Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 457112e1973251a721ae419128d7108844d3c1a3 / . / ssl / s3_clnt.c
blob: 63fbbeb54819fc05f02b618f6eb1aacfa5028ba5 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <stdio.h>
152
153#include <openssl/buf.h>
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]154#include <openssl/bytestring.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155#include <openssl/rand.h>
156#include <openssl/obj.h>
157#include <openssl/evp.h>
158#include <openssl/mem.h>
159#include <openssl/md5.h>
160#include <openssl/dh.h>
161#include <openssl/bn.h>
162#include <openssl/engine.h>
163#include <openssl/x509.h>
164
165#include "ssl_locl.h"
166#include "../crypto/dh/internal.h"
167
168static const SSL_METHOD *ssl3_get_client_method(int ver);
169
170static const SSL_METHOD *ssl3_get_client_method(int ver)
171 {
172 if (ver == SSL3_VERSION)
173 return(SSLv3_client_method());
174 else
175 return(NULL);
176 }
177
178IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
179 ssl_undefined_function,
180 ssl3_connect,
181 ssl3_get_client_method)
182
183int ssl3_connect(SSL *s)
184 {
185 BUF_MEM *buf=NULL;
186 void (*cb)(const SSL *ssl,int type,int val)=NULL;
187 int ret= -1;
188 int new_state,state,skip=0;
189
190 ERR_clear_error();
191 ERR_clear_system_error();
192
193 if (s->info_callback != NULL)
194 cb=s->info_callback;
195 else if (s->ctx->info_callback != NULL)
196 cb=s->ctx->info_callback;
197
198 s->in_handshake++;
199 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
200
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201 for (;;)
202 {
203 state=s->state;
204
205 switch(s->state)
206 {
207 case SSL_ST_RENEGOTIATE:
208 s->renegotiate=1;
209 s->state=SSL_ST_CONNECT;
210 s->ctx->stats.sess_connect_renegotiate++;
211 /* break */
212 case SSL_ST_BEFORE:
213 case SSL_ST_CONNECT:
214 case SSL_ST_BEFORE|SSL_ST_CONNECT:
215 case SSL_ST_OK|SSL_ST_CONNECT:
216
217 s->server=0;
218 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
219
220 if ((s->version & 0xff00 ) != 0x0300)
221 {
222 OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
223 ret = -1;
224 goto end;
225 }
226
227 /* s->version=SSL3_VERSION; */
228 s->type=SSL_ST_CONNECT;
229
230 if (s->init_buf == NULL)
231 {
232 if ((buf=BUF_MEM_new()) == NULL)
233 {
234 ret= -1;
235 goto end;
236 }
237 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
238 {
239 ret= -1;
240 goto end;
241 }
242 s->init_buf=buf;
243 buf=NULL;
244 }
245
246 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
247
248 /* setup buffing BIO */
249 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
250
251 /* don't push the buffering BIO quite yet */
252
253 ssl3_init_finished_mac(s);
254
255 s->state=SSL3_ST_CW_CLNT_HELLO_A;
256 s->ctx->stats.sess_connect++;
257 s->init_num=0;
258 break;
259
260 case SSL3_ST_CW_CLNT_HELLO_A:
261 case SSL3_ST_CW_CLNT_HELLO_B:
262
263 s->shutdown=0;
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]264 ret=ssl3_send_client_hello(s);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265 if (ret <= 0) goto end;
266 s->state=SSL3_ST_CR_SRVR_HELLO_A;
267 s->init_num=0;
268
269 /* turn on buffering for the next lot of output */
270 if (s->bbio != s->wbio)
271 s->wbio=BIO_push(s->bbio,s->wbio);
272
273 break;
274
275 case SSL3_ST_CR_SRVR_HELLO_A:
276 case SSL3_ST_CR_SRVR_HELLO_B:
277 ret=ssl3_get_server_hello(s);
278 if (ret <= 0) goto end;
279
280 if (s->hit)
281 {
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame]282 s->state=SSL3_ST_CR_CHANGE;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]283 if (s->tlsext_ticket_expected)
284 {
285 /* receive renewed session ticket */
286 s->state=SSL3_ST_CR_SESSION_TICKET_A;
287 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]288 }
289 else
290 {
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame]291 s->state=SSL3_ST_CR_CERT_A;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]292 }
293 s->init_num=0;
294 break;
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame]295
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]296 case SSL3_ST_CR_CERT_A:
297 case SSL3_ST_CR_CERT_B:
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]298 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299 {
300 ret=ssl3_get_server_certificate(s);
301 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 if (s->tlsext_status_expected)
303 s->state=SSL3_ST_CR_CERT_STATUS_A;
304 else
305 s->state=SSL3_ST_CR_KEY_EXCH_A;
306 }
307 else
308 {
309 skip = 1;
310 s->state=SSL3_ST_CR_KEY_EXCH_A;
311 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]312 s->init_num=0;
313 break;
314
315 case SSL3_ST_CR_KEY_EXCH_A:
316 case SSL3_ST_CR_KEY_EXCH_B:
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]317 ret=ssl3_get_server_key_exchange(s);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]318 if (ret <= 0) goto end;
319 s->state=SSL3_ST_CR_CERT_REQ_A;
320 s->init_num=0;
321
322 /* at this point we check that we have the
323 * required stuff from the server */
324 if (!ssl3_check_cert_and_algorithm(s))
325 {
326 ret= -1;
327 goto end;
328 }
329 break;
330
331 case SSL3_ST_CR_CERT_REQ_A:
332 case SSL3_ST_CR_CERT_REQ_B:
333 ret=ssl3_get_certificate_request(s);
334 if (ret <= 0) goto end;
335 s->state=SSL3_ST_CR_SRVR_DONE_A;
336 s->init_num=0;
337 break;
338
339 case SSL3_ST_CR_SRVR_DONE_A:
340 case SSL3_ST_CR_SRVR_DONE_B:
341 ret=ssl3_get_server_done(s);
342 if (ret <= 0) goto end;
343 if (s->s3->tmp.cert_req)
344 s->state=SSL3_ST_CW_CERT_A;
345 else
346 s->state=SSL3_ST_CW_KEY_EXCH_A;
347 s->init_num=0;
348
349 break;
350
351 case SSL3_ST_CW_CERT_A:
352 case SSL3_ST_CW_CERT_B:
353 case SSL3_ST_CW_CERT_C:
354 case SSL3_ST_CW_CERT_D:
355 ret=ssl3_send_client_certificate(s);
356 if (ret <= 0) goto end;
357 s->state=SSL3_ST_CW_KEY_EXCH_A;
358 s->init_num=0;
359 break;
360
361 case SSL3_ST_CW_KEY_EXCH_A:
362 case SSL3_ST_CW_KEY_EXCH_B:
363 ret=ssl3_send_client_key_exchange(s);
364 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]365 /* For TLS, cert_req is set to 2, so a cert chain
366 * of nothing is sent, but no verify packet is sent */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]367 if (s->s3->tmp.cert_req == 1)
368 {
369 s->state=SSL3_ST_CW_CERT_VRFY_A;
370 }
371 else
372 {
373 s->state=SSL3_ST_CW_CHANGE_A;
374 s->s3->change_cipher_spec=0;
375 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]376
377 s->init_num=0;
378 break;
379
380 case SSL3_ST_CW_CERT_VRFY_A:
381 case SSL3_ST_CW_CERT_VRFY_B:
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]382 ret=ssl3_send_cert_verify(s);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]383 if (ret <= 0) goto end;
384 s->state=SSL3_ST_CW_CHANGE_A;
385 s->init_num=0;
386 s->s3->change_cipher_spec=0;
387 break;
388
389 case SSL3_ST_CW_CHANGE_A:
390 case SSL3_ST_CW_CHANGE_B:
391 ret=ssl3_send_change_cipher_spec(s,
392 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
393 if (ret <= 0) goto end;
394
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]395 s->state=SSL3_ST_CW_FINISHED_A;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]396 if (s->s3->tlsext_channel_id_valid)
397 s->state=SSL3_ST_CW_CHANNEL_ID_A;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]398 if (s->s3->next_proto_neg_seen)
399 s->state=SSL3_ST_CW_NEXT_PROTO_A;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]400 s->init_num=0;
401
402 s->session->cipher=s->s3->tmp.new_cipher;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]403 if (!s->method->ssl3_enc->setup_key_block(s))
404 {
405 ret= -1;
406 goto end;
407 }
408
409 if (!s->method->ssl3_enc->change_cipher_state(s,
410 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
411 {
412 ret= -1;
413 goto end;
414 }
415
416 break;
417
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]418 case SSL3_ST_CW_NEXT_PROTO_A:
419 case SSL3_ST_CW_NEXT_PROTO_B:
420 ret=ssl3_send_next_proto(s);
421 if (ret <= 0) goto end;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]422 if (s->s3->tlsext_channel_id_valid)
423 s->state=SSL3_ST_CW_CHANNEL_ID_A;
424 else
425 s->state=SSL3_ST_CW_FINISHED_A;
426 break;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]427
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]428 case SSL3_ST_CW_CHANNEL_ID_A:
429 case SSL3_ST_CW_CHANNEL_ID_B:
430 ret=ssl3_send_channel_id(s);
431 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]432 s->state=SSL3_ST_CW_FINISHED_A;
433 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
435 case SSL3_ST_CW_FINISHED_A:
436 case SSL3_ST_CW_FINISHED_B:
437 ret=ssl3_send_finished(s,
438 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
439 s->method->ssl3_enc->client_finished_label,
440 s->method->ssl3_enc->client_finished_label_len);
441 if (ret <= 0) goto end;
442 s->state=SSL3_ST_CW_FLUSH;
443
444 /* clear flags */
445 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
446 if (s->hit)
447 {
448 s->s3->tmp.next_state=SSL_ST_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]449 }
450 else
451 {
