Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / cb5abad717d9ef77209071813376fd06b2ede294 / . / ssl / s3_clnt.c
blob: 52d88c69eec92a371075390ead7ccdee8d7a9132 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <stdio.h>
152
153#include <openssl/buf.h>
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]154#include <openssl/bytestring.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155#include <openssl/rand.h>
156#include <openssl/obj.h>
157#include <openssl/evp.h>
158#include <openssl/mem.h>
159#include <openssl/md5.h>
160#include <openssl/dh.h>
161#include <openssl/bn.h>
162#include <openssl/engine.h>
163#include <openssl/x509.h>
164
165#include "ssl_locl.h"
166#include "../crypto/dh/internal.h"
167
168static const SSL_METHOD *ssl3_get_client_method(int ver);
169
170static const SSL_METHOD *ssl3_get_client_method(int ver)
171 {
172 if (ver == SSL3_VERSION)
173 return(SSLv3_client_method());
174 else
175 return(NULL);
176 }
177
178IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
179 ssl_undefined_function,
180 ssl3_connect,
181 ssl3_get_client_method)
182
183int ssl3_connect(SSL *s)
184 {
185 BUF_MEM *buf=NULL;
186 void (*cb)(const SSL *ssl,int type,int val)=NULL;
187 int ret= -1;
188 int new_state,state,skip=0;
189
190 ERR_clear_error();
191 ERR_clear_system_error();
192
193 if (s->info_callback != NULL)
194 cb=s->info_callback;
195 else if (s->ctx->info_callback != NULL)
196 cb=s->ctx->info_callback;
197
198 s->in_handshake++;
199 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
200
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201 for (;;)
202 {
203 state=s->state;
204
205 switch(s->state)
206 {
207 case SSL_ST_RENEGOTIATE:
208 s->renegotiate=1;
209 s->state=SSL_ST_CONNECT;
210 s->ctx->stats.sess_connect_renegotiate++;
211 /* break */
212 case SSL_ST_BEFORE:
213 case SSL_ST_CONNECT:
214 case SSL_ST_BEFORE|SSL_ST_CONNECT:
215 case SSL_ST_OK|SSL_ST_CONNECT:
216
217 s->server=0;
218 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
219
220 if ((s->version & 0xff00 ) != 0x0300)
221 {
222 OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
223 ret = -1;
224 goto end;
225 }
226
227 /* s->version=SSL3_VERSION; */
228 s->type=SSL_ST_CONNECT;
229
230 if (s->init_buf == NULL)
231 {
232 if ((buf=BUF_MEM_new()) == NULL)
233 {
234 ret= -1;
235 goto end;
236 }
237 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
238 {
239 ret= -1;
240 goto end;
241 }
242 s->init_buf=buf;
243 buf=NULL;
244 }
245
246 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
247
248 /* setup buffing BIO */
249 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
250
251 /* don't push the buffering BIO quite yet */
252
253 ssl3_init_finished_mac(s);
254
255 s->state=SSL3_ST_CW_CLNT_HELLO_A;
256 s->ctx->stats.sess_connect++;
257 s->init_num=0;
258 break;
259
260 case SSL3_ST_CW_CLNT_HELLO_A:
261 case SSL3_ST_CW_CLNT_HELLO_B:
262
263 s->shutdown=0;
264 ret=ssl3_client_hello(s);
265 if (ret <= 0) goto end;
266 s->state=SSL3_ST_CR_SRVR_HELLO_A;
267 s->init_num=0;
268
269 /* turn on buffering for the next lot of output */
270 if (s->bbio != s->wbio)
271 s->wbio=BIO_push(s->bbio,s->wbio);
272
273 break;
274
275 case SSL3_ST_CR_SRVR_HELLO_A:
276 case SSL3_ST_CR_SRVR_HELLO_B:
277 ret=ssl3_get_server_hello(s);
278 if (ret <= 0) goto end;
279
280 if (s->hit)
281 {
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame^]282 s->state=SSL3_ST_CR_CHANGE;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]283 if (s->tlsext_ticket_expected)
284 {
285 /* receive renewed session ticket */
286 s->state=SSL3_ST_CR_SESSION_TICKET_A;
287 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]288 }
289 else
290 {
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame]291 s->state=SSL3_ST_CR_CERT_A;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]292 }
293 s->init_num=0;
294 break;
David Benjamin2b0aeec2014-07-01 00:39:02 -0400[diff] [blame]295
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]296 case SSL3_ST_CR_CERT_A:
297 case SSL3_ST_CR_CERT_B:
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]298 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299 {
300 ret=ssl3_get_server_certificate(s);
301 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 if (s->tlsext_status_expected)
303 s->state=SSL3_ST_CR_CERT_STATUS_A;
304 else
305 s->state=SSL3_ST_CR_KEY_EXCH_A;
306 }
307 else
308 {
309 skip = 1;
310 s->state=SSL3_ST_CR_KEY_EXCH_A;
311 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]312 s->init_num=0;
313 break;
314
315 case SSL3_ST_CR_KEY_EXCH_A:
316 case SSL3_ST_CR_KEY_EXCH_B:
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]317 ret=ssl3_get_server_key_exchange(s);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]318 if (ret <= 0) goto end;
319 s->state=SSL3_ST_CR_CERT_REQ_A;
320 s->init_num=0;
321
322 /* at this point we check that we have the
323 * required stuff from the server */
324 if (!ssl3_check_cert_and_algorithm(s))
325 {
326 ret= -1;
327 goto end;
328 }
329 break;
330
331 case SSL3_ST_CR_CERT_REQ_A:
332 case SSL3_ST_CR_CERT_REQ_B:
