Blame - ssl/s3_srvr.c - boringssl.googlesource.com/boringssl

blob: 5a46abc87ae8c1e25416113fa2260b1efa0602c7 [file] [log] [blame]

Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
				2	* All rights reserved.
				3	*
				4	* This package is an SSL implementation written
				5	* by Eric Young (eay@cryptsoft.com).
				6	* The implementation was written so as to conform with Netscapes SSL.
				7	*
				8	* This library is free for commercial and non-commercial use as long as
				9	* the following conditions are aheared to. The following conditions
				10	* apply to all code found in this distribution, be it the RC4, RSA,
				11	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
				12	* included with this distribution is covered by the same copyright terms
				13	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
				14	*
				15	* Copyright remains Eric Young's, and as such any Copyright notices in
				16	* the code are not to be removed.
				17	* If this package is used in a product, Eric Young should be given attribution
				18	* as the author of the parts of the library used.
				19	* This can be in the form of a textual message at program startup or
				20	* in documentation (online or textual) provided with the package.
				21	*
				22	* Redistribution and use in source and binary forms, with or without
				23	* modification, are permitted provided that the following conditions
				24	* are met:
				25	* 1. Redistributions of source code must retain the copyright
				26	* notice, this list of conditions and the following disclaimer.
				27	* 2. Redistributions in binary form must reproduce the above copyright
				28	* notice, this list of conditions and the following disclaimer in the
				29	* documentation and/or other materials provided with the distribution.
				30	* 3. All advertising materials mentioning features or use of this software
				31	* must display the following acknowledgement:
				32	* "This product includes cryptographic software written by
				33	* Eric Young (eay@cryptsoft.com)"
				34	* The word 'cryptographic' can be left out if the rouines from the library
				35	* being used are not cryptographic related :-).
				36	* 4. If you include any Windows specific code (or a derivative thereof) from
				37	* the apps directory (application code) you must include an acknowledgement:
				38	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
				39	*
				40	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
				41	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
				43	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
				44	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
				45	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
				46	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
				48	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
				49	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
				50	* SUCH DAMAGE.
				51	*
				52	* The licence and distribution terms for any publically available version or
				53	* derivative of this code cannot be changed. i.e. this code cannot simply be
				54	* copied and put under another distribution licence
				55	* [including the GNU Public Licence.]
				56	*/
				57	/* ====================================================================
				58	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
				59	*
				60	* Redistribution and use in source and binary forms, with or without
				61	* modification, are permitted provided that the following conditions
				62	* are met:
				63	*
				64	* 1. Redistributions of source code must retain the above copyright
				65	* notice, this list of conditions and the following disclaimer.
				66	*
				67	* 2. Redistributions in binary form must reproduce the above copyright
				68	* notice, this list of conditions and the following disclaimer in
				69	* the documentation and/or other materials provided with the
				70	* distribution.
				71	*
				72	* 3. All advertising materials mentioning features or use of this
				73	* software must display the following acknowledgment:
				74	* "This product includes software developed by the OpenSSL Project
				75	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
				76	*
				77	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
				78	* endorse or promote products derived from this software without
				79	* prior written permission. For written permission, please contact
				80	* openssl-core@openssl.org.
				81	*
				82	* 5. Products derived from this software may not be called "OpenSSL"
				83	* nor may "OpenSSL" appear in their names without prior written
				84	* permission of the OpenSSL Project.
				85	*
				86	* 6. Redistributions of any form whatsoever must retain the following
				87	* acknowledgment:
				88	* "This product includes software developed by the OpenSSL Project
				89	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
				90	*
				91	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
				92	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				93	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
				94	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
				95	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
				96	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				97	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
				98	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				99	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
				100	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
				101	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
				102	* OF THE POSSIBILITY OF SUCH DAMAGE.
				103	* ====================================================================
				104	*
				105	* This product includes cryptographic software written by Eric Young
				106	* (eay@cryptsoft.com). This product includes software written by Tim
				107	* Hudson (tjh@cryptsoft.com).
				108	*
				109	*/
				110	/* ====================================================================
				111	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
				112	*
				113	* Portions of the attached software ("Contribution") are developed by
				114	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
				115	*
				116	* The Contribution is licensed pursuant to the OpenSSL open source
				117	* license provided above.
				118	*
				119	* ECC cipher suite support in OpenSSL originally written by
				120	* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
				121	*
				122	*/
				123	/* ====================================================================
				124	* Copyright 2005 Nokia. All rights reserved.
				125	*
				126	* The portions of the attached software ("Contribution") is developed by
				127	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
				128	* license.
				129	*
				130	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
				131	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
				132	* support (see RFC 4279) to OpenSSL.
				133	*
				134	* No patent licenses or other rights except those expressly stated in
				135	* the OpenSSL open source license shall be deemed granted or received
				136	* expressly, by implication, estoppel, or otherwise.
				137	*
				138	* No assurances are provided by Nokia that the Contribution does not
				139	* infringe the patent or other intellectual property rights of any third
				140	* party or that the license provides you with all the necessary rights
				141	* to make use of the Contribution.
				142	*
				143	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
				144	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
				145	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
				146	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
				147	* OTHERWISE. */
				148
David Benjamin	880b14e	2014-08-25 22:35:07 -0400	[diff] [blame]	149	#include <assert.h>
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	150	#include <stdio.h>
David Benjamin	22f9bcc	2014-07-13 12:29:21 -0400	[diff] [blame]	151	#include <string.h>
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	152
				153	#include <openssl/bn.h>
				154	#include <openssl/buf.h>
David Benjamin	dc72ff7	2014-06-25 12:36:10 -0400	[diff] [blame]	155	#include <openssl/bytestring.h>
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	156	#include <openssl/cipher.h>
				157	#include <openssl/dh.h>
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	158	#include <openssl/ec.h>
				159	#include <openssl/ecdsa.h>
David Benjamin	f0ae170	2015-04-07 23:05:04 -0400	[diff] [blame]	160	#include <openssl/err.h>
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	161	#include <openssl/evp.h>
				162	#include <openssl/hmac.h>
				163	#include <openssl/md5.h>
				164	#include <openssl/mem.h>
				165	#include <openssl/obj.h>
				166	#include <openssl/rand.h>
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	167	#include <openssl/sha.h>
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	168	#include <openssl/x509.h>
				169
David Benjamin	2ee94aa	2015-04-07 22:38:30 -0400	[diff] [blame]	170	#include "internal.h"
Adam Langley	af6e45b	2014-11-03 19:34:49 -0800	[diff] [blame]	171	#include "../crypto/internal.h"
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	172	#include "../crypto/dh/internal.h"
				173
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	174
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	175	int ssl3_accept(SSL *s) {
				176	BUF_MEM *buf = NULL;
David Benjamin	3fa2777	2015-04-17 22:32:19 -0400	[diff] [blame]	177	uint32_t alg_a;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	178	void (cb)(const SSL ssl, int type, int val) = NULL;
				179	int ret = -1;
				180	int new_state, state, skip = 0;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	181
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	182	assert(s->handshake_func == ssl3_accept);
				183	assert(s->server);
				184	assert(!SSL_IS_DTLS(s));
David Benjamin	beb4702	2014-11-30 02:58:52 -0500	[diff] [blame]	185
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	186	ERR_clear_error();
				187	ERR_clear_system_error();
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	188
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	189	if (s->info_callback != NULL) {
				190	cb = s->info_callback;
				191	} else if (s->ctx->info_callback != NULL) {
				192	cb = s->ctx->info_callback;
				193	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	194
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	195	s->in_handshake++;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	196
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	197	if (s->cert == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	198	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	199	return -1;
				200	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	201
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	202	for (;;) {
				203	state = s->state;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	204
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	205	switch (s->state) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	206	case SSL_ST_ACCEPT:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	207	if (cb != NULL) {
				208	cb(s, SSL_CB_HANDSHAKE_START, 1);
				209	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	210
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	211	if (s->init_buf == NULL) {
				212	buf = BUF_MEM_new();
				213	if (!buf \|\| !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
				214	ret = -1;
				215	goto end;
				216	}
				217	s->init_buf = buf;
				218	buf = NULL;
				219	}
				220	s->init_num = 0;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	221
David Benjamin	6a08da2	2015-05-08 22:58:12 -0400	[diff] [blame]	222	/* Enable a write buffer. This groups handshake messages within a flight
				223	* into a single write. */
				224	if (!ssl_init_wbio_buffer(s, 1)) {
				225	ret = -1;
				226	goto end;
				227	}
				228
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	229	if (!ssl3_init_handshake_buffer(s)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	230	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	231	ret = -1;
				232	goto end;
				233	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	234
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	235	if (!s->s3->have_version) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	236	s->state = SSL3_ST_SR_INITIAL_BYTES;
				237	} else {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	238	s->state = SSL3_ST_SR_CLNT_HELLO_A;
				239	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	240	break;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	241
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	242	case SSL3_ST_SR_INITIAL_BYTES:
				243	ret = ssl3_get_initial_bytes(s);
				244	if (ret <= 0) {
				245	goto end;
				246	}
				247	/* ssl3_get_initial_bytes sets s->state to one of
				248	* SSL3_ST_SR_V2_CLIENT_HELLO or SSL3_ST_SR_CLNT_HELLO_A on success. */
				249	break;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	250
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	251	case SSL3_ST_SR_V2_CLIENT_HELLO:
				252	ret = ssl3_get_v2_client_hello(s);
				253	if (ret <= 0) {
				254	goto end;
				255	}
				256	s->state = SSL3_ST_SR_CLNT_HELLO_A;
				257	break;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	258
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	259	case SSL3_ST_SR_CLNT_HELLO_A:
				260	case SSL3_ST_SR_CLNT_HELLO_B:
				261	case SSL3_ST_SR_CLNT_HELLO_C:
				262	case SSL3_ST_SR_CLNT_HELLO_D:
				263	s->shutdown = 0;
				264	ret = ssl3_get_client_hello(s);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	265	if (ret <= 0) {
				266	goto end;
				267	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	268	s->state = SSL3_ST_SW_SRVR_HELLO_A;
				269	s->init_num = 0;
				270	break;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	271
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	272	case SSL3_ST_SW_SRVR_HELLO_A:
				273	case SSL3_ST_SW_SRVR_HELLO_B:
				274	ret = ssl3_send_server_hello(s);
				275	if (ret <= 0) {
				276	goto end;
				277	}
				278	if (s->hit) {
				279	if (s->tlsext_ticket_expected) {
				280	s->state = SSL3_ST_SW_SESSION_TICKET_A;
				281	} else {
				282	s->state = SSL3_ST_SW_CHANGE_A;
				283	}
				284	} else {
				285	s->state = SSL3_ST_SW_CERT_A;
				286	}
				287	s->init_num = 0;
				288	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	289
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	290	case SSL3_ST_SW_CERT_A:
				291	case SSL3_ST_SW_CERT_B:
				292	if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
				293	ret = ssl3_send_server_certificate(s);
				294	if (ret <= 0) {
				295	goto end;
				296	}
				297	if (s->s3->tmp.certificate_status_expected) {
				298	s->state = SSL3_ST_SW_CERT_STATUS_A;
				299	} else {
				300	s->state = SSL3_ST_SW_KEY_EXCH_A;
				301	}
				302	} else {
				303	skip = 1;
				304	s->state = SSL3_ST_SW_KEY_EXCH_A;
				305	}
				306	s->init_num = 0;
				307	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	308
Paul Lietar	aeeff2c	2015-08-12 11:47:11 +0100	[diff] [blame^]	309	case SSL3_ST_SW_CERT_STATUS_A:
				310	case SSL3_ST_SW_CERT_STATUS_B:
				311	ret = ssl3_send_certificate_status(s);
				312	if (ret <= 0) {
				313	goto end;
				314	}
				315	s->state = SSL3_ST_SW_KEY_EXCH_A;
				316	s->init_num = 0;
				317	break;
				318
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	319	case SSL3_ST_SW_KEY_EXCH_A:
				320	case SSL3_ST_SW_KEY_EXCH_B:
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	321	case SSL3_ST_SW_KEY_EXCH_C:
				322	case SSL3_ST_SW_KEY_EXCH_D:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	323	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	324
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	325	/* Send a ServerKeyExchange message if:
				326	* - The key exchange is ephemeral or anonymous
				327	* Diffie-Hellman.
				328	* - There is a PSK identity hint.