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]452 /* This is a non-resumption handshake. If it
453 * involves ChannelID, then record the
454 * handshake hashes at this point in the
455 * session so that any resumption of this
456 * session with ChannelID can sign those
457 * hashes. */
458 if (s->s3->tlsext_channel_id_new)
459 {
460 ret = tls1_record_handshake_hashes_for_channel_id(s);
461 if (ret <= 0)
462 goto end;
463 }
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]464 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
465 && ssl3_can_cutthrough(s)
466 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
467 )
468 {
Adam Langley045cc552014-07-16 10:45:57 -0700[diff] [blame]469 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]470 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]471 else
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]472 {
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]473 /* Allow NewSessionTicket if ticket expected */
474 if (s->tlsext_ticket_expected)
475 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
476 else
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame]477 s->s3->tmp.next_state=SSL3_ST_CR_CHANGE;
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]478 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]479 }
480 s->init_num=0;
481 break;
482
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]483 case SSL3_ST_CR_SESSION_TICKET_A:
484 case SSL3_ST_CR_SESSION_TICKET_B:
485 ret=ssl3_get_new_session_ticket(s);
486 if (ret <= 0) goto end;
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame]487 s->state=SSL3_ST_CR_CHANGE;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]488 s->init_num=0;
489 break;
490
491 case SSL3_ST_CR_CERT_STATUS_A:
492 case SSL3_ST_CR_CERT_STATUS_B:
493 ret=ssl3_get_cert_status(s);
494 if (ret <= 0) goto end;
495 s->state=SSL3_ST_CR_KEY_EXCH_A;
496 s->init_num=0;
497 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]498
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame]499 case SSL3_ST_CR_CHANGE:
500 /* At this point, the next message must be entirely
501 * behind a ChangeCipherSpec. */
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]502 if (!ssl3_expect_change_cipher_spec(s))
503 {
504 ret = -1;
505 goto end;
506 }
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame]507 s->state = SSL3_ST_CR_FINISHED_A;
508 break;
509
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]510 case SSL3_ST_CR_FINISHED_A:
511 case SSL3_ST_CR_FINISHED_B:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]512 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
513 SSL3_ST_CR_FINISHED_B);
514 if (ret <= 0) goto end;
515
516 if (s->hit)
517 s->state=SSL3_ST_CW_CHANGE_A;
518 else
519 s->state=SSL_ST_OK;
520 s->init_num=0;
521 break;
522
523 case SSL3_ST_CW_FLUSH:
524 s->rwstate=SSL_WRITING;
525 if (BIO_flush(s->wbio) <= 0)
526 {
527 ret= -1;
528 goto end;
529 }
530 s->rwstate=SSL_NOTHING;
531 s->state=s->s3->tmp.next_state;
532 break;
533
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]534 case SSL3_ST_CUTTHROUGH_COMPLETE:
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]535 /* Allow NewSessionTicket if ticket expected */
536 if (s->tlsext_ticket_expected)
537 s->state=SSL3_ST_CR_SESSION_TICKET_A;
538 else
David Benjamin7e3305e2014-07-28 14:52:32 -0400[diff] [blame]539 s->state=SSL3_ST_CR_CHANGE;
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]540
Adam Langley045cc552014-07-16 10:45:57 -0700[diff] [blame]541 ssl_free_wbio_buffer(s);
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]542 ret = 1;
543 goto end;
544 /* break; */
545
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]546 case SSL_ST_OK:
547 /* clean a few things up */
548 ssl3_cleanup_key_block(s);
549
550 if (s->init_buf != NULL)
551 {
552 BUF_MEM_free(s->init_buf);
553 s->init_buf=NULL;
554 }
555
556 /* If we are not 'joining' the last two packets,
557 * remove the buffering now */
558 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
559 ssl_free_wbio_buffer(s);
560 /* else do it later in ssl3_write */
561
562 s->init_num=0;
563 s->renegotiate=0;
564 s->new_session=0;
565
566 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
567 if (s->hit) s->ctx->stats.sess_hit++;
568
569 ret=1;
570 /* s->server=0; */
571 s->handshake_func=ssl3_connect;
572 s->ctx->stats.sess_connect_good++;
573
574 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
575
576 goto end;
577 /* break; */
578
579 default:
580 OPENSSL_PUT_ERROR(SSL, ssl3_connect, SSL_R_UNKNOWN_STATE);
581 ret= -1;
582 goto end;
583 /* break; */
584 }
585
586 /* did we do anything */
587 if (!s->s3->tmp.reuse_message && !skip)
588 {
589 if (s->debug)
590 {
591 if ((ret=BIO_flush(s->wbio)) <= 0)
592 goto end;
593 }
594
595 if ((cb != NULL) && (s->state != state))
596 {
597 new_state=s->state;
598 s->state=state;
599 cb(s,SSL_CB_CONNECT_LOOP,1);
600 s->state=new_state;
601 }
602 }
603 skip=0;
604 }
605end:
606 s->in_handshake--;
607 if (buf != NULL)
608 BUF_MEM_free(buf);
609 if (cb != NULL)
610 cb(s,SSL_CB_CONNECT_EXIT,ret);
611 return(ret);
612 }
613
614
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]615int ssl3_send_client_hello(SSL *s)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]616 {
617 unsigned char *buf;
618 unsigned char *p,*d;
619 int i;
620 unsigned long l;
621
622 buf=(unsigned char *)s->init_buf->data;
623 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
624 {
625 SSL_SESSION *sess = s->session;
David Benjamin407886f2014-07-21 22:23:50 -0400[diff] [blame]626 if (sess == NULL ||
627 sess->ssl_version != s->version ||
628 !sess->session_id_length ||
629 sess->not_resumable)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]630 {
631 if (!ssl_get_new_session(s,0))
632 goto err;
633 }
634 if (s->method->version == DTLS_ANY_VERSION)
635 {
636 /* Determine which DTLS version to use */
637 int options = s->options;
638 /* If DTLS 1.2 disabled correct the version number */
639 if (options & SSL_OP_NO_DTLSv1_2)
640 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]641 /* Disabling all versions is silly: return an
642 * error.
643 */
644 if (options & SSL_OP_NO_DTLSv1)
645 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]646 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, SSL_R_WRONG_SSL_VERSION);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]647 goto err;
648 }
649 /* Update method so we don't use any DTLS 1.2
650 * features.
651 */
652 s->method = DTLSv1_client_method();
653 s->version = DTLS1_VERSION;
654 }
655 else
656 {
657 /* We only support one version: update method */
658 if (options & SSL_OP_NO_DTLSv1)
659 s->method = DTLSv1_2_client_method();
660 s->version = DTLS1_2_VERSION;
661 }
662 s->client_version = s->version;
663 }
664 /* else use the pre-loaded session */
665
666 p=s->s3->client_random;
667
David Benjaminf2fedef2014-08-16 01:37:34 -0400[diff] [blame]668 /* If resending the ClientHello in DTLS after a
669 * HelloVerifyRequest, don't renegerate the client_random. The
670 * random must be reused. */
671 if (!SSL_IS_DTLS(s) || !s->d1->send_cookie)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]672 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]673 ssl_fill_hello_random(s, 0, p,
674 sizeof(s->s3->client_random));
David Benjaminf2fedef2014-08-16 01:37:34 -0400[diff] [blame]675 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]676
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]677 /* Do the message type and length last.
678 * Note: the final argument to ssl_add_clienthello_tlsext below
679 * depends on the size of this prefix. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]680 d=p= ssl_handshake_start(s);
681
682 /* version indicates the negotiated version: for example from
683 * an SSLv2/v3 compatible client hello). The client_version
684 * field is the maximum version we permit and it is also
685 * used in RSA encrypted premaster secrets. Some servers can
686 * choke if we initially report a higher version then
687 * renegotiate to a lower one in the premaster secret. This
688 * didn't happen with TLS 1.0 as most servers supported it
689 * but it can with TLS 1.1 or later if the server only supports
690 * 1.0.
691 *
692 * Possible scenario with previous logic:
693 * 1. Client hello indicates TLS 1.2
694 * 2. Server hello says TLS 1.0
695 * 3. RSA encrypted premaster secret uses 1.2.
696 * 4. Handhaked proceeds using TLS 1.0.
697 * 5. Server sends hello request to renegotiate.
698 * 6. Client hello indicates TLS v1.0 as we now
699 * know that is maximum server supports.
700 * 7. Server chokes on RSA encrypted premaster secret
701 * containing version 1.0.
702 *
703 * For interoperability it should be OK to always use the
704 * maximum version we support in client hello and then rely
705 * on the checking of version to ensure the servers isn't
706 * being inconsistent: for example initially negotiating with
707 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
708 * client_version in client hello and not resetting it to
709 * the negotiated version.
