blob: eb6745df0351802f561c50651386610d4e530a6e [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 *
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115 *
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
118 *
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121 *
122 */
123/* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
125 *
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128 * license.
129 *
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
133 *
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
137 *
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
142 *
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147 * OTHERWISE. */
148
David Benjamin9e4e01e2015-09-15 01:48:04 -0400149#include <openssl/ssl.h>
150
David Benjamin880b14e2014-08-25 22:35:07 -0400151#include <assert.h>
David Benjamin22f9bcc2014-07-13 12:29:21 -0400152#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700153
154#include <openssl/bn.h>
155#include <openssl/buf.h>
David Benjamindc72ff72014-06-25 12:36:10 -0400156#include <openssl/bytestring.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700157#include <openssl/cipher.h>
158#include <openssl/dh.h>
Adam Langley1258b6a2014-06-20 12:00:00 -0700159#include <openssl/ec.h>
160#include <openssl/ecdsa.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400161#include <openssl/err.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700162#include <openssl/evp.h>
163#include <openssl/hmac.h>
164#include <openssl/md5.h>
165#include <openssl/mem.h>
David Benjamin98193672016-03-25 18:07:11 -0400166#include <openssl/nid.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700167#include <openssl/rand.h>
168#include <openssl/x509.h>
169
David Benjamin2ee94aa2015-04-07 22:38:30 -0400170#include "internal.h"
Adam Langleyaf6e45b2014-11-03 19:34:49 -0800171#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700172
Adam Langleyfcf25832014-12-18 17:42:32 -0800173
David Benjamin59bae5a2017-02-02 23:51:22 -0500174static int ssl3_process_client_hello(SSL_HANDSHAKE *hs);
175static int ssl3_select_certificate(SSL_HANDSHAKE *hs);
176static int ssl3_select_parameters(SSL_HANDSHAKE *hs);
David Benjaminc3c88822016-11-14 10:32:04 +0900177static int ssl3_send_server_hello(SSL_HANDSHAKE *hs);
178static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs);
179static int ssl3_send_certificate_status(SSL_HANDSHAKE *hs);
180static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs);
181static int ssl3_send_certificate_request(SSL_HANDSHAKE *hs);
182static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs);
183static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs);
184static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs);
185static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs);
186static int ssl3_get_next_proto(SSL_HANDSHAKE *hs);
187static int ssl3_get_channel_id(SSL_HANDSHAKE *hs);
188static int ssl3_send_new_session_ticket(SSL_HANDSHAKE *hs);
David Benjamindf50eec2016-06-07 16:49:42 -0400189
Steven Valdez258508f2017-01-25 15:47:49 -0500190static struct CRYPTO_STATIC_MUTEX g_v2clienthello_lock =
191 CRYPTO_STATIC_MUTEX_INIT;
192static uint64_t g_v2clienthello_count = 0;
193
194uint64_t SSL_get_v2clienthello_count(void) {
195 CRYPTO_STATIC_MUTEX_lock_read(&g_v2clienthello_lock);
196 uint64_t ret = g_v2clienthello_count;
197 CRYPTO_STATIC_MUTEX_unlock_read(&g_v2clienthello_lock);
198 return ret;
199}
200
David Benjamince8c9d22016-11-14 10:45:16 +0900201int ssl3_accept(SSL_HANDSHAKE *hs) {
202 SSL *const ssl = hs->ssl;
David Benjamin3fa27772015-04-17 22:32:19 -0400203 uint32_t alg_a;
Adam Langleyfcf25832014-12-18 17:42:32 -0800204 int ret = -1;
David Benjamin4e9cc712016-06-01 20:16:03 -0400205 int state, skip = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700206
David Benjamin0d56f882015-12-19 17:05:56 -0500207 assert(ssl->handshake_func == ssl3_accept);
208 assert(ssl->server);
David Benjaminbeb47022014-11-30 02:58:52 -0500209
Adam Langleyfcf25832014-12-18 17:42:32 -0800210 for (;;) {
David Benjamincb0c29f2016-12-12 17:00:50 -0500211 state = hs->state;
Adam Langley95c29f32014-06-20 12:00:00 -0700212
David Benjamincb0c29f2016-12-12 17:00:50 -0500213 switch (hs->state) {
David Benjaminfc0c9d92016-09-01 01:33:33 -0400214 case SSL_ST_INIT:
David Benjamincb0c29f2016-12-12 17:00:50 -0500215 hs->state = SSL_ST_ACCEPT;
David Benjaminfc0c9d92016-09-01 01:33:33 -0400216 skip = 1;
217 break;
218
Adam Langleyfcf25832014-12-18 17:42:32 -0800219 case SSL_ST_ACCEPT:
David Benjamin4e9cc712016-06-01 20:16:03 -0400220 ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
Adam Langley95c29f32014-06-20 12:00:00 -0700221
David Benjamin0d56f882015-12-19 17:05:56 -0500222 if (!ssl3_init_handshake_buffer(ssl)) {
David Benjamin3570d732015-06-29 00:28:17 -0400223 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -0800224 ret = -1;
225 goto end;
226 }
David Benjamin4b755cb2014-12-12 03:58:07 -0500227
David Benjamincb0c29f2016-12-12 17:00:50 -0500228 hs->state = SSL3_ST_SR_CLNT_HELLO_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800229 break;
David Benjamin4b755cb2014-12-12 03:58:07 -0500230
Adam Langleyfcf25832014-12-18 17:42:32 -0800231 case SSL3_ST_SR_CLNT_HELLO_A:
David Benjamin59bae5a2017-02-02 23:51:22 -0500232 ret = ssl->method->ssl_get_message(ssl);
233 if (ret <= 0) {
234 goto end;
Steven Valdez143e8b32016-07-11 13:19:03 -0400235 }
David Benjamin59bae5a2017-02-02 23:51:22 -0500236 hs->state = SSL3_ST_SR_CLNT_HELLO_B;
237 break;
238
239 case SSL3_ST_SR_CLNT_HELLO_B:
240 ret = ssl3_process_client_hello(hs);
241 if (ret <= 0) {
242 goto end;
243 }
244 hs->state = SSL3_ST_SR_CLNT_HELLO_C;
245 break;
246
247 case SSL3_ST_SR_CLNT_HELLO_C:
248 ret = ssl3_select_certificate(hs);
249 if (ret <= 0) {
250 goto end;
251 }
252 if (hs->state != SSL_ST_TLS13) {
253 hs->state = SSL3_ST_SR_CLNT_HELLO_D;
254 }
255 break;
256
257 case SSL3_ST_SR_CLNT_HELLO_D:
258 ret = ssl3_select_parameters(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800259 if (ret <= 0) {
260 goto end;
261 }
David Benjamindf50eec2016-06-07 16:49:42 -0400262 ssl->method->received_flight(ssl);
David Benjamincb0c29f2016-12-12 17:00:50 -0500263 hs->state = SSL3_ST_SW_SRVR_HELLO_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800264 break;
David Benjamin4b755cb2014-12-12 03:58:07 -0500265
Adam Langleyfcf25832014-12-18 17:42:32 -0800266 case SSL3_ST_SW_SRVR_HELLO_A:
David Benjaminc3c88822016-11-14 10:32:04 +0900267 ret = ssl3_send_server_hello(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800268 if (ret <= 0) {
269 goto end;
270 }
Steven Valdez87eab492016-06-27 16:34:59 -0400271 if (ssl->session != NULL) {
David Benjamincb0c29f2016-12-12 17:00:50 -0500272 hs->state = SSL3_ST_SW_SESSION_TICKET_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800273 } else {
David Benjamincb0c29f2016-12-12 17:00:50 -0500274 hs->state = SSL3_ST_SW_CERT_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800275 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800276 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700277
Adam Langleyfcf25832014-12-18 17:42:32 -0800278 case SSL3_ST_SW_CERT_A:
David Benjamin3d458dc2016-09-12 22:40:27 +0000279 if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
David Benjaminc3c88822016-11-14 10:32:04 +0900280 ret = ssl3_send_server_certificate(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800281 if (ret <= 0) {
282 goto end;
283 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800284 } else {
285 skip = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800286 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500287 hs->state = SSL3_ST_SW_CERT_STATUS_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800288 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700289
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100290 case SSL3_ST_SW_CERT_STATUS_A:
David Benjamince8c9d22016-11-14 10:45:16 +0900291 if (hs->certificate_status_expected) {
David Benjaminc3c88822016-11-14 10:32:04 +0900292 ret = ssl3_send_certificate_status(hs);
David Benjamin47749a62016-06-13 13:56:33 -0400293 if (ret <= 0) {
294 goto end;
295 }
296 } else {
297 skip = 1;
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100298 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500299 hs->state = SSL3_ST_SW_KEY_EXCH_A;
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100300 break;
301
Adam Langleyfcf25832014-12-18 17:42:32 -0800302 case SSL3_ST_SW_KEY_EXCH_A:
303 case SSL3_ST_SW_KEY_EXCH_B:
David Benjamin0d56f882015-12-19 17:05:56 -0500304 alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
Adam Langley95c29f32014-06-20 12:00:00 -0700305
David Benjamindf50eec2016-06-07 16:49:42 -0400306 /* PSK ciphers send ServerKeyExchange if there is an identity hint. */
David Benjamin0d56f882015-12-19 17:05:56 -0500307 if (ssl_cipher_requires_server_key_exchange(ssl->s3->tmp.new_cipher) ||
308 ((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) {
David Benjaminc3c88822016-11-14 10:32:04 +0900309 ret = ssl3_send_server_key_exchange(hs);
David Benjamin6eb000d2015-02-11 01:17:41 -0500310 if (ret <= 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800311 goto end;
David Benjamin6eb000d2015-02-11 01:17:41 -0500312 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800313 } else {
314 skip = 1;
315 }
Adam Langley95c29f32014-06-20 12:00:00 -0700316
David Benjamincb0c29f2016-12-12 17:00:50 -0500317 hs->state = SSL3_ST_SW_CERT_REQ_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800318 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700319
Adam Langleyfcf25832014-12-18 17:42:32 -0800320 case SSL3_ST_SW_CERT_REQ_A:
David Benjamince8c9d22016-11-14 10:45:16 +0900321 if (hs->cert_request) {
David Benjaminc3c88822016-11-14 10:32:04 +0900322 ret = ssl3_send_certificate_request(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800323 if (ret <= 0) {
324 goto end;
325 }
David Benjamin5c1ce292015-05-26 16:59:43 -0400326 } else {
327 skip = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800328 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500329 hs->state = SSL3_ST_SW_SRVR_DONE_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800330 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700331
Adam Langleyfcf25832014-12-18 17:42:32 -0800332 case SSL3_ST_SW_SRVR_DONE_A:
David Benjaminc3c88822016-11-14 10:32:04 +0900333 ret = ssl3_send_server_hello_done(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800334 if (ret <= 0) {
335 goto end;
336 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500337 hs->next_state = SSL3_ST_SR_CERT_A;
338 hs->state = SSL3_ST_SW_FLUSH;
Adam Langleyfcf25832014-12-18 17:42:32 -0800339 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700340
Adam Langleyfcf25832014-12-18 17:42:32 -0800341 case SSL3_ST_SR_CERT_A:
David Benjamince8c9d22016-11-14 10:45:16 +0900342 if (hs->cert_request) {
David Benjaminc3c88822016-11-14 10:32:04 +0900343 ret = ssl3_get_client_certificate(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800344 if (ret <= 0) {
345 goto end;
346 }
347 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500348 hs->state = SSL3_ST_SR_KEY_EXCH_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800349 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700350
Adam Langleyfcf25832014-12-18 17:42:32 -0800351 case SSL3_ST_SR_KEY_EXCH_A:
352 case SSL3_ST_SR_KEY_EXCH_B:
David Benjaminc3c88822016-11-14 10:32:04 +0900353 ret = ssl3_get_client_key_exchange(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800354 if (ret <= 0) {
355 goto end;