333 ret=ssl3_get_certificate_request(s);
334 if (ret <= 0) goto end;
335 s->state=SSL3_ST_CR_SRVR_DONE_A;
336 s->init_num=0;
337 break;
338
339 case SSL3_ST_CR_SRVR_DONE_A:
340 case SSL3_ST_CR_SRVR_DONE_B:
341 ret=ssl3_get_server_done(s);
342 if (ret <= 0) goto end;
343 if (s->s3->tmp.cert_req)
344 s->state=SSL3_ST_CW_CERT_A;
345 else
346 s->state=SSL3_ST_CW_KEY_EXCH_A;
347 s->init_num=0;
348
349 break;
350
351 case SSL3_ST_CW_CERT_A:
352 case SSL3_ST_CW_CERT_B:
353 case SSL3_ST_CW_CERT_C:
354 case SSL3_ST_CW_CERT_D:
355 ret=ssl3_send_client_certificate(s);
356 if (ret <= 0) goto end;
357 s->state=SSL3_ST_CW_KEY_EXCH_A;
358 s->init_num=0;
359 break;
360
361 case SSL3_ST_CW_KEY_EXCH_A:
362 case SSL3_ST_CW_KEY_EXCH_B:
363 ret=ssl3_send_client_key_exchange(s);
364 if (ret <= 0) goto end;
365 /* EAY EAY EAY need to check for DH fix cert
366 * sent back */
367 /* For TLS, cert_req is set to 2, so a cert chain
368 * of nothing is sent, but no verify packet is sent */
369 /* XXX: For now, we do not support client
370 * authentication in ECDH cipher suites with
371 * ECDH (rather than ECDSA) certificates.
372 * We need to skip the certificate verify
373 * message when client's ECDH public key is sent
374 * inside the client certificate.
375 */
376 if (s->s3->tmp.cert_req == 1)
377 {
378 s->state=SSL3_ST_CW_CERT_VRFY_A;
379 }
380 else
381 {
382 s->state=SSL3_ST_CW_CHANGE_A;
383 s->s3->change_cipher_spec=0;
384 }
385 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
386 {
387 s->state=SSL3_ST_CW_CHANGE_A;
388 s->s3->change_cipher_spec=0;
389 }
390
391 s->init_num=0;
392 break;
393
394 case SSL3_ST_CW_CERT_VRFY_A:
395 case SSL3_ST_CW_CERT_VRFY_B:
396 ret=ssl3_send_client_verify(s);
397 if (ret <= 0) goto end;
398 s->state=SSL3_ST_CW_CHANGE_A;
399 s->init_num=0;
400 s->s3->change_cipher_spec=0;
401 break;
402
403 case SSL3_ST_CW_CHANGE_A:
404 case SSL3_ST_CW_CHANGE_B:
405 ret=ssl3_send_change_cipher_spec(s,
406 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
407 if (ret <= 0) goto end;
408
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]409 s->state=SSL3_ST_CW_FINISHED_A;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]410 if (s->s3->tlsext_channel_id_valid)
411 s->state=SSL3_ST_CW_CHANNEL_ID_A;
412# if !defined(OPENSSL_NO_NEXTPROTONEG)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]413 if (s->s3->next_proto_neg_seen)
414 s->state=SSL3_ST_CW_NEXT_PROTO_A;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]415# endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]416 s->init_num=0;
417
418 s->session->cipher=s->s3->tmp.new_cipher;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]419 if (!s->method->ssl3_enc->setup_key_block(s))
420 {
421 ret= -1;
422 goto end;
423 }
424
425 if (!s->method->ssl3_enc->change_cipher_state(s,
426 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
427 {
428 ret= -1;
429 goto end;
430 }
431
432 break;
433
David Benjamin6dbd73d2014-07-03 15:59:49 -0400[diff] [blame]434#if !defined(OPENSSL_NO_NEXTPROTONEG)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]435 case SSL3_ST_CW_NEXT_PROTO_A:
436 case SSL3_ST_CW_NEXT_PROTO_B:
437 ret=ssl3_send_next_proto(s);
438 if (ret <= 0) goto end;
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]439 if (s->s3->tlsext_channel_id_valid)
440 s->state=SSL3_ST_CW_CHANNEL_ID_A;
441 else
442 s->state=SSL3_ST_CW_FINISHED_A;
443 break;
444#endif
445
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]446 case SSL3_ST_CW_CHANNEL_ID_A:
447 case SSL3_ST_CW_CHANNEL_ID_B:
448 ret=ssl3_send_channel_id(s);
449 if (ret <= 0) goto end;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]450 s->state=SSL3_ST_CW_FINISHED_A;
451 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]452
453 case SSL3_ST_CW_FINISHED_A:
454 case SSL3_ST_CW_FINISHED_B:
455 ret=ssl3_send_finished(s,
456 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
457 s->method->ssl3_enc->client_finished_label,
458 s->method->ssl3_enc->client_finished_label_len);
459 if (ret <= 0) goto end;
460 s->state=SSL3_ST_CW_FLUSH;
461
462 /* clear flags */
463 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
464 if (s->hit)
465 {
466 s->s3->tmp.next_state=SSL_ST_OK;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]467 }
468 else
469 {
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]470 /* This is a non-resumption handshake. If it
471 * involves ChannelID, then record the
472 * handshake hashes at this point in the
473 * session so that any resumption of this
474 * session with ChannelID can sign those
475 * hashes. */
476 if (s->s3->tlsext_channel_id_new)
477 {
478 ret = tls1_record_handshake_hashes_for_channel_id(s);
479 if (ret <= 0)
480 goto end;
481 }
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]482 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
483 && ssl3_can_cutthrough(s)
484 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
485 )
486 {
Adam Langley045cc552014-07-16 10:45:57 -0700[diff] [blame]487 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]488 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]489 else