				329	*
				330	* TODO(davidben): This logic is currently duplicated in d1_srvr.c. Fix
				331	* this. In the meantime, keep them in sync. */
				332	if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) \|\|
				333	((alg_a & SSL_aPSK) && s->psk_identity_hint)) {
				334	ret = ssl3_send_server_key_exchange(s);
David Benjamin	6eb000d	2015-02-11 01:17:41 -0500	[diff] [blame]	335	if (ret <= 0) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	336	goto end;
David Benjamin	6eb000d	2015-02-11 01:17:41 -0500	[diff] [blame]	337	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	338	} else {
				339	skip = 1;
				340	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	341
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	342	s->state = SSL3_ST_SW_CERT_REQ_A;
				343	s->init_num = 0;
				344	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	345
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	346	case SSL3_ST_SW_CERT_REQ_A:
				347	case SSL3_ST_SW_CERT_REQ_B:
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	348	if (s->s3->tmp.cert_request) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	349	ret = ssl3_send_certificate_request(s);
				350	if (ret <= 0) {
				351	goto end;
				352	}
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	353	} else {
				354	skip = 1;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	355	}
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	356	s->state = SSL3_ST_SW_SRVR_DONE_A;
				357	s->init_num = 0;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	358	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	359
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	360	case SSL3_ST_SW_SRVR_DONE_A:
				361	case SSL3_ST_SW_SRVR_DONE_B:
				362	ret = ssl3_send_server_done(s);
				363	if (ret <= 0) {
				364	goto end;
				365	}
				366	s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
				367	s->state = SSL3_ST_SW_FLUSH;
				368	s->init_num = 0;
				369	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	370
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	371	case SSL3_ST_SW_FLUSH:
				372	/* This code originally checked to see if any data was pending using
				373	* BIO_CTRL_INFO and then flushed. This caused problems as documented
				374	* in PR#1939. The proposed fix doesn't completely resolve this issue
				375	* as buggy implementations of BIO_CTRL_PENDING still exist. So instead
				376	* we just flush unconditionally. */
				377	s->rwstate = SSL_WRITING;
				378	if (BIO_flush(s->wbio) <= 0) {
				379	ret = -1;
				380	goto end;
				381	}
				382	s->rwstate = SSL_NOTHING;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	383
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	384	s->state = s->s3->tmp.next_state;
				385	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	386
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	387	case SSL3_ST_SR_CERT_A:
				388	case SSL3_ST_SR_CERT_B:
				389	if (s->s3->tmp.cert_request) {
				390	ret = ssl3_get_client_certificate(s);
				391	if (ret <= 0) {
				392	goto end;
				393	}
				394	}
				395	s->init_num = 0;
				396	s->state = SSL3_ST_SR_KEY_EXCH_A;
				397	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	398
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	399	case SSL3_ST_SR_KEY_EXCH_A:
				400	case SSL3_ST_SR_KEY_EXCH_B:
				401	ret = ssl3_get_client_key_exchange(s);
				402	if (ret <= 0) {
				403	goto end;
				404	}
				405	s->state = SSL3_ST_SR_CERT_VRFY_A;
				406	s->init_num = 0;
				407	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	408
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	409	case SSL3_ST_SR_CERT_VRFY_A:
				410	case SSL3_ST_SR_CERT_VRFY_B:
				411	ret = ssl3_get_cert_verify(s);
				412	if (ret <= 0) {
				413	goto end;
				414	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	415
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	416	s->state = SSL3_ST_SR_CHANGE;
				417	s->init_num = 0;
				418	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	419
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	420	case SSL3_ST_SR_CHANGE: {
				421	char next_proto_neg = 0;
				422	char channel_id = 0;
				423	next_proto_neg = s->s3->next_proto_neg_seen;
				424	channel_id = s->s3->tlsext_channel_id_valid;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	425
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	426	/* At this point, the next message must be entirely behind a
				427	* ChangeCipherSpec. */
				428	if (!ssl3_expect_change_cipher_spec(s)) {
				429	ret = -1;
				430	goto end;
				431	}
				432	if (next_proto_neg) {
				433	s->state = SSL3_ST_SR_NEXT_PROTO_A;
				434	} else if (channel_id) {
				435	s->state = SSL3_ST_SR_CHANNEL_ID_A;
				436	} else {
				437	s->state = SSL3_ST_SR_FINISHED_A;
				438	}
				439	break;
				440	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	441
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	442	case SSL3_ST_SR_NEXT_PROTO_A:
				443	case SSL3_ST_SR_NEXT_PROTO_B:
				444	ret = ssl3_get_next_proto(s);
				445	if (ret <= 0) {
				446	goto end;
				447	}
				448	s->init_num = 0;
				449	if (s->s3->tlsext_channel_id_valid) {
				450	s->state = SSL3_ST_SR_CHANNEL_ID_A;
				451	} else {
				452	s->state = SSL3_ST_SR_FINISHED_A;
				453	}
				454	break;
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	455
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	456	case SSL3_ST_SR_CHANNEL_ID_A:
				457	case SSL3_ST_SR_CHANNEL_ID_B:
				458	ret = ssl3_get_channel_id(s);
				459	if (ret <= 0) {
				460	goto end;
				461	}
				462	s->init_num = 0;
				463	s->state = SSL3_ST_SR_FINISHED_A;
				464	break;
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	465
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	466	case SSL3_ST_SR_FINISHED_A:
				467	case SSL3_ST_SR_FINISHED_B:
				468	ret =
				469	ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B);
				470	if (ret <= 0) {
				471	goto end;
				472	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	473
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	474	if (s->hit) {
				475	s->state = SSL_ST_OK;
				476	} else if (s->tlsext_ticket_expected) {
				477	s->state = SSL3_ST_SW_SESSION_TICKET_A;
				478	} else {
				479	s->state = SSL3_ST_SW_CHANGE_A;
				480	}
				481	/* If this is a full handshake with ChannelID then record the hashshake
				482	* hashes in \|s->session\| in case we need them to verify a ChannelID
				483	* signature on a resumption of this session in the future. */
Adam Langley	49c7af1	2015-07-10 14:33:46 -0700	[diff] [blame]	484	if (!s->hit) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	485	ret = tls1_record_handshake_hashes_for_channel_id(s);
				486	if (ret <= 0) {
				487	goto end;
				488	}
				489	}
				490	s->init_num = 0;
				491	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	492
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	493	case SSL3_ST_SW_SESSION_TICKET_A:
				494	case SSL3_ST_SW_SESSION_TICKET_B:
				495	ret = ssl3_send_new_session_ticket(s);
				496	if (ret <= 0) {
				497	goto end;
				498	}
				499	s->state = SSL3_ST_SW_CHANGE_A;
				500	s->init_num = 0;
				501	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	502
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	503	case SSL3_ST_SW_CHANGE_A:
				504	case SSL3_ST_SW_CHANGE_B:
				505	s->session->cipher = s->s3->tmp.new_cipher;
				506	if (!s->enc_method->setup_key_block(s)) {
				507	ret = -1;
				508	goto end;
				509	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	510
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	511	ret = ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A,
				512	SSL3_ST_SW_CHANGE_B);
				513	if (ret <= 0) {
				514	goto end;
				515	}
				516	s->state = SSL3_ST_SW_FINISHED_A;
				517	s->init_num = 0;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	518
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	519	if (!s->enc_method->change_cipher_state(
				520	s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
				521	ret = -1;
				522	goto end;
				523	}
				524	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	525
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	526	case SSL3_ST_SW_FINISHED_A:
				527	case SSL3_ST_SW_FINISHED_B:
				528	ret =
				529	ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
				530	s->enc_method->server_finished_label,
				531	s->enc_method->server_finished_label_len);
				532	if (ret <= 0) {
				533	goto end;
				534	}
				535	s->state = SSL3_ST_SW_FLUSH;
				536	if (s->hit) {
				537	s->s3->tmp.next_state = SSL3_ST_SR_CHANGE;
				538	} else {
				539	s->s3->tmp.next_state = SSL_ST_OK;
				540	}
				541	s->init_num = 0;
				542	break;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	543
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	544	case SSL_ST_OK:
				545	/* clean a few things up */
				546	ssl3_cleanup_key_block(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	547
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	548	BUF_MEM_free(s->init_buf);
				549	s->init_buf = NULL;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	550
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	551	/* remove buffering on output */
				552	ssl_free_wbio_buffer(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	553
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	554	s->init_num = 0;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	555
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	556	/* If we aren't retaining peer certificates then we can discard it
				557	* now. */
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	558	if (s->ctx->retain_only_sha256_of_client_certs) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	559	X509_free(s->session->peer);
				560	s->session->peer = NULL;
				561	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	562
David Benjamin	44d3eed	2015-05-21 01:29:55 -0400	[diff] [blame]	563	s->s3->initial_handshake_complete = 1;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	564
David Benjamin	44d3eed	2015-05-21 01:29:55 -0400	[diff] [blame]	565	ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	566
David Benjamin	44d3eed	2015-05-21 01:29:55 -0400	[diff] [blame]	567	if (cb != NULL) {
				568	cb(s, SSL_CB_HANDSHAKE_DONE, 1);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	569	}
Adam Langley	7587253	2014-06-20 12:00:00 -0700	[diff] [blame]	570
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	571	ret = 1;
				572	goto end;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	573
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	574	default:
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	575	OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	576	ret = -1;
				577	goto end;
				578	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	579
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	580	if (!s->s3->tmp.reuse_message && !skip && cb != NULL && s->state != state) {
				581	new_state = s->state;
				582	s->state = state;
				583	cb(s, SSL_CB_ACCEPT_LOOP, 1);
				584	s->state = new_state;
				585	}
				586	skip = 0;
				587	}
				588
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	589	end:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	590	s->in_handshake--;
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	591	BUF_MEM_free(buf);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	592	if (cb != NULL) {
				593	cb(s, SSL_CB_ACCEPT_EXIT, ret);
				594	}
				595	return ret;
				596	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	597
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	598	int ssl3_get_initial_bytes(SSL *s) {
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	599	/* Read the first 5 bytes, the size of the TLS record header. This is
				600	* sufficient to detect a V2ClientHello and ensures that we never read beyond
				601	* the first record. */
				602	int ret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, 0 /* new packet */);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	603	if (ret <= 0) {
				604	return ret;
				605	}
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	606	assert(s->packet_length == SSL3_RT_HEADER_LENGTH);
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	607	const uint8_t *p = s->packet;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	608
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	609	/* Some dedicated error codes for protocol mixups should the application wish
				610	* to interpret them differently. (These do not overlap with ClientHello or
				611	* V2ClientHello.) */
				612	if (strncmp("GET ", (const char *)p, 4) == 0 \|\|
				613	strncmp("POST ", (const char *)p, 5) == 0 \|\|
				614	strncmp("HEAD ", (const char *)p, 5) == 0 \|\|
				615	strncmp("PUT ", (const char *)p, 4) == 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	616	OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	617	return -1;
				618	}
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	619	if (strncmp("CONNE", (const char *)p, 5) == 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	620	OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	621	return -1;
				622	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	623
David Benjamin	97760d5	2015-07-24 23:02:49 -0400	[diff] [blame]	624	/* Determine if this is a V2ClientHello. */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	625	if ((p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO &&
				626	p[3] >= SSL3_VERSION_MAJOR) {
				627	/* This is a V2ClientHello. */
				628	s->state = SSL3_ST_SR_V2_CLIENT_HELLO;
				629	return 1;
				630	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	631
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	632	/* Fall through to the standard logic. Unread what's been read to re-process
				633	* it. */
David Benjamin	97760d5	2015-07-24 23:02:49 -0400	[diff] [blame]	634	assert(s->rstate == SSL_ST_READ_HEADER);
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	635	assert(s->s3->rbuf.offset >= SSL3_RT_HEADER_LENGTH);
				636	s->s3->rbuf.offset -= SSL3_RT_HEADER_LENGTH;
				637	s->s3->rbuf.left += SSL3_RT_HEADER_LENGTH;
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	638	s->packet = NULL;
David Benjamin	97760d5	2015-07-24 23:02:49 -0400	[diff] [blame]	639	s->packet_length = 0;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	640
David Benjamin	97760d5	2015-07-24 23:02:49 -0400	[diff] [blame]	641	s->state = SSL3_ST_SR_CLNT_HELLO_A;
				642	return 1;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	643	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	644
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	645	int ssl3_get_v2_client_hello(SSL *s) {
				646	const uint8_t *p;
				647	int ret;
				648	CBS v2_client_hello, cipher_specs, session_id, challenge;
				649	size_t msg_length, rand_len, len;
				650	uint8_t msg_type;
				651	uint16_t version, cipher_spec_length, session_id_length, challenge_length;
				652	CBB client_hello, hello_body, cipher_suites;
				653	uint8_t random[SSL3_RANDOM_SIZE];
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	654
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	655	/* Determine the length of the V2ClientHello. */
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	656	assert(s->packet_length >= SSL3_RT_HEADER_LENGTH);
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	657	p = (const uint8_t *)s->packet;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	658	msg_length = ((p[0] & 0x7f) << 8) \| p[1];
				659	if (msg_length > (1024 * 4)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	660	OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	661	return -1;
				662	}
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	663	if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	664	/* Reject lengths that are too short early. We have already read
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	665	* \|SSL3_RT_HEADER_LENGTH\| bytes, so we should not attempt to process an
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	666	* (invalid) V2ClientHello which would be shorter than that. */
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	667	OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	668	return -1;
				669	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	670
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	671	/* Read the remainder of the V2ClientHello. We have previously read
David Benjamin	894f48c	2015-07-24 23:48:52 -0400	[diff] [blame]	672	* \|SSL3_RT_HEADER_LENGTH\| bytes in ssl3_get_initial_bytes. */
				673	ret = ssl3_read_n(s, msg_length - (SSL3_RT_HEADER_LENGTH - 2),
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	674	1 /* extend */);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	675	if (ret <= 0) {
				676	return ret;
				677	}
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	678	assert(s->packet_length == msg_length + 2);
				679	CBS_init(&v2_client_hello, (const uint8_t *)s->packet + 2,
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	680	msg_length);
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	681
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	682	/* The V2ClientHello without the length is incorporated into the handshake
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	683	* hash. */
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	684	if (!ssl3_update_handshake_hash(s, CBS_data(&v2_client_hello),
				685	CBS_len(&v2_client_hello))) {
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	686	return -1;
				687	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	688	if (s->msg_callback) {
				689	s->msg_callback(0, SSL2_VERSION, 0, CBS_data(&v2_client_hello),
				690	CBS_len(&v2_client_hello), s, s->msg_callback_arg);
				691	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	692
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	693	if (!CBS_get_u8(&v2_client_hello, &msg_type) \|\|