356 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500357 hs->state = SSL3_ST_SR_CERT_VRFY_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800358 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700359
Adam Langleyfcf25832014-12-18 17:42:32 -0800360 case SSL3_ST_SR_CERT_VRFY_A:
David Benjaminc3c88822016-11-14 10:32:04 +0900361 ret = ssl3_get_cert_verify(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800362 if (ret <= 0) {
363 goto end;
364 }
Adam Langley95c29f32014-06-20 12:00:00 -0700365
David Benjamincb0c29f2016-12-12 17:00:50 -0500366 hs->state = SSL3_ST_SR_CHANGE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800367 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700368
David Benjamina41280d2015-11-26 02:16:49 -0500369 case SSL3_ST_SR_CHANGE:
David Benjaminf0ee9072016-06-15 17:44:37 -0400370 ret = ssl->method->read_change_cipher_spec(ssl);
David Benjamina41280d2015-11-26 02:16:49 -0500371 if (ret <= 0) {
372 goto end;
373 }
Adam Langley95c29f32014-06-20 12:00:00 -0700374
David Benjamin67739722016-11-17 17:03:59 +0900375 if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_READ)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800376 ret = -1;
377 goto end;
378 }
David Benjamina41280d2015-11-26 02:16:49 -0500379
David Benjamincb0c29f2016-12-12 17:00:50 -0500380 hs->state = SSL3_ST_SR_NEXT_PROTO_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800381 break;
Adam Langley1258b6a2014-06-20 12:00:00 -0700382
Adam Langleyfcf25832014-12-18 17:42:32 -0800383 case SSL3_ST_SR_NEXT_PROTO_A:
David Benjamince8c9d22016-11-14 10:45:16 +0900384 if (hs->next_proto_neg_seen) {
David Benjaminc3c88822016-11-14 10:32:04 +0900385 ret = ssl3_get_next_proto(hs);
David Benjamin47749a62016-06-13 13:56:33 -0400386 if (ret <= 0) {
387 goto end;
388 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800389 } else {
David Benjamin47749a62016-06-13 13:56:33 -0400390 skip = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800391 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500392 hs->state = SSL3_ST_SR_CHANNEL_ID_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800393 break;
Adam Langley1258b6a2014-06-20 12:00:00 -0700394
Adam Langleyfcf25832014-12-18 17:42:32 -0800395 case SSL3_ST_SR_CHANNEL_ID_A:
David Benjamin47749a62016-06-13 13:56:33 -0400396 if (ssl->s3->tlsext_channel_id_valid) {
David Benjaminc3c88822016-11-14 10:32:04 +0900397 ret = ssl3_get_channel_id(hs);
David Benjamin47749a62016-06-13 13:56:33 -0400398 if (ret <= 0) {
399 goto end;
400 }
401 } else {
402 skip = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800403 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500404 hs->state = SSL3_ST_SR_FINISHED_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800405 break;
Adam Langley1258b6a2014-06-20 12:00:00 -0700406
Adam Langleyfcf25832014-12-18 17:42:32 -0800407 case SSL3_ST_SR_FINISHED_A:
David Benjaminc3c88822016-11-14 10:32:04 +0900408 ret = ssl3_get_finished(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800409 if (ret <= 0) {
410 goto end;
411 }
Adam Langley95c29f32014-06-20 12:00:00 -0700412
David Benjamindf50eec2016-06-07 16:49:42 -0400413 ssl->method->received_flight(ssl);
Steven Valdez87eab492016-06-27 16:34:59 -0400414 if (ssl->session != NULL) {
David Benjamincb0c29f2016-12-12 17:00:50 -0500415 hs->state = SSL_ST_OK;
Adam Langleyfcf25832014-12-18 17:42:32 -0800416 } else {
David Benjamincb0c29f2016-12-12 17:00:50 -0500417 hs->state = SSL3_ST_SW_SESSION_TICKET_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800418 }
David Benjamindf50eec2016-06-07 16:49:42 -0400419
Steven Valdez87eab492016-06-27 16:34:59 -0400420 /* If this is a full handshake with ChannelID then record the handshake
421 * hashes in |ssl->s3->new_session| in case we need them to verify a
422 * ChannelID signature on a resumption of this session in the future. */
423 if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid) {
David Benjamin0d56f882015-12-19 17:05:56 -0500424 ret = tls1_record_handshake_hashes_for_channel_id(ssl);
Adam Langleyfcf25832014-12-18 17:42:32 -0800425 if (ret <= 0) {
426 goto end;
427 }
428 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800429 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700430
Adam Langleyfcf25832014-12-18 17:42:32 -0800431 case SSL3_ST_SW_SESSION_TICKET_A:
David Benjamince8c9d22016-11-14 10:45:16 +0900432 if (hs->ticket_expected) {
David Benjaminc3c88822016-11-14 10:32:04 +0900433 ret = ssl3_send_new_session_ticket(hs);
David Benjamin47749a62016-06-13 13:56:33 -0400434 if (ret <= 0) {
435 goto end;
436 }
437 } else {
438 skip = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800439 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500440 hs->state = SSL3_ST_SW_CHANGE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800441 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700442
David Benjamin352d0a92016-06-28 11:22:02 -0400443 case SSL3_ST_SW_CHANGE:
David Benjamindaf207a2017-01-03 18:37:41 -0500444 if (!ssl->method->add_change_cipher_spec(ssl) ||
445 !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800446 ret = -1;
447 goto end;
448 }
David Benjamindaf207a2017-01-03 18:37:41 -0500449
450 hs->state = SSL3_ST_SW_FINISHED_A;
Adam Langleyfcf25832014-12-18 17:42:32 -0800451 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700452
Adam Langleyfcf25832014-12-18 17:42:32 -0800453 case SSL3_ST_SW_FINISHED_A:
David Benjamin16315f72017-01-12 20:02:05 -0500454 ret = ssl3_send_finished(hs);
Adam Langleyfcf25832014-12-18 17:42:32 -0800455 if (ret <= 0) {
456 goto end;
457 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500458 hs->state = SSL3_ST_SW_FLUSH;
Steven Valdez87eab492016-06-27 16:34:59 -0400459 if (ssl->session != NULL) {
David Benjamincb0c29f2016-12-12 17:00:50 -0500460 hs->next_state = SSL3_ST_SR_CHANGE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800461 } else {
David Benjamincb0c29f2016-12-12 17:00:50 -0500462 hs->next_state = SSL_ST_OK;
Adam Langleyfcf25832014-12-18 17:42:32 -0800463 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800464 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700465
David Benjamin9f1dc822016-06-07 17:03:46 -0400466 case SSL3_ST_SW_FLUSH:
David Benjamin8d5f9da2017-01-01 17:41:30 -0500467 ret = ssl->method->flush_flight(ssl);
468 if (ret <= 0) {
David Benjamin9f1dc822016-06-07 17:03:46 -0400469 goto end;
470 }
471
David Benjamincb0c29f2016-12-12 17:00:50 -0500472 hs->state = hs->next_state;
473 if (hs->state != SSL_ST_OK) {
David Benjamin9f1dc822016-06-07 17:03:46 -0400474 ssl->method->expect_flight(ssl);
475 }
476 break;
477
Steven Valdez143e8b32016-07-11 13:19:03 -0400478 case SSL_ST_TLS13:
David Benjaminc3c88822016-11-14 10:32:04 +0900479 ret = tls13_handshake(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400480 if (ret <= 0) {
481 goto end;
482 }
David Benjamincb0c29f2016-12-12 17:00:50 -0500483 hs->state = SSL_ST_OK;
Steven Valdez143e8b32016-07-11 13:19:03 -0400484 break;
485
Adam Langleyfcf25832014-12-18 17:42:32 -0800486 case SSL_ST_OK:
David Benjamin4497e582016-07-27 17:51:49 -0400487 ssl->method->release_current_message(ssl, 1 /* free_buffer */);
Adam Langley95c29f32014-06-20 12:00:00 -0700488
Steven Valdez87eab492016-06-27 16:34:59 -0400489 /* If we aren't retaining peer certificates then we can discard it
490 * now. */
491 if (ssl->s3->new_session != NULL &&
David Benjaminbbaf3672016-11-17 10:53:09 +0900492 ssl->retain_only_sha256_of_client_certs) {
Adam Langleyc5ac2b62016-11-07 12:02:35 -0800493 X509_free(ssl->s3->new_session->x509_peer);
494 ssl->s3->new_session->x509_peer = NULL;
495 sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
496 ssl->s3->new_session->x509_chain = NULL;
Steven Valdez87eab492016-06-27 16:34:59 -0400497 }
498
499 SSL_SESSION_free(ssl->s3->established_session);
500 if (ssl->session != NULL) {
David Benjaminb9195402016-08-05 10:51:43 -0400501 SSL_SESSION_up_ref(ssl->session);
502 ssl->s3->established_session = ssl->session;
Steven Valdez87eab492016-06-27 16:34:59 -0400503 } else {
504 ssl->s3->established_session = ssl->s3->new_session;
505 ssl->s3->established_session->not_resumable = 0;
506 ssl->s3->new_session = NULL;
507 }
508
Steven Valdez258508f2017-01-25 15:47:49 -0500509 if (hs->v2_clienthello) {
510 CRYPTO_STATIC_MUTEX_lock_write(&g_v2clienthello_lock);
511 g_v2clienthello_count++;
512 CRYPTO_STATIC_MUTEX_unlock_write(&g_v2clienthello_lock);
513 }
514
David Benjamin78476f62016-11-12 11:20:55 +0900515 ssl->s3->initial_handshake_complete = 1;
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900516 ssl_update_cache(hs, SSL_SESS_CACHE_SERVER);
David Benjamin78476f62016-11-12 11:20:55 +0900517
David Benjamin4e9cc712016-06-01 20:16:03 -0400518 ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
Adam Langleyfcf25832014-12-18 17:42:32 -0800519 ret = 1;
520 goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700521
Adam Langleyfcf25832014-12-18 17:42:32 -0800522 default:
David Benjamin3570d732015-06-29 00:28:17 -0400523 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800524 ret = -1;
525 goto end;
526 }
Adam Langley95c29f32014-06-20 12:00:00 -0700527
David Benjamincb0c29f2016-12-12 17:00:50 -0500528 if (!ssl->s3->tmp.reuse_message && !skip && hs->state != state) {
529 int new_state = hs->state;
530 hs->state = state;
David Benjamin4e9cc712016-06-01 20:16:03 -0400531 ssl_do_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 1);
David Benjamincb0c29f2016-12-12 17:00:50 -0500532 hs->state = new_state;
Adam Langleyfcf25832014-12-18 17:42:32 -0800533 }
534 skip = 0;
535 }
536
Adam Langley95c29f32014-06-20 12:00:00 -0700537end:
David Benjamin4e9cc712016-06-01 20:16:03 -0400538 ssl_do_info_callback(ssl, SSL_CB_ACCEPT_EXIT, ret);
Adam Langleyfcf25832014-12-18 17:42:32 -0800539 return ret;
540}
Adam Langley95c29f32014-06-20 12:00:00 -0700541
David Benjamin731058e2016-12-03 23:15:13 -0500542int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello,
543 uint16_t id) {
David Benjamin1deb41b2016-08-09 19:36:38 -0400544 CBS cipher_suites;
545 CBS_init(&cipher_suites, client_hello->cipher_suites,
546 client_hello->cipher_suites_len);
547
548 while (CBS_len(&cipher_suites) > 0) {
549 uint16_t got_id;
550 if (!CBS_get_u16(&cipher_suites, &got_id)) {
551 return 0;
552 }
553
554 if (got_id == id) {
555 return 1;
556 }
557 }
558
559 return 0;
560}
561
David Benjaminf04c2e92016-12-06 13:35:25 -0500562static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
David Benjamin731058e2016-12-03 23:15:13 -0500563 const SSL_CLIENT_HELLO *client_hello) {
David Benjaminf04c2e92016-12-06 13:35:25 -0500564 SSL *const ssl = hs->ssl;
David Benjamin42bfeb32017-02-02 23:28:14 -0500565 assert(!ssl->s3->have_version);
David Benjamin25fe85b2016-08-09 20:00:32 -0400566 uint16_t min_version, max_version;
567 if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
568 *out_alert = SSL_AD_PROTOCOL_VERSION;
569 return 0;
570 }
571
David Benjamin2dc02042016-09-19 19:57:37 -0400572 uint16_t version = 0;
Steven Valdezfdd10992016-09-15 16:27:05 -0400573 /* Check supported_versions extension if it is present. */
574 CBS supported_versions;
David Benjamin731058e2016-12-03 23:15:13 -0500575 if (ssl_client_hello_get_extension(client_hello, &supported_versions,
576 TLSEXT_TYPE_supported_versions)) {
Steven Valdezfdd10992016-09-15 16:27:05 -0400577 CBS versions;
578 if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
579 CBS_len(&supported_versions) != 0 ||
580 CBS_len(&versions) == 0) {
581 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
582 *out_alert = SSL_AD_DECODE_ERROR;
583 return 0;
584 }
585
Brian Smithf85d3232016-10-28 10:34:06 -1000586 /* Choose the newest commonly-supported version advertised by the client.