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]490 {
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]491 /* Allow NewSessionTicket if ticket expected */
492 if (s->tlsext_ticket_expected)
493 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
494 else
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame^]495 s->s3->tmp.next_state=SSL3_ST_CR_CHANGE;
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]496 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]497 }
498 s->init_num=0;
499 break;
500
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]501 case SSL3_ST_CR_SESSION_TICKET_A:
502 case SSL3_ST_CR_SESSION_TICKET_B:
503 ret=ssl3_get_new_session_ticket(s);
504 if (ret <= 0) goto end;
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame^]505 s->state=SSL3_ST_CR_CHANGE;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]506 s->init_num=0;
507 break;
508
509 case SSL3_ST_CR_CERT_STATUS_A:
510 case SSL3_ST_CR_CERT_STATUS_B:
511 ret=ssl3_get_cert_status(s);
512 if (ret <= 0) goto end;
513 s->state=SSL3_ST_CR_KEY_EXCH_A;
514 s->init_num=0;
515 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]516
David Benjamincb5abad2014-07-25 12:14:28 -0400[diff] [blame^]517 case SSL3_ST_CR_CHANGE:
518 /* At this point, the next message must be entirely
519 * behind a ChangeCipherSpec. */
520 s->s3->flags |= SSL3_FLAGS_CCS_OK;
521 s->state = SSL3_ST_CR_FINISHED_A;
522 break;
523
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]524 case SSL3_ST_CR_FINISHED_A:
525 case SSL3_ST_CR_FINISHED_B:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]526 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
527 SSL3_ST_CR_FINISHED_B);
528 if (ret <= 0) goto end;
529
530 if (s->hit)
531 s->state=SSL3_ST_CW_CHANGE_A;
532 else
533 s->state=SSL_ST_OK;
534 s->init_num=0;
535 break;
536
537 case SSL3_ST_CW_FLUSH:
538 s->rwstate=SSL_WRITING;
539 if (BIO_flush(s->wbio) <= 0)
540 {
541 ret= -1;
542 goto end;
543 }
544 s->rwstate=SSL_NOTHING;
545 s->state=s->s3->tmp.next_state;
546 break;
547
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]548 case SSL3_ST_CUTTHROUGH_COMPLETE:
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]549 /* Allow NewSessionTicket if ticket expected */
550 if (s->tlsext_ticket_expected)
551 s->state=SSL3_ST_CR_SESSION_TICKET_A;
552 else
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]553 s->state=SSL3_ST_CR_FINISHED_A;
554
Adam Langley045cc552014-07-16 10:45:57 -0700[diff] [blame]555 ssl_free_wbio_buffer(s);
Adam Langleyadb739e2014-06-20 12:00:00 -0700[diff] [blame]556 ret = 1;
557 goto end;
558 /* break; */
559
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]560 case SSL_ST_OK:
561 /* clean a few things up */
562 ssl3_cleanup_key_block(s);
563
564 if (s->init_buf != NULL)
565 {
566 BUF_MEM_free(s->init_buf);
567 s->init_buf=NULL;
568 }
569
570 /* If we are not 'joining' the last two packets,
571 * remove the buffering now */
572 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
573 ssl_free_wbio_buffer(s);
574 /* else do it later in ssl3_write */
575
576 s->init_num=0;
577 s->renegotiate=0;
578 s->new_session=0;
579
580 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
581 if (s->hit) s->ctx->stats.sess_hit++;
582
583 ret=1;
584 /* s->server=0; */
585 s->handshake_func=ssl3_connect;
586 s->ctx->stats.sess_connect_good++;
587
588 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
589
590 goto end;
591 /* break; */
592
593 default:
594 OPENSSL_PUT_ERROR(SSL, ssl3_connect, SSL_R_UNKNOWN_STATE);
595 ret= -1;
596 goto end;
597 /* break; */
598 }
599
600 /* did we do anything */
601 if (!s->s3->tmp.reuse_message && !skip)
602 {
603 if (s->debug)
604 {
605 if ((ret=BIO_flush(s->wbio)) <= 0)
606 goto end;
607 }
608
609 if ((cb != NULL) && (s->state != state))
610 {
611 new_state=s->state;
612 s->state=state;
613 cb(s,SSL_CB_CONNECT_LOOP,1);
614 s->state=new_state;
615 }
616 }
617 skip=0;
618 }
619end:
620 s->in_handshake--;
621 if (buf != NULL)
622 BUF_MEM_free(buf);
623 if (cb != NULL)
624 cb(s,SSL_CB_CONNECT_EXIT,ret);
625 return(ret);
626 }
627
628
629int ssl3_client_hello(SSL *s)
630 {
631 unsigned char *buf;
632 unsigned char *p,*d;
633 int i;
634 unsigned long l;
635
636 buf=(unsigned char *)s->init_buf->data;
637 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
638 {
639 SSL_SESSION *sess = s->session;
David Benjamin407886f2014-07-21 22:23:50 -0400[diff] [blame]640 if (sess == NULL ||
641 sess->ssl_version != s->version ||
642 !sess->session_id_length ||
643 sess->not_resumable)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]644 {
645 if (!ssl_get_new_session(s,0))
646 goto err;
647 }
648 if (s->method->version == DTLS_ANY_VERSION)
649 {
650 /* Determine which DTLS version to use */
651 int options = s->options;
652 /* If DTLS 1.2 disabled correct the version number */
653 if (options & SSL_OP_NO_DTLSv1_2)
654 {
655 if (tls1_suiteb(s))
656 {
657 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
658 goto err;
659 }
660 /* Disabling all versions is silly: return an
661 * error.