710 */
711#if 0
712 *(p++)=s->version>>8;
713 *(p++)=s->version&0xff;
714 s->client_version=s->version;
715#else
716 *(p++)=s->client_version>>8;
717 *(p++)=s->client_version&0xff;
718#endif
719
720 /* Random stuff */
721 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
722 p+=SSL3_RANDOM_SIZE;
723
724 /* Session ID */
725 if (s->new_session)
726 i=0;
727 else
728 i=s->session->session_id_length;
729 *(p++)=i;
730 if (i != 0)
731 {
732 if (i > (int)sizeof(s->session->session_id))
733 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]734 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]735 goto err;
736 }
737 memcpy(p,s->session->session_id,i);
738 p+=i;
739 }
740
741 /* cookie stuff for DTLS */
742 if (SSL_IS_DTLS(s))
743 {
744 if ( s->d1->cookie_len > sizeof(s->d1->cookie))
745 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]746 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]747 goto err;
748 }
749 *(p++) = s->d1->cookie_len;
750 memcpy(p, s->d1->cookie, s->d1->cookie_len);
751 p += s->d1->cookie_len;
752 }
753
754 /* Ciphers supported */
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]755 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]756 if (i == 0)
757 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]758 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, SSL_R_NO_CIPHERS_AVAILABLE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]759 goto err;
760 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]761 s2n(i,p);
762 p+=i;
763
764 /* COMPRESSION */
765 *(p++)=1;
766 *(p++)=0; /* Add the NULL method */
767
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]768 /* TLS extensions*/
769 if (ssl_prepare_clienthello_tlsext(s) <= 0)
770 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]771 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772 goto err;
773 }
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]774 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]775 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]776 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]777 goto err;
778 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]779
780 l= p-d;
781 ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
782 s->state=SSL3_ST_CW_CLNT_HELLO_B;
783 }
784
785 /* SSL3_ST_CW_CLNT_HELLO_B */
786 return ssl_do_write(s);
787err:
788 return(-1);
789 }
790
791int ssl3_get_server_hello(SSL *s)
792 {
793 STACK_OF(SSL_CIPHER) *sk;
794 const SSL_CIPHER *c;
795 CERT *ct = s->cert;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]796 int al=SSL_AD_INTERNAL_ERROR,ok;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]797 long n;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]798 CBS server_hello, server_random, session_id;
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]799 uint16_t server_version, cipher_suite;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]800 uint8_t compression_method;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]801
802 n=s->method->ssl_get_message(s,
803 SSL3_ST_CR_SRVR_HELLO_A,
804 SSL3_ST_CR_SRVR_HELLO_B,
David Benjaminf2fedef2014-08-16 01:37:34 -0400[diff] [blame]805 SSL3_MT_SERVER_HELLO,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]806 20000, /* ?? */
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]807 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]808 &ok);
809
810 if (!ok) return((int)n);
811
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]812 CBS_init(&server_hello, s->init_msg, n);
813
814 if (!CBS_get_u16(&server_hello, &server_version) ||
815 !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
816 !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]817 CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
818 !CBS_get_u16(&server_hello, &cipher_suite) ||
819 !CBS_get_u8(&server_hello, &compression_method))
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]820 {
821 al = SSL_AD_DECODE_ERROR;
822 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_DECODE_ERROR);
823 goto f_err;
824 }
825
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]826 if (s->method->version == DTLS_ANY_VERSION)
827 {
828 /* Work out correct protocol version to use */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]829 int options = s->options;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]830 if (server_version == DTLS1_2_VERSION
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]831 && !(options & SSL_OP_NO_DTLSv1_2))
832 s->method = DTLSv1_2_client_method();
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]833 else if (server_version == DTLS1_VERSION
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]834 && !(options & SSL_OP_NO_DTLSv1))
835 s->method = DTLSv1_client_method();
836 else
837 {
838 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]839 s->version = server_version;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]840 al = SSL_AD_PROTOCOL_VERSION;
841 goto f_err;
842 }
843 s->version = s->client_version = s->method->version;
844 }
845
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]846 if (server_version != s->version)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]847 {
848 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]849 s->version = (s->version & 0xff00) | (server_version & 0xff);
850 al = SSL_AD_PROTOCOL_VERSION;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]851 goto f_err;
852 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]853
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]854 /* Copy over the server random. */
855 memcpy(s->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]856
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]857 s->hit = 0;
858
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]859 /* check if we want to resume the session based on external pre-shared secret */
860 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
861 {
David Benjamin6f260012014-08-15 13:49:12 -0400[diff] [blame]862 const SSL_CIPHER *pref_cipher=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]863 s->session->master_key_length=sizeof(s->session->master_key);
864 if (s->tls_session_secret_cb(s, s->session->master_key,
865 &s->session->master_key_length,
866 NULL, &pref_cipher,
867 s->tls_session_secret_cb_arg))
868 {
869 s->session->cipher = pref_cipher ?
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]870 pref_cipher :
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]871 ssl3_get_cipher_by_value(cipher_suite);
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]872 s->hit = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]873 }
874 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]875
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]876 if (!s->hit && CBS_len(&session_id) != 0 &&
David Benjamin22f9bcc2014-07-13 12:29:21 -0400[diff] [blame]877 CBS_mem_equal(&session_id,
878 s->session->session_id, s->session->session_id_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]879 {
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]880 if(s->sid_ctx_length != s->session->sid_ctx_length
881 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length))
882 {
883 /* actually a client application bug */
884 al = SSL_AD_ILLEGAL_PARAMETER;
885 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
886 goto f_err;
887 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]888 s->hit = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]889 }
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]890
891 /* a miss or crap from the other end */
892 if (!s->hit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]893 {
894 /* If we were trying for session-id reuse, make a new
895 * SSL_SESSION so we don't stuff up other people */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]896 if (s->session->session_id_length > 0)
897 {
898 if (!ssl_get_new_session(s,0))
899 {
900 goto f_err;
901 }
902 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]903 /* Note: session_id could be empty. */
904 s->session->session_id_length = CBS_len(&session_id);
905 memcpy(s->session->session_id, CBS_data(&session_id), CBS_len(&session_id));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]906 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]907
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]908 c = ssl3_get_cipher_by_value(cipher_suite);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]909 if (c == NULL)
910 {
911 /* unknown cipher */
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]912 al = SSL_AD_ILLEGAL_PARAMETER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]913 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNKNOWN_CIPHER_RETURNED);
914 goto f_err;
915 }
916 /* If it is a disabled cipher we didn't send it in client hello,
917 * so return an error.
918 */
919 if (c->algorithm_ssl & ct->mask_ssl ||
920 c->algorithm_mkey & ct->mask_k ||
921 c->algorithm_auth & ct->mask_a)
922 {
923 al=SSL_AD_ILLEGAL_PARAMETER;
924 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
925 goto f_err;
926 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]927
928 sk=ssl_get_ciphers_by_id(s);
929 if (!sk_SSL_CIPHER_find(sk, NULL, c))
930 {
931 /* we did not say we would use this cipher */
932 al=SSL_AD_ILLEGAL_PARAMETER;
933 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
934 goto f_err;
935 }
936
937 /* Depending on the session caching (internal/external), the cipher
938 and/or cipher_id values may not be set. Make sure that
939 cipher_id is set and use it for comparison. */
940 if (s->session->cipher)
941 s->session->cipher_id = s->session->cipher->id;
942 if (s->hit && (s->session->cipher_id != c->id))
943 {
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]944 al = SSL_AD_ILLEGAL_PARAMETER;
945 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
946 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]947 }
948 s->s3->tmp.new_cipher=c;
949 /* Don't digest cached records if no sigalgs: we may need them for
950 * client authentication.
951 */
952 if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
953 goto f_err;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]954
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]955 /* Only the NULL compression algorithm is supported. */
956 if (compression_method != 0)
957 {
958 al = SSL_AD_ILLEGAL_PARAMETER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
960 goto f_err;
961 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]962
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]963 /* TLS extensions */
964 if (!ssl_parse_serverhello_tlsext(s, &server_hello))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]965 {
966 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_PARSE_TLSEXT);
967 goto err;
968 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]969
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]970 /* There should be nothing left over in the record. */
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]971 if (CBS_len(&server_hello) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]972 {
973 /* wrong packet length */
974 al=SSL_AD_DECODE_ERROR;
975 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_PACKET_LENGTH);
976 goto f_err;
977 }
978
979 return(1);
980f_err:
981 ssl3_send_alert(s,SSL3_AL_FATAL,al);
982err:
983 return(-1);
984 }
985
986int ssl3_get_server_certificate(SSL *s)
987 {
988 int al,i,ok,ret= -1;
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]989 unsigned long n;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]990 X509 *x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]991 STACK_OF(X509) *sk=NULL;
992 SESS_CERT *sc;
993 EVP_PKEY *pkey=NULL;
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]994 CBS cbs, certificate_list;
995 const uint8_t* data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]996
997 n=s->method->ssl_get_message(s,
998 SSL3_ST_CR_CERT_A,
999 SSL3_ST_CR_CERT_B,
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]1000 SSL3_MT_CERTIFICATE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1001 s->max_cert_list,
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1002 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1003 &ok);
1004
1005 if (!ok) return((int)n);
1006
David Benjamin51b1f742014-07-12 16:31:12 -0400[diff] [blame]1007 CBS_init(&cbs, s->init_msg, n);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
1009 if ((sk=sk_X509_new_null()) == NULL)
1010 {
1011 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1012 goto err;
1013 }
1014
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1015 if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
1016 CBS_len(&cbs) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1017 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1018 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1019 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
1020 goto f_err;
1021 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1022
1023 while (CBS_len(&certificate_list) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1024 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1025 CBS certificate;
1026 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1027 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1028 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1029 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1030 goto f_err;
1031 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1032 data = CBS_data(&certificate);
1033 x = d2i_X509(NULL, &data, CBS_len(&certificate));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1034 if (x == NULL)
1035 {
1036 al=SSL_AD_BAD_CERTIFICATE;
1037 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_ASN1_LIB);
1038 goto f_err;
1039 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1040 if (!CBS_skip(&certificate, data - CBS_data(&certificate)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1041 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1042 al = SSL_AD_INTERNAL_ERROR;
1043 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
1044 goto f_err;
1045 }
1046 if (CBS_len(&certificate) != 0)
1047 {
1048 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1049 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1050 goto f_err;
1051 }
1052 if (!sk_X509_push(sk,x))
1053 {
1054 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1055 goto err;
1056 }
1057 x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1058 }
1059
1060 i=ssl_verify_cert_chain(s,sk);
1061 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1062 )
1063 {
1064 al=ssl_verify_alarm_type(s->verify_result);
1065 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERTIFICATE_VERIFY_FAILED);
1066 goto f_err;
1067 }
1068 ERR_clear_error(); /* but we keep s->verify_result */
1069
1070 sc=ssl_sess_cert_new();
1071 if (sc == NULL) goto err;
1072
1073 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1074 s->session->sess_cert=sc;
1075
1076 sc->cert_chain=sk;
1077 /* Inconsistency alert: cert_chain does include the peer's
1078 * certificate, which we don't include in s3_srvr.c */
1079 x=sk_X509_value(sk,0);
1080 sk=NULL;
1081 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1082
1083 pkey=X509_get_pubkey(x);
1084
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1085 if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1086 {
1087 x=NULL;
1088 al=SSL3_AL_FATAL;
1089 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1090 goto f_err;
1091 }
1092
1093 i=ssl_cert_type(x,pkey);
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1094 if (i < 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1095 {
1096 x=NULL;
1097 al=SSL3_AL_FATAL;
1098 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1099 goto f_err;
1100 }
1101
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1102 int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1103 if (exp_idx >= 0 && i != exp_idx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104 {
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1105 x=NULL;
1106 al=SSL_AD_ILLEGAL_PARAMETER;
1107 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
1108 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1109 }
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1110 sc->peer_cert_type=i;
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1111 /* Why would the following ever happen?
