);
1840#endif
1841 EVP_MD_CTX_cleanup(&md_ctx);
1842 return(-1);
1843 }
1844
1845static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b)
1846 {
1847 return(X509_NAME_cmp(*a,*b));
1848 }
1849
1850int ssl3_get_certificate_request(SSL *s)
1851 {
1852 int ok,ret=0;
1853 unsigned long n,nc,l;
1854 unsigned int llen, ctype_num,i;
1855 X509_NAME *xn=NULL;
1856 const unsigned char *p,*q;
1857 unsigned char *d;
1858 STACK_OF(X509_NAME) *ca_sk=NULL;
1859
1860 n=s->method->ssl_get_message(s,
1861 SSL3_ST_CR_CERT_REQ_A,
1862 SSL3_ST_CR_CERT_REQ_B,
1863 -1,
1864 s->max_cert_list,
1865 &ok);
1866
1867 if (!ok) return((int)n);
1868
1869 s->s3->tmp.cert_req=0;
1870
1871 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1872 {
1873 s->s3->tmp.reuse_message=1;
1874 /* If we get here we don't need any cached handshake records
1875 * as we wont be doing client auth.
1876 */
1877 if (s->s3->handshake_buffer)
1878 {
1879 if (!ssl3_digest_cached_records(s))
1880 goto err;
1881 }
1882 return(1);
1883 }
1884
1885 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1886 {
1887 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1888 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_WRONG_MESSAGE_TYPE);
1889 goto err;
1890 }
1891
1892 /* TLS does not like anon-DH with client cert */
1893 if (s->version > SSL3_VERSION)
1894 {
1895 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1896 {
1897 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1898 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1899 goto err;
1900 }
1901 }
1902
1903 p=d=(unsigned char *)s->init_msg;
1904
1905 ca_sk = sk_X509_NAME_new(ca_dn_cmp);
1906 if (ca_sk == NULL)
1907 {
1908 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1909 goto err;
1910 }
1911
1912 /* get the certificate types */
1913 ctype_num= *(p++);
1914 if (s->cert->ctypes)
1915 {
1916 OPENSSL_free(s->cert->ctypes);
1917 s->cert->ctypes = NULL;
1918 }
1919 if (ctype_num > SSL3_CT_NUMBER)
1920 {
1921 /* If we exceed static buffer copy all to cert structure */
1922 s->cert->ctypes = OPENSSL_malloc(ctype_num);
1923 memcpy(s->cert->ctypes, p, ctype_num);
1924 s->cert->ctype_num = (size_t)ctype_num;
1925 ctype_num=SSL3_CT_NUMBER;
1926 }
1927 for (i=0; i<ctype_num; i++)
1928 s->s3->tmp.ctype[i]= p[i];
1929 p+=p[-1];
1930 if (SSL_USE_SIGALGS(s))
1931 {
1932 n2s(p, llen);
1933 /* Check we have enough room for signature algorithms and
1934 * following length value.
1935 */
1936 if ((unsigned long)(p - d + llen + 2) > n)
1937 {
1938 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1939 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DATA_LENGTH_TOO_LONG);
1940 goto err;
1941 }
1942 /* Clear certificate digests and validity flags */
1943 for (i = 0; i < SSL_PKEY_NUM; i++)
1944 {
1945 s->cert->pkeys[i].digest = NULL;
1946 s->cert->pkeys[i].valid_flags = 0;
1947 }
1948 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
1949 {
1950 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1951 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1952 goto err;
1953 }
1954 p += llen;
1955 }
1956
1957 /* get the CA RDNs */
1958 n2s(p,llen);
1959#if 0
1960{
1961FILE *out;
1962out=fopen("/tmp/vsign.der","w");
1963fwrite(p,1,llen,out);
1964fclose(out);
1965}
1966#endif
1967
1968 if ((unsigned long)(p - d + llen) != n)
1969 {
1970 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1971 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_LENGTH_MISMATCH);
1972 goto err;
1973 }
1974
1975 for (nc=0; nc<llen; )
1976 {
1977 n2s(p,l);
1978 if ((l+nc+2) > llen)
1979 {
1980 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1981 goto cont; /* netscape bugs */
1982 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1983 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_TOO_LONG);
1984 goto err;
1985 }
1986
1987 q=p;
1988
1989 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1990 {
1991 /* If netscape tolerance is on, ignore errors */
1992 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1993 goto cont;
1994 else
1995 {
1996 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1997 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_ASN1_LIB);
1998 goto err;
1999 }
2000 }
2001
2002 if (q != (p+l))
2003 {
2004 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
2005 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_LENGTH_MISMATCH);
2006 goto err;
2007 }
2008 if (!sk_X509_NAME_push(ca_sk,xn))
2009 {
2010 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
2011 goto err;
2012 }
2013
2014 p+=l;
2015 nc+=l+2;
2016 }
2017
2018 if (0)
2019 {
2020cont:
2021 ERR_clear_error();
2022 }
2023
2024 /* we should setup a certificate to return.... */
2025 s->s3->tmp.cert_req=1;
2026 s->s3->tmp.ctype_num=ctype_num;
2027 if (s->s3->tmp.ca_names != NULL)
2028 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
2029 s->s3->tmp.ca_names=ca_sk;
2030 ca_sk=NULL;
2031
2032 ret=1;
2033err:
2034 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
2035 return(ret);
2036 }
2037
2038#ifndef OPENSSL_NO_TLSEXT
2039int ssl3_get_new_session_ticket(SSL *s)
2040 {
2041 int ok,al,ret=0, ticklen;
2042 long n;
2043 const unsigned char *p;
2044 unsigned char *d;
2045
2046 n=s->method->ssl_get_message(s,
2047 SSL3_ST_CR_SESSION_TICKET_A,
2048 SSL3_ST_CR_SESSION_TICKET_B,