662 */
663 if (options & SSL_OP_NO_DTLSv1)
664 {
665 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_WRONG_SSL_VERSION);
666 goto err;
667 }
668 /* Update method so we don't use any DTLS 1.2
669 * features.
670 */
671 s->method = DTLSv1_client_method();
672 s->version = DTLS1_VERSION;
673 }
674 else
675 {
676 /* We only support one version: update method */
677 if (options & SSL_OP_NO_DTLSv1)
678 s->method = DTLSv1_2_client_method();
679 s->version = DTLS1_2_VERSION;
680 }
681 s->client_version = s->version;
682 }
683 /* else use the pre-loaded session */
684
685 p=s->s3->client_random;
686
687 /* for DTLS if client_random is initialized, reuse it, we are
688 * required to use same upon reply to HelloVerify */
689 if (SSL_IS_DTLS(s))
690 {
691 size_t idx;
692 i = 1;
693 for (idx=0; idx < sizeof(s->s3->client_random); idx++)
694 {
695 if (p[idx])
696 {
697 i = 0;
698 break;
699 }
700 }
701 }
702 else
703 i = 1;
704
705 if (i)
706 ssl_fill_hello_random(s, 0, p,
707 sizeof(s->s3->client_random));
708
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]709 /* Do the message type and length last.
710 * Note: the final argument to ssl_add_clienthello_tlsext below
711 * depends on the size of this prefix. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]712 d=p= ssl_handshake_start(s);
713
714 /* version indicates the negotiated version: for example from
715 * an SSLv2/v3 compatible client hello). The client_version
716 * field is the maximum version we permit and it is also
717 * used in RSA encrypted premaster secrets. Some servers can
718 * choke if we initially report a higher version then
719 * renegotiate to a lower one in the premaster secret. This
720 * didn't happen with TLS 1.0 as most servers supported it
721 * but it can with TLS 1.1 or later if the server only supports
722 * 1.0.
723 *
724 * Possible scenario with previous logic:
725 * 1. Client hello indicates TLS 1.2
726 * 2. Server hello says TLS 1.0
727 * 3. RSA encrypted premaster secret uses 1.2.
728 * 4. Handhaked proceeds using TLS 1.0.
729 * 5. Server sends hello request to renegotiate.
730 * 6. Client hello indicates TLS v1.0 as we now
731 * know that is maximum server supports.
732 * 7. Server chokes on RSA encrypted premaster secret
733 * containing version 1.0.
734 *
735 * For interoperability it should be OK to always use the
736 * maximum version we support in client hello and then rely
737 * on the checking of version to ensure the servers isn't
738 * being inconsistent: for example initially negotiating with
739 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
740 * client_version in client hello and not resetting it to
741 * the negotiated version.
742 */
743#if 0
744 *(p++)=s->version>>8;
745 *(p++)=s->version&0xff;
746 s->client_version=s->version;
747#else
748 *(p++)=s->client_version>>8;
749 *(p++)=s->client_version&0xff;
750#endif
751
752 /* Random stuff */
753 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
754 p+=SSL3_RANDOM_SIZE;
755
756 /* Session ID */
757 if (s->new_session)
758 i=0;
759 else
760 i=s->session->session_id_length;
761 *(p++)=i;
762 if (i != 0)
763 {
764 if (i > (int)sizeof(s->session->session_id))
765 {
766 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
767 goto err;
768 }
769 memcpy(p,s->session->session_id,i);
770 p+=i;
771 }
772
773 /* cookie stuff for DTLS */
774 if (SSL_IS_DTLS(s))
775 {
776 if ( s->d1->cookie_len > sizeof(s->d1->cookie))
777 {
778 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
779 goto err;
780 }
781 *(p++) = s->d1->cookie_len;
782 memcpy(p, s->d1->cookie, s->d1->cookie_len);
783 p += s->d1->cookie_len;
784 }
785
786 /* Ciphers supported */
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]787 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]788 if (i == 0)
789 {
790 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_NO_CIPHERS_AVAILABLE);
791 goto err;
792 }
793#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
794 /* Some servers hang if client hello > 256 bytes
795 * as hack workaround chop number of supported ciphers
796 * to keep it well below this if we use TLS v1.2
797 */
798 if (TLS1_get_version(s) >= TLS1_2_VERSION
799 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
800 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
801#endif
802 s2n(i,p);
803 p+=i;
804
805 /* COMPRESSION */
806 *(p++)=1;
807 *(p++)=0; /* Add the NULL method */
808
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]809 /* TLS extensions*/
810 if (ssl_prepare_clienthello_tlsext(s) <= 0)
811 {
812 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
813 goto err;
814 }
Adam Langleyb0c235e2014-06-20 12:00:00 -0700[diff] [blame]815 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]816 {
817 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
818 goto err;
819 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820
821 l= p-d;
822 ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
823 s->state=SSL3_ST_CW_CLNT_HELLO_B;
824 }
825
826 /* SSL3_ST_CW_CLNT_HELLO_B */
827 return ssl_do_write(s);
828err:
829 return(-1);
830 }
831
832int ssl3_get_server_hello(SSL *s)
833 {
834 STACK_OF(SSL_CIPHER) *sk;
835 const SSL_CIPHER *c;
836 CERT *ct = s->cert;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]837 int al=SSL_AD_INTERNAL_ERROR,ok;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838 long n;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]839 CBS server_hello, server_random, session_id;
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]840 uint16_t server_version, cipher_suite;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]841 uint8_t compression_method;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]842 /* Hello verify request and/or server hello version may not
843 * match so set first packet if we're negotiating version.