1112 * We just created sc a couple of lines ago. */
1113 if (sc->peer_pkeys[i].x509 != NULL)
1114 X509_free(sc->peer_pkeys[i].x509);
David Benjamin150c6172014-08-05 22:22:49 -0400[diff] [blame]1115 sc->peer_pkeys[i].x509 = X509_up_ref(x);
1116 sc->peer_key = &(sc->peer_pkeys[i]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1117
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1118 if (s->session->peer != NULL)
1119 X509_free(s->session->peer);
David Benjamin150c6172014-08-05 22:22:49 -0400[diff] [blame]1120 s->session->peer = X509_up_ref(x);
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1121
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1122 s->session->verify_result = s->verify_result;
1123
1124 x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125 ret=1;
1126 if (0)
1127 {
1128f_err:
1129 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1130 }
1131err:
1132 EVP_PKEY_free(pkey);
1133 X509_free(x);
1134 sk_X509_pop_free(sk,X509_free);
1135 return(ret);
1136 }
1137
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1138int ssl3_get_server_key_exchange(SSL *s)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1139 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1140 EVP_MD_CTX md_ctx;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1141 int al,ok;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142 long n,alg_k,alg_a;
1143 EVP_PKEY *pkey=NULL;
1144 const EVP_MD *md = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1145 RSA *rsa=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1146 DH *dh=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147 EC_KEY *ecdh = NULL;
1148 BN_CTX *bn_ctx = NULL;
1149 EC_POINT *srvr_ecpoint = NULL;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1150 CBS server_key_exchange, server_key_exchange_orig, parameter;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1151
1152 /* use same message size as in ssl3_get_certificate_request()
1153 * as ServerKeyExchange message may be skipped */
1154 n=s->method->ssl_get_message(s,
1155 SSL3_ST_CR_KEY_EXCH_A,
1156 SSL3_ST_CR_KEY_EXCH_B,
1157 -1,
1158 s->max_cert_list,
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1159 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1160 &ok);
1161 if (!ok) return((int)n);
1162
1163 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1164 {
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1165 if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher))
1166 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1167 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1168 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1169 return -1;
1170 }
1171
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1172 /* In plain PSK ciphersuite, ServerKeyExchange can be
1173 omitted if no identity hint is sent. Set
1174 session->sess_cert anyway to avoid problems
1175 later.*/
David Benjamin5235f742014-07-12 13:11:24 -0400[diff] [blame]1176 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1177 {
David Benjamin0c49ec92014-07-12 13:16:51 -0400[diff] [blame]1178 /* PSK ciphersuites that also send a
1179 * Certificate would have already initialized
1180 * |sess_cert|. */
1181 if (s->session->sess_cert == NULL)
1182 s->session->sess_cert = ssl_sess_cert_new();
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1183 if (s->session->psk_identity_hint)
1184 {
1185 OPENSSL_free(s->session->psk_identity_hint);
1186 s->session->psk_identity_hint = NULL;
1187 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1188 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1189 s->s3->tmp.reuse_message=1;
1190 return(1);
1191 }
1192
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1193 /* Retain a copy of the original CBS to compute the signature
1194 * over. */
1195 CBS_init(&server_key_exchange, s->init_msg, n);
1196 server_key_exchange_orig = server_key_exchange;
1197
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1198 if (s->session->sess_cert != NULL)
1199 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1200 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1201 {
1202 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1203 s->session->sess_cert->peer_rsa_tmp=NULL;
1204 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1205 if (s->session->sess_cert->peer_dh_tmp)
1206 {
1207 DH_free(s->session->sess_cert->peer_dh_tmp);
1208 s->session->sess_cert->peer_dh_tmp=NULL;
1209 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1210 if (s->session->sess_cert->peer_ecdh_tmp)
1211 {
1212 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1213 s->session->sess_cert->peer_ecdh_tmp=NULL;
1214 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1215 }
1216 else
1217 {
1218 s->session->sess_cert=ssl_sess_cert_new();
1219 }
1220
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1221 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1222 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1223 EVP_MD_CTX_init(&md_ctx);
1224
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1225 if (alg_a & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1226 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1227 CBS psk_identity_hint;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1228
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1229 /* Each of the PSK key exchanges begins with a
1230 * psk_identity_hint. */
1231 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &psk_identity_hint))
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1232 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1233 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1234 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1235 goto f_err;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1236 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1237
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1238 /* Store PSK identity hint for later use, hint is used in
1239 * ssl3_send_client_key_exchange. Assume that the maximum
1240 * length of a PSK identity hint can be as long as the maximum
1241 * length of a PSK identity. Also do not allow NULL
1242 * characters; identities are saved as C strings.
1243 *
1244 * TODO(davidben): Should invalid hints be ignored? It's a hint
1245 * rather than a specific identity. */
1246 if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
1247 CBS_contains_zero_byte(&psk_identity_hint))
1248 {
1249 al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1250 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DATA_LENGTH_TOO_LONG);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1251 goto f_err;
1252 }
1253
1254 /* Save the identity hint as a C string. */
1255 if (!CBS_strdup(&psk_identity_hint, &s->session->psk_identity_hint))
1256 {
1257 al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1258 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1259 goto f_err;
1260 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1261 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1262
David Benjamin457112e2014-08-27 14:35:09 -0400[diff] [blame^]1263 if (alg_k & SSL_kRSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1264 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1265 CBS rsa_modulus, rsa_exponent;
1266
1267 /* TODO(davidben): This was originally for export
1268 * reasons. Do we still need to support it? */
1269
1270 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) ||
1271 CBS_len(&rsa_modulus) == 0 ||
1272 !CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) ||
1273 CBS_len(&rsa_exponent) == 0)
1274 {
1275 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1276 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1277 goto f_err;
1278 }
1279
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1280 if ((rsa=RSA_new()) == NULL)
1281 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1282 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1283 goto err;
1284 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1285
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1286 if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus),
1287 CBS_len(&rsa_modulus), rsa->n)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1288 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1289 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1290 goto err;
1291 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1292
1293 if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent),
1294 CBS_len(&rsa_exponent), rsa->e)))
1295 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1296 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1297 goto err;
1298 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1299
1300 /* this should be because we are using an export cipher */
1301 if (alg_a & SSL_aRSA)
1302 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1303 else
1304 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1305 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1306 goto err;
1307 }
1308 s->session->sess_cert->peer_rsa_tmp=rsa;
1309 rsa=NULL;
1310 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1311 else if (alg_k & SSL_kEDH)
1312 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1313 CBS dh_p, dh_g, dh_Ys;
1314
1315 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &dh_p) ||
1316 CBS_len(&dh_p) == 0 ||
1317 !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_g) ||
1318 CBS_len(&dh_g) == 0 ||
1319 !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_Ys) ||
1320 CBS_len(&dh_Ys) == 0)
1321 {
1322 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1323 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1324 goto f_err;
1325 }
1326
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1327 if ((dh=DH_new()) == NULL)
1328 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1329 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_DH_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1330 goto err;
1331 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1332
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1333 if (!(dh->p = BN_bin2bn(CBS_data(&dh_p), CBS_len(&dh_p), NULL)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1334 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1335 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1336 goto err;
1337 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1338 if (!(dh->g=BN_bin2bn(CBS_data(&dh_g), CBS_len(&dh_g), NULL)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1339 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1340 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1341 goto err;
1342 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1343 if (!(dh->pub_key = BN_bin2bn(CBS_data(&dh_Ys), CBS_len(&dh_Ys), NULL)))
1344 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1345 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1346 goto err;
1347 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1348
HÃ¥vard Molland16c623b2014-08-12 11:29:57 +0200[diff] [blame]1349 if (DH_size(dh) < 512/8)
1350 {
1351 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_DH_P_LENGTH);
1352 goto err;
1353 }
1354
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1355 if (alg_a & SSL_aRSA)
1356 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1357 /* else anonymous DH, so no certificate or pkey. */
1358
1359 s->session->sess_cert->peer_dh_tmp=dh;
1360 dh=NULL;
1361 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1362
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1363 else if (alg_k & SSL_kEECDH)
1364 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1365 uint16_t curve_id;
1366 int curve_nid = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1367 EC_GROUP *ngroup;
1368 const EC_GROUP *group;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1369 CBS point;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1370
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1371 /* Extract elliptic curve parameters and the server's
1372 * ephemeral ECDH public key. Check curve is one of
1373 * our preferences, if not server has sent an invalid
1374 * curve.