2049 -1,
2050 16384,
2051 &ok);
2052
2053 if (!ok)
2054 return((int)n);
2055
2056 if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
2057 {
2058 s->s3->tmp.reuse_message=1;
2059 return(1);
2060 }
2061 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
2062 {
2063 al=SSL_AD_UNEXPECTED_MESSAGE;
2064 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_BAD_MESSAGE_TYPE);
2065 goto f_err;
2066 }
2067 if (n < 6)
2068 {
2069 /* need at least ticket_lifetime_hint + ticket length */
2070 al = SSL_AD_DECODE_ERROR;
2071 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
2072 goto f_err;
2073 }
2074
2075 p=d=(unsigned char *)s->init_msg;
2076 n2l(p, s->session->tlsext_tick_lifetime_hint);
2077 n2s(p, ticklen);
2078 /* ticket_lifetime_hint + ticket_length + ticket */
2079 if (ticklen + 6 != n)
2080 {
2081 al = SSL_AD_DECODE_ERROR;
2082 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
2083 goto f_err;
2084 }
2085 if (s->session->tlsext_tick)
2086 {
2087 OPENSSL_free(s->session->tlsext_tick);
2088 s->session->tlsext_ticklen = 0;
2089 }
2090 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2091 if (!s->session->tlsext_tick)
2092 {
2093 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
2094 goto err;
2095 }
2096 memcpy(s->session->tlsext_tick, p, ticklen);
2097 s->session->tlsext_ticklen = ticklen;
2098 /* There are two ways to detect a resumed ticket sesion.
2099 * One is to set an appropriate session ID and then the server
2100 * must return a match in ServerHello. This allows the normal
2101 * client session ID matching to work and we know much
2102 * earlier that the ticket has been accepted.
2103 *
2104 * The other way is to set zero length session ID when the
2105 * ticket is presented and rely on the handshake to determine
2106 * session resumption.
2107 *
2108 * We choose the former approach because this fits in with
2109 * assumptions elsewhere in OpenSSL. The session ID is set
2110 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
2111 * ticket.
2112 */
2113 EVP_Digest(p, ticklen,
2114 s->session->session_id, &s->session->session_id_length,
2115#ifndef OPENSSL_NO_SHA256
2116 EVP_sha256(), NULL);
2117#else
2118 EVP_sha1(), NULL);
2119#endif
2120 ret=1;
2121 return(ret);
2122f_err:
2123 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2124err:
2125 return(-1);
2126 }
2127
2128int ssl3_get_cert_status(SSL *s)
2129 {
2130 int ok, al;
2131 unsigned long resplen,n;
2132 const unsigned char *p;
2133
2134 n=s->method->ssl_get_message(s,
2135 SSL3_ST_CR_CERT_STATUS_A,
2136 SSL3_ST_CR_CERT_STATUS_B,
2137 SSL3_MT_CERTIFICATE_STATUS,
2138 16384,
2139 &ok);
2140
2141 if (!ok) return((int)n);
2142 if (n < 4)
2143 {
2144 /* need at least status type + length */
2145 al = SSL_AD_DECODE_ERROR;
2146 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_LENGTH_MISMATCH);
2147 goto f_err;
2148 }
2149 p = (unsigned char *)s->init_msg;
2150 if (*p++ != TLSEXT_STATUSTYPE_ocsp)
2151 {
2152 al = SSL_AD_DECODE_ERROR;
2153 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_UNSUPPORTED_STATUS_TYPE);
2154 goto f_err;
2155 }
2156 n2l3(p, resplen);
2157 if (resplen + 4 != n)
2158 {
2159 al = SSL_AD_DECODE_ERROR;
2160 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_LENGTH_MISMATCH);
2161 goto f_err;
2162 }
2163 if (s->tlsext_ocsp_resp)
2164 OPENSSL_free(s->tlsext_ocsp_resp);
2165 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2166 if (!s->tlsext_ocsp_resp)
2167 {
2168 al = SSL_AD_INTERNAL_ERROR;
2169 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
2170 goto f_err;
2171 }
2172 s->tlsext_ocsp_resplen = resplen;
2173 if (s->ctx->tlsext_status_cb)
2174 {
2175 int ret;
2176 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2177 if (ret == 0)
2178 {
2179 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2180 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_INVALID_STATUS_RESPONSE);
2181 goto f_err;
2182 }
2183 if (ret < 0)
2184 {
2185 al = SSL_AD_INTERNAL_ERROR;
2186 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
2187 goto f_err;
2188 }
2189 }
2190 return 1;
2191f_err:
2192 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2193 return(-1);
2194 }
2195#endif
2196
2197int ssl3_get_server_done(SSL *s)
2198 {
2199 int ok,ret=0;
2200 long n;
2201
2202 n=s->method->ssl_get_message(s,
2203 SSL3_ST_CR_SRVR_DONE_A,
2204 SSL3_ST_CR_SRVR_DONE_B,
2205 SSL3_MT_SERVER_DONE,
2206 30, /* should be very small, like 0 :-) */
2207 &ok);
2208
2209 if (!ok) return((int)n);
2210 if (n > 0)
2211 {
2212 /* should contain no data */
2213 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
2214 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_done, SSL_R_LENGTH_MISMATCH);
2215 return -1;
2216 }
2217 ret=1;
2218 return(ret);
2219 }
2220
2221
2222int ssl3_send_client_key_exchange(SSL *s)
2223 {
2224 unsigned char *p;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2225 int n = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2226 unsigned long alg_k;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2227 unsigned long alg_a;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2228#ifndef OPENSSL_NO_RSA
2229 unsigned char *q;
2230 EVP_PKEY *pkey=NULL;
2231#endif
2232#ifndef OPENSSL_NO_ECDH
2233 EC_KEY *clnt_ecdh = NULL;
2234 const EC_POINT *srvr_ecpoint = NULL;