587 * The client orders the versions according to its preferences, but we're
588 * not required to honor the client's preferences. */
Steven Valdezfdd10992016-09-15 16:27:05 -0400589 int found_version = 0;
590 while (CBS_len(&versions) != 0) {
591 uint16_t ext_version;
592 if (!CBS_get_u16(&versions, &ext_version)) {
593 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
594 *out_alert = SSL_AD_DECODE_ERROR;
595 return 0;
596 }
597 if (!ssl->method->version_from_wire(&ext_version, ext_version)) {
598 continue;
599 }
600 if (min_version <= ext_version &&
Brian Smithf85d3232016-10-28 10:34:06 -1000601 ext_version <= max_version &&
602 (!found_version || version < ext_version)) {
Steven Valdezfdd10992016-09-15 16:27:05 -0400603 version = ext_version;
604 found_version = 1;
Steven Valdezfdd10992016-09-15 16:27:05 -0400605 }
606 }
607
608 if (!found_version) {
609 goto unsupported_protocol;
David Benjamin2dc02042016-09-19 19:57:37 -0400610 }
611 } else {
Steven Valdezfdd10992016-09-15 16:27:05 -0400612 /* Process ClientHello.version instead. Note that versions beyond (D)TLS 1.2
613 * do not use this mechanism. */
614 if (SSL_is_dtls(ssl)) {
615 if (client_hello->version <= DTLS1_2_VERSION) {
616 version = TLS1_2_VERSION;
617 } else if (client_hello->version <= DTLS1_VERSION) {
618 version = TLS1_1_VERSION;
619 } else {
620 goto unsupported_protocol;
621 }
622 } else {
623 if (client_hello->version >= TLS1_2_VERSION) {
624 version = TLS1_2_VERSION;
625 } else if (client_hello->version >= TLS1_1_VERSION) {
626 version = TLS1_1_VERSION;
627 } else if (client_hello->version >= TLS1_VERSION) {
628 version = TLS1_VERSION;
629 } else if (client_hello->version >= SSL3_VERSION) {
630 version = SSL3_VERSION;
631 } else {
632 goto unsupported_protocol;
633 }
David Benjamin2dc02042016-09-19 19:57:37 -0400634 }
David Benjamin25fe85b2016-08-09 20:00:32 -0400635
Steven Valdezfdd10992016-09-15 16:27:05 -0400636 /* Apply our minimum and maximum version. */
637 if (version > max_version) {
638 version = max_version;
639 }
David Benjamin25fe85b2016-08-09 20:00:32 -0400640
Steven Valdezfdd10992016-09-15 16:27:05 -0400641 if (version < min_version) {
642 goto unsupported_protocol;
643 }
David Benjamin25fe85b2016-08-09 20:00:32 -0400644 }
645
646 /* Handle FALLBACK_SCSV. */
647 if (ssl_client_cipher_list_contains_cipher(client_hello,
648 SSL3_CK_FALLBACK_SCSV & 0xffff) &&
649 version < max_version) {
650 OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
651 *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
652 return 0;
653 }
654
David Benjaminf04c2e92016-12-06 13:35:25 -0500655 hs->client_version = client_hello->version;
David Benjamin25fe85b2016-08-09 20:00:32 -0400656 ssl->version = ssl->method->version_to_wire(version);
657 ssl->s3->enc_method = ssl3_get_enc_method(version);
658 assert(ssl->s3->enc_method != NULL);
659
660 /* At this point, the connection's version is known and |ssl->version| is
661 * fixed. Begin enforcing the record-layer version. */
662 ssl->s3->have_version = 1;
663
664 return 1;
Steven Valdezfdd10992016-09-15 16:27:05 -0400665
666unsupported_protocol:
667 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
668 *out_alert = SSL_AD_PROTOCOL_VERSION;
669 return 0;
David Benjamin25fe85b2016-08-09 20:00:32 -0400670}
671
David Benjamin2578b292016-12-03 23:19:55 -0500672static STACK_OF(SSL_CIPHER) *
673 ssl_parse_client_cipher_list(const SSL_CLIENT_HELLO *client_hello) {
674 CBS cipher_suites;
675 CBS_init(&cipher_suites, client_hello->cipher_suites,
676 client_hello->cipher_suites_len);
677
678 STACK_OF(SSL_CIPHER) *sk = sk_SSL_CIPHER_new_null();
679 if (sk == NULL) {
680 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
681 goto err;
682 }
683
684 while (CBS_len(&cipher_suites) > 0) {
685 uint16_t cipher_suite;
686
687 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
688 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
689 goto err;
690 }
691
692 const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
693 if (c != NULL && !sk_SSL_CIPHER_push(sk, c)) {
694 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
695 goto err;
696 }
697 }
698
699 return sk;
700
701err:
702 sk_SSL_CIPHER_free(sk);
703 return NULL;
704}
705
706/* ssl_get_compatible_server_ciphers determines the key exchange and
707 * authentication cipher suite masks compatible with the server configuration
708 * and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
709 * exchange mask and |*out_mask_a| to the authentication mask. */
710static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
711 uint32_t *out_mask_k,
712 uint32_t *out_mask_a) {
713 SSL *const ssl = hs->ssl;
714 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
715 *out_mask_k = SSL_kGENERIC;
716 *out_mask_a = SSL_aGENERIC;
717 return;
718 }
719
720 uint32_t mask_k = 0;
721 uint32_t mask_a = 0;
722
Adam Langley3a2b47a2017-01-24 13:59:42 -0800723 if (ssl_has_certificate(ssl)) {
David Benjamin2578b292016-12-03 23:19:55 -0500724 int type = ssl_private_key_type(ssl);
725 if (type == NID_rsaEncryption) {
726 mask_k |= SSL_kRSA;
727 mask_a |= SSL_aRSA;
728 } else if (ssl_is_ecdsa_key_type(type)) {
729 mask_a |= SSL_aECDSA;
730 }
731 }
732
733 if (ssl->cert->dh_tmp != NULL || ssl->cert->dh_tmp_cb != NULL) {
734 mask_k |= SSL_kDHE;
735 }
736
737 /* Check for a shared group to consider ECDHE ciphers. */
738 uint16_t unused;
739 if (tls1_get_shared_group(hs, &unused)) {
740 mask_k |= SSL_kECDHE;
741 }
742
David Benjamin2578b292016-12-03 23:19:55 -0500743 /* PSK requires a server callback. */
744 if (ssl->psk_server_callback != NULL) {
745 mask_k |= SSL_kPSK;
746 mask_a |= SSL_aPSK;
747 }
748
749 *out_mask_k = mask_k;
750 *out_mask_a = mask_a;
751}
752
753static const SSL_CIPHER *ssl3_choose_cipher(
754 SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello,
755 const struct ssl_cipher_preference_list_st *server_pref) {
756 SSL *const ssl = hs->ssl;
757 const SSL_CIPHER *c, *ret = NULL;
758 STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
759 int ok;
760 size_t cipher_index;
761 uint32_t alg_k, alg_a, mask_k, mask_a;
762 /* in_group_flags will either be NULL, or will point to an array of bytes
763 * which indicate equal-preference groups in the |prio| stack. See the
764 * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
765 * struct. */
766 const uint8_t *in_group_flags;
767 /* group_min contains the minimal index so far found in a group, or -1 if no
768 * such value exists yet. */
769 int group_min = -1;
770
771 STACK_OF(SSL_CIPHER) *clnt = ssl_parse_client_cipher_list(client_hello);
772 if (clnt == NULL) {
773 return NULL;
774 }
775
776 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
777 prio = srvr;
778 in_group_flags = server_pref->in_group_flags;
779 allow = clnt;
780 } else {
781 prio = clnt;
782 in_group_flags = NULL;
783 allow = srvr;
784 }
785
786 ssl_get_compatible_server_ciphers(hs, &mask_k, &mask_a);
787
788 for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
789 c = sk_SSL_CIPHER_value(prio, i);
790
791 ok = 1;
792
793 /* Check the TLS version. */
794 if (SSL_CIPHER_get_min_version(c) > ssl3_protocol_version(ssl) ||
795 SSL_CIPHER_get_max_version(c) < ssl3_protocol_version(ssl)) {
796 ok = 0;
797 }
798
799 alg_k = c->algorithm_mkey;
800 alg_a = c->algorithm_auth;
801
802 ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
803
804 if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
805 if (in_group_flags != NULL && in_group_flags[i] == 1) {
806 /* This element of |prio| is in a group. Update the minimum index found
807 * so far and continue looking. */
808 if (group_min == -1 || (size_t)group_min > cipher_index) {
809 group_min = cipher_index;
810 }
811 } else {
812 if (group_min != -1 && (size_t)group_min < cipher_index) {
813 cipher_index = group_min;
814 }
815 ret = sk_SSL_CIPHER_value(allow, cipher_index);
816 break;
817 }
818 }
819
820 if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {
821 /* We are about to leave a group, but we found a match in it, so that's
822 * our answer. */
823 ret = sk_SSL_CIPHER_value(allow, group_min);
824 break;
825 }
826 }
827
828 sk_SSL_CIPHER_free(clnt);
829 return ret;
830}
831
David Benjamin59bae5a2017-02-02 23:51:22 -0500832static int ssl3_process_client_hello(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900833 SSL *const ssl = hs->ssl;
David Benjamin59bae5a2017-02-02 23:51:22 -0500834 if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
835 return -1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800836 }
Adam Langley95c29f32014-06-20 12:00:00 -0700837
David Benjamin731058e2016-12-03 23:15:13 -0500838 SSL_CLIENT_HELLO client_hello;
839 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
840 ssl->init_num)) {
David Benjamin3570d732015-06-29 00:28:17 -0400841 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
David Benjamin59bae5a2017-02-02 23:51:22 -0500842 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
843 return -1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800844 }
Adam Langley95c29f32014-06-20 12:00:00 -0700845
David Benjamin59bae5a2017-02-02 23:51:22 -0500846 /* Run the early callback. */
847 if (ssl->ctx->select_certificate_cb != NULL) {
848 switch (ssl->ctx->select_certificate_cb(&client_hello)) {
849 case 0:
850 ssl->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
851 return -1;
David Benjamine14ff062016-08-09 16:21:24 -0400852
David Benjamin59bae5a2017-02-02 23:51:22 -0500853 case -1:
854 /* Connection rejected. */
855 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
856 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
857 return -1;
David Benjamine14ff062016-08-09 16:21:24 -0400858
David Benjamin59bae5a2017-02-02 23:51:22 -0500859 default:
860 /* fallthrough */;
David Benjamine14ff062016-08-09 16:21:24 -0400861 }
David Benjamin59bae5a2017-02-02 23:51:22 -0500862 }
David Benjamine14ff062016-08-09 16:21:24 -0400863
David Benjamin59bae5a2017-02-02 23:51:22 -0500864 uint8_t alert;
865 if (!negotiate_version(hs, &alert, &client_hello)) {
866 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
867 return -1;
868 }
David Benjamin1deb41b2016-08-09 19:36:38 -0400869
David Benjamin59bae5a2017-02-02 23:51:22 -0500870 /* Load the client random. */
871 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
872 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
873 return -1;
874 }
875 OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
876 client_hello.random_len);
877
878 /* Only null compression is supported. TLS 1.3 further requires the peer
879 * advertise no other compression. */
880 if (OPENSSL_memchr(client_hello.compression_methods, 0,
881 client_hello.compression_methods_len) == NULL ||
882 (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
883 client_hello.compression_methods_len != 1)) {
884 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
885 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
886 return -1;
887 }
888
889 /* TLS extensions. */
890 if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
891 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
892 return -1;
893 }
894
895 return 1;
896}
897
898static int ssl3_select_certificate(SSL_HANDSHAKE *hs) {
899 SSL *const ssl = hs->ssl;
900 /* Call |cert_cb| to update server certificates if required. */
901 if (ssl->cert->cert_cb != NULL) {
902 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
903 if (rv == 0) {
904 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
905 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
David Benjamin25fe85b2016-08-09 20:00:32 -0400906 return -1;
907 }
David Benjamin59bae5a2017-02-02 23:51:22 -0500908 if (rv < 0) {
909 ssl->rwstate = SSL_X509_LOOKUP;
910 return -1;
David Benjamin4eb95cc2016-11-16 17:08:23 +0900911 }
David Benjamin4eb95cc2016-11-16 17:08:23 +0900912 }
913
David Benjamin59bae5a2017-02-02 23:51:22 -0500914 if (!ssl_auto_chain_if_needed(ssl)) {
915 return -1;
David Benjamin34202b92016-11-16 19:07:53 +0900916 }
917
David Benjamin59bae5a2017-02-02 23:51:22 -0500918 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
919 /* Jump to the TLS 1.3 state machine. */
920 hs->state = SSL_ST_TLS13;
921 hs->do_tls13_handshake = tls13_server_handshake;