1375 */
1376 if (!tls1_check_curve(s, &server_key_exchange, &curve_id))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1377 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1378 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1379 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_WRONG_CURVE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1380 goto f_err;
1381 }
1382
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1383 if ((curve_nid = tls1_ec_curve_id2nid(curve_id)) == 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1384 {
1385 al=SSL_AD_INTERNAL_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1386 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1387 goto f_err;
1388 }
1389
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1390 if ((ecdh=EC_KEY_new()) == NULL)
1391 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1392 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1393 goto err;
1394 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1395 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1396 if (ngroup == NULL)
1397 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1398 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1399 goto err;
1400 }
1401 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1402 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1403 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1404 goto err;
1405 }
1406 EC_GROUP_free(ngroup);
1407
1408 group = EC_KEY_get0_group(ecdh);
1409
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1410 /* Next, get the encoded ECPoint */
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1411 if (!CBS_get_u8_length_prefixed(&server_key_exchange, &point))
1412 {
1413 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1414 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1415 goto f_err;
1416 }
1417
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1418 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1419 ((bn_ctx = BN_CTX_new()) == NULL))
1420 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1421 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1422 goto err;
1423 }
1424
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1425 if (!EC_POINT_oct2point(group, srvr_ecpoint,
1426 CBS_data(&point), CBS_len(&point), bn_ctx))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1427 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1428 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1429 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_ECPOINT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1430 goto f_err;
1431 }
1432
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1433 /* The ECC/TLS specification does not mention
1434 * the use of DSA to sign ECParameters in the server
1435 * key exchange message. We do support RSA and ECDSA.
1436 */
1437 if (0) ;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1438 else if (alg_a & SSL_aRSA)
1439 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1440 else if (alg_a & SSL_aECDSA)
1441 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1442 /* else anonymous ECDH, so no certificate or pkey. */
1443 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1444 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1445 ecdh=NULL;
1446 BN_CTX_free(bn_ctx);
1447 bn_ctx = NULL;
1448 EC_POINT_free(srvr_ecpoint);
1449 srvr_ecpoint = NULL;
1450 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1451
1452 else if (!(alg_k & SSL_kPSK))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1453 {
1454 al=SSL_AD_UNEXPECTED_MESSAGE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1455 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1456 goto f_err;
1457 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1458
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1459 /* At this point, |server_key_exchange| contains the
1460 * signature, if any, while |server_key_exchange_orig|
1461 * contains the entire message. From that, derive a CBS
1462 * containing just the parameter. */
1463 CBS_init(&parameter, CBS_data(&server_key_exchange_orig),
1464 CBS_len(&server_key_exchange_orig) -
1465 CBS_len(&server_key_exchange));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1466
1467 /* if it was signed, check the signature */
1468 if (pkey != NULL)
1469 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1470 CBS signature;
1471
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1472 if (SSL_USE_SIGALGS(s))
1473 {
David Benjamin05da6e12014-07-12 20:42:55 -0400[diff] [blame]1474 if (!tls12_check_peer_sigalg(&md, &al, s, &server_key_exchange, pkey))
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1475 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1476 }
1477 else
1478 md = EVP_sha1();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1479
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1480 /* The last field in |server_key_exchange| is the
1481 * signature. */
1482 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
1483 CBS_len(&server_key_exchange) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1484 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1485 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1486 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1487 goto f_err;
1488 }
1489
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1490 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
1491 {
1492 int num;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1493 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1494 size_t md_len = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1495
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1496 q=md_buf;
1497 for (num=2; num > 0; num--)
1498 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1499 unsigned int digest_len;
David Benjamine7127782014-08-18 23:15:29 -0400[diff] [blame]1500 EVP_DigestInit_ex(&md_ctx,
1501 (num == 2) ? EVP_md5() : EVP_sha1(), NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1502 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1503 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1504 EVP_DigestUpdate(&md_ctx, CBS_data(&parameter), CBS_len(&parameter));
1505 EVP_DigestFinal_ex(&md_ctx, q, &digest_len);
1506 q += digest_len;
1507 md_len += digest_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1508 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1509 if (!RSA_verify(NID_md5_sha1, md_buf, md_len,
1510 CBS_data(&signature), CBS_len(&signature),
1511 pkey->pkey.rsa))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1512 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1513 al = SSL_AD_DECRYPT_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1514 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_SIGNATURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1515 goto f_err;
1516 }
1517 }
1518 else
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1519 {
1520 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1521 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1522 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1523 EVP_VerifyUpdate(&md_ctx, CBS_data(&parameter), CBS_len(&parameter));
1524 if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature), CBS_len(&signature), pkey) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1525 {
1526 /* bad signature */
1527 al=SSL_AD_DECRYPT_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1528 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_SIGNATURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1529 goto f_err;
1530 }
1531 }
1532 }
1533 else
1534 {
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]1535 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1536 {
1537 /* Might be wrong key type, check it */
1538 if (ssl3_check_cert_and_algorithm(s))
1539 /* Otherwise this shouldn't happen */
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1540 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1541 goto err;
1542 }
1543 /* still data left over */
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1544 if (CBS_len(&server_key_exchange) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1545 {
1546 al=SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1547 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_EXTRA_DATA_IN_MESSAGE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1548 goto f_err;
1549 }
1550 }
1551 EVP_PKEY_free(pkey);
1552 EVP_MD_CTX_cleanup(&md_ctx);
1553 return(1);
1554f_err:
1555 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1556err:
1557 EVP_PKEY_free(pkey);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1558 if (rsa != NULL)
1559 RSA_free(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1560 if (dh != NULL)
1561 DH_free(dh);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1562 BN_CTX_free(bn_ctx);
1563 EC_POINT_free(srvr_ecpoint);
1564 if (ecdh != NULL)
1565 EC_KEY_free(ecdh);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1566 EVP_MD_CTX_cleanup(&md_ctx);
1567 return(-1);
1568 }
1569
1570static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b)
1571 {
1572 return(X509_NAME_cmp(*a,*b));
1573 }
1574
1575int ssl3_get_certificate_request(SSL *s)
1576 {
1577 int ok,ret=0;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1578 unsigned long n;
1579 unsigned int i;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1580 X509_NAME *xn=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1581 STACK_OF(X509_NAME) *ca_sk=NULL;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1582 CBS cbs;
1583 CBS certificate_types;
1584 CBS certificate_authorities;
1585 const uint8_t *data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1586
1587 n=s->method->ssl_get_message(s,
1588 SSL3_ST_CR_CERT_REQ_A,
1589 SSL3_ST_CR_CERT_REQ_B,
1590 -1,
1591 s->max_cert_list,
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1592 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1593 &ok);
1594
1595 if (!ok) return((int)n);
1596
1597 s->s3->tmp.cert_req=0;
1598
1599 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1600 {
1601 s->s3->tmp.reuse_message=1;
1602 /* If we get here we don't need any cached handshake records
1603 * as we wont be doing client auth.
1604 */
1605 if (s->s3->handshake_buffer)
1606 {
1607 if (!ssl3_digest_cached_records(s))
1608 goto err;
1609 }
1610 return(1);
1611 }
1612
1613 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1614 {
1615 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1616 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_WRONG_MESSAGE_TYPE);
1617 goto err;
1618 }
1619
1620 /* TLS does not like anon-DH with client cert */
1621 if (s->version > SSL3_VERSION)
1622 {
1623 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1624 {
1625 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1626 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1627 goto err;
1628 }
1629 }
1630
David Benjamin51b1f742014-07-12 16:31:12 -0400[diff] [blame]1631 CBS_init(&cbs, s->init_msg, n);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1632
1633 ca_sk = sk_X509_NAME_new(ca_dn_cmp);
1634 if (ca_sk == NULL)
1635 {
1636 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1637 goto err;
1638 }
1639
1640 /* get the certificate types */
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1641 if (!CBS_get_u8_length_prefixed(&cbs, &certificate_types))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1642 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1643 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1644 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
1645 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1646 }
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]1647 if (!CBS_stow(&certificate_types,
1648 &s->s3->tmp.certificate_types,
1649 &s->s3->tmp.num_certificate_types))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1650 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1651 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1652 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1653 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1654 if (SSL_USE_SIGALGS(s))
1655 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1656 CBS supported_signature_algorithms;
1657 if (!CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1658 {
1659 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1660 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1661 goto err;
1662 }
1663 /* Clear certificate digests and validity flags */
1664 for (i = 0; i < SSL_PKEY_NUM; i++)
1665 {
1666 s->cert->pkeys[i].digest = NULL;
1667 s->cert->pkeys[i].valid_flags = 0;
1668 }
David Benjamincd996942014-07-20 16:23:51 -0400[diff] [blame]1669 if (!tls1_process_sigalgs(s, &supported_signature_algorithms))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1670 {
1671 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1672 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1673 goto err;
1674 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1675 }
1676
1677 /* get the CA RDNs */
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1678 if (!CBS_get_u16_length_prefixed(&cbs, &certificate_authorities))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1679 {
1680 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1681 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_LENGTH_MISMATCH);
1682 goto err;
1683 }
1684
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1685 while (CBS_len(&certificate_authorities) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1686 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1687 CBS distinguished_name;
1688 if (!CBS_get_u16_length_prefixed(&certificate_authorities, &distinguished_name))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1689 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1690 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1691 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_TOO_LONG);
1692 goto err;
1693 }
1694
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1695 data = CBS_data(&distinguished_name);
1696 if ((xn=d2i_X509_NAME(NULL, &data, CBS_len(&distinguished_name))) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1697 {
Alex Chernyakhovsky9c890d42014-07-05 00:53:11 -0400[diff] [blame]1698 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1699 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_ASN1_LIB);
1700 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1701 }
1702
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]1703 if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name)))
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1704 {
1705 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1706 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
1707 goto err;
1708 }
1709 if (CBS_len(&distinguished_name) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1710 {
1711 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1712 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_LENGTH_MISMATCH);
1713 goto err;
1714 }
1715 if (!sk_X509_NAME_push(ca_sk,xn))
1716 {
1717 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1718 goto err;
1719 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1720 }
1721
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1722 /* we should setup a certificate to return.... */
1723 s->s3->tmp.cert_req=1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1724 if (s->s3->tmp.ca_names != NULL)
1725 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1726 s->s3->tmp.ca_names=ca_sk;
1727 ca_sk=NULL;
1728
1729 ret=1;
1730err:
1731 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1732 return(ret);
1733 }
1734
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1735int ssl3_get_new_session_ticket(SSL *s)
1736 {
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1737 int ok,al,ret=0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1738 long n;
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1739 CBS new_session_ticket, ticket;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1740
1741 n=s->method->ssl_get_message(s,
1742 SSL3_ST_CR_SESSION_TICKET_A,
1743 SSL3_ST_CR_SESSION_TICKET_B,
David Benjamin64442872014-07-21 17:43:45 -0400[diff] [blame]1744 SSL3_MT_NEWSESSION_TICKET,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1745 16384,
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1746 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1747 &ok);
1748
1749 if (!ok)
1750 return((int)n);
1751
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1752 CBS_init(&new_session_ticket, s->init_msg, n);
1753
1754 if (!CBS_get_u32(&new_session_ticket, &s->session->tlsext_tick_lifetime_hint) ||
1755 !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
1756 CBS_len(&new_session_ticket) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1757 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1758 al = SSL_AD_DECODE_ERROR;
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1759 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1760 goto f_err;
1761 }
1762
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1763 if (!CBS_stow(&ticket, &s->session->tlsext_tick, &s->session->tlsext_ticklen))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1764 {
1765 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
1766 goto err;
1767 }
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1768
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1769 /* There are two ways to detect a resumed ticket sesion.