				694	!CBS_get_u16(&v2_client_hello, &version) \|\|
				695	!CBS_get_u16(&v2_client_hello, &cipher_spec_length) \|\|
				696	!CBS_get_u16(&v2_client_hello, &session_id_length) \|\|
				697	!CBS_get_u16(&v2_client_hello, &challenge_length) \|\|
				698	!CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) \|\|
				699	!CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) \|\|
				700	!CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) \|\|
				701	CBS_len(&v2_client_hello) != 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	702	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	703	return -1;
				704	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	705
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	706	/* msg_type has already been checked. */
				707	assert(msg_type == SSL2_MT_CLIENT_HELLO);
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	708
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	709	/* The client_random is the V2ClientHello challenge. Truncate or
				710	* left-pad with zeros as needed. */
				711	memset(random, 0, SSL3_RANDOM_SIZE);
				712	rand_len = CBS_len(&challenge);
				713	if (rand_len > SSL3_RANDOM_SIZE) {
				714	rand_len = SSL3_RANDOM_SIZE;
				715	}
				716	memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
				717	rand_len);
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	718
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	719	/* Write out an equivalent SSLv3 ClientHello. */
David Benjamin	a865320	2015-06-28 01:26:10 -0400	[diff] [blame]	720	CBB_zero(&client_hello);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	721	if (!CBB_init_fixed(&client_hello, (uint8_t *)s->init_buf->data,
David Benjamin	a865320	2015-06-28 01:26:10 -0400	[diff] [blame]	722	s->init_buf->max) \|\|
				723	!CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) \|\|
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	724	!CBB_add_u24_length_prefixed(&client_hello, &hello_body) \|\|
				725	!CBB_add_u16(&hello_body, version) \|\|
				726	!CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) \|\|
				727	/* No session id. */
				728	!CBB_add_u8(&hello_body, 0) \|\|
				729	!CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
				730	CBB_cleanup(&client_hello);
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	731	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	732	return -1;
				733	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	734
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	735	/* Copy the cipher suites. */
				736	while (CBS_len(&cipher_specs) > 0) {
				737	uint32_t cipher_spec;
				738	if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
				739	CBB_cleanup(&client_hello);
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	740	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	741	return -1;
				742	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	743
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	744	/* Skip SSLv2 ciphers. */
				745	if ((cipher_spec & 0xff0000) != 0) {
				746	continue;
				747	}
				748	if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
				749	CBB_cleanup(&client_hello);
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	750	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	751	return -1;
				752	}
				753	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	754
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	755	/* Add the null compression scheme and finish. */
				756	if (!CBB_add_u8(&hello_body, 1) \|\| !CBB_add_u8(&hello_body, 0) \|\|
				757	!CBB_finish(&client_hello, NULL, &len)) {
				758	CBB_cleanup(&client_hello);
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	759	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	760	return -1;
				761	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	762
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	763	/* Mark the message for "re"-use by the version-specific method. */
				764	s->s3->tmp.reuse_message = 1;
				765	s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
				766	/* The handshake message header is 4 bytes. */
				767	s->s3->tmp.message_size = len - 4;
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	768
David Benjamin	45c6c3e	2015-07-24 23:24:12 -0400	[diff] [blame]	769	/* The V2ClientHello was processed, so it may be released now. */
				770	if (s->s3->rbuf.left == 0) {
				771	ssl3_release_read_buffer(s);
				772	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	773
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	774	return 1;
				775	}
David Benjamin	4b755cb	2014-12-12 03:58:07 -0500	[diff] [blame]	776
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	777	int ssl3_get_client_hello(SSL *s) {
David Benjamin	4b30b28	2015-05-26 16:37:58 -0400	[diff] [blame]	778	int ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	779	long n;
				780	const SSL_CIPHER *c;
				781	STACK_OF(SSL_CIPHER) *ciphers = NULL;
				782	struct ssl_early_callback_ctx early_ctx;
				783	CBS client_hello;
				784	uint16_t client_version;
				785	CBS client_random, session_id, cipher_suites, compression_methods;
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	786	SSL_SESSION *session = NULL;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	787
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	788	/* We do this so that we will respond with our native type. If we are TLSv1
				789	* and we get SSLv3, we will respond with TLSv1, This down switching should
				790	* be handled by a different method. If we are SSLv3, we will respond with
				791	* SSLv3, even if prompted with TLSv1. */
				792	switch (s->state) {
				793	case SSL3_ST_SR_CLNT_HELLO_A:
				794	case SSL3_ST_SR_CLNT_HELLO_B:
				795	n = s->method->ssl_get_message(
				796	s, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
				797	SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
David Benjamin	5ca39fb	2015-03-01 23:57:54 -0500	[diff] [blame]	798	ssl_hash_message, &ok);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	799
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	800	if (!ok) {
				801	return n;
				802	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	803
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	804	s->state = SSL3_ST_SR_CLNT_HELLO_C;
				805	/* fallthrough */
				806	case SSL3_ST_SR_CLNT_HELLO_C:
				807	case SSL3_ST_SR_CLNT_HELLO_D:
				808	/* We have previously parsed the ClientHello message, and can't call
				809	* ssl_get_message again without hashing the message into the Finished
				810	* digest again. */
				811	n = s->init_num;
Adam Langley	dc9b141	2014-06-20 12:00:00 -0700	[diff] [blame]	812
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	813	memset(&early_ctx, 0, sizeof(early_ctx));
				814	early_ctx.ssl = s;
				815	early_ctx.client_hello = s->init_msg;
				816	early_ctx.client_hello_len = n;
				817	if (!ssl_early_callback_init(&early_ctx)) {
				818	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	819	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	820	goto f_err;
				821	}
David Benjamin	22f9bcc	2014-07-13 12:29:21 -0400	[diff] [blame]	822
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	823	if (s->state == SSL3_ST_SR_CLNT_HELLO_C &&
				824	s->ctx->select_certificate_cb != NULL) {
				825	s->state = SSL3_ST_SR_CLNT_HELLO_D;
				826	switch (s->ctx->select_certificate_cb(&early_ctx)) {
				827	case 0:
David Benjamin	2fff5bf	2015-02-09 04:32:28 -0500	[diff] [blame]	828	s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
				829	goto err;
Adam Langley	dc9b141	2014-06-20 12:00:00 -0700	[diff] [blame]	830
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	831	case -1:
				832	/* Connection rejected. */
				833	al = SSL_AD_ACCESS_DENIED;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	834	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	835	goto f_err;
Adam Langley	dc9b141	2014-06-20 12:00:00 -0700	[diff] [blame]	836
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	837	default:
				838	/* fallthrough */;
				839	}
				840	}
				841	s->state = SSL3_ST_SR_CLNT_HELLO_D;
				842	break;
Adam Langley	b2ce058	2014-06-20 12:00:00 -0700	[diff] [blame]	843
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	844	default:
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	845	OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	846	return -1;
				847	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	848
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	849	CBS_init(&client_hello, s->init_msg, n);
				850	if (!CBS_get_u16(&client_hello, &client_version) \|\|
				851	!CBS_get_bytes(&client_hello, &client_random, SSL3_RANDOM_SIZE) \|\|
				852	!CBS_get_u8_length_prefixed(&client_hello, &session_id) \|\|
				853	CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
				854	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	855	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	856	goto f_err;
				857	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	858
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	859	/* use version from inside client hello, not from record header (may differ:
				860	* see RFC 2246, Appendix E, second paragraph) */
				861	s->client_version = client_version;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	862
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	863	/* Load the client random. */
				864	memcpy(s->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	865
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	866	if (SSL_IS_DTLS(s)) {
				867	CBS cookie;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	868
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	869	if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) \|\|
				870	CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
				871	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	872	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	873	goto f_err;
				874	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	875	}
David Benjamin	8b8c006	2014-11-23 02:47:52 -0500	[diff] [blame]	876
David Benjamin	e6df054	2015-05-12 22:02:08 -0400	[diff] [blame]	877	/* Note: This codepath may run twice if \|ssl_get_prev_session\| completes
				878	* asynchronously.
				879	*
				880	* TODO(davidben): Clean up the order of events around ClientHello
				881	* processing. */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	882	if (!s->s3->have_version) {
				883	/* Select version to use */
				884	uint16_t version = ssl3_get_mutual_version(s, client_version);
				885	if (version == 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	886	OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	887	s->version = s->client_version;
				888	al = SSL_AD_PROTOCOL_VERSION;
				889	goto f_err;
				890	}
				891	s->version = version;
				892	s->enc_method = ssl3_get_enc_method(version);
				893	assert(s->enc_method != NULL);
				894	/* At this point, the connection's version is known and \|s->version\| is
				895	* fixed. Begin enforcing the record-layer version. */
				896	s->s3->have_version = 1;
				897	} else if (SSL_IS_DTLS(s) ? (s->client_version > s->version)
				898	: (s->client_version < s->version)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	899	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	900	al = SSL_AD_PROTOCOL_VERSION;
				901	goto f_err;
				902	}
David Benjamin	8b8c006	2014-11-23 02:47:52 -0500	[diff] [blame]	903
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	904	s->hit = 0;
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	905	int send_new_ticket = 0;
				906	switch (ssl_get_prev_session(s, &session, &send_new_ticket, &early_ctx)) {
				907	case ssl_session_success:
				908	break;
				909	case ssl_session_error:
				910	goto err;
				911	case ssl_session_retry:
				912	s->rwstate = SSL_PENDING_SESSION;
				913	goto err;
David Benjamin	4b30b28	2015-05-26 16:37:58 -0400	[diff] [blame]	914	}
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	915	s->tlsext_ticket_expected = send_new_ticket;
David Benjamin	4b30b28	2015-05-26 16:37:58 -0400	[diff] [blame]	916
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	917	/* The EMS state is needed when making the resumption decision, but
				918	* extensions are not normally parsed until later. This detects the EMS
				919	* extension for the resumption decision and it's checked against the result
				920	* of the normal parse later in this function. */
				921	const uint8_t *ems_data;
				922	size_t ems_len;
				923	int have_extended_master_secret =
				924	s->version != SSL3_VERSION &&
				925	SSL_early_callback_ctx_extension_get(&early_ctx,
				926	TLSEXT_TYPE_extended_master_secret,
				927	&ems_data, &ems_len) &&
				928	ems_len == 0;
				929
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	930	if (session != NULL) {
				931	if (session->extended_master_secret &&
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	932	!have_extended_master_secret) {
				933	/* A ClientHello without EMS that attempts to resume a session with EMS
				934	* is fatal to the connection. */
				935	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	936	OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	937	goto f_err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	938	}
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	939
				940	s->hit =
				941	/* Only resume if the session's version matches the negotiated version:
				942	* most clients do not accept a mismatch. */
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	943	s->version == session->ssl_version &&
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	944	/* If the client offers the EMS extension, but the previous session
				945	* didn't use it, then negotiate a new session. */
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	946	have_extended_master_secret == session->extended_master_secret;
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	947	}
				948
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	949	if (s->hit) {
				950	/* Use the new session. */
				951	SSL_SESSION_free(s->session);
				952	s->session = session;
				953	session = NULL;
				954
				955	s->verify_result = s->session->verify_result;
				956	} else if (!ssl_get_new_session(s, 1)) {
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	957	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	958	}
David Benjamin	22f9bcc	2014-07-13 12:29:21 -0400	[diff] [blame]	959
Adam Langley	524e717	2015-02-20 16:04:00 -0800	[diff] [blame]	960	if (s->ctx->dos_protection_cb != NULL && s->ctx->dos_protection_cb(&early_ctx) == 0) {
				961	/* Connection rejected for DOS reasons. */
				962	al = SSL_AD_ACCESS_DENIED;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	963	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
Adam Langley	524e717	2015-02-20 16:04:00 -0800	[diff] [blame]	964	goto f_err;
				965	}
				966
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	967	if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) \|\|
David Benjamin	93de5e5	2015-04-17 22:33:25 -0400	[diff] [blame]	968	CBS_len(&cipher_suites) == 0 \|\|
				969	CBS_len(&cipher_suites) % 2 != 0 \|\|
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	970	!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) \|\|
				971	CBS_len(&compression_methods) == 0) {
				972	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	973	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	974	goto f_err;
				975	}
David Benjamin	22f9bcc	2014-07-13 12:29:21 -0400	[diff] [blame]	976
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	977	ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites);
				978	if (ciphers == NULL) {
				979	goto err;
				980	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	981
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	982	/* If it is a hit, check that the cipher is in the list. */
David Benjamin	93de5e5	2015-04-17 22:33:25 -0400	[diff] [blame]	983	if (s->hit) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	984	size_t j;
				985	int found_cipher = 0;
David Benjamin	3fa2777	2015-04-17 22:32:19 -0400	[diff] [blame]	986	uint32_t id = s->session->cipher->id;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	987
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	988	for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
				989	c = sk_SSL_CIPHER_value(ciphers, j);
				990	if (c->id == id) {
				991	found_cipher = 1;
				992	break;
				993	}
				994	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	995
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	996	if (!found_cipher) {
				997	/* we need to have the cipher in the cipher list if we are asked to reuse
				998	* it */
				999	al = SSL_AD_ILLEGAL_PARAMETER;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1000	OPENSSL_PUT_ERROR(SSL, SSL_R_REQUIRED_CIPHER_MISSING);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1001	goto f_err;
				1002	}
				1003	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1004
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1005	/* Only null compression is supported. */
				1006	if (memchr(CBS_data(&compression_methods), 0,
				1007	CBS_len(&compression_methods)) == NULL) {
				1008	al = SSL_AD_ILLEGAL_PARAMETER;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1009	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMPRESSION_SPECIFIED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1010	goto f_err;
				1011	}
David Benjamin	dc72ff7	2014-06-25 12:36:10 -0400	[diff] [blame]	1012
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1013	/* TLS extensions. */
				1014	if (s->version >= SSL3_VERSION &&
				1015	!ssl_parse_clienthello_tlsext(s, &client_hello)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1016	OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1017	goto err;
				1018	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1019