922 return 1;
923 }
924
925 SSL_CLIENT_HELLO client_hello;
926 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
927 ssl->init_num)) {
928 return -1;
929 }
930
931 /* Negotiate the cipher suite. This must be done after |cert_cb| so the
932 * certificate is finalized. */
933 ssl->s3->tmp.new_cipher =
934 ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl));
935 if (ssl->s3->tmp.new_cipher == NULL) {
936 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
937 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
938 return -1;
939 }
940
941 return 1;
942}
943
944static int ssl3_select_parameters(SSL_HANDSHAKE *hs) {
945 SSL *const ssl = hs->ssl;
946 uint8_t al = SSL_AD_INTERNAL_ERROR;
947 int ret = -1;
948 SSL_SESSION *session = NULL;
949
950 SSL_CLIENT_HELLO client_hello;
951 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
952 ssl->init_num)) {
953 return -1;
954 }
David Benjamin34202b92016-11-16 19:07:53 +0900955
956 /* Determine whether we are doing session resumption. */
957 int tickets_supported = 0, renew_ticket = 0;
958 switch (ssl_get_prev_session(ssl, &session, &tickets_supported, &renew_ticket,
959 &client_hello)) {
960 case ssl_session_success:
961 break;
962 case ssl_session_error:
963 goto err;
964 case ssl_session_retry:
965 ssl->rwstate = SSL_PENDING_SESSION;
966 goto err;
967 }
968
969 if (session != NULL) {
970 if (session->extended_master_secret &&
971 !ssl->s3->tmp.extended_master_secret) {
972 /* A ClientHello without EMS that attempts to resume a session with EMS
973 * is fatal to the connection. */
974 al = SSL_AD_HANDSHAKE_FAILURE;
975 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
976 goto f_err;
977 }
978
979 if (!ssl_session_is_resumable(ssl, session) ||
980 /* If the client offers the EMS extension, but the previous session
981 * didn't use it, then negotiate a new session. */
982 ssl->s3->tmp.extended_master_secret !=
983 session->extended_master_secret) {
984 SSL_SESSION_free(session);
985 session = NULL;
986 }
987 }
988
989 if (session != NULL) {
990 /* Use the old session. */
David Benjaminc3c88822016-11-14 10:32:04 +0900991 hs->ticket_expected = renew_ticket;
David Benjamin34202b92016-11-16 19:07:53 +0900992 ssl->session = session;
993 session = NULL;
994 ssl->s3->session_reused = 1;
995 } else {
David Benjaminc3c88822016-11-14 10:32:04 +0900996 hs->ticket_expected = tickets_supported;
David Benjamin34202b92016-11-16 19:07:53 +0900997 ssl_set_session(ssl, NULL);
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900998 if (!ssl_get_new_session(hs, 1 /* server */)) {
David Benjamin34202b92016-11-16 19:07:53 +0900999 goto err;
1000 }
1001
1002 /* Clear the session ID if we want the session to be single-use. */
1003 if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
1004 ssl->s3->new_session->session_id_length = 0;
1005 }
1006 }
1007
1008 if (ssl->ctx->dos_protection_cb != NULL &&
1009 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
1010 /* Connection rejected for DOS reasons. */
1011 al = SSL_AD_INTERNAL_ERROR;
1012 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
1013 goto f_err;
1014 }
1015
David Benjaminf01f42a2016-11-16 19:05:33 +09001016 if (ssl->session == NULL) {
1017 ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
David Benjamin5c1ce292015-05-26 16:59:43 -04001018
David Benjamin4eb95cc2016-11-16 17:08:23 +09001019 /* On new sessions, stash the SNI value in the session. */
David Benjaminc3c88822016-11-14 10:32:04 +09001020 if (hs->hostname != NULL) {
Steven Valdez2f82a0e2017-02-06 12:06:01 -05001021 OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
David Benjaminc3c88822016-11-14 10:32:04 +09001022 ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
David Benjamin4eb95cc2016-11-16 17:08:23 +09001023 if (ssl->s3->new_session->tlsext_hostname == NULL) {
1024 al = SSL_AD_INTERNAL_ERROR;
1025 goto f_err;
1026 }
1027 }
1028
David Benjamin5c1ce292015-05-26 16:59:43 -04001029 /* Determine whether to request a client certificate. */
David Benjaminc3c88822016-11-14 10:32:04 +09001030 hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
David Benjamin5c1ce292015-05-26 16:59:43 -04001031 /* Only request a certificate if Channel ID isn't negotiated. */
David Benjamin0d56f882015-12-19 17:05:56 -05001032 if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
1033 ssl->s3->tlsext_channel_id_valid) {
David Benjaminc3c88822016-11-14 10:32:04 +09001034 hs->cert_request = 0;
David Benjamin5c1ce292015-05-26 16:59:43 -04001035 }
David Benjaminc032dfa2016-05-12 14:54:57 -04001036 /* CertificateRequest may only be sent in certificate-based ciphers. */
David Benjamin3d458dc2016-09-12 22:40:27 +00001037 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
David Benjaminc3c88822016-11-14 10:32:04 +09001038 hs->cert_request = 0;
David Benjamin5c1ce292015-05-26 16:59:43 -04001039 }
Adam Langley37646832016-08-01 16:16:46 -07001040
David Benjaminc3c88822016-11-14 10:32:04 +09001041 if (!hs->cert_request) {
Adam Langley37646832016-08-01 16:16:46 -07001042 /* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamindd634eb2016-08-18 16:40:28 -04001043 * classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley37646832016-08-01 16:16:46 -07001044 ssl->s3->new_session->verify_result = X509_V_OK;
1045 }
Adam Langleyfcf25832014-12-18 17:42:32 -08001046 }
1047
David Benjaminf01f42a2016-11-16 19:05:33 +09001048 /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
1049 * deferred. Complete it now. */
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001050 if (!ssl_negotiate_alpn(hs, &al, &client_hello)) {
David Benjamin9ef31f02016-10-31 18:01:13 -04001051 goto f_err;
1052 }
1053
David Benjaminf71036e2017-01-21 14:49:39 -05001054 /* Now that all parameters are known, initialize the handshake hash and hash
1055 * the ClientHello. */
1056 if (!ssl3_init_handshake_hash(ssl) ||
1057 !ssl_hash_current_message(ssl)) {
David Benjamin9550c3a2015-08-05 08:50:34 -04001058 goto f_err;
1059 }
1060
Steven Valdez2b8415e2016-06-30 13:27:23 -04001061 /* Release the handshake buffer if client authentication isn't required. */
David Benjaminc3c88822016-11-14 10:32:04 +09001062 if (!hs->cert_request) {
David Benjamin0d56f882015-12-19 17:05:56 -05001063 ssl3_free_handshake_buffer(ssl);
Adam Langleyfcf25832014-12-18 17:42:32 -08001064 }
1065
David Benjamin0bd71eb2015-12-01 14:14:40 -05001066 ret = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08001067
1068 if (0) {
1069 f_err:
David Benjamin0d56f882015-12-19 17:05:56 -05001070 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
Adam Langleyfcf25832014-12-18 17:42:32 -08001071 }
1072
Adam Langley95c29f32014-06-20 12:00:00 -07001073err:
David Benjamine3aa1d92015-06-16 15:34:50 -04001074 SSL_SESSION_free(session);
Adam Langleyfcf25832014-12-18 17:42:32 -08001075 return ret;
1076}
Adam Langley95c29f32014-06-20 12:00:00 -07001077
David Benjaminc3c88822016-11-14 10:32:04 +09001078static int ssl3_send_server_hello(SSL_HANDSHAKE *hs) {
1079 SSL *const ssl = hs->ssl;
David Benjamin56380462015-10-10 14:59:09 -04001080
1081 /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
1082 * known attack while we fix ChannelID itself. */
1083 if (ssl->s3->tlsext_channel_id_valid &&
1084 (ssl->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
1085 ssl->s3->tlsext_channel_id_valid = 0;
1086 }
1087
1088 /* If this is a resumption and the original handshake didn't support
1089 * ChannelID then we didn't record the original handshake hashes in the
1090 * session and so cannot resume with ChannelIDs. */
Steven Valdez87eab492016-06-27 16:34:59 -04001091 if (ssl->session != NULL &&
1092 ssl->session->original_handshake_hash_len == 0) {
David Benjamin56380462015-10-10 14:59:09 -04001093 ssl->s3->tlsext_channel_id_valid = 0;
1094 }
1095
David Benjamin721e8b72016-08-03 13:13:17 -04001096 struct timeval now;
1097 ssl_get_current_time(ssl, &now);
1098 ssl->s3->server_random[0] = now.tv_sec >> 24;
1099 ssl->s3->server_random[1] = now.tv_sec >> 16;
1100 ssl->s3->server_random[2] = now.tv_sec >> 8;
1101 ssl->s3->server_random[3] = now.tv_sec;
David Benjamin1f61f0d2016-07-10 12:20:35 -04001102 if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {
David Benjamin56380462015-10-10 14:59:09 -04001103 return -1;
1104 }
1105
David Benjamin55108632016-08-11 22:01:18 -04001106 /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
1107 * 1.3 is finalized and we are not implementing a draft version. */
David Benjamin1f61f0d2016-07-10 12:20:35 -04001108
Steven Valdez87eab492016-06-27 16:34:59 -04001109 const SSL_SESSION *session = ssl->s3->new_session;
1110 if (ssl->session != NULL) {
1111 session = ssl->session;
1112 }
1113
David Benjamin75836432016-06-17 18:48:29 -04001114 CBB cbb, body, session_id;
1115 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
1116 !CBB_add_u16(&body, ssl->version) ||
1117 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
1118 !CBB_add_u8_length_prefixed(&body, &session_id) ||
Steven Valdez87eab492016-06-27 16:34:59 -04001119 !CBB_add_bytes(&session_id, session->session_id,
1120 session->session_id_length) ||
David Benjamin75836432016-06-17 18:48:29 -04001121 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
1122 !CBB_add_u8(&body, 0 /* no compression */) ||
David Benjamin8c880a22016-12-03 02:20:34 -05001123 !ssl_add_serverhello_tlsext(hs, &body) ||
David Benjamindaf207a2017-01-03 18:37:41 -05001124 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin56380462015-10-10 14:59:09 -04001125 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1126 CBB_cleanup(&cbb);
1127 return -1;
1128 }
1129
David Benjamin16315f72017-01-12 20:02:05 -05001130 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08001131}
Adam Langley95c29f32014-06-20 12:00:00 -07001132
David Benjaminc3c88822016-11-14 10:32:04 +09001133static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs) {
1134 SSL *const ssl = hs->ssl;
David Benjamin32a66d52016-07-13 22:03:11 -04001135 if (!ssl_has_certificate(ssl)) {
1136 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
David Benjamin16315f72017-01-12 20:02:05 -05001137 return -1;
David Benjamin32a66d52016-07-13 22:03:11 -04001138 }
1139
David Benjamin75836432016-06-17 18:48:29 -04001140 if (!ssl3_output_cert_chain(ssl)) {
David Benjamin16315f72017-01-12 20:02:05 -05001141 return -1;
David Benjamin75836432016-06-17 18:48:29 -04001142 }
David Benjamin16315f72017-01-12 20:02:05 -05001143 return 1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001144}
1145
David Benjaminc3c88822016-11-14 10:32:04 +09001146static int ssl3_send_certificate_status(SSL_HANDSHAKE *hs) {
1147 SSL *const ssl = hs->ssl;
David Benjamin75836432016-06-17 18:48:29 -04001148 CBB cbb, body, ocsp_response;
1149 if (!ssl->method->init_message(ssl, &cbb, &body,
1150 SSL3_MT_CERTIFICATE_STATUS) ||
1151 !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) ||
1152 !CBB_add_u24_length_prefixed(&body, &ocsp_response) ||
Alessandro Ghedini559f0642016-12-07 12:55:32 +00001153 !CBB_add_bytes(&ocsp_response, CRYPTO_BUFFER_data(ssl->ocsp_response),
1154 CRYPTO_BUFFER_len(ssl->ocsp_response)) ||
David Benjamindaf207a2017-01-03 18:37:41 -05001155 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin75836432016-06-17 18:48:29 -04001156 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1157 CBB_cleanup(&cbb);
1158 return -1;
1159 }
1160
David Benjamin16315f72017-01-12 20:02:05 -05001161 return 1;
Paul Lietaraeeff2c2015-08-12 11:47:11 +01001162}
1163
David Benjaminc3c88822016-11-14 10:32:04 +09001164static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs) {
1165 SSL *const ssl = hs->ssl;
David Benjamin2a0b3912015-12-18 01:01:21 -05001166 CBB cbb, child;
David Benjaminc42acee2016-06-17 17:47:58 -04001167 CBB_zero(&cbb);
nagendra modadugu601448a2015-07-24 09:31:31 -07001168
David Benjaminc42acee2016-06-17 17:47:58 -04001169 /* Put together the parameters. */
David Benjamincb0c29f2016-12-12 17:00:50 -05001170 if (hs->state == SSL3_ST_SW_KEY_EXCH_A) {
David Benjamin2a0b3912015-12-18 01:01:21 -05001171 uint32_t alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey;
1172 uint32_t alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
Adam Langley95c29f32014-06-20 12:00:00 -07001173