844 */
845 if (SSL_IS_DTLS(s))
846 s->first_packet = 1;
847
848 n=s->method->ssl_get_message(s,
849 SSL3_ST_CR_SRVR_HELLO_A,
850 SSL3_ST_CR_SRVR_HELLO_B,
851 -1,
852 20000, /* ?? */
853 &ok);
854
855 if (!ok) return((int)n);
856
857 if (SSL_IS_DTLS(s))
858 {
859 s->first_packet = 0;
860 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
861 {
862 if ( s->d1->send_cookie == 0)
863 {
864 s->s3->tmp.reuse_message = 1;
865 return 1;
866 }
867 else /* already sent a cookie */
868 {
869 al=SSL_AD_UNEXPECTED_MESSAGE;
870 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
871 goto f_err;
872 }
873 }
874 }
875
876 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
877 {
878 al=SSL_AD_UNEXPECTED_MESSAGE;
879 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
880 goto f_err;
881 }
882
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]883 CBS_init(&server_hello, s->init_msg, n);
884
885 if (!CBS_get_u16(&server_hello, &server_version) ||
886 !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
887 !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]888 CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
889 !CBS_get_u16(&server_hello, &cipher_suite) ||
890 !CBS_get_u8(&server_hello, &compression_method))
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]891 {
892 al = SSL_AD_DECODE_ERROR;
893 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_DECODE_ERROR);
894 goto f_err;
895 }
896
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]897 if (s->method->version == DTLS_ANY_VERSION)
898 {
899 /* Work out correct protocol version to use */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]900 int options = s->options;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]901 if (server_version == DTLS1_2_VERSION
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]902 && !(options & SSL_OP_NO_DTLSv1_2))
903 s->method = DTLSv1_2_client_method();
904 else if (tls1_suiteb(s))
905 {
906 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]907 s->version = server_version;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]908 al = SSL_AD_PROTOCOL_VERSION;
909 goto f_err;
910 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]911 else if (server_version == DTLS1_VERSION
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]912 && !(options & SSL_OP_NO_DTLSv1))
913 s->method = DTLSv1_client_method();
914 else
915 {
916 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]917 s->version = server_version;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]918 al = SSL_AD_PROTOCOL_VERSION;
919 goto f_err;
920 }
921 s->version = s->client_version = s->method->version;
922 }
923
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]924 if (server_version != s->version)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]925 {
926 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]927 s->version = (s->version & 0xff00) | (server_version & 0xff);
928 al = SSL_AD_PROTOCOL_VERSION;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]929 goto f_err;
930 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]931
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]932 /* Copy over the server random. */
933 memcpy(s->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]934
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]935 s->hit = 0;
936
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]937 /* check if we want to resume the session based on external pre-shared secret */
938 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
939 {
940 SSL_CIPHER *pref_cipher=NULL;
941 s->session->master_key_length=sizeof(s->session->master_key);
942 if (s->tls_session_secret_cb(s, s->session->master_key,
943 &s->session->master_key_length,
944 NULL, &pref_cipher,
945 s->tls_session_secret_cb_arg))
946 {
947 s->session->cipher = pref_cipher ?
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]948 pref_cipher :
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]949 ssl3_get_cipher_by_value(cipher_suite);
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]950 s->hit = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]951 }
952 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]954 if (!s->hit && CBS_len(&session_id) != 0 &&
David Benjamin22f9bcc2014-07-13 12:29:21 -0400[diff] [blame]955 CBS_mem_equal(&session_id,
956 s->session->session_id, s->session->session_id_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957 {
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]958 if(s->sid_ctx_length != s->session->sid_ctx_length
959 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length))
960 {
961 /* actually a client application bug */
962 al = SSL_AD_ILLEGAL_PARAMETER;
963 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
964 goto f_err;
965 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]966 s->hit = 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]967 }
David Benjamin9eaeef82014-07-21 22:22:02 -0400[diff] [blame]968
969 /* a miss or crap from the other end */
970 if (!s->hit)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]971 {
972 /* If we were trying for session-id reuse, make a new
973 * SSL_SESSION so we don't stuff up other people */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]974 if (s->session->session_id_length > 0)
975 {
976 if (!ssl_get_new_session(s,0))
977 {
978 goto f_err;
979 }
980 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]981 /* Note: session_id could be empty. */
982 s->session->session_id_length = CBS_len(&session_id);
983 memcpy(s->session->session_id, CBS_data(&session_id), CBS_len(&session_id));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]984 }
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]985
David Benjamin39482a12014-07-20 13:30:15 -0400[diff] [blame]986 c = ssl3_get_cipher_by_value(cipher_suite);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]987 if (c == NULL)
988 {
989 /* unknown cipher */
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]990 al = SSL_AD_ILLEGAL_PARAMETER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]991 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNKNOWN_CIPHER_RETURNED);
992 goto f_err;
993 }
994 /* If it is a disabled cipher we didn't send it in client hello,
995 * so return an error.