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1020	/* There should be nothing left over in the record. */
				1021	if (CBS_len(&client_hello) != 0) {
				1022	/* wrong packet length */
				1023	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1024	OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1025	goto f_err;
				1026	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1027
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	1028	if (have_extended_master_secret != s->s3->tmp.extended_master_secret) {
				1029	al = SSL_AD_INTERNAL_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1030	OPENSSL_PUT_ERROR(SSL, SSL_R_EMS_STATE_INCONSISTENT);
Adam Langley	ba5934b	2015-06-02 10:50:35 -0700	[diff] [blame]	1031	goto f_err;
				1032	}
				1033
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1034	/* Given ciphers and SSL_get_ciphers, we must pick a cipher */
				1035	if (!s->hit) {
				1036	if (ciphers == NULL) {
				1037	al = SSL_AD_ILLEGAL_PARAMETER;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1038	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_PASSED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1039	goto f_err;
				1040	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1041
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1042	/* Let cert callback update server certificates if required */
				1043	if (s->cert->cert_cb) {
				1044	int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
				1045	if (rv == 0) {
				1046	al = SSL_AD_INTERNAL_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1047	OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1048	goto f_err;
				1049	}
				1050	if (rv < 0) {
				1051	s->rwstate = SSL_X509_LOOKUP;
				1052	goto err;
				1053	}
				1054	s->rwstate = SSL_NOTHING;
				1055	}
				1056	c = ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
				1057
				1058	if (c == NULL) {
				1059	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1060	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1061	goto f_err;
				1062	}
				1063	s->s3->tmp.new_cipher = c;
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	1064
				1065	/* Determine whether to request a client certificate. */
				1066	s->s3->tmp.cert_request = !!(s->verify_mode & SSL_VERIFY_PEER);
				1067	/* Only request a certificate if Channel ID isn't negotiated. */
				1068	if ((s->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
				1069	s->s3->tlsext_channel_id_valid) {
				1070	s->s3->tmp.cert_request = 0;
				1071	}
				1072	/* Plain PSK forbids Certificate and CertificateRequest. */
				1073	if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
				1074	s->s3->tmp.cert_request = 0;
				1075	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1076	} else {
				1077	/* Session-id reuse */
				1078	s->s3->tmp.new_cipher = s->session->cipher;
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	1079	s->s3->tmp.cert_request = 0;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1080	}
				1081
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	1082	/* Now that the cipher is known, initialize the handshake hash. */
				1083	if (!ssl3_init_handshake_hash(s)) {
				1084	goto f_err;
				1085	}
				1086
David Benjamin	5c1ce29	2015-05-26 16:59:43 -0400	[diff] [blame]	1087	/* In TLS 1.2, client authentication requires hashing the handshake transcript
				1088	* under a different hash. Otherwise, release the handshake buffer. */
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	1089	if (!SSL_USE_SIGALGS(s) \|\| !s->s3->tmp.cert_request) {
				1090	ssl3_free_handshake_buffer(s);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1091	}
				1092
				1093	/* we now have the following setup;
				1094	* client_random
				1095	* cipher_list - our prefered list of ciphers
				1096	* ciphers - the clients prefered list of ciphers
				1097	* compression - basically ignored right now
				1098	* ssl version is set - sslv3
				1099	* s->session - The ssl session has been setup.
				1100	* s->hit - session reuse flag
				1101	* s->tmp.new_cipher - the new cipher to use. */
				1102
				1103	if (ret < 0) {
				1104	ret = -ret;
				1105	}
				1106
				1107	if (0) {
				1108	f_err:
				1109	ssl3_send_alert(s, SSL3_AL_FATAL, al);
				1110	}
				1111
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1112	err:
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	1113	sk_SSL_CIPHER_free(ciphers);
David Benjamin	e3aa1d9	2015-06-16 15:34:50 -0400	[diff] [blame]	1114	SSL_SESSION_free(session);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1115	return ret;
				1116	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1117
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1118	int ssl3_send_server_hello(SSL *s) {
				1119	uint8_t *buf;
				1120	uint8_t p, d;
				1121	int sl;
				1122	unsigned long l;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1123
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1124	if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
				1125	/* We only accept ChannelIDs on connections with ECDHE in order to avoid a
				1126	* known attack while we fix ChannelID itself. */
				1127	if (s->s3->tlsext_channel_id_valid &&
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1128	(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1129	s->s3->tlsext_channel_id_valid = 0;
				1130	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	1131
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1132	/* If this is a resumption and the original handshake didn't support
				1133	* ChannelID then we didn't record the original handshake hashes in the
				1134	* session and so cannot resume with ChannelIDs. */
Adam Langley	49c7af1	2015-07-10 14:33:46 -0700	[diff] [blame]	1135	if (s->hit && s->session->original_handshake_hash_len == 0) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1136	s->s3->tlsext_channel_id_valid = 0;
				1137	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	1138
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1139	buf = (uint8_t *)s->init_buf->data;
				1140	/* Do the message type and length last */
				1141	d = p = ssl_handshake_start(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1142
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1143	*(p++) = s->version >> 8;
				1144	*(p++) = s->version & 0xff;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1145
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1146	/* Random stuff */
David Benjamin	74d8bc2	2015-05-21 02:16:53 -0400	[diff] [blame]	1147	if (!ssl_fill_hello_random(s->s3->server_random, SSL3_RANDOM_SIZE,
				1148	1 /* server */)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1149	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1150	return -1;
				1151	}
				1152	memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
				1153	p += SSL3_RANDOM_SIZE;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1154
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1155	/* There are several cases for the session ID to send
				1156	* back in the server hello:
				1157	* - For session reuse from the session cache, we send back the old session
				1158	* ID.
				1159	* - If stateless session reuse (using a session ticket) is successful, we
				1160	* send back the client's "session ID" (which doesn't actually identify
				1161	* the session).
				1162	* - If it is a new session, we send back the new session ID.
				1163	* - However, if we want the new session to be single-use, we send back a
				1164	* 0-length session ID.
				1165	* s->hit is non-zero in either case of session reuse, so the following
				1166	* won't overwrite an ID that we're supposed to send back. */
				1167	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit) {
				1168	s->session->session_id_length = 0;
				1169	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1170
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1171	sl = s->session->session_id_length;
				1172	if (sl > (int)sizeof(s->session->session_id)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1173	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1174	return -1;
				1175	}
				1176	*(p++) = sl;
				1177	memcpy(p, s->session->session_id, sl);
				1178	p += sl;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1179
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1180	/* put the cipher */
David Benjamin	a1c90a5	2015-05-30 17:03:14 -0400	[diff] [blame]	1181	s2n(ssl_cipher_get_value(s->s3->tmp.new_cipher), p);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1182
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1183	/* put the compression method */
				1184	*(p++) = 0;
David Benjamin	821464e	2015-07-21 21:06:39 -0400	[diff] [blame]	1185
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1186	p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH);
				1187	if (p == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1188	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1189	return -1;
				1190	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1191
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1192	/* do the header */
				1193	l = (p - d);
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	1194	if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
				1195	return -1;
				1196	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1197	s->state = SSL3_ST_SW_SRVR_HELLO_B;
				1198	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1199
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1200	/* SSL3_ST_SW_SRVR_HELLO_B */
				1201	return ssl_do_write(s);
				1202	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1203
Paul Lietar	aeeff2c	2015-08-12 11:47:11 +0100	[diff] [blame^]	1204	int ssl3_send_certificate_status(SSL *ssl) {
				1205	if (ssl->state == SSL3_ST_SW_CERT_STATUS_A) {
				1206	CBB out, ocsp_response;
				1207	size_t length;
				1208
				1209	CBB_zero(&out);
				1210	if (!CBB_init_fixed(&out, ssl_handshake_start(ssl),
				1211	ssl->init_buf->max - SSL_HM_HEADER_LENGTH(ssl)) \|\|
				1212	!CBB_add_u8(&out, TLSEXT_STATUSTYPE_ocsp) \|\|
				1213	!CBB_add_u24_length_prefixed(&out, &ocsp_response) \|\|
				1214	!CBB_add_bytes(&ocsp_response, ssl->ctx->ocsp_response,
				1215	ssl->ctx->ocsp_response_length) \|\|
				1216	!CBB_finish(&out, NULL, &length) \|\|
				1217	!ssl_set_handshake_header(ssl, SSL3_MT_CERTIFICATE_STATUS, length)) {
				1218	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
				1219	CBB_cleanup(&out);
				1220	return -1;
				1221	}
				1222
				1223	ssl->state = SSL3_ST_SW_CERT_STATUS_B;
				1224	}
				1225
				1226	/* SSL3_ST_SW_CERT_STATUS_B */
				1227	return ssl_do_write(ssl);
				1228	}
				1229
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1230	int ssl3_send_server_done(SSL *s) {
				1231	if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	1232	if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
				1233	return -1;
				1234	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1235	s->state = SSL3_ST_SW_SRVR_DONE_B;
				1236	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1237
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1238	/* SSL3_ST_SW_SRVR_DONE_B */
				1239	return ssl_do_write(s);
				1240	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1241
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1242	int ssl3_send_server_key_exchange(SSL *s) {
				1243	DH dh = NULL, dhp;
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1244	EC_KEY *ecdh = NULL;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1245	uint8_t *encodedPoint = NULL;
				1246	int encodedlen = 0;
David Benjamin	70bd80a	2014-12-27 03:06:46 -0500	[diff] [blame]	1247	uint16_t curve_id = 0;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1248	BN_CTX *bn_ctx = NULL;
				1249	const char *psk_identity_hint = NULL;
				1250	size_t psk_identity_hint_len = 0;
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1251	size_t sig_len;
				1252	size_t max_sig_len;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1253	uint8_t p, d;
				1254	int al, i;
David Benjamin	3fa2777	2015-04-17 22:32:19 -0400	[diff] [blame]	1255	uint32_t alg_k;
				1256	uint32_t alg_a;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1257	int n;
				1258	CERT *cert;
				1259	BIGNUM *r[4];
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1260	int nr[4];
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1261	BUF_MEM *buf;
				1262	EVP_MD_CTX md_ctx;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1263
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1264	if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
				1265	if (!ssl_has_private_key(s)) {
				1266	al = SSL_AD_INTERNAL_ERROR;
				1267	goto f_err;
				1268	}
				1269	max_sig_len = ssl_private_key_max_signature_len(s);
				1270	} else {
				1271	max_sig_len = 0;
				1272	}
				1273
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1274	EVP_MD_CTX_init(&md_ctx);
				1275	if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
				1276	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
				1277	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
				1278	cert = s->cert;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1279
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1280	buf = s->init_buf;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1281
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1282	r[0] = r[1] = r[2] = r[3] = NULL;
				1283	n = 0;
				1284	if (alg_a & SSL_aPSK) {
				1285	/* size for PSK identity hint */
				1286	psk_identity_hint = s->psk_identity_hint;
				1287	if (psk_identity_hint) {
				1288	psk_identity_hint_len = strlen(psk_identity_hint);
				1289	} else {
				1290	psk_identity_hint_len = 0;
				1291	}
				1292	n += 2 + psk_identity_hint_len;
				1293	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1294
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1295	if (alg_k & SSL_kDHE) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1296	dhp = cert->dh_tmp;
				1297	if (dhp == NULL && s->cert->dh_tmp_cb != NULL) {
				1298	dhp = s->cert->dh_tmp_cb(s, 0, 1024);
				1299	}
				1300	if (dhp == NULL) {
				1301	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1302	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_DH_KEY);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1303	goto f_err;
				1304	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1305
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1306	if (s->s3->tmp.dh != NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1307	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1308	goto err;
				1309	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1310	dh = DHparams_dup(dhp);
				1311	if (dh == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1312	OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1313	goto err;
				1314	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1315	s->s3->tmp.dh = dh;
David Benjamin	9f226a5	2015-04-26 22:12:32 -0400	[diff] [blame]	1316
				1317	if (!DH_generate_key(dh)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1318	OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
David Benjamin	9f226a5	2015-04-26 22:12:32 -0400	[diff] [blame]	1319	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1320	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1321
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1322	r[0] = dh->p;
				1323	r[1] = dh->g;
				1324	r[2] = dh->pub_key;
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1325	} else if (alg_k & SSL_kECDHE) {
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1326	/* Determine the curve to use. */
				1327	int nid = NID_undef;
David Benjamin	dd97878	2015-04-24 15:20:13 -0400	[diff] [blame]	1328	if (cert->ecdh_nid != NID_undef) {
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1329	nid = cert->ecdh_nid;
				1330	} else if (cert->ecdh_tmp_cb != NULL) {
				1331	/* Note: \|ecdh_tmp_cb\| does NOT pass ownership of the result
				1332	* to the caller. */
				1333	EC_KEY *template = s->cert->ecdh_tmp_cb(s, 0, 1024);
				1334	if (template != NULL && EC_KEY_get0_group(template) != NULL) {
				1335	nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(template));
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1336	}
David Benjamin	dd97878	2015-04-24 15:20:13 -0400	[diff] [blame]	1337	} else {
				1338	nid = tls1_get_shared_curve(s);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1339	}
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1340	if (nid == NID_undef) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1341	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1342	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_ECDH_KEY);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1343	goto f_err;
				1344	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1345
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1346	if (s->s3->tmp.ecdh != NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1347	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1348	goto err;
				1349	}
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1350	ecdh = EC_KEY_new_by_curve_name(nid);
				1351	if (ecdh == NULL) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1352	goto err;
				1353	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1354	s->s3->tmp.ecdh = ecdh;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1355
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1356	if (!EC_KEY_generate_key(ecdh)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1357	OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1358	goto err;
				1359	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1360
David Benjamin	70bd80a	2014-12-27 03:06:46 -0500	[diff] [blame]	1361	/* We only support ephemeral ECDH keys over named (not generic) curves. */
David Benjamin	c0f763b	2015-03-27 02:05:39 -0400	[diff] [blame]	1362	const EC_GROUP *group = EC_KEY_get0_group(ecdh);