David Benjaminc42acee2016-06-17 17:47:58 -04001174 /* Pre-allocate enough room to comfortably fit an ECDHE public key. */
1175 if (!CBB_init(&cbb, 128)) {
1176 goto err;
1177 }
1178
David Benjamin2a0b3912015-12-18 01:01:21 -05001179 /* PSK ciphers begin with an identity hint. */
Adam Langleyfcf25832014-12-18 17:42:32 -08001180 if (alg_a & SSL_aPSK) {
David Benjamin2a0b3912015-12-18 01:01:21 -05001181 size_t len =
1182 (ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint);
1183 if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
1184 !CBB_add_bytes(&child, (const uint8_t *)ssl->psk_identity_hint,
1185 len)) {
1186 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08001187 }
Adam Langleyfcf25832014-12-18 17:42:32 -08001188 }
Adam Langley95c29f32014-06-20 12:00:00 -07001189
David Benjamin7061e282015-03-19 11:10:48 -04001190 if (alg_k & SSL_kDHE) {
David Benjamin2a0b3912015-12-18 01:01:21 -05001191 /* Determine the group to use. */
1192 DH *params = ssl->cert->dh_tmp;
1193 if (params == NULL && ssl->cert->dh_tmp_cb != NULL) {
1194 params = ssl->cert->dh_tmp_cb(ssl, 0, 1024);
Adam Langleyfcf25832014-12-18 17:42:32 -08001195 }
David Benjamin2a0b3912015-12-18 01:01:21 -05001196 if (params == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -04001197 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_DH_KEY);
David Benjamin2a0b3912015-12-18 01:01:21 -05001198 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001199 goto err;
1200 }
David Benjamin2a0b3912015-12-18 01:01:21 -05001201
David Benjamin974c7ba2015-12-19 16:58:04 -05001202 /* Set up DH, generate a key, and emit the public half. */
David Benjamin2a0b3912015-12-18 01:01:21 -05001203 DH *dh = DHparams_dup(params);
David Benjamin974c7ba2015-12-19 16:58:04 -05001204 if (dh == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001205 goto err;
1206 }
David Benjamin9f226a52015-04-26 22:12:32 -04001207
David Benjaminc3c88822016-11-14 10:32:04 +09001208 SSL_ECDH_CTX_init_for_dhe(&hs->ecdh_ctx, dh);
David Benjamin2a0b3912015-12-18 01:01:21 -05001209 if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
David Benjamin974c7ba2015-12-19 16:58:04 -05001210 !BN_bn2cbb_padded(&child, BN_num_bytes(params->p), params->p) ||
David Benjamin2a0b3912015-12-18 01:01:21 -05001211 !CBB_add_u16_length_prefixed(&cbb, &child) ||
David Benjamin974c7ba2015-12-19 16:58:04 -05001212 !BN_bn2cbb_padded(&child, BN_num_bytes(params->g), params->g) ||
Matt Braithwaite053931e2016-05-25 12:06:05 -07001213 !CBB_add_u16_length_prefixed(&cbb, &child) ||
David Benjaminc3c88822016-11-14 10:32:04 +09001214 !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) {
David Benjamin9f226a52015-04-26 22:12:32 -04001215 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -08001216 }
David Benjamin7061e282015-03-19 11:10:48 -04001217 } else if (alg_k & SSL_kECDHE) {
Steven Valdezce902a92016-05-17 11:47:53 -04001218 /* Determine the group to use. */
1219 uint16_t group_id;
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001220 if (!tls1_get_shared_group(hs, &group_id)) {
David Benjamin3570d732015-06-29 00:28:17 -04001221 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_ECDH_KEY);
David Benjamin2a0b3912015-12-18 01:01:21 -05001222 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001223 goto err;
1224 }
David Benjamin4882a6c2016-12-11 02:48:12 -05001225 ssl->s3->new_session->group_id = group_id;
Adam Langley95c29f32014-06-20 12:00:00 -07001226
David Benjamin4298d772015-12-19 00:18:25 -05001227 /* Set up ECDH, generate a key, and emit the public half. */
David Benjaminc3c88822016-11-14 10:32:04 +09001228 if (!SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) ||
David Benjamin2a0b3912015-12-18 01:01:21 -05001229 !CBB_add_u8(&cbb, NAMED_CURVE_TYPE) ||
Steven Valdezce902a92016-05-17 11:47:53 -04001230 !CBB_add_u16(&cbb, group_id) ||
Matt Braithwaite053931e2016-05-25 12:06:05 -07001231 !CBB_add_u8_length_prefixed(&cbb, &child) ||
David Benjaminc3c88822016-11-14 10:32:04 +09001232 !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) {
Matt Braithwaite053931e2016-05-25 12:06:05 -07001233 goto err;
1234 }
David Benjamin2a0b3912015-12-18 01:01:21 -05001235 } else {
1236 assert(alg_k & SSL_kPSK);
Adam Langleyfcf25832014-12-18 17:42:32 -08001237 }
Adam Langley95c29f32014-06-20 12:00:00 -07001238
David Benjaminc3c88822016-11-14 10:32:04 +09001239 if (!CBB_finish(&cbb, &hs->server_params, &hs->server_params_len)) {
David Benjaminc42acee2016-06-17 17:47:58 -04001240 goto err;
1241 }
David Benjaminc42acee2016-06-17 17:47:58 -04001242 }
1243
1244 /* Assemble the message. */
David Benjamin75836432016-06-17 18:48:29 -04001245 CBB body;
1246 if (!ssl->method->init_message(ssl, &cbb, &body,
1247 SSL3_MT_SERVER_KEY_EXCHANGE) ||
David Benjaminc3c88822016-11-14 10:32:04 +09001248 !CBB_add_bytes(&body, hs->server_params, hs->server_params_len)) {
David Benjamin2a0b3912015-12-18 01:01:21 -05001249 goto err;
1250 }
Adam Langley95c29f32014-06-20 12:00:00 -07001251
David Benjamin2a0b3912015-12-18 01:01:21 -05001252 /* Add a signature. */
David Benjamin3d458dc2016-09-12 22:40:27 +00001253 if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
David Benjamin2a0b3912015-12-18 01:01:21 -05001254 if (!ssl_has_private_key(ssl)) {
1255 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -08001256 goto err;
1257 }
Adam Langley95c29f32014-06-20 12:00:00 -07001258
David Benjaminc42acee2016-06-17 17:47:58 -04001259 /* Determine the signature algorithm. */
David Benjaminea9a0d52016-07-08 15:52:59 -07001260 uint16_t signature_algorithm;
David Benjaminf3c8f8d2016-11-17 17:20:47 +09001261 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
David Benjaminea9a0d52016-07-08 15:52:59 -07001262 goto err;
1263 }
David Benjaminc42acee2016-06-17 17:47:58 -04001264 if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
Steven Valdezf0451ca2016-06-29 13:16:27 -04001265 if (!CBB_add_u16(&body, signature_algorithm)) {
David Benjaminc42acee2016-06-17 17:47:58 -04001266 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1267 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1268 goto err;
1269 }
David Benjaminc42acee2016-06-17 17:47:58 -04001270 }
1271
1272 /* Add space for the signature. */
David Benjamin2a0b3912015-12-18 01:01:21 -05001273 const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
David Benjaminc42acee2016-06-17 17:47:58 -04001274 uint8_t *ptr;
David Benjamin75836432016-06-17 18:48:29 -04001275 if (!CBB_add_u16_length_prefixed(&body, &child) ||
David Benjaminc42acee2016-06-17 17:47:58 -04001276 !CBB_reserve(&child, &ptr, max_sig_len)) {
1277 goto err;
1278 }
1279
David Benjamin2a0b3912015-12-18 01:01:21 -05001280 size_t sig_len;
1281 enum ssl_private_key_result_t sign_result;
David Benjamincb0c29f2016-12-12 17:00:50 -05001282 if (hs->state == SSL3_ST_SW_KEY_EXCH_A) {
Steven Valdez2b8415e2016-06-30 13:27:23 -04001283 CBB transcript;
1284 uint8_t *transcript_data;
1285 size_t transcript_len;
1286 if (!CBB_init(&transcript,
David Benjaminc3c88822016-11-14 10:32:04 +09001287 2 * SSL3_RANDOM_SIZE + hs->server_params_len) ||
1288 !CBB_add_bytes(&transcript, ssl->s3->client_random,
1289 SSL3_RANDOM_SIZE) ||
1290 !CBB_add_bytes(&transcript, ssl->s3->server_random,
1291 SSL3_RANDOM_SIZE) ||
1292 !CBB_add_bytes(&transcript, hs->server_params,
1293 hs->server_params_len) ||
Steven Valdez2b8415e2016-06-30 13:27:23 -04001294 !CBB_finish(&transcript, &transcript_data, &transcript_len)) {
1295 CBB_cleanup(&transcript);
1296 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1297 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdezf0451ca2016-06-29 13:16:27 -04001298 goto err;
1299 }
1300
Steven Valdezf0451ca2016-06-29 13:16:27 -04001301 sign_result = ssl_private_key_sign(ssl, ptr, &sig_len, max_sig_len,
Steven Valdez2b8415e2016-06-30 13:27:23 -04001302 signature_algorithm, transcript_data,
1303 transcript_len);
1304 OPENSSL_free(transcript_data);
David Benjamin1f9f9c42015-08-28 16:17:59 -04001305 } else {
David Benjamincb0c29f2016-12-12 17:00:50 -05001306 assert(hs->state == SSL3_ST_SW_KEY_EXCH_B);
David Benjamind3440b42016-07-14 14:52:41 -04001307 sign_result = ssl_private_key_complete(ssl, ptr, &sig_len, max_sig_len);
Adam Langleyfcf25832014-12-18 17:42:32 -08001308 }
David Benjamin2a0b3912015-12-18 01:01:21 -05001309
1310 switch (sign_result) {
1311 case ssl_private_key_success:
David Benjamin2a0b3912015-12-18 01:01:21 -05001312 if (!CBB_did_write(&child, sig_len)) {
1313 goto err;
1314 }
1315 break;
1316 case ssl_private_key_failure:
David Benjamin2a0b3912015-12-18 01:01:21 -05001317 goto err;
1318 case ssl_private_key_retry:
David Benjamin2a0b3912015-12-18 01:01:21 -05001319 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
David Benjamincb0c29f2016-12-12 17:00:50 -05001320 hs->state = SSL3_ST_SW_KEY_EXCH_B;
David Benjamin2a0b3912015-12-18 01:01:21 -05001321 goto err;
1322 }
David Benjamin1f9f9c42015-08-28 16:17:59 -04001323 }
1324
David Benjamindaf207a2017-01-03 18:37:41 -05001325 if (!ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin1f9f9c42015-08-28 16:17:59 -04001326 goto err;
1327 }
David Benjaminc42acee2016-06-17 17:47:58 -04001328
David Benjaminc3c88822016-11-14 10:32:04 +09001329 OPENSSL_free(hs->server_params);
1330 hs->server_params = NULL;
1331 hs->server_params_len = 0;
David Benjaminc42acee2016-06-17 17:47:58 -04001332
David Benjamin16315f72017-01-12 20:02:05 -05001333 return 1;
nagendra modadugu601448a2015-07-24 09:31:31 -07001334
Adam Langley95c29f32014-06-20 12:00:00 -07001335err:
David Benjamin2a0b3912015-12-18 01:01:21 -05001336 CBB_cleanup(&cbb);
Adam Langleyfcf25832014-12-18 17:42:32 -08001337 return -1;
1338}
Adam Langley95c29f32014-06-20 12:00:00 -07001339
David Benjamin75836432016-06-17 18:48:29 -04001340static int add_cert_types(SSL *ssl, CBB *cbb) {
1341 /* Get configured signature algorithms. */
1342 int have_rsa_sign = 0;
1343 int have_ecdsa_sign = 0;
Steven Valdez02563852016-06-23 13:33:05 -04001344 const uint16_t *sig_algs;
David Benjamin3ef76972016-10-17 17:59:54 -04001345 size_t num_sig_algs = tls12_get_verify_sigalgs(ssl, &sig_algs);
1346 for (size_t i = 0; i < num_sig_algs; i++) {
Steven Valdez02563852016-06-23 13:33:05 -04001347 switch (sig_algs[i]) {
1348 case SSL_SIGN_RSA_PKCS1_SHA512:
1349 case SSL_SIGN_RSA_PKCS1_SHA384:
1350 case SSL_SIGN_RSA_PKCS1_SHA256:
1351 case SSL_SIGN_RSA_PKCS1_SHA1:
David Benjamin75836432016-06-17 18:48:29 -04001352 have_rsa_sign = 1;
1353 break;
Adam Langley95c29f32014-06-20 12:00:00 -07001354
Steven Valdez02563852016-06-23 13:33:05 -04001355 case SSL_SIGN_ECDSA_SECP521R1_SHA512:
1356 case SSL_SIGN_ECDSA_SECP384R1_SHA384:
1357 case SSL_SIGN_ECDSA_SECP256R1_SHA256:
1358 case SSL_SIGN_ECDSA_SHA1:
David Benjamin75836432016-06-17 18:48:29 -04001359 have_ecdsa_sign = 1;
1360 break;
Adam Langleyfcf25832014-12-18 17:42:32 -08001361 }
Adam Langleyfcf25832014-12-18 17:42:32 -08001362 }
Adam Langley95c29f32014-06-20 12:00:00 -07001363
David Benjamin75836432016-06-17 18:48:29 -04001364 if (have_rsa_sign && !CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) {
1365 return 0;
1366 }
1367
1368 /* ECDSA certs can be used with RSA cipher suites as well so we don't need to
1369 * check for SSL_kECDH or SSL_kECDHE. */
1370 if (ssl->version >= TLS1_VERSION && have_ecdsa_sign &&
1371 !CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN)) {
1372 return 0;
1373 }
1374
1375 return 1;
1376}
1377
David Benjaminc3c88822016-11-14 10:32:04 +09001378static int ssl3_send_certificate_request(SSL_HANDSHAKE *hs) {
1379 SSL *const ssl = hs->ssl;
David Benjamin32a66d52016-07-13 22:03:11 -04001380 CBB cbb, body, cert_types, sigalgs_cbb;
David Benjamin75836432016-06-17 18:48:29 -04001381 if (!ssl->method->init_message(ssl, &cbb, &body,
1382 SSL3_MT_CERTIFICATE_REQUEST) ||
1383 !CBB_add_u8_length_prefixed(&body, &cert_types) ||
1384 !add_cert_types(ssl, &cert_types)) {
1385 goto err;
1386 }
1387
1388 if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
Steven Valdez02563852016-06-23 13:33:05 -04001389 const uint16_t *sigalgs;
David Benjamin3ef76972016-10-17 17:59:54 -04001390 size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
Steven Valdez02563852016-06-23 13:33:05 -04001391 if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