2235 EVP_PKEY *srvr_pub_pkey = NULL;
2236 unsigned char *encodedPoint = NULL;
2237 int encoded_pt_len = 0;
2238 BN_CTX * bn_ctx = NULL;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2239#ifndef OPENSSL_NO_PSK
2240 unsigned int psk_len = 0;
2241 unsigned char psk[PSK_MAX_PSK_LEN];
2242#endif /* OPENSSL_NO_PSK */
2243#endif /* OPENSSL_NO_ECDH */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2244
2245 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
2246 {
2247 p = ssl_handshake_start(s);
2248
2249 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2250 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2251
2252#ifndef OPENSSL_NO_PSK
2253 if (alg_a & SSL_aPSK)
2254 {
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2255 char identity[PSK_MAX_IDENTITY_LEN + 1];
2256 size_t identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2257 unsigned char *t = NULL;
2258 unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4];
2259 unsigned int pre_ms_len = 0;
2260 int psk_err = 1;
2261
2262 n = 0;
2263 if (s->psk_client_callback == NULL)
2264 {
2265 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_NO_CLIENT_CB);
2266 goto err;
2267 }
2268
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2269 memset(identity, 0, sizeof(identity));
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]2270 psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2271 identity, sizeof(identity), psk, sizeof(psk));
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2272 if (psk_len > PSK_MAX_PSK_LEN)
2273 {
2274 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2275 goto psk_err;
2276 }
2277 else if (psk_len == 0)
2278 {
2279 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_IDENTITY_NOT_FOUND);
2280 goto psk_err;
2281 }
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2282 identity_len = OPENSSL_strnlen(identity, sizeof(identity));
2283 if (identity_len > PSK_MAX_IDENTITY_LEN)
2284 {
2285 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2286 goto psk_err;
2287 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2288
2289 if (!(alg_k & SSL_kEECDH))
2290 {
2291 /* Create the shared secret now if we're not using ECDHE-PSK.*/
2292 pre_ms_len = 2+psk_len+2+psk_len;
2293 t = pre_ms;
2294 s2n(psk_len, t);
2295 memset(t, 0, psk_len);
2296 t+=psk_len;
2297 s2n(psk_len, t);
2298 memcpy(t, psk, psk_len);
2299
2300 s->session->master_key_length =
2301 s->method->ssl3_enc->generate_master_secret(s,
2302 s->session->master_key,
2303 pre_ms, pre_ms_len);
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2304 s2n(identity_len, p);
2305 memcpy(p, identity, identity_len);
2306 n = 2 + identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2307 }
2308
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2309 if (s->session->psk_identity != NULL)
2310 OPENSSL_free(s->session->psk_identity);
2311 s->session->psk_identity = BUF_strdup(identity);
2312 if (s->session->psk_identity == NULL)
2313 {
2314 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2315 goto psk_err;
2316 }
2317 psk_err = 0;
2318 psk_err:
2319 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2320 OPENSSL_cleanse(pre_ms, sizeof(pre_ms));
2321 if (psk_err != 0)
2322 {
2323 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2324 goto err;
2325 }
2326 }
2327#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2328
2329 /* Fool emacs indentation */
2330 if (0) {}
2331#ifndef OPENSSL_NO_RSA
2332 else if (alg_k & SSL_kRSA)
2333 {
2334 RSA *rsa;
2335 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2336
2337 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2338 rsa=s->session->sess_cert->peer_rsa_tmp;
2339 else
2340 {
2341 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2342 if ((pkey == NULL) ||
2343 (pkey->type != EVP_PKEY_RSA) ||
2344 (pkey->pkey.rsa == NULL))
2345 {
2346 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2347 goto err;
2348 }
2349 rsa=pkey->pkey.rsa;
2350 EVP_PKEY_free(pkey);
2351 }
2352
2353 tmp_buf[0]=s->client_version>>8;
2354 tmp_buf[1]=s->client_version&0xff;
2355 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2356 goto err;
2357
2358 s->session->master_key_length=sizeof tmp_buf;
2359
2360 q=p;
2361 /* Fix buf for TLS and beyond */
2362 if (s->version > SSL3_VERSION)
2363 p+=2;
2364 n=RSA_public_encrypt(sizeof tmp_buf,
2365 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
2366#ifdef PKCS1_CHECK
2367 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
2368 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
2369#endif
2370 if (n <= 0)
2371 {
2372 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_RSA_ENCRYPT);
2373 goto err;
2374 }
2375
2376 /* Fix buf for TLS and beyond */
2377 if (s->version > SSL3_VERSION)
2378 {
2379 s2n(n,q);
2380 n+=2;
2381 }
2382
2383 s->session->master_key_length=
2384 s->method->ssl3_enc->generate_master_secret(s,
2385 s->session->master_key,
2386 tmp_buf,sizeof tmp_buf);
2387 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2388 }
2389#endif
2390#ifndef OPENSSL_NO_DH
2391 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2392 {
2393 DH *dh_srvr,*dh_clnt;
2394 SESS_CERT *scert = s->session->sess_cert;
2395
2396 if (scert == NULL)
2397 {