1770 * One is to set an appropriate session ID and then the server
1771 * must return a match in ServerHello. This allows the normal
1772 * client session ID matching to work and we know much
1773 * earlier that the ticket has been accepted.
1774 *
1775 * The other way is to set zero length session ID when the
1776 * ticket is presented and rely on the handshake to determine
1777 * session resumption.
1778 *
1779 * We choose the former approach because this fits in with
1780 * assumptions elsewhere in OpenSSL. The session ID is set
1781 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1782 * ticket.
1783 */
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1784 EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1785 s->session->session_id, &s->session->session_id_length,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1786 EVP_sha256(), NULL);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1787 ret=1;
1788 return(ret);
1789f_err:
1790 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1791err:
1792 return(-1);
1793 }
1794
1795int ssl3_get_cert_status(SSL *s)
1796 {
1797 int ok, al;
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1798 long n;
1799 CBS certificate_status, ocsp_response;
1800 uint8_t status_type;
1801 size_t resplen;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1802
1803 n=s->method->ssl_get_message(s,
1804 SSL3_ST_CR_CERT_STATUS_A,
1805 SSL3_ST_CR_CERT_STATUS_B,
1806 SSL3_MT_CERTIFICATE_STATUS,
1807 16384,
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1808 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1809 &ok);
1810
1811 if (!ok) return((int)n);
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1812
1813 CBS_init(&certificate_status, s->init_msg, n);
1814 if (!CBS_get_u8(&certificate_status, &status_type) ||
1815 status_type != TLSEXT_STATUSTYPE_ocsp ||
1816 !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
1817 CBS_len(&ocsp_response) == 0 ||
1818 CBS_len(&certificate_status) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1819 {
1820 al = SSL_AD_DECODE_ERROR;
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1821 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1822 goto f_err;
1823 }
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1824
1825 /* TODO(davidben): Make tlsext_ocsp_resplen a
1826 * size_t. Currently it uses -1 to signal no response. The
1827 * spec does not allow ocsp_response to be zero-length, so
1828 * using 0 should be fine. */
1829 if (!CBS_stow(&ocsp_response, &s->tlsext_ocsp_resp, &resplen))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1830 {
1831 al = SSL_AD_INTERNAL_ERROR;
1832 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
1833 goto f_err;
1834 }
1835 s->tlsext_ocsp_resplen = resplen;
1836 if (s->ctx->tlsext_status_cb)
1837 {
1838 int ret;
1839 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1840 if (ret == 0)
1841 {
1842 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1843 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_INVALID_STATUS_RESPONSE);
1844 goto f_err;
1845 }
1846 if (ret < 0)
1847 {
1848 al = SSL_AD_INTERNAL_ERROR;
1849 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
1850 goto f_err;
1851 }
1852 }
1853 return 1;
1854f_err:
1855 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1856 return(-1);
1857 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1858
1859int ssl3_get_server_done(SSL *s)
1860 {
1861 int ok,ret=0;
1862 long n;
1863
1864 n=s->method->ssl_get_message(s,
1865 SSL3_ST_CR_SRVR_DONE_A,
1866 SSL3_ST_CR_SRVR_DONE_B,
1867 SSL3_MT_SERVER_DONE,
1868 30, /* should be very small, like 0 :-) */
David Benjamin590cbe92014-08-25 21:34:56 -0400[diff] [blame]1869 SSL_GET_MESSAGE_HASH_MESSAGE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1870 &ok);
1871
1872 if (!ok) return((int)n);
1873 if (n > 0)
1874 {
1875 /* should contain no data */
1876 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1877 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_done, SSL_R_LENGTH_MISMATCH);
1878 return -1;
1879 }
1880 ret=1;
1881 return(ret);
1882 }
1883
1884
1885int ssl3_send_client_key_exchange(SSL *s)
1886 {
1887 unsigned char *p;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1888 int n = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1889 unsigned long alg_k;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1890 unsigned long alg_a;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1891 unsigned char *q;
1892 EVP_PKEY *pkey=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1893 EC_KEY *clnt_ecdh = NULL;
1894 const EC_POINT *srvr_ecpoint = NULL;
1895 EVP_PKEY *srvr_pub_pkey = NULL;
1896 unsigned char *encodedPoint = NULL;
1897 int encoded_pt_len = 0;
1898 BN_CTX * bn_ctx = NULL;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1899 unsigned int psk_len = 0;
1900 unsigned char psk[PSK_MAX_PSK_LEN];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1901
1902 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1903 {
1904 p = ssl_handshake_start(s);
1905
1906 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1907 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1908
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1909 if (alg_a & SSL_aPSK)
1910 {
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]1911 char identity[PSK_MAX_IDENTITY_LEN + 1];
1912 size_t identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1913 unsigned char *t = NULL;
1914 unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4];
1915 unsigned int pre_ms_len = 0;
1916 int psk_err = 1;
1917
1918 n = 0;
1919 if (s->psk_client_callback == NULL)
1920 {
1921 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_NO_CLIENT_CB);
1922 goto err;
1923 }
1924
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]1925 memset(identity, 0, sizeof(identity));
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1926 psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]1927 identity, sizeof(identity), psk, sizeof(psk));
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1928 if (psk_len > PSK_MAX_PSK_LEN)
1929 {
1930 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
1931 goto psk_err;
1932 }
1933 else if (psk_len == 0)
1934 {
1935 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_IDENTITY_NOT_FOUND);
1936 goto psk_err;
1937 }
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]1938 identity_len = OPENSSL_strnlen(identity, sizeof(identity));
1939 if (identity_len > PSK_MAX_IDENTITY_LEN)
1940 {
1941 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
1942 goto psk_err;
1943 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1944
1945 if (!(alg_k & SSL_kEECDH))
1946 {
David Benjamin14c83e72014-07-13 04:54:57 -0400[diff] [blame]1947 /* Create the shared secret now if we're not using ECDHE-PSK.