David Benjamin75836432016-06-17 18:48:29 -04001392 goto err;
1393 }
Steven Valdez02563852016-06-23 13:33:05 -04001394
David Benjamin0fc37ef2016-08-17 15:29:46 -04001395 for (size_t i = 0; i < num_sigalgs; i++) {
Steven Valdez02563852016-06-23 13:33:05 -04001396 if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
1397 goto err;
1398 }
1399 }
David Benjamin75836432016-06-17 18:48:29 -04001400 }
1401
David Benjamin32a66d52016-07-13 22:03:11 -04001402 if (!ssl_add_client_CA_list(ssl, &body) ||
David Benjamindaf207a2017-01-03 18:37:41 -05001403 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin75836432016-06-17 18:48:29 -04001404 goto err;
1405 }
1406
David Benjamin16315f72017-01-12 20:02:05 -05001407 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08001408
Adam Langley95c29f32014-06-20 12:00:00 -07001409err:
David Benjamin75836432016-06-17 18:48:29 -04001410 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1411 CBB_cleanup(&cbb);
Adam Langleyfcf25832014-12-18 17:42:32 -08001412 return -1;
1413}
Adam Langley95c29f32014-06-20 12:00:00 -07001414
David Benjaminc3c88822016-11-14 10:32:04 +09001415static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs) {
1416 SSL *const ssl = hs->ssl;
David Benjamin75836432016-06-17 18:48:29 -04001417 CBB cbb, body;
1418 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO_DONE) ||
David Benjamindaf207a2017-01-03 18:37:41 -05001419 !ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin75836432016-06-17 18:48:29 -04001420 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1421 CBB_cleanup(&cbb);
1422 return -1;
1423 }
1424
David Benjamin16315f72017-01-12 20:02:05 -05001425 return 1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001426}
1427
David Benjaminc3c88822016-11-14 10:32:04 +09001428static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) {
1429 SSL *const ssl = hs->ssl;
1430 assert(hs->cert_request);
David Benjamin9f1dc822016-06-07 17:03:46 -04001431
David Benjaminf71036e2017-01-21 14:49:39 -05001432 int msg_ret = ssl->method->ssl_get_message(ssl);
David Benjamin09eb6552016-07-08 14:32:11 -07001433 if (msg_ret <= 0) {
1434 return msg_ret;
David Benjamin9f1dc822016-06-07 17:03:46 -04001435 }
1436
1437 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1438 if (ssl->version == SSL3_VERSION &&
1439 ssl->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
Adam Langley37646832016-08-01 16:16:46 -07001440 /* In SSL 3.0, the Certificate message is omitted to signal no
1441 * certificate. */
David Benjaminda2630c2016-08-01 19:57:43 -04001442 if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
David Benjamin9f1dc822016-06-07 17:03:46 -04001443 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
David Benjamin5c900c82016-07-13 23:03:26 -04001444 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1445 return -1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001446 }
1447
Adam Langley37646832016-08-01 16:16:46 -07001448 /* OpenSSL returns X509_V_OK when no certificates are received. This is
David Benjamindd634eb2016-08-18 16:40:28 -04001449 * classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley37646832016-08-01 16:16:46 -07001450 ssl->s3->new_session->verify_result = X509_V_OK;
David Benjamin9f1dc822016-06-07 17:03:46 -04001451 ssl->s3->tmp.reuse_message = 1;
1452 return 1;
1453 }
1454
David Benjamin9f1dc822016-06-07 17:03:46 -04001455 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
David Benjamin5c900c82016-07-13 23:03:26 -04001456 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1457 return -1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001458 }
1459
David Benjaminf71036e2017-01-21 14:49:39 -05001460 if (!ssl_hash_current_message(ssl)) {
1461 return -1;
1462 }
1463
David Benjamin5c900c82016-07-13 23:03:26 -04001464 CBS certificate_msg;
David Benjamin09eb6552016-07-08 14:32:11 -07001465 CBS_init(&certificate_msg, ssl->init_msg, ssl->init_num);
Adam Langley68e71242016-12-12 11:06:16 -08001466
1467 sk_CRYPTO_BUFFER_pop_free(ssl->s3->new_session->certs, CRYPTO_BUFFER_free);
Adam Langleyd5157222016-12-12 11:37:43 -08001468 EVP_PKEY_free(hs->peer_pubkey);
1469 hs->peer_pubkey = NULL;
David Benjamin5c900c82016-07-13 23:03:26 -04001470 uint8_t alert;
Adam Langley68e71242016-12-12 11:06:16 -08001471 ssl->s3->new_session->certs =
Adam Langleyd5157222016-12-12 11:37:43 -08001472 ssl_parse_cert_chain(&alert, &hs->peer_pubkey,
1473 ssl->retain_only_sha256_of_client_certs
1474 ? ssl->s3->new_session->peer_sha256
1475 : NULL,
Adam Langleyd519bf62016-12-12 11:16:44 -08001476 &certificate_msg, ssl->ctx->pool);
Adam Langley68e71242016-12-12 11:06:16 -08001477 if (ssl->s3->new_session->certs == NULL) {
David Benjamin5c900c82016-07-13 23:03:26 -04001478 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
Adam Langley68e71242016-12-12 11:06:16 -08001479 return -1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001480 }
1481
Adam Langley68e71242016-12-12 11:06:16 -08001482 if (CBS_len(&certificate_msg) != 0 ||
1483 !ssl_session_x509_cache_objects(ssl->s3->new_session)) {
David Benjamin9f1dc822016-06-07 17:03:46 -04001484 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
David Benjamin5c900c82016-07-13 23:03:26 -04001485 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Adam Langley68e71242016-12-12 11:06:16 -08001486 return -1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001487 }
1488
Adam Langley68e71242016-12-12 11:06:16 -08001489 if (sk_CRYPTO_BUFFER_num(ssl->s3->new_session->certs) == 0) {
David Benjamin9f1dc822016-06-07 17:03:46 -04001490 /* No client certificate so the handshake buffer may be discarded. */
1491 ssl3_free_handshake_buffer(ssl);
1492
David Benjamine455e512016-08-01 20:11:13 -04001493 /* In SSL 3.0, sending no certificate is signaled by omitting the
1494 * Certificate message. */
David Benjamin9f1dc822016-06-07 17:03:46 -04001495 if (ssl->version == SSL3_VERSION) {
David Benjamin9f1dc822016-06-07 17:03:46 -04001496 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
David Benjamin5c900c82016-07-13 23:03:26 -04001497 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
Adam Langley68e71242016-12-12 11:06:16 -08001498 return -1;
David Benjamine455e512016-08-01 20:11:13 -04001499 }
1500
1501 if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
David Benjamin9f1dc822016-06-07 17:03:46 -04001502 /* Fail for TLS only if we required a certificate */
1503 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
David Benjamin5c900c82016-07-13 23:03:26 -04001504 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
Adam Langley68e71242016-12-12 11:06:16 -08001505 return -1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001506 }
Adam Langley37646832016-08-01 16:16:46 -07001507
1508 /* OpenSSL returns X509_V_OK when no certificates are received. This is
David Benjamindd634eb2016-08-18 16:40:28 -04001509 * classed by them as a bug, but it's assumed by at least NGINX. */
David Benjamin7aa31d62016-08-08 21:38:32 -04001510 ssl->s3->new_session->verify_result = X509_V_OK;
Adam Langley68e71242016-12-12 11:06:16 -08001511 return 1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001512 }
1513
Adam Langley68e71242016-12-12 11:06:16 -08001514 /* The hash will have been filled in. */
1515 if (ssl->retain_only_sha256_of_client_certs) {
1516 ssl->s3->new_session->peer_sha256_valid = 1;
Adam Langley364f7a62016-12-12 10:51:00 -08001517 }
David Benjamin9f1dc822016-06-07 17:03:46 -04001518
Adam Langley68e71242016-12-12 11:06:16 -08001519 if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result,
1520 ssl->s3->new_session->x509_chain)) {
1521 return -1;
1522 }
David Benjamin5c900c82016-07-13 23:03:26 -04001523 return 1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001524}
1525
David Benjaminc3c88822016-11-14 10:32:04 +09001526static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs) {
1527 SSL *const ssl = hs->ssl;
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001528 int al;
Adam Langleyfcf25832014-12-18 17:42:32 -08001529 CBS client_key_exchange;
David Benjamin3fa27772015-04-17 22:32:19 -04001530 uint32_t alg_k;
1531 uint32_t alg_a;
Adam Langleyfcf25832014-12-18 17:42:32 -08001532 uint8_t *premaster_secret = NULL;
1533 size_t premaster_secret_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08001534 uint8_t *decrypt_buf = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -07001535
David Benjamin4298d772015-12-19 00:18:25 -05001536 unsigned psk_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08001537 uint8_t psk[PSK_MAX_PSK_LEN];
Adam Langley95c29f32014-06-20 12:00:00 -07001538
David Benjamincb0c29f2016-12-12 17:00:50 -05001539 if (hs->state == SSL3_ST_SR_KEY_EXCH_A) {
David Benjaminf71036e2017-01-21 14:49:39 -05001540 int ret = ssl->method->ssl_get_message(ssl);
David Benjamin09eb6552016-07-08 14:32:11 -07001541 if (ret <= 0) {
1542 return ret;
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001543 }
David Benjamin276b7e82017-01-21 14:13:39 -05001544
David Benjaminf71036e2017-01-21 14:49:39 -05001545 if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE) ||
1546 !ssl_hash_current_message(ssl)) {
David Benjamin276b7e82017-01-21 14:13:39 -05001547 return -1;
1548 }
Adam Langleyfcf25832014-12-18 17:42:32 -08001549 }
Adam Langley95c29f32014-06-20 12:00:00 -07001550
David Benjamin0d56f882015-12-19 17:05:56 -05001551 CBS_init(&client_key_exchange, ssl->init_msg, ssl->init_num);
1552 alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey;
1553 alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
Adam Langleyc26c8022014-06-20 12:00:00 -07001554
Adam Langleyfcf25832014-12-18 17:42:32 -08001555 /* If using a PSK key exchange, prepare the pre-shared key. */
1556 if (alg_a & SSL_aPSK) {
1557 CBS psk_identity;
David Benjamin35c02302014-07-13 04:14:59 -04001558
Adam Langleyfcf25832014-12-18 17:42:32 -08001559 /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1560 * then this is the only field in the message. */
1561 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1562 ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
David Benjamin3570d732015-06-29 00:28:17 -04001563 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -08001564 al = SSL_AD_DECODE_ERROR;
1565 goto f_err;
1566 }
Adam Langleyc26c8022014-06-20 12:00:00 -07001567
David Benjamin0d56f882015-12-19 17:05:56 -05001568 if (ssl->psk_server_callback == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -04001569 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_SERVER_CB);
Adam Langleyfcf25832014-12-18 17:42:32 -08001570 al = SSL_AD_INTERNAL_ERROR;
1571 goto f_err;
1572 }
Adam Langleyc26c8022014-06-20 12:00:00 -07001573
Adam Langleyfcf25832014-12-18 17:42:32 -08001574 if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1575 CBS_contains_zero_byte(&psk_identity)) {
David Benjamin3570d732015-06-29 00:28:17 -04001576 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
Adam Langleyfcf25832014-12-18 17:42:32 -08001577 al = SSL_AD_ILLEGAL_PARAMETER;
1578 goto f_err;
1579 }
David Benjamin35c02302014-07-13 04:14:59 -04001580
Steven Valdez87eab492016-06-27 16:34:59 -04001581 if (!CBS_strdup(&psk_identity, &ssl->s3->new_session->psk_identity)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001582 al = SSL_AD_INTERNAL_ERROR;
David Benjamin3570d732015-06-29 00:28:17 -04001583 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001584 goto f_err;
1585 }
Adam Langleyc26c8022014-06-20 12:00:00 -07001586
Adam Langleyfcf25832014-12-18 17:42:32 -08001587 /* Look up the key for the identity. */
Steven Valdez87eab492016-06-27 16:34:59 -04001588 psk_len = ssl->psk_server_callback(ssl, ssl->s3->new_session->psk_identity,
1589 psk, sizeof(psk));
Adam Langleyfcf25832014-12-18 17:42:32 -08001590 if (psk_len > PSK_MAX_PSK_LEN) {
David Benjamin3570d732015-06-29 00:28:17 -04001591 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -08001592 al = SSL_AD_INTERNAL_ERROR;
1593 goto f_err;
1594 } else if (psk_len == 0) {
1595 /* PSK related to the given identity not found */
David Benjamin3570d732015-06-29 00:28:17 -04001596 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