2398 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2399 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2400 goto err;
2401 }
2402
2403 if (scert->peer_dh_tmp != NULL)
2404 dh_srvr=scert->peer_dh_tmp;
2405 else
2406 {
2407 /* we get them from the cert */
2408 int idx = scert->peer_cert_type;
2409 EVP_PKEY *spkey = NULL;
2410 dh_srvr = NULL;
2411 if (idx >= 0)
2412 spkey = X509_get_pubkey(
2413 scert->peer_pkeys[idx].x509);
2414 if (spkey)
2415 {
2416 dh_srvr = EVP_PKEY_get1_DH(spkey);
2417 EVP_PKEY_free(spkey);
2418 }
2419 if (dh_srvr == NULL)
2420 {
2421 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2422 goto err;
2423 }
2424 }
2425 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2426 {
2427 /* Use client certificate key */
2428 EVP_PKEY *clkey = s->cert->key->privatekey;
2429 dh_clnt = NULL;
2430 if (clkey)
2431 dh_clnt = EVP_PKEY_get1_DH(clkey);
2432 if (dh_clnt == NULL)
2433 {
2434 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2435 goto err;
2436 }
2437 }
2438 else
2439 {
2440 /* generate a new random key */
2441 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2442 {
2443 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2444 goto err;
2445 }
2446 if (!DH_generate_key(dh_clnt))
2447 {
2448 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2449 DH_free(dh_clnt);
2450 goto err;
2451 }
2452 }
2453
2454 /* use the 'p' output buffer for the DH key, but
2455 * make sure to clear it out afterwards */
2456
2457 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2458 if (scert->peer_dh_tmp == NULL)
2459 DH_free(dh_srvr);
2460
2461 if (n <= 0)
2462 {
2463 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2464 DH_free(dh_clnt);
2465 goto err;
2466 }
2467
2468 /* generate master key from the result */
2469 s->session->master_key_length=
2470 s->method->ssl3_enc->generate_master_secret(s,
2471 s->session->master_key,p,n);
2472 /* clean up */
2473 memset(p,0,n);
2474
2475 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2476 n = 0;
2477 else
2478 {
2479 /* send off the data */
2480 n=BN_num_bytes(dh_clnt->pub_key);
2481 s2n(n,p);
2482 BN_bn2bin(dh_clnt->pub_key,p);
2483 n+=2;
2484 }
2485
2486 DH_free(dh_clnt);
2487
2488 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2489 }
2490#endif
2491
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2492#ifndef OPENSSL_NO_ECDH
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2493 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2494 {
2495 const EC_GROUP *srvr_group = NULL;
2496 EC_KEY *tkey;
2497 int ecdh_clnt_cert = 0;
2498 int field_size = 0;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2499#ifndef OPENSSL_NO_PSK
2500 unsigned char *pre_ms;
2501 unsigned char *t;
2502 unsigned int pre_ms_len;
2503 unsigned int i;
2504#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2505
Adam Langleyd06eddd2014-06-20 12:00:00 -0700[diff] [blame]2506 if (s->session->sess_cert == NULL)
2507 {
2508 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2509 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2510 goto err;
2511 }
2512
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2513 /* Did we send out the client's
2514 * ECDH share for use in premaster
2515 * computation as part of client certificate?
2516 * If so, set ecdh_clnt_cert to 1.
2517 */
2518 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
2519 {
2520 /* XXX: For now, we do not support client
2521 * authentication using ECDH certificates.
2522 * To add such support, one needs to add
2523 * code that checks for appropriate
2524 * conditions and sets ecdh_clnt_cert to 1.
2525 * For example, the cert have an ECC
2526 * key on the same curve as the server's
2527 * and the key should be authorized for
2528 * key agreement.
2529 *
2530 * One also needs to add code in ssl3_connect
2531 * to skip sending the certificate verify
2532 * message.
2533 *
2534 * if ((s->cert->key->privatekey != NULL) &&
2535 * (s->cert->key->privatekey->type ==
2536 * EVP_PKEY_EC) && ...)
2537 * ecdh_clnt_cert = 1;
2538 */
2539 }
2540
2541 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2542 {
2543 tkey = s->session->sess_cert->peer_ecdh_tmp;
2544 }
2545 else
2546 {
2547 /* Get the Server Public Key from Cert */
2548 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2549 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2550 if ((srvr_pub_pkey == NULL) ||
2551 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2552 (srvr_pub_pkey->pkey.ec == NULL))
2553 {
2554 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2555 goto err;
2556 }
2557
2558 tkey = srvr_pub_pkey->pkey.ec;
2559 }
2560
2561 srvr_group = EC_KEY_get0_group(tkey);
2562 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2563
2564 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2565 {
2566 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2567 goto err;
2568 }
2569
2570 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2571 {
2572 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2573 goto err;
2574 }
2575
2576 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2577 {
2578 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2579 goto err;
2580 }
2581 if (ecdh_clnt_cert)
2582 {
2583 /* Reuse key info from our certificate
2584 * We only need our private key to perform
2585 * the ECDH computation.