David Benjamin	70bd80a	2014-12-27 03:06:46 -0500	[diff] [blame]	1363	if (!tls1_ec_nid2curve_id(&curve_id, EC_GROUP_get_curve_name(group))) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1364	OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1365	goto err;
				1366	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1367
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1368	/* Encode the public key. First check the size of encoding and allocate
				1369	* memory accordingly. */
				1370	encodedlen =
				1371	EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
				1372	POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1373
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1374	encodedPoint = (uint8_t )OPENSSL_malloc(encodedlen sizeof(uint8_t));
				1375	bn_ctx = BN_CTX_new();
				1376	if (encodedPoint == NULL \|\| bn_ctx == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1377	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1378	goto err;
				1379	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1380
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1381	encodedlen = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
				1382	POINT_CONVERSION_UNCOMPRESSED,
				1383	encodedPoint, encodedlen, bn_ctx);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1384
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1385	if (encodedlen == 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1386	OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1387	goto err;
				1388	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1389
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1390	BN_CTX_free(bn_ctx);
				1391	bn_ctx = NULL;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1392
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1393	/* We only support named (not generic) curves in ECDH ephemeral key
				1394	* exchanges. In this situation, we need four additional bytes to encode
				1395	* the entire ServerECDHParams structure. */
				1396	n += 4 + encodedlen;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1397
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1398	/* We'll generate the serverKeyExchange message explicitly so we can set
				1399	* these to NULLs */
				1400	r[0] = NULL;
				1401	r[1] = NULL;
				1402	r[2] = NULL;
				1403	r[3] = NULL;
				1404	} else if (!(alg_k & SSL_kPSK)) {
				1405	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1406	OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1407	goto f_err;
				1408	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1409
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1410	for (i = 0; i < 4 && r[i] != NULL; i++) {
				1411	nr[i] = BN_num_bytes(r[i]);
				1412	n += 2 + nr[i];
				1413	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1414
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1415	if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + max_sig_len)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1416	OPENSSL_PUT_ERROR(SSL, ERR_LIB_BUF);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1417	goto err;
				1418	}
				1419	d = p = ssl_handshake_start(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1420
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1421	for (i = 0; i < 4 && r[i] != NULL; i++) {
				1422	s2n(nr[i], p);
				1423	BN_bn2bin(r[i], p);
				1424	p += nr[i];
				1425	}
David Benjamin	00505ec	2014-11-26 16:38:00 -0500	[diff] [blame]	1426
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1427	/* Note: ECDHE PSK ciphersuites use SSL_kECDHE and SSL_aPSK. When one of
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1428	* them is used, the server key exchange record needs to have both the
				1429	* psk_identity_hint and the ServerECDHParams. */
				1430	if (alg_a & SSL_aPSK) {
				1431	/* copy PSK identity hint (if provided) */
				1432	s2n(psk_identity_hint_len, p);
				1433	if (psk_identity_hint_len > 0) {
				1434	memcpy(p, psk_identity_hint, psk_identity_hint_len);
				1435	p += psk_identity_hint_len;
				1436	}
				1437	}
David Benjamin	00505ec	2014-11-26 16:38:00 -0500	[diff] [blame]	1438
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1439	if (alg_k & SSL_kECDHE) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1440	/* We only support named (not generic) curves. In this situation, the
				1441	* serverKeyExchange message has:
				1442	* [1 byte CurveType], [2 byte CurveName]
				1443	* [1 byte length of encoded point], followed by
				1444	* the actual encoded point itself. */
David Benjamin	70bd80a	2014-12-27 03:06:46 -0500	[diff] [blame]	1445	*(p++) = NAMED_CURVE_TYPE;
				1446	*(p++) = (uint8_t)(curve_id >> 8);
				1447	*(p++) = (uint8_t)(curve_id & 0xff);
				1448	*(p++) = encodedlen;
				1449	memcpy(p, encodedPoint, encodedlen);
				1450	p += encodedlen;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1451	OPENSSL_free(encodedPoint);
				1452	encodedPoint = NULL;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1453	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1454
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1455	/* not anonymous */
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1456	if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
				1457	/* n is the length of the params, they start at d and p points to
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1458	* the space at the end. */
				1459	const EVP_MD *md;
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1460	uint8_t digest[EVP_MAX_MD_SIZE];
				1461	unsigned int digest_length;
				1462
				1463	const int pkey_type = ssl_private_key_type(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1464
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1465	/* Determine signature algorithm. */
				1466	if (SSL_USE_SIGALGS(s)) {
David Benjamin	d1d8078	2015-07-05 11:54:09 -0400	[diff] [blame]	1467	md = tls1_choose_signing_digest(s);
				1468	if (!tls12_get_sigandhash(s, p, md)) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1469	/* Should never happen */
				1470	al = SSL_AD_INTERNAL_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1471	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1472	goto f_err;
				1473	}
				1474	p += 2;
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1475	} else if (pkey_type == EVP_PKEY_RSA) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1476	md = EVP_md5_sha1();
				1477	} else {
				1478	md = EVP_sha1();
				1479	}
				1480
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1481	if (!EVP_DigestInit_ex(&md_ctx, md, NULL) \|\|
				1482	!EVP_DigestUpdate(&md_ctx, s->s3->client_random, SSL3_RANDOM_SIZE) \|\|
				1483	!EVP_DigestUpdate(&md_ctx, s->s3->server_random, SSL3_RANDOM_SIZE) \|\|
				1484	!EVP_DigestUpdate(&md_ctx, d, n) \|\|
				1485	!EVP_DigestFinal_ex(&md_ctx, digest, &digest_length)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1486	OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1487	goto err;
				1488	}
				1489
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1490	const enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
				1491	s, &p[2], &sig_len, max_sig_len, EVP_MD_CTX_md(&md_ctx),
				1492	digest, digest_length);
				1493	if (sign_result == ssl_private_key_retry) {
				1494	s->rwstate = SSL_PRIVATE_KEY_OPERATION;
				1495	/* Stash away \|p\|. */
				1496	s->init_num = p - ssl_handshake_start(s) + SSL_HM_HEADER_LENGTH(s);
				1497	s->state = SSL3_ST_SW_KEY_EXCH_B;
				1498	goto err;
				1499	} else if (sign_result != ssl_private_key_success) {
				1500	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1501	}
				1502	}
				1503
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1504	s->state = SSL3_ST_SW_KEY_EXCH_C;
				1505	} else if (s->state == SSL3_ST_SW_KEY_EXCH_B) {
				1506	/* Complete async sign. */
				1507	/* Restore \|p\|. */
				1508	p = ssl_handshake_start(s) + s->init_num - SSL_HM_HEADER_LENGTH(s);
				1509	const enum ssl_private_key_result_t sign_result =
				1510	ssl_private_key_sign_complete(s, &p[2], &sig_len, max_sig_len);
				1511	if (sign_result == ssl_private_key_retry) {
				1512	s->rwstate = SSL_PRIVATE_KEY_OPERATION;
				1513	goto err;
				1514	} else if (sign_result != ssl_private_key_success) {
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	1515	goto err;
				1516	}
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1517
				1518	s->rwstate = SSL_NOTHING;
				1519	s->state = SSL3_ST_SW_KEY_EXCH_C;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1520	}
				1521
nagendra modadugu	601448a	2015-07-24 09:31:31 -0700	[diff] [blame]	1522	if (s->state == SSL3_ST_SW_KEY_EXCH_C) {
				1523	if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
				1524	s2n(sig_len, p);
				1525	p += sig_len;
				1526	}
				1527	if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE,
				1528	p - ssl_handshake_start(s))) {
				1529	goto err;
				1530	}
				1531	s->state = SSL3_ST_SW_KEY_EXCH_D;
				1532	}
				1533
				1534	/* state SSL3_ST_SW_KEY_EXCH_D */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1535	EVP_MD_CTX_cleanup(&md_ctx);
				1536	return ssl_do_write(s);
				1537
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1538	f_err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1539	ssl3_send_alert(s, SSL3_AL_FATAL, al);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1540	err:
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	1541	OPENSSL_free(encodedPoint);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1542	BN_CTX_free(bn_ctx);
				1543	EVP_MD_CTX_cleanup(&md_ctx);
				1544	return -1;
				1545	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1546
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1547	int ssl3_send_certificate_request(SSL *s) {
				1548	uint8_t p, d;
				1549	size_t i;
				1550	int j, nl, off, n;
				1551	STACK_OF(X509_NAME) *sk = NULL;
				1552	X509_NAME *name;
				1553	BUF_MEM *buf;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1554
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1555	if (s->state == SSL3_ST_SW_CERT_REQ_A) {
				1556	buf = s->init_buf;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1557
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1558	d = p = ssl_handshake_start(s);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1559
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1560	/* get the list of acceptable cert types */
				1561	p++;
				1562	n = ssl3_get_req_cert_type(s, p);
				1563	d[0] = n;
				1564	p += n;
				1565	n++;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1566
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1567	if (SSL_USE_SIGALGS(s)) {
				1568	const uint8_t *psigs;
				1569	nl = tls12_get_psigalgs(s, &psigs);
				1570	s2n(nl, p);
				1571	memcpy(p, psigs, nl);
				1572	p += nl;
				1573	n += nl + 2;
				1574	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1575
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1576	off = n;
				1577	p += 2;
				1578	n += 2;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1579
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1580	sk = SSL_get_client_CA_list(s);
				1581	nl = 0;
				1582	if (sk != NULL) {
				1583	for (i = 0; i < sk_X509_NAME_num(sk); i++) {
				1584	name = sk_X509_NAME_value(sk, i);
				1585	j = i2d_X509_NAME(name, NULL);
				1586	if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1587	OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1588	goto err;
				1589	}
				1590	p = ssl_handshake_start(s) + n;
				1591	s2n(j, p);
				1592	i2d_X509_NAME(name, &p);
				1593	n += 2 + j;
				1594	nl += 2 + j;
				1595	}
				1596	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1597
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1598	/* else no CA names */
				1599	p = ssl_handshake_start(s) + off;
				1600	s2n(nl, p);
				1601
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	1602	if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
				1603	goto err;
				1604	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1605	s->state = SSL3_ST_SW_CERT_REQ_B;
				1606	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1607
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1608	/* SSL3_ST_SW_CERT_REQ_B */
				1609	return ssl_do_write(s);
				1610
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1611	err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1612	return -1;
				1613	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1614
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1615	int ssl3_get_client_key_exchange(SSL *s) {
				1616	int al, ok;
				1617	long n;
				1618	CBS client_key_exchange;
David Benjamin	3fa2777	2015-04-17 22:32:19 -0400	[diff] [blame]	1619	uint32_t alg_k;
				1620	uint32_t alg_a;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1621	uint8_t *premaster_secret = NULL;
				1622	size_t premaster_secret_len = 0;
				1623	RSA *rsa = NULL;
				1624	uint8_t *decrypt_buf = NULL;
				1625	EVP_PKEY *pkey = NULL;
				1626	BIGNUM *pub = NULL;
				1627	DH *dh_srvr;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1628
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1629	EC_KEY *srvr_ecdh = NULL;
				1630	EVP_PKEY *clnt_pub_pkey = NULL;
				1631	EC_POINT *clnt_ecpoint = NULL;
				1632	BN_CTX *bn_ctx = NULL;
				1633	unsigned int psk_len = 0;
				1634	uint8_t psk[PSK_MAX_PSK_LEN];
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1635
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1636	n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
				1637	SSL3_ST_SR_KEY_EXCH_B,
				1638	SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, /* ??? */
David Benjamin	5ca39fb	2015-03-01 23:57:54 -0500	[diff] [blame]	1639	ssl_hash_message, &ok);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1640
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1641	if (!ok) {
				1642	return n;
				1643	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1644
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1645	CBS_init(&client_key_exchange, s->init_msg, n);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1646
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1647	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
				1648	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Adam Langley	c26c802	2014-06-20 12:00:00 -0700	[diff] [blame]	1649
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1650	/* If using a PSK key exchange, prepare the pre-shared key. */
				1651	if (alg_a & SSL_aPSK) {
				1652	CBS psk_identity;
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1653
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1654	/* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
				1655	* then this is the only field in the message. */
				1656	if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) \|\|
				1657	((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1658	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1659	al = SSL_AD_DECODE_ERROR;
				1660	goto f_err;
				1661	}
Adam Langley	c26c802	2014-06-20 12:00:00 -0700	[diff] [blame]	1662
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1663	if (s->psk_server_callback == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1664	OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_SERVER_CB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1665	al = SSL_AD_INTERNAL_ERROR;
				1666	goto f_err;
				1667	}
Adam Langley	c26c802	2014-06-20 12:00:00 -0700	[diff] [blame]	1668
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1669	if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN \|\|
				1670	CBS_contains_zero_byte(&psk_identity)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1671	OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1672	al = SSL_AD_ILLEGAL_PARAMETER;
				1673	goto f_err;
				1674	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1675
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1676	if (!CBS_strdup(&psk_identity, &s->session->psk_identity)) {
				1677	al = SSL_AD_INTERNAL_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1678	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1679	goto f_err;
				1680	}
Adam Langley	c26c802	2014-06-20 12:00:00 -0700	[diff] [blame]	1681
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1682	/* Look up the key for the identity. */
				1683	psk_len =
				1684	s->psk_server_callback(s, s->session->psk_identity, psk, sizeof(psk));
				1685	if (psk_len > PSK_MAX_PSK_LEN) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1686	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1687	al = SSL_AD_INTERNAL_ERROR;
				1688	goto f_err;
				1689	} else if (psk_len == 0) {
				1690	/* PSK related to the given identity not found */
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1691	OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1692	al = SSL_AD_UNKNOWN_PSK_IDENTITY;
				1693	goto f_err;
				1694	}
				1695	}
Adam Langley	acff73f	2014-06-20 12:00:00 -0700	[diff] [blame]	1696
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1697	/* Depending on the key exchange method, compute \|premaster_secret\| and
				1698	* \|premaster_secret_len\|. */
				1699	if (alg_k & SSL_kRSA) {
				1700	CBS encrypted_premaster_secret;
				1701	uint8_t rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
				1702	uint8_t good;
				1703	size_t rsa_size, decrypt_len, premaster_index, j;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1704
David Benjamin	d1d8078	2015-07-05 11:54:09 -0400	[diff] [blame]	1705	pkey = s->cert->privatekey;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1706	if (pkey == NULL \|\| pkey->type != EVP_PKEY_RSA \|\| pkey->pkey.rsa == NULL) {
				1707	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1708	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_RSA_CERTIFICATE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1709	goto f_err;
				1710	}
				1711	rsa = pkey->pkey.rsa;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1712