Adam Langleyfcf25832014-12-18 17:42:32 -08001597 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
1598 goto f_err;
1599 }
1600 }
Adam Langleyacff73f2014-06-20 12:00:00 -07001601
Adam Langleyfcf25832014-12-18 17:42:32 -08001602 /* Depending on the key exchange method, compute |premaster_secret| and
1603 * |premaster_secret_len|. */
1604 if (alg_k & SSL_kRSA) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001605 /* Allocate a buffer large enough for an RSA decryption. */
David Benjamin0d56f882015-12-19 17:05:56 -05001606 const size_t rsa_size = ssl_private_key_max_signature_len(ssl);
Adam Langleyfcf25832014-12-18 17:42:32 -08001607 decrypt_buf = OPENSSL_malloc(rsa_size);
1608 if (decrypt_buf == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -04001609 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001610 goto err;
1611 }
David Benjamin35c02302014-07-13 04:14:59 -04001612
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001613 enum ssl_private_key_result_t decrypt_result;
David Benjamin3f5b43d2015-12-01 19:31:24 -05001614 size_t decrypt_len;
David Benjamincb0c29f2016-12-12 17:00:50 -05001615 if (hs->state == SSL3_ST_SR_KEY_EXCH_A) {
David Benjamin0d56f882015-12-19 17:05:56 -05001616 if (!ssl_has_private_key(ssl) ||
David Benjamin0c0b7e12016-07-14 13:47:55 -04001617 ssl_private_key_type(ssl) != NID_rsaEncryption) {
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001618 al = SSL_AD_HANDSHAKE_FAILURE;
1619 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_RSA_CERTIFICATE);
1620 goto f_err;
1621 }
David Benjamin3f5b43d2015-12-01 19:31:24 -05001622 CBS encrypted_premaster_secret;
David Benjamin0d56f882015-12-19 17:05:56 -05001623 if (ssl->version > SSL3_VERSION) {
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001624 if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1625 &encrypted_premaster_secret) ||
1626 CBS_len(&client_key_exchange) != 0) {
David Benjaminef5e5152015-11-18 20:35:31 -05001627 al = SSL_AD_DECODE_ERROR;
1628 OPENSSL_PUT_ERROR(SSL,
1629 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1630 goto f_err;
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001631 }
1632 } else {
1633 encrypted_premaster_secret = client_key_exchange;
1634 }
1635
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001636 /* Decrypt with no padding. PKCS#1 padding will be removed as part of the
1637 * timing-sensitive code below. */
1638 decrypt_result = ssl_private_key_decrypt(
David Benjamin0d56f882015-12-19 17:05:56 -05001639 ssl, decrypt_buf, &decrypt_len, rsa_size,
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001640 CBS_data(&encrypted_premaster_secret),
1641 CBS_len(&encrypted_premaster_secret));
1642 } else {
David Benjamincb0c29f2016-12-12 17:00:50 -05001643 assert(hs->state == SSL3_ST_SR_KEY_EXCH_B);
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001644 /* Complete async decrypt. */
David Benjamind3440b42016-07-14 14:52:41 -04001645 decrypt_result =
1646 ssl_private_key_complete(ssl, decrypt_buf, &decrypt_len, rsa_size);
Adam Langleyfcf25832014-12-18 17:42:32 -08001647 }
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001648
1649 switch (decrypt_result) {
1650 case ssl_private_key_success:
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001651 break;
1652 case ssl_private_key_failure:
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001653 goto err;
1654 case ssl_private_key_retry:
David Benjamin0d56f882015-12-19 17:05:56 -05001655 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
David Benjamincb0c29f2016-12-12 17:00:50 -05001656 hs->state = SSL3_ST_SR_KEY_EXCH_B;
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001657 goto err;
1658 }
1659
Daniel Bathgate4365c3f2016-04-14 17:18:02 -04001660 if (decrypt_len != rsa_size) {
1661 al = SSL_AD_DECRYPT_ERROR;
1662 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1663 goto f_err;
1664 }
Adam Langleyacff73f2014-06-20 12:00:00 -07001665
David Benjamin3f5b43d2015-12-01 19:31:24 -05001666 /* Prepare a random premaster, to be used on invalid padding. See RFC 5246,
1667 * section 7.4.7.1. */
1668 premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH;
1669 premaster_secret = OPENSSL_malloc(premaster_secret_len);
Adam Langleyfcf25832014-12-18 17:42:32 -08001670 if (premaster_secret == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -04001671 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001672 goto err;
1673 }
David Benjamin3f5b43d2015-12-01 19:31:24 -05001674 if (!RAND_bytes(premaster_secret, premaster_secret_len)) {
nagendra modadugu3398dbf2015-08-07 14:07:52 -07001675 goto err;
1676 }
1677
David Benjamin3f5b43d2015-12-01 19:31:24 -05001678 /* The smallest padded premaster is 11 bytes of overhead. Small keys are
1679 * publicly invalid. */
1680 if (decrypt_len < 11 + premaster_secret_len) {
1681 al = SSL_AD_DECRYPT_ERROR;
1682 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1683 goto f_err;
Adam Langleyfcf25832014-12-18 17:42:32 -08001684 }
David Benjamin35c02302014-07-13 04:14:59 -04001685
David Benjamin3f5b43d2015-12-01 19:31:24 -05001686 /* Check the padding. See RFC 3447, section 7.2.2. */
1687 size_t padding_len = decrypt_len - premaster_secret_len;
1688 uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
1689 constant_time_eq_int_8(decrypt_buf[1], 2);
David Benjamin54091232016-09-05 12:47:25 -04001690 for (size_t i = 2; i < padding_len - 1; i++) {
David Benjamin3f5b43d2015-12-01 19:31:24 -05001691 good &= ~constant_time_is_zero_8(decrypt_buf[i]);
1692 }
1693 good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
1694
1695 /* The premaster secret must begin with |client_version|. This too must be
1696 * checked in constant time (http://eprint.iacr.org/2003/052/). */
1697 good &= constant_time_eq_8(decrypt_buf[padding_len],
David Benjaminf04c2e92016-12-06 13:35:25 -05001698 (unsigned)(hs->client_version >> 8));
David Benjamin3f5b43d2015-12-01 19:31:24 -05001699 good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
David Benjaminf04c2e92016-12-06 13:35:25 -05001700 (unsigned)(hs->client_version & 0xff));
David Benjamin3f5b43d2015-12-01 19:31:24 -05001701
1702 /* Select, in constant time, either the decrypted premaster or the random
1703 * premaster based on |good|. */
David Benjamin54091232016-09-05 12:47:25 -04001704 for (size_t i = 0; i < premaster_secret_len; i++) {
David Benjamin3f5b43d2015-12-01 19:31:24 -05001705 premaster_secret[i] = constant_time_select_8(
1706 good, decrypt_buf[padding_len + i], premaster_secret[i]);
1707 }
1708
1709 OPENSSL_free(decrypt_buf);
1710 decrypt_buf = NULL;
Matthew Braithwaite651aaef2016-12-08 16:14:36 -08001711 } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) {
Matt Braithwaitee25775b2016-05-16 16:31:05 -07001712 /* Parse the ClientKeyExchange. */
David Benjamin974c7ba2015-12-19 16:58:04 -05001713 CBS peer_key;
David Benjaminc3c88822016-11-14 10:32:04 +09001714 if (!SSL_ECDH_CTX_get_key(&hs->ecdh_ctx, &client_key_exchange, &peer_key) ||
Matt Braithwaitee25775b2016-05-16 16:31:05 -07001715 CBS_len(&client_key_exchange) != 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001716 al = SSL_AD_DECODE_ERROR;
David Benjamin3570d732015-06-29 00:28:17 -04001717 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -08001718 goto f_err;
1719 }
David Benjaminbd30f8e2014-08-19 16:02:38 -04001720
David Benjamin4298d772015-12-19 00:18:25 -05001721 /* Compute the premaster. */
1722 uint8_t alert;
David Benjaminc3c88822016-11-14 10:32:04 +09001723 if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, &premaster_secret,
Matt Braithwaitef4ce8e52016-05-16 14:27:14 -07001724 &premaster_secret_len, &alert, CBS_data(&peer_key),
1725 CBS_len(&peer_key))) {
David Benjamin4298d772015-12-19 00:18:25 -05001726 al = alert;
1727 goto f_err;
Adam Langleyfcf25832014-12-18 17:42:32 -08001728 }
Adam Langley95c29f32014-06-20 12:00:00 -07001729
David Benjamin4298d772015-12-19 00:18:25 -05001730 /* The key exchange state may now be discarded. */
David Benjaminc3c88822016-11-14 10:32:04 +09001731 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
Adam Langleyfcf25832014-12-18 17:42:32 -08001732 } else if (alg_k & SSL_kPSK) {
1733 /* For plain PSK, other_secret is a block of 0s with the same length as the
1734 * pre-shared key. */
1735 premaster_secret_len = psk_len;
1736 premaster_secret = OPENSSL_malloc(premaster_secret_len);
1737 if (premaster_secret == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -04001738 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001739 goto err;
1740 }
David Benjamin17cf2cb2016-12-13 01:07:13 -05001741 OPENSSL_memset(premaster_secret, 0, premaster_secret_len);
Adam Langleyfcf25832014-12-18 17:42:32 -08001742 } else {
1743 al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin3570d732015-06-29 00:28:17 -04001744 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_TYPE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001745 goto f_err;
1746 }
Adam Langley95c29f32014-06-20 12:00:00 -07001747
Adam Langleyfcf25832014-12-18 17:42:32 -08001748 /* For a PSK cipher suite, the actual pre-master secret is combined with the
1749 * pre-shared key. */
1750 if (alg_a & SSL_aPSK) {
1751 CBB new_premaster, child;
1752 uint8_t *new_data;
1753 size_t new_len;
David Benjamin14c83e72014-07-13 04:54:57 -04001754
David Benjamina8653202015-06-28 01:26:10 -04001755 CBB_zero(&new_premaster);
1756 if (!CBB_init(&new_premaster, 2 + psk_len + 2 + premaster_secret_len) ||
1757 !CBB_add_u16_length_prefixed(&new_premaster, &child) ||
Adam Langleyfcf25832014-12-18 17:42:32 -08001758 !CBB_add_bytes(&child, premaster_secret, premaster_secret_len) ||
1759 !CBB_add_u16_length_prefixed(&new_premaster, &child) ||
1760 !CBB_add_bytes(&child, psk, psk_len) ||
1761 !CBB_finish(&new_premaster, &new_data, &new_len)) {
David Benjamin3570d732015-06-29 00:28:17 -04001762 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001763 CBB_cleanup(&new_premaster);
1764 goto err;
1765 }
David Benjamin14c83e72014-07-13 04:54:57 -04001766
Adam Langleyfcf25832014-12-18 17:42:32 -08001767 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1768 OPENSSL_free(premaster_secret);
1769 premaster_secret = new_data;
1770 premaster_secret_len = new_len;
1771 }
David Benjamin14c83e72014-07-13 04:54:57 -04001772
Adam Langleyfcf25832014-12-18 17:42:32 -08001773 /* Compute the master secret */
Steven Valdez87eab492016-06-27 16:34:59 -04001774 ssl->s3->new_session->master_key_length = tls1_generate_master_secret(
1775 ssl, ssl->s3->new_session->master_key, premaster_secret,
1776 premaster_secret_len);
1777 if (ssl->s3->new_session->master_key_length == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001778 goto err;
1779 }
Steven Valdez87eab492016-06-27 16:34:59 -04001780 ssl->s3->new_session->extended_master_secret =
1781 ssl->s3->tmp.extended_master_secret;
David Benjamin14c83e72014-07-13 04:54:57 -04001782
Adam Langleyfcf25832014-12-18 17:42:32 -08001783 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1784 OPENSSL_free(premaster_secret);
1785 return 1;
1786
Adam Langley95c29f32014-06-20 12:00:00 -07001787f_err:
David Benjamin0d56f882015-12-19 17:05:56 -05001788 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
Adam Langley95c29f32014-06-20 12:00:00 -07001789err:
David Benjamin4298d772015-12-19 00:18:25 -05001790 if (premaster_secret != NULL) {
1791 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
Adam Langleyfcf25832014-12-18 17:42:32 -08001792 OPENSSL_free(premaster_secret);
1793 }
David Benjamin2755a3e2015-04-22 16:17:58 -04001794 OPENSSL_free(decrypt_buf);
Adam Langley95c29f32014-06-20 12:00:00 -07001795
Adam Langleyfcf25832014-12-18 17:42:32 -08001796 return -1;
1797}
Adam Langley95c29f32014-06-20 12:00:00 -07001798
David Benjaminc3c88822016-11-14 10:32:04 +09001799static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs) {
1800 SSL *const ssl = hs->ssl;
Adam Langleyd5157222016-12-12 11:37:43 -08001801 int al;
Adam Langleyfcf25832014-12-18 17:42:32 -08001802 CBS certificate_verify, signature;
David Benjamin6553b372014-07-22 14:11:30 -04001803
Adam Langleyfcf25832014-12-18 17:42:32 -08001804 /* Only RSA and ECDSA client certificates are supported, so a
1805 * CertificateVerify is required if and only if there's a client certificate.