2586 */
2587 const BIGNUM *priv_key;
2588 tkey = s->cert->key->privatekey->pkey.ec;
2589 priv_key = EC_KEY_get0_private_key(tkey);
2590 if (priv_key == NULL)
2591 {
2592 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2593 goto err;
2594 }
2595 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2596 {
2597 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2598 goto err;
2599 }
2600 }
2601 else
2602 {
2603 /* Generate a new ECDH key pair */
2604 if (!(EC_KEY_generate_key(clnt_ecdh)))
2605 {
2606 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2607 goto err;
2608 }
2609 }
2610
2611 /* use the 'p' output buffer for the ECDH key, but
2612 * make sure to clear it out afterwards
2613 */
2614
2615 field_size = EC_GROUP_get_degree(srvr_group);
2616 if (field_size <= 0)
2617 {
2618 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2619 goto err;
2620 }
2621 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2622 if (n <= 0)
2623 {
2624 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2625 goto err;
2626 }
2627
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2628#ifndef OPENSSL_NO_PSK
2629 /* ECDHE PSK ciphersuites from RFC 5489 */
2630 if ((alg_a & SSL_aPSK) && psk_len != 0)
2631 {
2632 pre_ms_len = 2+psk_len+2+n;
2633 pre_ms = OPENSSL_malloc(pre_ms_len);
2634 if (pre_ms == NULL)
2635 {
2636 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2637 goto err;
2638 }
2639 memset(pre_ms, 0, pre_ms_len);
2640 t = pre_ms;
2641 s2n(psk_len, t);
2642 memcpy(t, psk, psk_len);
2643 t += psk_len;
2644 s2n(n, t);
2645 memcpy(t, p, n);
2646 s->session->master_key_length = s->method->ssl3_enc \
2647 -> generate_master_secret(s,
2648 s->session->master_key, pre_ms, pre_ms_len);
2649 OPENSSL_cleanse(pre_ms, pre_ms_len);
2650 OPENSSL_free(pre_ms);
2651 }
2652#endif /* OPENSSL_NO_PSK */
2653 if (!(alg_a & SSL_aPSK))
2654 {
2655 /* generate master key from the result */
2656 s->session->master_key_length = s->method->ssl3_enc \
2657 -> generate_master_secret(s,
2658 s->session->master_key, p, n);
2659 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2660 memset(p, 0, n); /* clean up */
2661
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2662 if (ecdh_clnt_cert)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2663 {
2664 /* Send empty client key exch message */
2665 n = 0;
2666 }
2667 else
2668 {
2669 /* First check the size of encoding and
2670 * allocate memory accordingly.
2671 */
2672 encoded_pt_len =
2673 EC_POINT_point2oct(srvr_group,
2674 EC_KEY_get0_public_key(clnt_ecdh),
2675 POINT_CONVERSION_UNCOMPRESSED,
2676 NULL, 0, NULL);
2677
2678 encodedPoint = (unsigned char *)
2679 OPENSSL_malloc(encoded_pt_len *
2680 sizeof(unsigned char));
2681 bn_ctx = BN_CTX_new();
2682 if ((encodedPoint == NULL) ||
2683 (bn_ctx == NULL))
2684 {
2685 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2686 goto err;
2687 }
2688
2689 /* Encode the public key */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2690 encoded_pt_len = EC_POINT_point2oct(srvr_group,
2691 EC_KEY_get0_public_key(clnt_ecdh),
2692 POINT_CONVERSION_UNCOMPRESSED,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2693 encodedPoint, encoded_pt_len, bn_ctx);
2694
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2695 n = 0;
2696#ifndef OPENSSL_NO_PSK
2697 if ((alg_a & SSL_aPSK) && psk_len != 0)
2698 {
2699 i = strlen(s->session->psk_identity);
2700 s2n(i, p);
2701 memcpy(p, s->session->psk_identity, i);
2702 p += i;
2703 n = i + 2;
2704 }
2705#endif
2706
2707 *p = encoded_pt_len; /* length of encoded point */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2708 /* Encoded point will be copied here */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2709 p += 1;
2710 n += 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2711 /* copy the point */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2712 memcpy((unsigned char *)p, encodedPoint, encoded_pt_len);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2713 /* increment n to account for length field */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2714 n += encoded_pt_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2715 }
2716
2717 /* Free allocated memory */
2718 BN_CTX_free(bn_ctx);
2719 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2720 if (clnt_ecdh != NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2721 EC_KEY_free(clnt_ecdh);
2722 EVP_PKEY_free(srvr_pub_pkey);
2723 }
2724#endif /* !OPENSSL_NO_ECDH */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2725 else if (alg_k & SSL_kGOST)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2726 {
2727 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_GOST_NOT_SUPPORTED);
2728 goto err;
2729 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2730 else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2731 {
2732 ssl3_send_alert(s, SSL3_AL_FATAL,
2733 SSL_AD_HANDSHAKE_FAILURE);
2734 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2735 goto err;
2736 }
2737
2738 ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
2739 s->state=SSL3_ST_CW_KEY_EXCH_B;
2740 }
2741
2742 /* SSL3_ST_CW_KEY_EXCH_B */
2743 return ssl_do_write(s);
2744err:
2745#ifndef OPENSSL_NO_ECDH
2746 BN_CTX_free(bn_ctx);
2747 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2748 if (clnt_ecdh != NULL)
2749 EC_KEY_free(clnt_ecdh);
2750 EVP_PKEY_free(srvr_pub_pkey);
2751#endif
2752 return(-1);
2753 }
2754
2755int ssl3_send_client_verify(SSL *s)
2756 {
2757 unsigned char *p;
2758 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2759 EVP_PKEY *pkey;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2760 EVP_PKEY_CTX *pctx = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2761 EVP_MD_CTX mctx;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2762 unsigned signature_length = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2763 unsigned long n;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2764
2765 EVP_MD_CTX_init(&mctx);
2766
2767 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2768 {
2769 p= ssl_handshake_start(s);
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2770 pkey = s->cert->key->privatekey;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2771 /* For TLS v1.2 send signature algorithm and signature
2772 * using agreed digest and cached handshake records.