1948 * TODO(davidben): Refactor this logic similarly
1949 * to ssl3_get_client_key_exchange. */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1950 pre_ms_len = 2+psk_len+2+psk_len;
1951 t = pre_ms;
1952 s2n(psk_len, t);
1953 memset(t, 0, psk_len);
1954 t+=psk_len;
1955 s2n(psk_len, t);
1956 memcpy(t, psk, psk_len);
1957
1958 s->session->master_key_length =
1959 s->method->ssl3_enc->generate_master_secret(s,
1960 s->session->master_key,
1961 pre_ms, pre_ms_len);
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]1962 s2n(identity_len, p);
1963 memcpy(p, identity, identity_len);
1964 n = 2 + identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1965 }
1966
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1967 if (s->session->psk_identity != NULL)
1968 OPENSSL_free(s->session->psk_identity);
1969 s->session->psk_identity = BUF_strdup(identity);
1970 if (s->session->psk_identity == NULL)
1971 {
1972 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
1973 goto psk_err;
1974 }
1975 psk_err = 0;
1976 psk_err:
1977 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
1978 OPENSSL_cleanse(pre_ms, sizeof(pre_ms));
1979 if (psk_err != 0)
1980 {
1981 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1982 goto err;
1983 }
1984 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1985
David Benjamin457112e2014-08-27 14:35:09 -0400[diff] [blame^]1986 if (alg_k & SSL_kRSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1987 {
1988 RSA *rsa;
1989 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1990
Emilia Käsperc3d79602014-07-24 22:15:29 +0200[diff] [blame]1991 if (s->session->sess_cert == NULL)
1992 {
1993 /* We should always have a server certificate with SSL_kRSA. */
1994 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
1995 goto err;
1996 }
1997
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1998 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1999 rsa=s->session->sess_cert->peer_rsa_tmp;
2000 else
2001 {
2002 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2003 if ((pkey == NULL) ||
2004 (pkey->type != EVP_PKEY_RSA) ||
2005 (pkey->pkey.rsa == NULL))
2006 {
2007 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2008 goto err;
2009 }
2010 rsa=pkey->pkey.rsa;
2011 EVP_PKEY_free(pkey);
2012 }
2013
2014 tmp_buf[0]=s->client_version>>8;
2015 tmp_buf[1]=s->client_version&0xff;
2016 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2017 goto err;
2018
2019 s->session->master_key_length=sizeof tmp_buf;
2020
2021 q=p;
2022 /* Fix buf for TLS and beyond */
2023 if (s->version > SSL3_VERSION)
2024 p+=2;
2025 n=RSA_public_encrypt(sizeof tmp_buf,
2026 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2027 if (n <= 0)
2028 {
2029 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_RSA_ENCRYPT);
2030 goto err;
2031 }
2032
2033 /* Fix buf for TLS and beyond */
2034 if (s->version > SSL3_VERSION)
2035 {
2036 s2n(n,q);
2037 n+=2;
2038 }
2039
2040 s->session->master_key_length=
2041 s->method->ssl3_enc->generate_master_secret(s,
2042 s->session->master_key,
2043 tmp_buf,sizeof tmp_buf);
2044 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2045 }
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2046 else if (alg_k & SSL_kEDH)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2047 {
2048 DH *dh_srvr,*dh_clnt;
2049 SESS_CERT *scert = s->session->sess_cert;
2050
2051 if (scert == NULL)
2052 {
2053 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2054 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2055 goto err;
2056 }
2057
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2058 if (scert->peer_dh_tmp == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2059 {
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2060 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2061 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2062 }
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2063 dh_srvr=scert->peer_dh_tmp;
2064
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2065 /* generate a new random key */
2066 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2067 {
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2068 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2069 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2070 }
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2071 if (!DH_generate_key(dh_clnt))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2072 {
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2073 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2074 DH_free(dh_clnt);
2075 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2076 }
2077
2078 /* use the 'p' output buffer for the DH key, but
2079 * make sure to clear it out afterwards */
2080
2081 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2082 if (n <= 0)
2083 {
2084 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2085 DH_free(dh_clnt);
2086 goto err;
2087 }
2088
2089 /* generate master key from the result */
2090 s->session->master_key_length=
2091 s->method->ssl3_enc->generate_master_secret(s,
2092 s->session->master_key,p,n);
2093 /* clean up */
2094 memset(p,0,n);
2095
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2096 /* send off the data */
2097 n=BN_num_bytes(dh_clnt->pub_key);
2098 s2n(n,p);
2099 BN_bn2bin(dh_clnt->pub_key,p);
2100 n+=2;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2101
2102 DH_free(dh_clnt);
2103
2104 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2105 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2106
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2107 else if (alg_k & SSL_kEECDH)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2108 {
2109 const EC_GROUP *srvr_group = NULL;
2110 EC_KEY *tkey;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2111 int field_size = 0;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2112 unsigned char *pre_ms;
2113 unsigned char *t;
2114 unsigned int pre_ms_len;
2115 unsigned int i;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2116
Adam Langleyd06eddd2014-06-20 12:00:00 -0700[diff] [blame]2117 if (s->session->sess_cert == NULL)
2118 {
2119 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2120 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2121 goto err;
2122 }
2123
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2124 if (s->session->sess_cert->peer_ecdh_tmp == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2125 {
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2126 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2127 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2128 }
David Benjamin0da0e182014-08-19 16:20:28 -0400[diff] [blame]2129 tkey = s->session->sess_cert->peer_ecdh_tmp;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2130
2131 srvr_group = EC_KEY_get0_group(tkey);
2132 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2133
2134 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2135 {
2136 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2137 goto err;
2138 }
2139
2140 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2141 {
2142 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2143 goto err;
2144 }
2145
2146 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2147 {
2148 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2149 goto err;
2150 }
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2151 /* Generate a new ECDH key pair */
2152 if (!(EC_KEY_generate_key(clnt_ecdh)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2153 {
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2154 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2155 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2156 }
2157
2158 /* use the 'p' output buffer for the ECDH key, but
2159 * make sure to clear it out afterwards
2160 */
2161
2162 field_size = EC_GROUP_get_degree(srvr_group);
2163 if (field_size <= 0)
2164 {
2165 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2166 goto err;
2167 }
2168 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2169 if (n <= 0)
2170 {
2171 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2172 goto err;
2173 }
2174
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2175 /* ECDHE PSK ciphersuites from RFC 5489 */
2176 if ((alg_a & SSL_aPSK) && psk_len != 0)
2177 {
2178 pre_ms_len = 2+psk_len+2+n;
2179 pre_ms = OPENSSL_malloc(pre_ms_len);
2180 if (pre_ms == NULL)
2181 {
2182 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2183 goto err;
2184 }
2185 memset(pre_ms, 0, pre_ms_len);
2186 t = pre_ms;
2187 s2n(psk_len, t);
2188 memcpy(t, psk, psk_len);
2189 t += psk_len;
2190 s2n(n, t);
2191 memcpy(t, p, n);
2192 s->session->master_key_length = s->method->ssl3_enc \
2193 -> generate_master_secret(s,
2194 s->session->master_key, pre_ms, pre_ms_len);
2195 OPENSSL_cleanse(pre_ms, pre_ms_len);
2196 OPENSSL_free(pre_ms);
2197 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2198 if (!(alg_a & SSL_aPSK))
2199 {
2200 /* generate master key from the result */
2201 s->session->master_key_length = s->method->ssl3_enc \
2202 -> generate_master_secret(s,
2203 s->session->master_key, p, n);
2204 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2205 memset(p, 0, n); /* clean up */
2206
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2207 /* First check the size of encoding and
2208 * allocate memory accordingly.
2209 */
2210 encoded_pt_len =
2211 EC_POINT_point2oct(srvr_group,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2212 EC_KEY_get0_public_key(clnt_ecdh),
2213 POINT_CONVERSION_UNCOMPRESSED,
2214 NULL, 0, NULL);
2215
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2216 encodedPoint = (unsigned char *)
2217 OPENSSL_malloc(encoded_pt_len *
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2218 sizeof(unsigned char));
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2219 bn_ctx = BN_CTX_new();
2220 if ((encodedPoint == NULL) ||
2221 (bn_ctx == NULL))
2222 {
2223 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2224 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2225 }
2226
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2227 /* Encode the public key */
2228 encoded_pt_len = EC_POINT_point2oct(srvr_group,
2229 EC_KEY_get0_public_key(clnt_ecdh),
2230 POINT_CONVERSION_UNCOMPRESSED,
2231 encodedPoint, encoded_pt_len, bn_ctx);
2232
2233 n = 0;
2234 if ((alg_a & SSL_aPSK) && psk_len != 0)
2235 {
2236 i = strlen(s->session->psk_identity);
2237 s2n(i, p);
2238 memcpy(p, s->session->psk_identity, i);
2239 p += i;
2240 n = i + 2;
2241 }
2242
2243 *p = encoded_pt_len; /* length of encoded point */
2244 /* Encoded point will be copied here */
2245 p += 1;
2246 n += 1;
2247 /* copy the point */
2248 memcpy((unsigned char *)p, encodedPoint, encoded_pt_len);
2249 /* increment n to account for length field */
2250 n += encoded_pt_len;
2251
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2252 /* Free allocated memory */
2253 BN_CTX_free(bn_ctx);
2254 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2255 if (clnt_ecdh != NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2256 EC_KEY_free(clnt_ecdh);
2257 EVP_PKEY_free(srvr_pub_pkey);
2258 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2259 else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2260 {
2261 ssl3_send_alert(s, SSL3_AL_FATAL,
2262 SSL_AD_HANDSHAKE_FAILURE);
2263 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2264 goto err;
2265 }
2266
2267 ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
2268 s->state=SSL3_ST_CW_KEY_EXCH_B;
2269 }
2270
2271 /* SSL3_ST_CW_KEY_EXCH_B */
2272 return ssl_do_write(s);
2273err:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2274 BN_CTX_free(bn_ctx);
2275 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2276 if (clnt_ecdh != NULL)
2277 EC_KEY_free(clnt_ecdh);
2278 EVP_PKEY_free(srvr_pub_pkey);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2279 return(-1);
2280 }
2281
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]2282int ssl3_send_cert_verify(SSL *s)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2283 {
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2284 unsigned char *buf, *p;
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2285 const EVP_MD *md = NULL;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2286 uint8_t digest[EVP_MAX_MD_SIZE];
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2287 size_t digest_length;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2288 EVP_PKEY *pkey;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2289 EVP_PKEY_CTX *pctx = NULL;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2290 size_t signature_length = 0;
2291 unsigned long n = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2292
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2293 buf=(unsigned char *)s->init_buf->data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2294
2295 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2296 {
2297 p= ssl_handshake_start(s);
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2298 pkey = s->cert->key->privatekey;
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2299
2300 /* Write out the digest type if needbe. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2301 if (SSL_USE_SIGALGS(s))
2302 {
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2303 md = s->cert->key->digest;
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2304 if (!tls12_get_sigandhash(p, pkey, md))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2305 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]2306 OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2307 goto err;
2308 }