1806 * */
Adam Langleyd5157222016-12-12 11:37:43 -08001807 if (hs->peer_pubkey == NULL) {
David Benjamin0d56f882015-12-19 17:05:56 -05001808 ssl3_free_handshake_buffer(ssl);
Adam Langleyfcf25832014-12-18 17:42:32 -08001809 return 1;
1810 }
Adam Langley95c29f32014-06-20 12:00:00 -07001811
David Benjaminf71036e2017-01-21 14:49:39 -05001812 int msg_ret = ssl->method->ssl_get_message(ssl);
David Benjamin09eb6552016-07-08 14:32:11 -07001813 if (msg_ret <= 0) {
1814 return msg_ret;
Adam Langleyfcf25832014-12-18 17:42:32 -08001815 }
David Benjaminef865502014-08-24 02:48:34 -04001816
David Benjamin276b7e82017-01-21 14:13:39 -05001817 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY)) {
1818 return -1;
1819 }
1820
David Benjamin09eb6552016-07-08 14:32:11 -07001821 CBS_init(&certificate_verify, ssl->init_msg, ssl->init_num);
David Benjamin6897dbe2014-07-12 20:18:28 -04001822
Adam Langleyfcf25832014-12-18 17:42:32 -08001823 /* Determine the digest type if needbe. */
Steven Valdezf0451ca2016-06-29 13:16:27 -04001824 uint16_t signature_algorithm = 0;
David Benjamina1e9cab2015-12-30 00:08:49 -05001825 if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
Steven Valdez02563852016-06-23 13:33:05 -04001826 if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
David Benjamin6e807652015-11-02 12:02:20 -05001827 al = SSL_AD_DECODE_ERROR;
1828 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1829 goto f_err;
1830 }
David Benjamin887c3002016-07-08 16:15:32 -07001831 if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
David Benjamin6e807652015-11-02 12:02:20 -05001832 goto f_err;
1833 }
David Benjaminf1050fd2016-12-13 20:05:36 -05001834 ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;
Adam Langleyd5157222016-12-12 11:37:43 -08001835 } else if (hs->peer_pubkey->type == EVP_PKEY_RSA) {
Steven Valdezf0451ca2016-06-29 13:16:27 -04001836 signature_algorithm = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
Adam Langleyd5157222016-12-12 11:37:43 -08001837 } else if (hs->peer_pubkey->type == EVP_PKEY_EC) {
Steven Valdezf0451ca2016-06-29 13:16:27 -04001838 signature_algorithm = SSL_SIGN_ECDSA_SHA1;
David Benjamin49ec9bb2016-07-14 00:11:26 -04001839 } else {
1840 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
1841 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1842 goto f_err;
Adam Langleyfcf25832014-12-18 17:42:32 -08001843 }
David Benjamin854dd652014-08-26 00:32:30 -04001844
Adam Langleyfcf25832014-12-18 17:42:32 -08001845 /* Parse and verify the signature. */
1846 if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
1847 CBS_len(&certificate_verify) != 0) {
1848 al = SSL_AD_DECODE_ERROR;
David Benjamin3570d732015-06-29 00:28:17 -04001849 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langleyfcf25832014-12-18 17:42:32 -08001850 goto f_err;
1851 }
Adam Langley95c29f32014-06-20 12:00:00 -07001852
Steven Valdez2b8415e2016-06-30 13:27:23 -04001853 int sig_ok;
1854 /* The SSL3 construction for CertificateVerify does not decompose into a
1855 * single final digest and signature, and must be special-cased. */
1856 if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
David Benjamin0aa25bd2016-07-08 14:44:56 -07001857 const EVP_MD *md;
Steven Valdez2b8415e2016-06-30 13:27:23 -04001858 uint8_t digest[EVP_MAX_MD_SIZE];
1859 size_t digest_len;
David Benjamin0aa25bd2016-07-08 14:44:56 -07001860 if (!ssl3_cert_verify_hash(ssl, &md, digest, &digest_len,
Steven Valdez2b8415e2016-06-30 13:27:23 -04001861 signature_algorithm)) {
1862 goto err;
1863 }
1864
Adam Langleyd5157222016-12-12 11:37:43 -08001865 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(hs->peer_pubkey, NULL);
Steven Valdez2b8415e2016-06-30 13:27:23 -04001866 sig_ok = pctx != NULL &&
1867 EVP_PKEY_verify_init(pctx) &&
1868 EVP_PKEY_CTX_set_signature_md(pctx, md) &&
1869 EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature),
1870 digest, digest_len);
Steven Valdez2b8415e2016-06-30 13:27:23 -04001871 EVP_PKEY_CTX_free(pctx);
1872 } else {
1873 sig_ok = ssl_public_key_verify(
1874 ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm,
Adam Langleyd5157222016-12-12 11:37:43 -08001875 hs->peer_pubkey, (const uint8_t *)ssl->s3->handshake_buffer->data,
Steven Valdez2b8415e2016-06-30 13:27:23 -04001876 ssl->s3->handshake_buffer->length);
Adam Langleyfcf25832014-12-18 17:42:32 -08001877 }
Steven Valdezf0451ca2016-06-29 13:16:27 -04001878
David Benjaminbf82aed2016-03-01 22:57:40 -05001879#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
1880 sig_ok = 1;
1881 ERR_clear_error();
1882#endif
1883 if (!sig_ok) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001884 al = SSL_AD_DECRYPT_ERROR;
David Benjamin3570d732015-06-29 00:28:17 -04001885 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
Adam Langleyfcf25832014-12-18 17:42:32 -08001886 goto f_err;
1887 }
1888
Steven Valdez2b8415e2016-06-30 13:27:23 -04001889 /* The handshake buffer is no longer necessary, and we may hash the current
1890 * message.*/
1891 ssl3_free_handshake_buffer(ssl);
David Benjaminced94792016-11-14 17:12:11 +09001892 if (!ssl_hash_current_message(ssl)) {
Steven Valdez2b8415e2016-06-30 13:27:23 -04001893 goto err;
1894 }
1895
Adam Langleyd5157222016-12-12 11:37:43 -08001896 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08001897
Adam Langleyd5157222016-12-12 11:37:43 -08001898f_err:
1899 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
David Benjamin854dd652014-08-26 00:32:30 -04001900err:
Adam Langleyd5157222016-12-12 11:37:43 -08001901 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -08001902}
Adam Langley95c29f32014-06-20 12:00:00 -07001903
Adam Langley95c29f32014-06-20 12:00:00 -07001904/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
1905 * sets the next_proto member in s if found */
David Benjaminc3c88822016-11-14 10:32:04 +09001906static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
1907 SSL *const ssl = hs->ssl;
David Benjaminf71036e2017-01-21 14:49:39 -05001908 int ret = ssl->method->ssl_get_message(ssl);
David Benjamin09eb6552016-07-08 14:32:11 -07001909 if (ret <= 0) {
1910 return ret;
Adam Langleyfcf25832014-12-18 17:42:32 -08001911 }
Adam Langley95c29f32014-06-20 12:00:00 -07001912
David Benjaminf71036e2017-01-21 14:49:39 -05001913 if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) ||
1914 !ssl_hash_current_message(ssl)) {
David Benjamin276b7e82017-01-21 14:13:39 -05001915 return -1;
1916 }
1917
David Benjamin09eb6552016-07-08 14:32:11 -07001918 CBS next_protocol, selected_protocol, padding;
1919 CBS_init(&next_protocol, ssl->init_msg, ssl->init_num);
Adam Langleyfcf25832014-12-18 17:42:32 -08001920 if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
1921 !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
David Benjamin639846e2016-09-09 11:41:18 -04001922 CBS_len(&next_protocol) != 0) {
1923 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1924 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1925 return 0;
1926 }
1927
1928 if (!CBS_stow(&selected_protocol, &ssl->s3->next_proto_negotiated,
David Benjamin79978df2015-12-25 15:56:49 -05001929 &ssl->s3->next_proto_negotiated_len)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001930 return 0;
1931 }
Adam Langley95c29f32014-06-20 12:00:00 -07001932
Adam Langleyfcf25832014-12-18 17:42:32 -08001933 return 1;
1934}
Adam Langley95c29f32014-06-20 12:00:00 -07001935
Adam Langley1258b6a2014-06-20 12:00:00 -07001936/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
David Benjaminc3c88822016-11-14 10:32:04 +09001937static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) {
1938 SSL *const ssl = hs->ssl;
David Benjaminf71036e2017-01-21 14:49:39 -05001939 int msg_ret = ssl->method->ssl_get_message(ssl);
David Benjamin09eb6552016-07-08 14:32:11 -07001940 if (msg_ret <= 0) {
1941 return msg_ret;
Adam Langleyfcf25832014-12-18 17:42:32 -08001942 }
Adam Langley1258b6a2014-06-20 12:00:00 -07001943
David Benjamin276b7e82017-01-21 14:13:39 -05001944 if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) ||
1945 !tls1_verify_channel_id(ssl) ||
David Benjaminced94792016-11-14 17:12:11 +09001946 !ssl_hash_current_message(ssl)) {
Adam Langleyfcf25832014-12-18 17:42:32 -08001947 return -1;
1948 }
Nick Harper60a85cb2016-09-23 16:25:11 -07001949 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -08001950}
David Benjamin9f1dc822016-06-07 17:03:46 -04001951
David Benjaminc3c88822016-11-14 10:32:04 +09001952static int ssl3_send_new_session_ticket(SSL_HANDSHAKE *hs) {
1953 SSL *const ssl = hs->ssl;
David Benjamin123db572016-11-03 16:59:25 -04001954 const SSL_SESSION *session;
1955 SSL_SESSION *session_copy = NULL;
1956 if (ssl->session == NULL) {
1957 /* Fix the timeout to measure from the ticket issuance time. */
David Benjamin17b30832017-01-28 14:00:32 -05001958 ssl_session_rebase_time(ssl, ssl->s3->new_session);
David Benjamin123db572016-11-03 16:59:25 -04001959 session = ssl->s3->new_session;
1960 } else {
1961 /* We are renewing an existing session. Duplicate the session to adjust the
1962 * timeout. */
1963 session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
1964 if (session_copy == NULL) {
1965 return -1;
1966 }
1967
David Benjamin17b30832017-01-28 14:00:32 -05001968 ssl_session_rebase_time(ssl, session_copy);
David Benjamin123db572016-11-03 16:59:25 -04001969 session = session_copy;
1970 }
1971
David Benjamin75836432016-06-17 18:48:29 -04001972 CBB cbb, body, ticket;
David Benjamin123db572016-11-03 16:59:25 -04001973 int ok =
1974 ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_NEW_SESSION_TICKET) &&
1975 CBB_add_u32(&body, session->timeout) &&
1976 CBB_add_u16_length_prefixed(&body, &ticket) &&
1977 ssl_encrypt_ticket(ssl, &ticket, session) &&
David Benjamindaf207a2017-01-03 18:37:41 -05001978 ssl_add_message_cbb(ssl, &cbb);
David Benjamin123db572016-11-03 16:59:25 -04001979
1980 SSL_SESSION_free(session_copy);
1981 CBB_cleanup(&cbb);
1982
1983 if (!ok) {
David Benjamine75cc272016-11-03 18:06:27 -04001984 return -1;
David Benjamin75836432016-06-17 18:48:29 -04001985 }
1986
David Benjamin16315f72017-01-12 20:02:05 -05001987 return 1;
David Benjamin9f1dc822016-06-07 17:03:46 -04001988}