2773 */
2774 if (SSL_USE_SIGALGS(s))
2775 {
2776 long hdatalen = 0;
2777 char *hdata;
2778 const EVP_MD *md = s->cert->key->digest;
2779 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2780 &hdata);
2781 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md))
2782 {
2783 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2784 goto err;
2785 }
2786 p += 2;
2787#ifdef SSL_DEBUG
2788 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2789 EVP_MD_name(md));
2790#endif
2791 if (!EVP_SignInit_ex(&mctx, md, NULL)
2792 || !EVP_SignUpdate(&mctx, hdata, hdatalen)
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2793 || !EVP_SignFinal(&mctx, p + 2,
2794 &signature_length, pkey))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2795 {
2796 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
2797 goto err;
2798 }
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2799 s2n(signature_length, p);
2800 n = signature_length + 4;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2801 if (!ssl3_digest_cached_records(s))
2802 goto err;
2803 }
2804 else
2805#ifndef OPENSSL_NO_RSA
2806 if (pkey->type == EVP_PKEY_RSA)
2807 {
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2808 s->method->ssl3_enc->cert_verify_mac(s, NID_md5, data);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2809 s->method->ssl3_enc->cert_verify_mac(s,
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2810 NID_sha1, &data[MD5_DIGEST_LENGTH]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2811 if (RSA_sign(NID_md5_sha1, data,
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2812 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2813 &p[2], &signature_length, pkey->pkey.rsa) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2814 {
2815 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_RSA_LIB);
2816 goto err;
2817 }
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2818 s2n(signature_length, p);
2819 n = signature_length + 2;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2820 }
2821 else
2822#endif
2823#ifndef OPENSSL_NO_DSA
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2824 if (pkey->type == EVP_PKEY_DSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2825 {
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2826 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
2827 if (!DSA_sign(pkey->save_type, data,
2828 SHA_DIGEST_LENGTH, &(p[2]),
2829 &signature_length, pkey->pkey.dsa))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2830 {
2831 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_DSA_LIB);
2832 goto err;
2833 }
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2834 s2n(signature_length, p);
2835 n = signature_length + 2;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2836 }
2837 else
2838#endif
2839#ifndef OPENSSL_NO_ECDSA
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2840 if (pkey->type == EVP_PKEY_EC)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2841 {
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2842 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, data);
2843 if (!ECDSA_sign(pkey->save_type, data,
2844 SHA_DIGEST_LENGTH, &(p[2]),
2845 &signature_length, pkey->pkey.ec))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2846 {
2847 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_ECDSA_LIB);
2848 goto err;
2849 }
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2850 s2n(signature_length, p);
2851 n = signature_length + 2;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2852 }
2853 else
2854#endif
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2855 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2856 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2857 goto err;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2858 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2859 ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
2860 s->state=SSL3_ST_CW_CERT_VRFY_B;
2861 }
2862 EVP_MD_CTX_cleanup(&mctx);
2863 EVP_PKEY_CTX_free(pctx);
2864 return ssl_do_write(s);
2865err:
2866 EVP_MD_CTX_cleanup(&mctx);
2867 EVP_PKEY_CTX_free(pctx);
2868 return(-1);
2869 }
2870
2871/* Check a certificate can be used for client authentication. Currently
2872 * check cert exists, if we have a suitable digest for TLS 1.2 if
2873 * static DH client certificates can be used and optionally checks
2874 * suitability for Suite B.
2875 */
2876static int ssl3_check_client_certificate(SSL *s)
2877 {
2878 unsigned long alg_k;
2879 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2880 return 0;
2881 /* If no suitable signature algorithm can't use certificate */
2882 if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
2883 return 0;
2884 /* If strict mode check suitability of chain before using it.
2885 * This also adjusts suite B digest if necessary.
2886 */
2887 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2888 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2889 return 0;
2890 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2891 /* See if we can use client certificate for fixed DH */
2892 if (alg_k & (SSL_kDHr|SSL_kDHd))
2893 {
2894 SESS_CERT *scert = s->session->sess_cert;
2895 int i = scert->peer_cert_type;
2896 EVP_PKEY *clkey = NULL, *spkey = NULL;
2897 clkey = s->cert->key->privatekey;
2898 /* If client key not DH assume it can be used */
2899 if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)
2900 return 1;
2901 if (i >= 0)
2902 spkey = X509_get_pubkey(scert->peer_pkeys[i].x509);
2903 if (spkey)
2904 {
2905 /* Compare server and client parameters */
2906 i = EVP_PKEY_cmp_parameters(clkey, spkey);
2907 EVP_PKEY_free(spkey);
2908 if (i != 1)
2909 return 0;
2910 }
2911 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2912 }
2913 return 1;
2914 }
2915
2916int ssl3_send_client_certificate(SSL *s)
2917 {
2918 X509 *x509=NULL;
2919 EVP_PKEY *pkey=NULL;
2920 int i;
2921
2922 if (s->state == SSL3_ST_CW_CERT_A)
2923 {