996 */
997 if (c->algorithm_ssl & ct->mask_ssl ||
998 c->algorithm_mkey & ct->mask_k ||
999 c->algorithm_auth & ct->mask_a)
1000 {
1001 al=SSL_AD_ILLEGAL_PARAMETER;
1002 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1003 goto f_err;
1004 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1005
1006 sk=ssl_get_ciphers_by_id(s);
1007 if (!sk_SSL_CIPHER_find(sk, NULL, c))
1008 {
1009 /* we did not say we would use this cipher */
1010 al=SSL_AD_ILLEGAL_PARAMETER;
1011 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1012 goto f_err;
1013 }
1014
1015 /* Depending on the session caching (internal/external), the cipher
1016 and/or cipher_id values may not be set. Make sure that
1017 cipher_id is set and use it for comparison. */
1018 if (s->session->cipher)
1019 s->session->cipher_id = s->session->cipher->id;
1020 if (s->hit && (s->session->cipher_id != c->id))
1021 {
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]1022 al = SSL_AD_ILLEGAL_PARAMETER;
1023 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1024 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1025 }
1026 s->s3->tmp.new_cipher=c;
1027 /* Don't digest cached records if no sigalgs: we may need them for
1028 * client authentication.
1029 */
1030 if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
1031 goto f_err;
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]1032
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]1033 /* Only the NULL compression algorithm is supported. */
1034 if (compression_method != 0)
1035 {
1036 al = SSL_AD_ILLEGAL_PARAMETER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1037 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1038 goto f_err;
1039 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1040
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]1041 /* TLS extensions */
1042 if (!ssl_parse_serverhello_tlsext(s, &server_hello))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1043 {
1044 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_PARSE_TLSEXT);
1045 goto err;
1046 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047
David Benjamin03973092014-06-24 23:27:17 -0400[diff] [blame]1048 /* There should be nothing left over in the record. */
David Benjamina03d95d2014-07-12 19:49:07 -0400[diff] [blame]1049 if (CBS_len(&server_hello) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1050 {
1051 /* wrong packet length */
1052 al=SSL_AD_DECODE_ERROR;
1053 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_PACKET_LENGTH);
1054 goto f_err;
1055 }
1056
1057 return(1);
1058f_err:
1059 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1060err:
1061 return(-1);
1062 }
1063
1064int ssl3_get_server_certificate(SSL *s)
1065 {
1066 int al,i,ok,ret= -1;
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1067 unsigned long n;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1068 X509 *x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1069 STACK_OF(X509) *sk=NULL;
1070 SESS_CERT *sc;
1071 EVP_PKEY *pkey=NULL;
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1072 CBS cbs, certificate_list;
1073 const uint8_t* data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1074
1075 n=s->method->ssl_get_message(s,
1076 SSL3_ST_CR_CERT_A,
1077 SSL3_ST_CR_CERT_B,
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]1078 SSL3_MT_CERTIFICATE,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1079 s->max_cert_list,
1080 &ok);
1081
1082 if (!ok) return((int)n);
1083
David Benjamin51b1f742014-07-12 16:31:12 -0400[diff] [blame]1084 CBS_init(&cbs, s->init_msg, n);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1085
1086 if ((sk=sk_X509_new_null()) == NULL)
1087 {
1088 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1089 goto err;
1090 }
1091
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1092 if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
1093 CBS_len(&cbs) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1094 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1095 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1096 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
1097 goto f_err;
1098 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1099
1100 while (CBS_len(&certificate_list) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1102 CBS certificate;
1103 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1105 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1106 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1107 goto f_err;
1108 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1109 data = CBS_data(&certificate);
1110 x = d2i_X509(NULL, &data, CBS_len(&certificate));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1111 if (x == NULL)
1112 {
1113 al=SSL_AD_BAD_CERTIFICATE;
1114 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_ASN1_LIB);
1115 goto f_err;
1116 }
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1117 if (!CBS_skip(&certificate, data - CBS_data(&certificate)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1118 {
Alex Chernyakhovskyc6318e32014-07-04 22:52:07 -0400[diff] [blame]1119 al = SSL_AD_INTERNAL_ERROR;
1120 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
1121 goto f_err;
1122 }
1123 if (CBS_len(&certificate) != 0)
1124 {
1125 al = SSL_AD_DECODE_ERROR;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1126 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1127 goto f_err;
1128 }
1129 if (!sk_X509_push(sk,x))
1130 {
1131 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1132 goto err;
1133 }
1134 x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135 }
1136
1137 i=ssl_verify_cert_chain(s,sk);
1138 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1139 )
1140 {
1141 al=ssl_verify_alarm_type(s->verify_result);
1142 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERTIFICATE_VERIFY_FAILED);
1143 goto f_err;
1144 }
1145 ERR_clear_error(); /* but we keep s->verify_result */
1146
1147 sc=ssl_sess_cert_new();
1148 if (sc == NULL) goto err;
1149
1150 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1151 s->session->sess_cert=sc;
1152
1153 sc->cert_chain=sk;
1154 /* Inconsistency alert: cert_chain does include the peer's
1155 * certificate, which we don't include in s3_srvr.c */
1156 x=sk_X509_value(sk,0);
1157 sk=NULL;
1158 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1159
1160 pkey=X509_get_pubkey(x);
1161
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1162 if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1163 {
1164 x=NULL;
1165 al=SSL3_AL_FATAL;
1166 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1167 goto f_err;
1168 }
1169
1170 i=ssl_cert_type(x,pkey);
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1171 if (i < 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1172 {
1173 x=NULL;
1174 al=SSL3_AL_FATAL;
1175 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1176 goto f_err;
1177 }
1178
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1179 int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1180 if (exp_idx >= 0 && i != exp_idx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1181 {
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1182 x=NULL;
1183 al=SSL_AD_ILLEGAL_PARAMETER;
1184 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
1185 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1186 }
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1187 sc->peer_cert_type=i;
1188 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1189 /* Why would the following ever happen?