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1713	/* TLS and [incidentally] DTLS{0xFEFF} */
				1714	if (s->version > SSL3_VERSION) {
				1715	CBS copy = client_key_exchange;
				1716	if (!CBS_get_u16_length_prefixed(&client_key_exchange,
				1717	&encrypted_premaster_secret) \|\|
				1718	CBS_len(&client_key_exchange) != 0) {
				1719	if (!(s->options & SSL_OP_TLS_D5_BUG)) {
				1720	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1721	OPENSSL_PUT_ERROR(SSL, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1722	goto f_err;
				1723	} else {
				1724	encrypted_premaster_secret = copy;
				1725	}
				1726	}
				1727	} else {
				1728	encrypted_premaster_secret = client_key_exchange;
				1729	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1730
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1731	/* Reject overly short RSA keys because we want to be sure that the buffer
				1732	* size makes it safe to iterate over the entire size of a premaster secret
				1733	* (SSL_MAX_MASTER_KEY_LENGTH). The actual expected size is larger due to
				1734	* RSA padding, but the bound is sufficient to be safe. */
				1735	rsa_size = RSA_size(rsa);
				1736	if (rsa_size < SSL_MAX_MASTER_KEY_LENGTH) {
				1737	al = SSL_AD_DECRYPT_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1738	OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1739	goto f_err;
				1740	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1741
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1742	/* We must not leak whether a decryption failure occurs because of
				1743	* Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
				1744	* section 7.4.7.1). The code follows that advice of the TLS RFC and
				1745	* generates a random premaster secret for the case that the decrypt fails.
				1746	* See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */
				1747	if (!RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret))) {
				1748	goto err;
				1749	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1750
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1751	/* Allocate a buffer large enough for an RSA decryption. */
				1752	decrypt_buf = OPENSSL_malloc(rsa_size);
				1753	if (decrypt_buf == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1754	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1755	goto err;
				1756	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1757
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1758	/* Decrypt with no padding. PKCS#1 padding will be removed as part of the
				1759	* timing-sensitive code below. */
				1760	if (!RSA_decrypt(rsa, &decrypt_len, decrypt_buf, rsa_size,
				1761	CBS_data(&encrypted_premaster_secret),
				1762	CBS_len(&encrypted_premaster_secret), RSA_NO_PADDING)) {
				1763	goto err;
				1764	}
				1765	if (decrypt_len != rsa_size) {
				1766	/* This should never happen, but do a check so we do not read
				1767	* uninitialized memory. */
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1768	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1769	goto err;
				1770	}
Adam Langley	acff73f	2014-06-20 12:00:00 -0700	[diff] [blame]	1771
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1772	/* Remove the PKCS#1 padding and adjust \|decrypt_len\| as appropriate.
				1773	* \|good\| will be 0xff if the premaster is acceptable and zero otherwise.
				1774	* */
				1775	good =
				1776	constant_time_eq_int_8(RSA_message_index_PKCS1_type_2(
				1777	decrypt_buf, decrypt_len, &premaster_index),
				1778	1);
				1779	decrypt_len = decrypt_len - premaster_index;
David Benjamin	0aa0767	2014-07-24 15:34:14 -0400	[diff] [blame]	1780
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1781	/* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. */
				1782	good &= constant_time_eq_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
Adam Langley	acff73f	2014-06-20 12:00:00 -0700	[diff] [blame]	1783
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1784	/* Copy over the unpadded premaster. Whatever the value of
				1785	* \|decrypt_good_mask\|, copy as if the premaster were the right length. It
				1786	* is important the memory access pattern be constant. */
				1787	premaster_secret =
				1788	BUF_memdup(decrypt_buf + (rsa_size - SSL_MAX_MASTER_KEY_LENGTH),
				1789	SSL_MAX_MASTER_KEY_LENGTH);
				1790	if (premaster_secret == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1791	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1792	goto err;
				1793	}
				1794	OPENSSL_free(decrypt_buf);
				1795	decrypt_buf = NULL;
Adam Langley	acff73f	2014-06-20 12:00:00 -0700	[diff] [blame]	1796
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1797	/* If the version in the decrypted pre-master secret is correct then
				1798	* version_good will be 0xff, otherwise it'll be zero. The
				1799	* Klima-Pokorny-Rosa extension of Bleichenbacher's attack
				1800	* (http://eprint.iacr.org/2003/052/) exploits the version number check as
				1801	* a "bad version oracle". Thus version checks are done in constant time
				1802	* and are treated like any other decryption error. */
				1803	good &= constant_time_eq_8(premaster_secret[0],
				1804	(unsigned)(s->client_version >> 8));
				1805	good &= constant_time_eq_8(premaster_secret[1],
				1806	(unsigned)(s->client_version & 0xff));
Adam Langley	acff73f	2014-06-20 12:00:00 -0700	[diff] [blame]	1807
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1808	/* Now copy rand_premaster_secret over premaster_secret using
				1809	* decrypt_good_mask. */
				1810	for (j = 0; j < sizeof(rand_premaster_secret); j++) {
				1811	premaster_secret[j] = constant_time_select_8(good, premaster_secret[j],
				1812	rand_premaster_secret[j]);
				1813	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1814
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1815	premaster_secret_len = sizeof(rand_premaster_secret);
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1816	} else if (alg_k & SSL_kDHE) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1817	CBS dh_Yc;
				1818	int dh_len;
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1819
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1820	if (!CBS_get_u16_length_prefixed(&client_key_exchange, &dh_Yc) \|\|
				1821	CBS_len(&dh_Yc) == 0 \|\| CBS_len(&client_key_exchange) != 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1822	OPENSSL_PUT_ERROR(SSL, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1823	al = SSL_R_DECODE_ERROR;
				1824	goto f_err;
				1825	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1826
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1827	if (s->s3->tmp.dh == NULL) {
				1828	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1829	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_DH_KEY);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1830	goto f_err;
				1831	}
				1832	dh_srvr = s->s3->tmp.dh;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1833
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1834	pub = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL);
				1835	if (pub == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1836	OPENSSL_PUT_ERROR(SSL, SSL_R_BN_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1837	goto err;
				1838	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1839
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1840	/* Allocate a buffer for the premaster secret. */
				1841	premaster_secret = OPENSSL_malloc(DH_size(dh_srvr));
				1842	if (premaster_secret == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1843	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
David Benjamin	c35fb01	2015-02-12 00:48:45 -0500	[diff] [blame]	1844	BN_clear_free(pub);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1845	goto err;
				1846	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1847
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1848	dh_len = DH_compute_key(premaster_secret, pub, dh_srvr);
				1849	if (dh_len <= 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1850	OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1851	BN_clear_free(pub);
				1852	goto err;
				1853	}
David Benjamin	14c83e7	2014-07-13 04:54:57 -0400	[diff] [blame]	1854
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1855	DH_free(s->s3->tmp.dh);
				1856	s->s3->tmp.dh = NULL;
				1857	BN_clear_free(pub);
				1858	pub = NULL;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1859
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1860	premaster_secret_len = dh_len;
David Benjamin	7061e28	2015-03-19 11:10:48 -0400	[diff] [blame]	1861	} else if (alg_k & SSL_kECDHE) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1862	int field_size = 0, ecdh_len;
				1863	const EC_KEY *tkey;
				1864	const EC_GROUP *group;
				1865	const BIGNUM *priv_key;
				1866	CBS ecdh_Yc;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1867
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1868	/* initialize structures for server's ECDH key pair */
				1869	srvr_ecdh = EC_KEY_new();
				1870	if (srvr_ecdh == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1871	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1872	goto err;
				1873	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1874
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1875	/* Use the ephermeral values we saved when generating the ServerKeyExchange
				1876	* msg. */
				1877	tkey = s->s3->tmp.ecdh;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1878
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1879	group = EC_KEY_get0_group(tkey);
				1880	priv_key = EC_KEY_get0_private_key(tkey);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1881
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1882	if (!EC_KEY_set_group(srvr_ecdh, group) \|\|
				1883	!EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1884	OPENSSL_PUT_ERROR(SSL, ERR_R_EC_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1885	goto err;
				1886	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1887
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1888	/* Let's get client's public key */
				1889	clnt_ecpoint = EC_POINT_new(group);
				1890	if (clnt_ecpoint == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1891	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1892	goto err;
				1893	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1894
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1895	/* Get client's public key from encoded point in the ClientKeyExchange
				1896	* message. */
				1897	if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ecdh_Yc) \|\|
				1898	CBS_len(&client_key_exchange) != 0) {
				1899	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1900	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1901	goto f_err;
				1902	}
David Benjamin	bd30f8e	2014-08-19 16:02:38 -0400	[diff] [blame]	1903
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1904	bn_ctx = BN_CTX_new();
				1905	if (bn_ctx == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1906	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1907	goto err;
				1908	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1909
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1910	if (!EC_POINT_oct2point(group, clnt_ecpoint, CBS_data(&ecdh_Yc),
				1911	CBS_len(&ecdh_Yc), bn_ctx)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1912	OPENSSL_PUT_ERROR(SSL, ERR_R_EC_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1913	goto err;
				1914	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1915
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1916	/* Allocate a buffer for both the secret and the PSK. */
				1917	field_size = EC_GROUP_get_degree(group);
				1918	if (field_size <= 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1919	OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1920	goto err;
				1921	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1922
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1923	ecdh_len = (field_size + 7) / 8;
				1924	premaster_secret = OPENSSL_malloc(ecdh_len);
				1925	if (premaster_secret == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1926	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1927	goto err;
				1928	}
David Benjamin	35c0230	2014-07-13 04:14:59 -0400	[diff] [blame]	1929
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1930	/* Compute the shared pre-master secret */
				1931	ecdh_len = ECDH_compute_key(premaster_secret, ecdh_len, clnt_ecpoint,
				1932	srvr_ecdh, NULL);
				1933	if (ecdh_len <= 0) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1934	OPENSSL_PUT_ERROR(SSL, ERR_R_ECDH_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1935	goto err;
				1936	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1937
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1938	EVP_PKEY_free(clnt_pub_pkey);
				1939	clnt_pub_pkey = NULL;
				1940	EC_POINT_free(clnt_ecpoint);
				1941	clnt_ecpoint = NULL;
				1942	EC_KEY_free(srvr_ecdh);
				1943	srvr_ecdh = NULL;
				1944	BN_CTX_free(bn_ctx);
				1945	bn_ctx = NULL;
				1946	EC_KEY_free(s->s3->tmp.ecdh);
				1947	s->s3->tmp.ecdh = NULL;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1948
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1949	premaster_secret_len = ecdh_len;
				1950	} else if (alg_k & SSL_kPSK) {
				1951	/* For plain PSK, other_secret is a block of 0s with the same length as the
				1952	* pre-shared key. */
				1953	premaster_secret_len = psk_len;
				1954	premaster_secret = OPENSSL_malloc(premaster_secret_len);
				1955	if (premaster_secret == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1956	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1957	goto err;
				1958	}
				1959	memset(premaster_secret, 0, premaster_secret_len);
				1960	} else {
				1961	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1962	OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_TYPE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1963	goto f_err;
				1964	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	1965
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1966	/* For a PSK cipher suite, the actual pre-master secret is combined with the
				1967	* pre-shared key. */
				1968	if (alg_a & SSL_aPSK) {
				1969	CBB new_premaster, child;
				1970	uint8_t *new_data;
				1971	size_t new_len;
David Benjamin	14c83e7	2014-07-13 04:54:57 -0400	[diff] [blame]	1972
David Benjamin	a865320	2015-06-28 01:26:10 -0400	[diff] [blame]	1973	CBB_zero(&new_premaster);
				1974	if (!CBB_init(&new_premaster, 2 + psk_len + 2 + premaster_secret_len) \|\|
				1975	!CBB_add_u16_length_prefixed(&new_premaster, &child) \|\|
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1976	!CBB_add_bytes(&child, premaster_secret, premaster_secret_len) \|\|
				1977	!CBB_add_u16_length_prefixed(&new_premaster, &child) \|\|
				1978	!CBB_add_bytes(&child, psk, psk_len) \|\|
				1979	!CBB_finish(&new_premaster, &new_data, &new_len)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	1980	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1981	CBB_cleanup(&new_premaster);
				1982	goto err;
				1983	}
David Benjamin	14c83e7	2014-07-13 04:54:57 -0400	[diff] [blame]	1984
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1985	OPENSSL_cleanse(premaster_secret, premaster_secret_len);
				1986	OPENSSL_free(premaster_secret);
				1987	premaster_secret = new_data;
				1988	premaster_secret_len = new_len;
				1989	}
David Benjamin	14c83e7	2014-07-13 04:54:57 -0400	[diff] [blame]	1990
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1991	/* Compute the master secret */
				1992	s->session->master_key_length = s->enc_method->generate_master_secret(
				1993	s, s->session->master_key, premaster_secret, premaster_secret_len);
				1994	if (s->session->master_key_length == 0) {
				1995	goto err;
				1996	}
				1997	s->session->extended_master_secret = s->s3->tmp.extended_master_secret;
David Benjamin	14c83e7	2014-07-13 04:54:57 -0400	[diff] [blame]	1998
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	1999	OPENSSL_cleanse(premaster_secret, premaster_secret_len);
				2000	OPENSSL_free(premaster_secret);
				2001	return 1;
				2002
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2003	f_err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2004	ssl3_send_alert(s, SSL3_AL_FATAL, al);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2005	err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2006	if (premaster_secret) {
				2007	if (premaster_secret_len) {
				2008	OPENSSL_cleanse(premaster_secret, premaster_secret_len);
				2009	}
				2010	OPENSSL_free(premaster_secret);
				2011	}
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2012	OPENSSL_free(decrypt_buf);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2013	EVP_PKEY_free(clnt_pub_pkey);
				2014	EC_POINT_free(clnt_ecpoint);
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2015	EC_KEY_free(srvr_ecdh);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2016	BN_CTX_free(bn_ctx);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2017
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2018	return -1;
				2019	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2020
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2021	int ssl3_get_cert_verify(SSL *s) {
				2022	int al, ok, ret = 0;
				2023	long n;
				2024	CBS certificate_verify, signature;
				2025	X509 *peer = s->session->peer;
				2026	EVP_PKEY *pkey = NULL;
				2027	const EVP_MD *md = NULL;
				2028	uint8_t digest[EVP_MAX_MD_SIZE];
				2029	size_t digest_length;
				2030	EVP_PKEY_CTX *pctx = NULL;
David Benjamin	6553b37	2014-07-22 14:11:30 -0400	[diff] [blame]	2031
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2032	/* Only RSA and ECDSA client certificates are supported, so a
				2033	* CertificateVerify is required if and only if there's a client certificate.