2309 p += 2;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2310 n += 2;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2311 }
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2312
2313 /* Compute the digest. */
2314 if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2315 goto err;
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2316
2317 /* The handshake buffer is no longer necessary. */
2318 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s))
2319 goto err;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2320
2321 /* Sign the digest. */
2322 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2323 if (pctx == NULL)
2324 goto err;
2325
2326 /* Initialize the EVP_PKEY_CTX and determine the size of the signature. */
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2327 if (!EVP_PKEY_sign_init(pctx) ||
2328 !EVP_PKEY_CTX_set_signature_md(pctx, md) ||
2329 !EVP_PKEY_sign(pctx, NULL, &signature_length,
2330 digest, digest_length))
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2331 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]2332 OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_EVP_LIB);
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2333 goto err;
2334 }
2335
2336 if (p + 2 + signature_length > buf + SSL3_RT_MAX_PLAIN_LENGTH)
2337 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]2338 OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, SSL_R_DATA_LENGTH_TOO_LONG);
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2339 goto err;
2340 }
2341
David Benjamin854dd652014-08-26 00:32:30 -0400[diff] [blame]2342 if (!EVP_PKEY_sign(pctx, &p[2], &signature_length,
2343 digest, digest_length))
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2344 {
David Benjamin8da99062014-08-24 12:03:09 -0400[diff] [blame]2345 OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_EVP_LIB);
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2346 goto err;
2347 }
2348
2349 s2n(signature_length, p);
2350 n += signature_length + 2;
2351
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2352 ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
2353 s->state=SSL3_ST_CW_CERT_VRFY_B;
2354 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2355 EVP_PKEY_CTX_free(pctx);
2356 return ssl_do_write(s);
2357err:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2358 EVP_PKEY_CTX_free(pctx);
2359 return(-1);
2360 }
2361
2362/* Check a certificate can be used for client authentication. Currently
David Benjaminbd30f8e2014-08-19 16:02:38 -0400[diff] [blame]2363 * check the cert exists and if we have a suitable digest for TLS 1.2.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2364 */
2365static int ssl3_check_client_certificate(SSL *s)
2366 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2367 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2368 return 0;
2369 /* If no suitable signature algorithm can't use certificate */
2370 if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
2371 return 0;
2372 /* If strict mode check suitability of chain before using it.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2373 */
2374 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2375 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2376 return 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2377 return 1;
2378 }
2379
2380int ssl3_send_client_certificate(SSL *s)
2381 {
2382 X509 *x509=NULL;
2383 EVP_PKEY *pkey=NULL;
2384 int i;
2385
2386 if (s->state == SSL3_ST_CW_CERT_A)
2387 {
2388 /* Let cert callback update client certificates if required */
2389 if (s->cert->cert_cb)
2390 {
2391 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2392 if (i < 0)
2393 {
2394 s->rwstate=SSL_X509_LOOKUP;
2395 return -1;
2396 }
2397 if (i == 0)
2398 {
2399 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
2400 return 0;
2401 }
2402 s->rwstate=SSL_NOTHING;
2403 }
2404 if (ssl3_check_client_certificate(s))
2405 s->state=SSL3_ST_CW_CERT_C;
2406 else
2407 s->state=SSL3_ST_CW_CERT_B;
2408 }
2409
2410 /* We need to get a client cert */
2411 if (s->state == SSL3_ST_CW_CERT_B)
2412 {
2413 /* If we get an error, we need to
2414 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
David Benjamin7bbeead2014-07-25 03:56:20 -0400[diff] [blame]2415 * We then get retried later */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2416 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2417 if (i < 0)
2418 {
2419 s->rwstate=SSL_X509_LOOKUP;
2420 return(-1);
2421 }
2422 s->rwstate=SSL_NOTHING;
2423 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2424 {
2425 s->state=SSL3_ST_CW_CERT_B;
2426 if ( !SSL_use_certificate(s,x509) ||
2427 !SSL_use_PrivateKey(s,pkey))
2428 i=0;
2429 }
2430 else if (i == 1)
2431 {
2432 i=0;
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2433 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_certificate, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2434 }
2435
2436 if (x509 != NULL) X509_free(x509);
2437 if (pkey != NULL) EVP_PKEY_free(pkey);
2438 if (i && !ssl3_check_client_certificate(s))
2439 i = 0;
2440 if (i == 0)
2441 {
2442 if (s->version == SSL3_VERSION)
2443 {
2444 s->s3->tmp.cert_req=0;
2445 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2446 return(1);
2447 }
2448 else
2449 {
2450 s->s3->tmp.cert_req=2;
2451 }
2452 }
2453
2454 /* Ok, we have a cert */
2455 s->state=SSL3_ST_CW_CERT_C;
2456 }
2457
2458 if (s->state == SSL3_ST_CW_CERT_C)
2459 {
2460 s->state=SSL3_ST_CW_CERT_D;
2461 ssl3_output_cert_chain(s,
2462 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
2463 }
2464 /* SSL3_ST_CW_CERT_D */
2465 return ssl_do_write(s);
2466 }
2467
2468#define has_bits(i,m) (((i)&(m)) == (m))
2469
2470int ssl3_check_cert_and_algorithm(SSL *s)
2471 {
2472 int i,idx;
2473 long alg_k,alg_a;
2474 EVP_PKEY *pkey=NULL;
2475 SESS_CERT *sc;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2476 RSA *rsa;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2477 DH *dh;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2478
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]2479 /* we don't have a certificate */
2480 if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
2481 return 1;
2482
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2483 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2484 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2485
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2486 sc=s->session->sess_cert;
2487 if (sc == NULL)
2488 {
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2489 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2490 goto err;
2491 }
2492
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2493 rsa=s->session->sess_cert->peer_rsa_tmp;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2494 dh=s->session->sess_cert->peer_dh_tmp;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2495
2496 /* This is the passed certificate */
2497
2498 idx=sc->peer_cert_type;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2499 if (idx == SSL_PKEY_ECC)
2500 {
2501 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2502 s) == 0)
2503 { /* check failed */
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2504 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_BAD_ECC_CERT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2505 goto f_err;
2506 }
2507 else
2508 {
2509 return 1;
2510 }
2511 }
2512 else if (alg_a & SSL_aECDSA)
2513 {
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2514 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_ECDSA_SIGNING_CERT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2515 goto f_err;
2516 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2517 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2518 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2519 EVP_PKEY_free(pkey);
2520
2521
2522 /* Check that we have a certificate if we require one */
2523 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2524 {
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2525 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_SIGNING_CERT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2526 goto f_err;
2527 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2528 if ((alg_k & SSL_kRSA) &&
2529 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2530 {
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2531 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2532 goto f_err;
2533 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2534 if ((alg_k & SSL_kEDH) &&
2535 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2536 {
HÃ¥vard Molland90974e72014-08-11 15:50:54 +0200[diff] [blame]2537 OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2538 goto f_err;
2539 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2540
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2541 return(1);
2542f_err:
2543 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2544err:
2545 return(0);
2546 }
2547
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2548int ssl3_send_next_proto(SSL *s)
2549 {
2550 unsigned int len, padding_len;
2551 unsigned char *d;
2552
2553 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
2554 {
2555 len = s->next_proto_negotiated_len;
2556 padding_len = 32 - ((len + 2) % 32);
2557 d = (unsigned char *)s->init_buf->data;
2558 d[4] = len;
2559 memcpy(d + 5, s->next_proto_negotiated, len);
2560 d[5 + len] = padding_len;
2561 memset(d + 6 + len, 0, padding_len);
2562 *(d++)=SSL3_MT_NEXT_PROTO;
2563 l2n3(2 + len + padding_len, d);
2564 s->state = SSL3_ST_CW_NEXT_PROTO_B;
2565 s->init_num = 4 + 2 + len + padding_len;
2566 s->init_off = 0;
2567 }
2568
2569 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
2570}
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2571
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2572
2573int ssl3_send_channel_id(SSL *s)
2574 {
2575 unsigned char *d;
2576 int ret = -1, public_key_len;
2577 EVP_MD_CTX md_ctx;
2578 size_t sig_len;
2579 ECDSA_SIG *sig = NULL;
2580 unsigned char *public_key = NULL, *derp, *der_sig = NULL;
2581
2582 if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
2583 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
2584
2585 if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb)
2586 {
2587 EVP_PKEY *key = NULL;
2588 s->ctx->channel_id_cb(s, &key);
2589 if (key != NULL)
2590 {
2591 s->tlsext_channel_id_private = key;
2592 }
2593 }
2594 if (!s->tlsext_channel_id_private)
2595 {
2596 s->rwstate=SSL_CHANNEL_ID_LOOKUP;
2597 return (-1);
2598 }
2599 s->rwstate=SSL_NOTHING;
2600
2601 d = (unsigned char *)s->init_buf->data;
2602 *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
2603 l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
2604 if (s->s3->tlsext_channel_id_new)
2605 s2n(TLSEXT_TYPE_channel_id_new, d);
2606 else
2607 s2n(TLSEXT_TYPE_channel_id, d);
2608 s2n(TLSEXT_CHANNEL_ID_SIZE, d);
2609
2610 EVP_MD_CTX_init(&md_ctx);
2611
2612 public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
2613 if (public_key_len <= 0)
2614 {
2615 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
2616 goto err;
2617 }
2618 /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a
2619 * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
2620 * field elements as 32-byte, big-endian numbers. */
2621 if (public_key_len != 65)
2622 {
2623 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
2624 goto err;
2625 }
2626 public_key = OPENSSL_malloc(public_key_len);
2627 if (!public_key)
2628 {
2629 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2630 goto err;
2631 }
2632
2633 derp = public_key;
2634 i2d_PublicKey(s->tlsext_channel_id_private, &derp);
2635
2636 if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
2637 s->tlsext_channel_id_private) != 1)
2638 {
2639 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNINIT_FAILED);
2640 goto err;
2641 }
2642
2643 if (!tls1_channel_id_hash(&md_ctx, s))
2644 goto err;
2645
2646 if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len))
2647 {
2648 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2649 goto err;
2650 }
2651
2652 der_sig = OPENSSL_malloc(sig_len);
2653 if (!der_sig)
2654 {
2655 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2656 goto err;
2657 }
2658
2659 if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len))
2660 {
2661 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2662 goto err;
2663 }
2664
2665 derp = der_sig;
2666 sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len);
2667 if (sig == NULL)
2668 {
2669 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_D2I_ECDSA_SIG);
2670 goto err;
2671 }
2672
2673 /* The first byte of public_key will be 0x4, denoting an uncompressed key. */
2674 memcpy(d, public_key + 1, 64);
2675 d += 64;
2676 memset(d, 0, 2 * 32);
2677 BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r));
2678 d += 32;
2679 BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s));
2680 d += 32;
2681
2682 s->state = SSL3_ST_CW_CHANNEL_ID_B;
2683 s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE;
2684 s->init_off = 0;
2685
2686 ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE);
2687
2688err:
2689 EVP_MD_CTX_cleanup(&md_ctx);
2690 if (public_key)
2691 OPENSSL_free(public_key);
2692 if (der_sig)
2693 OPENSSL_free(der_sig);
2694 if (sig)
2695 ECDSA_SIG_free(sig);
2696
2697 return ret;
2698 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2699
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2700int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2701 {
2702 int i = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2703 if (s->ctx->client_cert_cb)
2704 i = s->ctx->client_cert_cb(s,px509,ppkey);
2705 return i;
2706 }