2924 /* Let cert callback update client certificates if required */
2925 if (s->cert->cert_cb)
2926 {
2927 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2928 if (i < 0)
2929 {
2930 s->rwstate=SSL_X509_LOOKUP;
2931 return -1;
2932 }
2933 if (i == 0)
2934 {
2935 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
2936 return 0;
2937 }
2938 s->rwstate=SSL_NOTHING;
2939 }
2940 if (ssl3_check_client_certificate(s))
2941 s->state=SSL3_ST_CW_CERT_C;
2942 else
2943 s->state=SSL3_ST_CW_CERT_B;
2944 }
2945
2946 /* We need to get a client cert */
2947 if (s->state == SSL3_ST_CW_CERT_B)
2948 {
2949 /* If we get an error, we need to
2950 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2951 * We then get retied later */
2952 i=0;
2953 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2954 if (i < 0)
2955 {
2956 s->rwstate=SSL_X509_LOOKUP;
2957 return(-1);
2958 }
2959 s->rwstate=SSL_NOTHING;
2960 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2961 {
2962 s->state=SSL3_ST_CW_CERT_B;
2963 if ( !SSL_use_certificate(s,x509) ||
2964 !SSL_use_PrivateKey(s,pkey))
2965 i=0;
2966 }
2967 else if (i == 1)
2968 {
2969 i=0;
2970 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2971 }
2972
2973 if (x509 != NULL) X509_free(x509);
2974 if (pkey != NULL) EVP_PKEY_free(pkey);
2975 if (i && !ssl3_check_client_certificate(s))
2976 i = 0;
2977 if (i == 0)
2978 {
2979 if (s->version == SSL3_VERSION)
2980 {
2981 s->s3->tmp.cert_req=0;
2982 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2983 return(1);
2984 }
2985 else
2986 {
2987 s->s3->tmp.cert_req=2;
2988 }
2989 }
2990
2991 /* Ok, we have a cert */
2992 s->state=SSL3_ST_CW_CERT_C;
2993 }
2994
2995 if (s->state == SSL3_ST_CW_CERT_C)
2996 {
2997 s->state=SSL3_ST_CW_CERT_D;
2998 ssl3_output_cert_chain(s,
2999 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
3000 }
3001 /* SSL3_ST_CW_CERT_D */
3002 return ssl_do_write(s);
3003 }
3004
3005#define has_bits(i,m) (((i)&(m)) == (m))
3006
3007int ssl3_check_cert_and_algorithm(SSL *s)
3008 {
3009 int i,idx;
3010 long alg_k,alg_a;
3011 EVP_PKEY *pkey=NULL;
3012 SESS_CERT *sc;
3013#ifndef OPENSSL_NO_RSA
3014 RSA *rsa;
3015#endif
3016#ifndef OPENSSL_NO_DH
3017 DH *dh;
3018#endif
3019
3020 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
3021 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
3022
3023 /* we don't have a certificate */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]3024 if ((alg_a & (SSL_aNULL|SSL_aKRB5)) || ((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3025 return(1);
3026
3027 sc=s->session->sess_cert;
3028 if (sc == NULL)
3029 {
3030 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
3031 goto err;
3032 }
3033
3034#ifndef OPENSSL_NO_RSA
3035 rsa=s->session->sess_cert->peer_rsa_tmp;
3036#endif
3037#ifndef OPENSSL_NO_DH
3038 dh=s->session->sess_cert->peer_dh_tmp;
3039#endif
3040
3041 /* This is the passed certificate */
3042
3043 idx=sc->peer_cert_type;
3044#ifndef OPENSSL_NO_ECDH
3045 if (idx == SSL_PKEY_ECC)
3046 {
3047 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3048 s) == 0)
3049 { /* check failed */
3050 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_ECC_CERT);
3051 goto f_err;
3052 }
3053 else
3054 {
3055 return 1;
3056 }
3057 }
3058 else if (alg_a & SSL_aECDSA)
3059 {
3060 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDSA_SIGNING_CERT);
3061 goto f_err;
3062 }
3063 else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
3064 {
3065 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDH_CERT);
3066 goto f_err;
3067 }
3068#endif
3069 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
3070 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
3071 EVP_PKEY_free(pkey);
3072
3073
3074 /* Check that we have a certificate if we require one */
3075 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
3076 {
3077 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_SIGNING_CERT);
3078 goto f_err;
3079 }
3080#ifndef OPENSSL_NO_DSA
3081 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
3082 {
3083 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DSA_SIGNING_CERT);
3084 goto f_err;
3085 }
3086#endif
3087#ifndef OPENSSL_NO_RSA
3088 if ((alg_k & SSL_kRSA) &&
3089 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
3090 {
3091 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3092 goto f_err;
3093 }
3094#endif
3095#ifndef OPENSSL_NO_DH
3096 if ((alg_k & SSL_kEDH) &&
3097 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
3098 {
3099 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_KEY);
3100 goto f_err;
3101 }
3102 else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
3103 !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
3104 {
3105 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_RSA_CERT);
3106 goto f_err;
3107 }
3108#ifndef OPENSSL_NO_DSA
3109 else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
3110 !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
3111 {
3112 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_DSA_CERT);
3113 goto f_err;
3114 }
3115#endif
3116#endif
3117
3118 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
3119 {
3120#ifndef OPENSSL_NO_RSA
3121 if (alg_k & SSL_kRSA)
3122 {
3123 if (rsa == NULL
3124 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3125 {
3126 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3127 goto f_err;
3128 }
3129 }
3130 else
3131#endif
3132#ifndef OPENSSL_NO_DH
3133 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
3134 {
3135 if (dh == NULL
3136 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3137 {
3138 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3139 goto f_err;
3140 }
3141 }
3142 else
3143#endif
3144 {
3145 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3146 goto f_err;
3147 }
3148 }
3149 return(1);
3150f_err:
3151 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
3152err:
3153 return(0);
3154 }
3155
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3156#if !defined(OPENSSL_NO_TLSEXT)