				2034	* */
				2035	if (peer == NULL) {
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	2036	ssl3_free_handshake_buffer(s);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2037	return 1;
				2038	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2039
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2040	n = s->method->ssl_get_message(
				2041	s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
				2042	SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
David Benjamin	5ca39fb	2015-03-01 23:57:54 -0500	[diff] [blame]	2043	ssl_dont_hash_message, &ok);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2044
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2045	if (!ok) {
				2046	return n;
				2047	}
David Benjamin	ef86550	2014-08-24 02:48:34 -0400	[diff] [blame]	2048
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2049	/* Filter out unsupported certificate types. */
				2050	pkey = X509_get_pubkey(peer);
David Benjamin	9d0847a	2015-02-16 03:57:55 -0500	[diff] [blame]	2051	if (pkey == NULL) {
				2052	goto err;
				2053	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2054	if (!(X509_certificate_type(peer, pkey) & EVP_PKT_SIGN) \|\|
				2055	(pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_EC)) {
				2056	al = SSL_AD_UNSUPPORTED_CERTIFICATE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2057	OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2058	goto f_err;
				2059	}
David Benjamin	6897dbe	2014-07-12 20:18:28 -0400	[diff] [blame]	2060
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2061	CBS_init(&certificate_verify, s->init_msg, n);
David Benjamin	6897dbe	2014-07-12 20:18:28 -0400	[diff] [blame]	2062
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2063	/* Determine the digest type if needbe. */
				2064	if (SSL_USE_SIGALGS(s) &&
				2065	!tls12_check_peer_sigalg(&md, &al, s, &certificate_verify, pkey)) {
				2066	goto f_err;
				2067	}
David Benjamin	854dd65	2014-08-26 00:32:30 -0400	[diff] [blame]	2068
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2069	/* Compute the digest. */
David Benjamin	396a441	2015-07-05 01:38:09 -0400	[diff] [blame]	2070	if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey->type)) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2071	goto err;
				2072	}
David Benjamin	854dd65	2014-08-26 00:32:30 -0400	[diff] [blame]	2073
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2074	/* The handshake buffer is no longer necessary, and we may hash the current
				2075	* message.*/
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	2076	ssl3_free_handshake_buffer(s);
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2077	if (!ssl3_hash_current_message(s)) {
				2078	goto err;
				2079	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2080
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2081	/* Parse and verify the signature. */
				2082	if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) \|\|
				2083	CBS_len(&certificate_verify) != 0) {
				2084	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2085	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2086	goto f_err;
				2087	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2088
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2089	pctx = EVP_PKEY_CTX_new(pkey, NULL);
				2090	if (pctx == NULL) {
				2091	goto err;
				2092	}
				2093	if (!EVP_PKEY_verify_init(pctx) \|\|
				2094	!EVP_PKEY_CTX_set_signature_md(pctx, md) \|\|
				2095	!EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), digest,
				2096	digest_length)) {
				2097	al = SSL_AD_DECRYPT_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2098	OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2099	goto f_err;
				2100	}
				2101
				2102	ret = 1;
				2103
				2104	if (0) {
				2105	f_err:
				2106	ssl3_send_alert(s, SSL3_AL_FATAL, al);
				2107	}
				2108
David Benjamin	854dd65	2014-08-26 00:32:30 -0400	[diff] [blame]	2109	err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2110	EVP_PKEY_CTX_free(pctx);
				2111	EVP_PKEY_free(pkey);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2112
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2113	return ret;
				2114	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2115
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2116	int ssl3_get_client_certificate(SSL *s) {
				2117	int i, ok, al, ret = -1;
				2118	X509 *x = NULL;
				2119	unsigned long n;
				2120	STACK_OF(X509) *sk = NULL;
				2121	SHA256_CTX sha256;
				2122	CBS certificate_msg, certificate_list;
				2123	int is_first_certificate = 1;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2124
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2125	n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1,
David Benjamin	1d0a194	2015-04-26 15:35:35 -0400	[diff] [blame]	2126	(long)s->max_cert_list, ssl_hash_message, &ok);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2127
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2128	if (!ok) {
				2129	return n;
				2130	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2131
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2132	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
				2133	if ((s->verify_mode & SSL_VERIFY_PEER) &&
				2134	(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2135	OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2136	al = SSL_AD_HANDSHAKE_FAILURE;
				2137	goto f_err;
				2138	}
David Benjamin	d5b1f84	2014-07-11 23:43:48 -0400	[diff] [blame]	2139
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2140	/* If tls asked for a client cert, the client must return a 0 list */
				2141	if (s->version > SSL3_VERSION && s->s3->tmp.cert_request) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2142	OPENSSL_PUT_ERROR(SSL,
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2143	SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
				2144	al = SSL_AD_UNEXPECTED_MESSAGE;
				2145	goto f_err;
				2146	}
				2147	s->s3->tmp.reuse_message = 1;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2148
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2149	return 1;
				2150	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2151
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2152	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
				2153	al = SSL_AD_UNEXPECTED_MESSAGE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2154	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_MESSAGE_TYPE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2155	goto f_err;
				2156	}
David Benjamin	d5b1f84	2014-07-11 23:43:48 -0400	[diff] [blame]	2157
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2158	CBS_init(&certificate_msg, s->init_msg, n);
David Benjamin	d5b1f84	2014-07-11 23:43:48 -0400	[diff] [blame]	2159
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2160	sk = sk_X509_new_null();
				2161	if (sk == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2162	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2163	goto err;
				2164	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2165
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2166	if (!CBS_get_u24_length_prefixed(&certificate_msg, &certificate_list) \|\|
				2167	CBS_len(&certificate_msg) != 0) {
				2168	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2169	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2170	goto f_err;
				2171	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2172
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2173	while (CBS_len(&certificate_list) > 0) {
				2174	CBS certificate;
				2175	const uint8_t *data;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2176
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2177	if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate)) {
				2178	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2179	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2180	goto f_err;
				2181	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2182
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2183	if (is_first_certificate && s->ctx->retain_only_sha256_of_client_certs) {
				2184	/* If this is the first certificate, and we don't want to keep peer
				2185	* certificates in memory, then we hash it right away. */
				2186	SHA256_Init(&sha256);
				2187	SHA256_Update(&sha256, CBS_data(&certificate), CBS_len(&certificate));
				2188	SHA256_Final(s->session->peer_sha256, &sha256);
				2189	s->session->peer_sha256_valid = 1;
				2190	}
				2191	is_first_certificate = 0;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2192
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2193	data = CBS_data(&certificate);
				2194	x = d2i_X509(NULL, &data, CBS_len(&certificate));
				2195	if (x == NULL) {
				2196	al = SSL_AD_BAD_CERTIFICATE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2197	OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2198	goto f_err;
				2199	}
				2200	if (data != CBS_data(&certificate) + CBS_len(&certificate)) {
				2201	al = SSL_AD_DECODE_ERROR;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2202	OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2203	goto f_err;
				2204	}
				2205	if (!sk_X509_push(sk, x)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2206	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2207	goto err;
				2208	}
				2209	x = NULL;
				2210	}
				2211
				2212	if (sk_X509_num(sk) <= 0) {
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	2213	/* No client certificate so the handshake buffer may be discarded. */
				2214	ssl3_free_handshake_buffer(s);
				2215
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2216	/* TLS does not mind 0 certs returned */
				2217	if (s->version == SSL3_VERSION) {
				2218	al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2219	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2220	goto f_err;
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	2221	} else if ((s->verify_mode & SSL_VERIFY_PEER) &&
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2222	(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
David Benjamin	9550c3a	2015-08-05 08:50:34 -0400	[diff] [blame]	2223	/* Fail for TLS only if we required a certificate */
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2224	OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2225	al = SSL_AD_HANDSHAKE_FAILURE;
				2226	goto f_err;
				2227	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2228	} else {
				2229	i = ssl_verify_cert_chain(s, sk);
				2230	if (i <= 0) {
				2231	al = ssl_verify_alarm_type(s->verify_result);
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2232	OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2233	goto f_err;
				2234	}
				2235	}
				2236
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2237	X509_free(s->session->peer);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2238	s->session->peer = sk_X509_shift(sk);
				2239	s->session->verify_result = s->verify_result;
				2240
				2241	/* With the current implementation, sess_cert will always be NULL when we
				2242	* arrive here. */
				2243	if (s->session->sess_cert == NULL) {
				2244	s->session->sess_cert = ssl_sess_cert_new();
				2245	if (s->session->sess_cert == NULL) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2246	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2247	goto err;
				2248	}
				2249	}
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2250	sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2251	s->session->sess_cert->cert_chain = sk;
				2252	/* Inconsistency alert: cert_chain does not include the peer's own
				2253	* certificate, while we do include it in s3_clnt.c */
				2254
				2255	sk = NULL;
				2256
				2257	ret = 1;
				2258
				2259	if (0) {
				2260	f_err:
				2261	ssl3_send_alert(s, SSL3_AL_FATAL, al);
				2262	}
				2263
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2264	err:
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2265	X509_free(x);
				2266	sk_X509_pop_free(sk, X509_free);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2267	return ret;
				2268	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2269
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2270	int ssl3_send_server_certificate(SSL *s) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2271	if (s->state == SSL3_ST_SW_CERT_A) {
David Benjamin	d1d8078	2015-07-05 11:54:09 -0400	[diff] [blame]	2272	if (!ssl3_output_cert_chain(s)) {
David Benjamin	9d0847a	2015-02-16 03:57:55 -0500	[diff] [blame]	2273	return 0;
				2274	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2275	s->state = SSL3_ST_SW_CERT_B;
				2276	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2277
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2278	/* SSL3_ST_SW_CERT_B */
				2279	return ssl_do_write(s);
				2280	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2281
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2282	/* send a new session ticket (not necessarily for a new session) */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2283	int ssl3_send_new_session_ticket(SSL *s) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2284	int ret = -1;
				2285	uint8_t *session = NULL;
				2286	size_t session_len;
				2287	EVP_CIPHER_CTX ctx;
				2288	HMAC_CTX hctx;
				2289
				2290	EVP_CIPHER_CTX_init(&ctx);
				2291	HMAC_CTX_init(&hctx);
				2292
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2293	if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2294	uint8_t p, macstart;
				2295	int len;
				2296	unsigned int hlen;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2297	SSL_CTX *tctx = s->initial_ctx;
				2298	uint8_t iv[EVP_MAX_IV_LENGTH];
				2299	uint8_t key_name[16];
				2300	/* The maximum overhead of encrypting the session is 16 (key name) + IV +
				2301	* one block of encryption overhead + HMAC. */
				2302	const size_t max_ticket_overhead =
				2303	16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2304
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2305	/* Serialize the SSL_SESSION to be encoded into the ticket. */
				2306	if (!SSL_SESSION_to_bytes_for_ticket(s->session, &session, &session_len)) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2307	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2308	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2309
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2310	/* If the session is too long, emit a dummy value rather than abort the
				2311	* connection. */
				2312	if (session_len > 0xFFFF - max_ticket_overhead) {
				2313	static const char kTicketPlaceholder[] = "TICKET TOO LARGE";
				2314	const size_t placeholder_len = strlen(kTicketPlaceholder);
David Benjamin	3cac450	2014-10-21 01:46:30 -0400	[diff] [blame]	2315
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2316	OPENSSL_free(session);