1190 * We just created sc a couple of lines ago. */
1191 if (sc->peer_pkeys[i].x509 != NULL)
1192 X509_free(sc->peer_pkeys[i].x509);
1193 sc->peer_pkeys[i].x509=x;
1194 sc->peer_key= &(sc->peer_pkeys[i]);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1195
David Benjamind26aea62014-07-12 00:13:56 -0400[diff] [blame]1196 if (s->session->peer != NULL)
1197 X509_free(s->session->peer);
1198 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1199 s->session->peer=x;
1200
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1201 s->session->verify_result = s->verify_result;
1202
1203 x=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1204 ret=1;
1205 if (0)
1206 {
1207f_err:
1208 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1209 }
1210err:
1211 EVP_PKEY_free(pkey);
1212 X509_free(x);
1213 sk_X509_pop_free(sk,X509_free);
1214 return(ret);
1215 }
1216
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1217int ssl3_get_server_key_exchange(SSL *s)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1218 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1219 EVP_MD_CTX md_ctx;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1220 int al,ok;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1221 long n,alg_k,alg_a;
1222 EVP_PKEY *pkey=NULL;
1223 const EVP_MD *md = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1224 RSA *rsa=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1225#ifndef OPENSSL_NO_DH
1226 DH *dh=NULL;
1227#endif
1228#ifndef OPENSSL_NO_ECDH
1229 EC_KEY *ecdh = NULL;
1230 BN_CTX *bn_ctx = NULL;
1231 EC_POINT *srvr_ecpoint = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1232#endif
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1233 CBS server_key_exchange, server_key_exchange_orig, parameter;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1234
1235 /* use same message size as in ssl3_get_certificate_request()
1236 * as ServerKeyExchange message may be skipped */
1237 n=s->method->ssl_get_message(s,
1238 SSL3_ST_CR_KEY_EXCH_A,
1239 SSL3_ST_CR_KEY_EXCH_B,
1240 -1,
1241 s->max_cert_list,
1242 &ok);
1243 if (!ok) return((int)n);
1244
1245 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1246 {
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1247 if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher))
1248 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1249 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1250 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1251 return -1;
1252 }
1253
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1254 /* In plain PSK ciphersuite, ServerKeyExchange can be
1255 omitted if no identity hint is sent. Set
1256 session->sess_cert anyway to avoid problems
1257 later.*/
David Benjamin5235f742014-07-12 13:11:24 -0400[diff] [blame]1258 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1259 {
David Benjamin0c49ec92014-07-12 13:16:51 -0400[diff] [blame]1260 /* PSK ciphersuites that also send a
1261 * Certificate would have already initialized
1262 * |sess_cert|. */
1263 if (s->session->sess_cert == NULL)
1264 s->session->sess_cert = ssl_sess_cert_new();
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1265 if (s->session->psk_identity_hint)
1266 {
1267 OPENSSL_free(s->session->psk_identity_hint);
1268 s->session->psk_identity_hint = NULL;
1269 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1270 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1271 s->s3->tmp.reuse_message=1;
1272 return(1);
1273 }
1274
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1275 /* Retain a copy of the original CBS to compute the signature
1276 * over. */
1277 CBS_init(&server_key_exchange, s->init_msg, n);
1278 server_key_exchange_orig = server_key_exchange;
1279
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1280 if (s->session->sess_cert != NULL)
1281 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1282 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1283 {
1284 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1285 s->session->sess_cert->peer_rsa_tmp=NULL;
1286 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1287#ifndef OPENSSL_NO_DH
1288 if (s->session->sess_cert->peer_dh_tmp)
1289 {
1290 DH_free(s->session->sess_cert->peer_dh_tmp);
1291 s->session->sess_cert->peer_dh_tmp=NULL;
1292 }
1293#endif
1294#ifndef OPENSSL_NO_ECDH
1295 if (s->session->sess_cert->peer_ecdh_tmp)
1296 {
1297 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1298 s->session->sess_cert->peer_ecdh_tmp=NULL;
1299 }
1300#endif
1301 }
1302 else
1303 {
1304 s->session->sess_cert=ssl_sess_cert_new();
1305 }
1306
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1307 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1308 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1309 EVP_MD_CTX_init(&md_ctx);
1310
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1311 if (alg_a & SSL_aPSK)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1312 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1313 CBS psk_identity_hint;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1314
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1315 /* Each of the PSK key exchanges begins with a
1316 * psk_identity_hint. */
1317 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &psk_identity_hint))
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]1318 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1319 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1320 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1321 goto f_err;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1322 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1323
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1324 /* Store PSK identity hint for later use, hint is used in
1325 * ssl3_send_client_key_exchange. Assume that the maximum
1326 * length of a PSK identity hint can be as long as the maximum
1327 * length of a PSK identity. Also do not allow NULL
1328 * characters; identities are saved as C strings.