3157# if !defined(OPENSSL_NO_NEXTPROTONEG)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3158int ssl3_send_next_proto(SSL *s)
3159 {
3160 unsigned int len, padding_len;
3161 unsigned char *d;
3162
3163 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
3164 {
3165 len = s->next_proto_negotiated_len;
3166 padding_len = 32 - ((len + 2) % 32);
3167 d = (unsigned char *)s->init_buf->data;
3168 d[4] = len;
3169 memcpy(d + 5, s->next_proto_negotiated, len);
3170 d[5 + len] = padding_len;
3171 memset(d + 6 + len, 0, padding_len);
3172 *(d++)=SSL3_MT_NEXT_PROTO;
3173 l2n3(2 + len + padding_len, d);
3174 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3175 s->init_num = 4 + 2 + len + padding_len;
3176 s->init_off = 0;
3177 }
3178
3179 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3180}
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]3181
3182# endif /* !OPENSSL_NO_NEXTPROTONEG */
3183
3184int ssl3_send_channel_id(SSL *s)
3185 {
3186 unsigned char *d;
3187 int ret = -1, public_key_len;
3188 EVP_MD_CTX md_ctx;
3189 size_t sig_len;
3190 ECDSA_SIG *sig = NULL;
3191 unsigned char *public_key = NULL, *derp, *der_sig = NULL;
3192
3193 if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
3194 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3195
3196 if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb)
3197 {
3198 EVP_PKEY *key = NULL;
3199 s->ctx->channel_id_cb(s, &key);
3200 if (key != NULL)
3201 {
3202 s->tlsext_channel_id_private = key;
3203 }
3204 }
3205 if (!s->tlsext_channel_id_private)
3206 {
3207 s->rwstate=SSL_CHANNEL_ID_LOOKUP;
3208 return (-1);
3209 }
3210 s->rwstate=SSL_NOTHING;
3211
3212 d = (unsigned char *)s->init_buf->data;
3213 *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
3214 l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
3215 if (s->s3->tlsext_channel_id_new)
3216 s2n(TLSEXT_TYPE_channel_id_new, d);
3217 else
3218 s2n(TLSEXT_TYPE_channel_id, d);
3219 s2n(TLSEXT_CHANNEL_ID_SIZE, d);
3220
3221 EVP_MD_CTX_init(&md_ctx);
3222
3223 public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
3224 if (public_key_len <= 0)
3225 {
3226 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
3227 goto err;
3228 }
3229 /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a
3230 * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
3231 * field elements as 32-byte, big-endian numbers. */
3232 if (public_key_len != 65)
3233 {
3234 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
3235 goto err;
3236 }
3237 public_key = OPENSSL_malloc(public_key_len);
3238 if (!public_key)
3239 {
3240 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
3241 goto err;
3242 }
3243
3244 derp = public_key;
3245 i2d_PublicKey(s->tlsext_channel_id_private, &derp);
3246
3247 if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
3248 s->tlsext_channel_id_private) != 1)
3249 {
3250 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNINIT_FAILED);
3251 goto err;
3252 }
3253
3254 if (!tls1_channel_id_hash(&md_ctx, s))
3255 goto err;
3256
3257 if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len))
3258 {
3259 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
3260 goto err;
3261 }
3262
3263 der_sig = OPENSSL_malloc(sig_len);
3264 if (!der_sig)
3265 {
3266 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
3267 goto err;
3268 }
3269
3270 if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len))
3271 {
3272 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
3273 goto err;
3274 }
3275
3276 derp = der_sig;
3277 sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len);
3278 if (sig == NULL)
3279 {
3280 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_D2I_ECDSA_SIG);
3281 goto err;
3282 }
3283
3284 /* The first byte of public_key will be 0x4, denoting an uncompressed key. */
3285 memcpy(d, public_key + 1, 64);
3286 d += 64;
3287 memset(d, 0, 2 * 32);
3288 BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r));
3289 d += 32;
3290 BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s));
3291 d += 32;
3292
3293 s->state = SSL3_ST_CW_CHANNEL_ID_B;
3294 s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE;
3295 s->init_off = 0;
3296
3297 ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3298
3299err:
3300 EVP_MD_CTX_cleanup(&md_ctx);
3301 if (public_key)
3302 OPENSSL_free(public_key);
3303 if (der_sig)
3304 OPENSSL_free(der_sig);
3305 if (sig)
3306 ECDSA_SIG_free(sig);
3307
3308 return ret;
3309 }
3310#endif /* !OPENSSL_NO_TLSEXT */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3311
3312/* Check to see if handshake is full or resumed. Usually this is just a
3313 * case of checking to see if a cache hit has occurred. In the case of
3314 * session tickets we have to check the next message to be sure.
3315 */
3316
3317#ifndef OPENSSL_NO_TLSEXT
3318int ssl3_check_finished(SSL *s)
3319 {
3320 int ok;
3321 long n;
3322 /* If we have no ticket it cannot be a resumed session. */
3323 if (!s->session->tlsext_tick)
3324 return 1;
3325 /* this function is called when we really expect a Certificate
3326 * message, so permit appropriate message length */
3327 n=s->method->ssl_get_message(s,
3328 SSL3_ST_CR_CERT_A,
3329 SSL3_ST_CR_CERT_B,
3330 -1,
3331 s->max_cert_list,
3332 &ok);
3333 if (!ok) return((int)n);
3334 s->s3->tmp.reuse_message = 1;
3335 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
3336 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3337 return 2;
3338
3339 return 1;
3340 }
3341#endif
3342
3343int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3344 {
3345 int i = 0;
3346 /* TODO(fork): remove */
3347#if 0
3348#ifndef OPENSSL_NO_ENGINE
3349 if (s->ctx->client_cert_engine)
3350 {
3351 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3352 SSL_get_client_CA_list(s),
3353 px509, ppkey, NULL, NULL, NULL);
3354 if (i != 0)
3355 return i;
3356 }
3357#endif
3358#endif
3359 if (s->ctx->client_cert_cb)
3360 i = s->ctx->client_cert_cb(s,px509,ppkey);
3361 return i;
3362 }