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2317	session = NULL;
David Benjamin	3cac450	2014-10-21 01:46:30 -0400	[diff] [blame]	2318
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2319	p = ssl_handshake_start(s);
				2320	/* Emit ticket_lifetime_hint. */
				2321	l2n(0, p);
				2322	/* Emit ticket. */
				2323	s2n(placeholder_len, p);
				2324	memcpy(p, kTicketPlaceholder, placeholder_len);
				2325	p += placeholder_len;
David Benjamin	3cac450	2014-10-21 01:46:30 -0400	[diff] [blame]	2326
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2327	len = p - ssl_handshake_start(s);
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2328	if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2329	goto err;
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2330	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2331	s->state = SSL3_ST_SW_SESSION_TICKET_B;
				2332	return ssl_do_write(s);
				2333	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2334
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2335	/* Grow buffer if need be: the length calculation is as follows:
				2336	* handshake_header_length + 4 (ticket lifetime hint) + 2 (ticket length) +
				2337	* max_ticket_overhead + * session_length */
				2338	if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + 6 +
				2339	max_ticket_overhead + session_len)) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2340	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2341	}
				2342	p = ssl_handshake_start(s);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2343	/* Initialize HMAC and cipher contexts. If callback present it does all the
				2344	* work otherwise use generated values from parent ctx. */
				2345	if (tctx->tlsext_ticket_key_cb) {
David Benjamin	adcc395	2015-04-26 13:07:57 -0400	[diff] [blame]	2346	if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx,
				2347	1 /* encrypt */) < 0) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2348	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2349	}
				2350	} else {
				2351	if (!RAND_bytes(iv, 16) \|\|
				2352	!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
				2353	tctx->tlsext_tick_aes_key, iv) \|\|
				2354	!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
				2355	NULL)) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2356	goto err;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2357	}
				2358	memcpy(key_name, tctx->tlsext_tick_key_name, 16);
				2359	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2360
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2361	/* Ticket lifetime hint (advisory only): We leave this unspecified for
				2362	* resumed session (for simplicity), and guess that tickets for new
				2363	* sessions will live as long as their sessions. */
				2364	l2n(s->hit ? 0 : s->session->timeout, p);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2365
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2366	/* Skip ticket length for now */
				2367	p += 2;
				2368	/* Output key name */
				2369	macstart = p;
				2370	memcpy(p, key_name, 16);
				2371	p += 16;
				2372	/* output IV */
				2373	memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
				2374	p += EVP_CIPHER_CTX_iv_length(&ctx);
				2375	/* Encrypt session data */
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2376	if (!EVP_EncryptUpdate(&ctx, p, &len, session, session_len)) {
				2377	goto err;
				2378	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2379	p += len;
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2380	if (!EVP_EncryptFinal_ex(&ctx, p, &len)) {
				2381	goto err;
				2382	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2383	p += len;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2384
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2385	if (!HMAC_Update(&hctx, macstart, p - macstart) \|\|
				2386	!HMAC_Final(&hctx, p, &hlen)) {
				2387	goto err;
				2388	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2389
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2390	p += hlen;
				2391	/* Now write out lengths: p points to end of data written */
				2392	/* Total length */
				2393	len = p - ssl_handshake_start(s);
				2394	/* Skip ticket lifetime hint */
				2395	p = ssl_handshake_start(s) + 4;
				2396	s2n(len - 6, p);
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2397	if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2398	goto err;
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2399	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2400	s->state = SSL3_ST_SW_SESSION_TICKET_B;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2401	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2402
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2403	/* SSL3_ST_SW_SESSION_TICKET_B */
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2404	ret = ssl_do_write(s);
				2405
				2406	err:
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2407	OPENSSL_free(session);
David Benjamin	bcd3745	2015-03-09 14:48:28 -0400	[diff] [blame]	2408	EVP_CIPHER_CTX_cleanup(&ctx);
				2409	HMAC_CTX_cleanup(&hctx);
				2410	return ret;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2411	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2412
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2413	/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
				2414	* sets the next_proto member in s if found */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2415	int ssl3_get_next_proto(SSL *s) {
				2416	int ok;
				2417	long n;
				2418	CBS next_protocol, selected_protocol, padding;
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2419
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2420	/* Clients cannot send a NextProtocol message if we didn't see the extension
				2421	* in their ClientHello */
				2422	if (!s->s3->next_proto_neg_seen) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2423	OPENSSL_PUT_ERROR(SSL, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2424	return -1;
				2425	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2426
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2427	n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
				2428	SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
				2429	514, /* See the payload format below */
David Benjamin	5ca39fb	2015-03-01 23:57:54 -0500	[diff] [blame]	2430	ssl_hash_message, &ok);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2431
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2432	if (!ok) {
				2433	return n;
				2434	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2435
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2436	/* s->state doesn't reflect whether ChangeCipherSpec has been received in
				2437	* this handshake, but s->s3->change_cipher_spec does (will be reset by
				2438	* ssl3_get_finished).
				2439	*
				2440	* TODO(davidben): Is this check now redundant with
				2441	* SSL3_FLAGS_EXPECT_CCS? */
				2442	if (!s->s3->change_cipher_spec) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2443	OPENSSL_PUT_ERROR(SSL, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2444	return -1;
				2445	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2446
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2447	CBS_init(&next_protocol, s->init_msg, n);
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2448
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2449	/* The payload looks like:
				2450	* uint8 proto_len;
				2451	* uint8 proto[proto_len];
				2452	* uint8 padding_len;
				2453	* uint8 padding[padding_len]; */
				2454	if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) \|\|
				2455	!CBS_get_u8_length_prefixed(&next_protocol, &padding) \|\|
				2456	CBS_len(&next_protocol) != 0 \|\|
				2457	!CBS_stow(&selected_protocol, &s->next_proto_negotiated,
				2458	&s->next_proto_negotiated_len)) {
				2459	return 0;
				2460	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2461
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2462	return 1;
				2463	}
Adam Langley	95c29f3	2014-06-20 12:00:00 -0700	[diff] [blame]	2464
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2465	/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2466	int ssl3_get_channel_id(SSL *s) {
				2467	int ret = -1, ok;
				2468	long n;
David Benjamin	d6a4ae9	2015-08-06 11:10:51 -0400	[diff] [blame]	2469	uint8_t channel_id_hash[EVP_MAX_MD_SIZE];
				2470	size_t channel_id_hash_len;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2471	const uint8_t *p;
Adam Langley	49c7af1	2015-07-10 14:33:46 -0700	[diff] [blame]	2472	uint16_t extension_type;
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2473	EC_GROUP *p256 = NULL;
				2474	EC_KEY *key = NULL;
				2475	EC_POINT *point = NULL;
				2476	ECDSA_SIG sig;
				2477	BIGNUM x, y;
				2478	CBS encrypted_extensions, extension;
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2479
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2480	n = s->method->ssl_get_message(
				2481	s, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
				2482	SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
David Benjamin	5ca39fb	2015-03-01 23:57:54 -0500	[diff] [blame]	2483	ssl_dont_hash_message, &ok);
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2484
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2485	if (!ok) {
				2486	return n;
				2487	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2488
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2489	/* Before incorporating the EncryptedExtensions message to the handshake
				2490	* hash, compute the hash that should have been signed. */
David Benjamin	d6a4ae9	2015-08-06 11:10:51 -0400	[diff] [blame]	2491	if (!tls1_channel_id_hash(s, channel_id_hash, &channel_id_hash_len)) {
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2492	return -1;
				2493	}
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2494	assert(channel_id_hash_len == SHA256_DIGEST_LENGTH);
David Benjamin	880b14e	2014-08-25 22:35:07 -0400	[diff] [blame]	2495
David Benjamin	fbdfefb	2015-02-16 19:33:53 -0500	[diff] [blame]	2496	if (!ssl3_hash_current_message(s)) {
				2497	return -1;
				2498	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2499
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2500	/* s->state doesn't reflect whether ChangeCipherSpec has been received in
				2501	* this handshake, but s->s3->change_cipher_spec does (will be reset by
				2502	* ssl3_get_finished).
				2503	*
				2504	* TODO(davidben): Is this check now redundant with SSL3_FLAGS_EXPECT_CCS? */
				2505	if (!s->s3->change_cipher_spec) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2506	OPENSSL_PUT_ERROR(SSL, SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2507	return -1;
				2508	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2509
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2510	CBS_init(&encrypted_extensions, s->init_msg, n);
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2511
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2512	/* EncryptedExtensions could include multiple extensions, but the only
				2513	* extension that could be negotiated is ChannelID, so there can only be one
				2514	* entry.
				2515	*
				2516	* The payload looks like:
				2517	* uint16 extension_type
				2518	* uint16 extension_len;
				2519	* uint8 x[32];
				2520	* uint8 y[32];
				2521	* uint8 r[32];
				2522	* uint8 s[32]; */
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2523
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2524	if (!CBS_get_u16(&encrypted_extensions, &extension_type) \|\|
				2525	!CBS_get_u16_length_prefixed(&encrypted_extensions, &extension) \|\|
				2526	CBS_len(&encrypted_extensions) != 0 \|\|
Adam Langley	49c7af1	2015-07-10 14:33:46 -0700	[diff] [blame]	2527	extension_type != TLSEXT_TYPE_channel_id \|\|
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2528	CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2529	OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_MESSAGE);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2530	return -1;
				2531	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2532
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2533	p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
				2534	if (!p256) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2535	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2536	return -1;
				2537	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2538
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2539	BN_init(&x);
				2540	BN_init(&y);
				2541	sig.r = BN_new();
				2542	sig.s = BN_new();
David Benjamin	9d0847a	2015-02-16 03:57:55 -0500	[diff] [blame]	2543	if (sig.r == NULL \|\| sig.s == NULL) {
				2544	goto err;
				2545	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2546
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2547	p = CBS_data(&extension);
				2548	if (BN_bin2bn(p + 0, 32, &x) == NULL \|\|
				2549	BN_bin2bn(p + 32, 32, &y) == NULL \|\|
				2550	BN_bin2bn(p + 64, 32, sig.r) == NULL \|\|
				2551	BN_bin2bn(p + 96, 32, sig.s) == NULL) {
				2552	goto err;
				2553	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2554
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2555	point = EC_POINT_new(p256);
				2556	if (!point \|\| !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) {
				2557	goto err;
				2558	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2559
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2560	key = EC_KEY_new();
				2561	if (!key \|\| !EC_KEY_set_group(key, p256) \|\|
				2562	!EC_KEY_set_public_key(key, point)) {
				2563	goto err;
				2564	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2565
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2566	/* We stored the handshake hash in \|tlsext_channel_id\| the first time that we
				2567	* were called. */
				2568	if (!ECDSA_do_verify(channel_id_hash, channel_id_hash_len, &sig, key)) {
David Benjamin	3570d73	2015-06-29 00:28:17 -0400	[diff] [blame]	2569	OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2570	s->s3->tlsext_channel_id_valid = 0;
				2571	goto err;
				2572	}
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2573
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2574	memcpy(s->s3->tlsext_channel_id, p, 64);
				2575	ret = 1;
Adam Langley	1258b6a	2014-06-20 12:00:00 -0700	[diff] [blame]	2576
				2577	err:
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2578	BN_free(&x);
				2579	BN_free(&y);
				2580	BN_free(sig.r);
				2581	BN_free(sig.s);
David Benjamin	2755a3e	2015-04-22 16:17:58 -0400	[diff] [blame]	2582	EC_KEY_free(key);
				2583	EC_POINT_free(point);
				2584	EC_GROUP_free(p256);
Adam Langley	fcf2583	2014-12-18 17:42:32 -0800	[diff] [blame]	2585	return ret;
				2586	}