1329 *
1330 * TODO(davidben): Should invalid hints be ignored? It's a hint
1331 * rather than a specific identity. */
1332 if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
1333 CBS_contains_zero_byte(&psk_identity_hint))
1334 {
1335 al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1336 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DATA_LENGTH_TOO_LONG);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1337 goto f_err;
1338 }
1339
1340 /* Save the identity hint as a C string. */
1341 if (!CBS_strdup(&psk_identity_hint, &s->session->psk_identity_hint))
1342 {
1343 al = SSL_AD_HANDSHAKE_FAILURE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1344 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1345 goto f_err;
1346 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1347 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1348
1349 if (0) {}
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1350 else if (alg_k & SSL_kRSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1351 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1352 CBS rsa_modulus, rsa_exponent;
1353
1354 /* TODO(davidben): This was originally for export
1355 * reasons. Do we still need to support it? */
1356
1357 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) ||
1358 CBS_len(&rsa_modulus) == 0 ||
1359 !CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) ||
1360 CBS_len(&rsa_exponent) == 0)
1361 {
1362 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1363 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1364 goto f_err;
1365 }
1366
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1367 if ((rsa=RSA_new()) == NULL)
1368 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1369 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1370 goto err;
1371 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1372
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1373 if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus),
1374 CBS_len(&rsa_modulus), rsa->n)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1375 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1376 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1377 goto err;
1378 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1379
1380 if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent),
1381 CBS_len(&rsa_exponent), rsa->e)))
1382 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1383 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1384 goto err;
1385 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1386
1387 /* this should be because we are using an export cipher */
1388 if (alg_a & SSL_aRSA)
1389 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1390 else
1391 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1392 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1393 goto err;
1394 }
1395 s->session->sess_cert->peer_rsa_tmp=rsa;
1396 rsa=NULL;
1397 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1398#ifndef OPENSSL_NO_DH
1399 else if (alg_k & SSL_kEDH)
1400 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1401 CBS dh_p, dh_g, dh_Ys;
1402
1403 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &dh_p) ||
1404 CBS_len(&dh_p) == 0 ||
1405 !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_g) ||
1406 CBS_len(&dh_g) == 0 ||
1407 !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_Ys) ||
1408 CBS_len(&dh_Ys) == 0)
1409 {
1410 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1411 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1412 goto f_err;
1413 }
1414
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1415 if ((dh=DH_new()) == NULL)
1416 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1417 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_DH_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1418 goto err;
1419 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1420
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1421 if (!(dh->p = BN_bin2bn(CBS_data(&dh_p), CBS_len(&dh_p), NULL)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1422 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1423 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1424 goto err;
1425 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1426 if (!(dh->g=BN_bin2bn(CBS_data(&dh_g), CBS_len(&dh_g), NULL)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1427 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1428 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1429 goto err;
1430 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1431 if (!(dh->pub_key = BN_bin2bn(CBS_data(&dh_Ys), CBS_len(&dh_Ys), NULL)))
1432 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1433 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1434 goto err;
1435 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1436
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1437 if (alg_a & SSL_aRSA)
1438 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1439#ifndef OPENSSL_NO_DSA
1440 else if (alg_a & SSL_aDSS)
1441 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1442#endif
1443 /* else anonymous DH, so no certificate or pkey. */
1444
1445 s->session->sess_cert->peer_dh_tmp=dh;
1446 dh=NULL;
1447 }
1448 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
1449 {
1450 al=SSL_AD_ILLEGAL_PARAMETER;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1451 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1452 goto f_err;
1453 }
1454#endif /* !OPENSSL_NO_DH */
1455
1456#ifndef OPENSSL_NO_ECDH
1457 else if (alg_k & SSL_kEECDH)
1458 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1459 uint16_t curve_id;
1460 int curve_nid = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1461 EC_GROUP *ngroup;
1462 const EC_GROUP *group;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1463 CBS point;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1464
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1465 /* Extract elliptic curve parameters and the server's
1466 * ephemeral ECDH public key. Check curve is one of
1467 * our preferences, if not server has sent an invalid
1468 * curve.
1469 */
1470 if (!tls1_check_curve(s, &server_key_exchange, &curve_id))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1471 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1472 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1473 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_WRONG_CURVE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1474 goto f_err;
1475 }
1476
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1477 if ((curve_nid = tls1_ec_curve_id2nid(curve_id)) == 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1478 {
1479 al=SSL_AD_INTERNAL_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1480 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1481 goto f_err;
1482 }
1483
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1484 if ((ecdh=EC_KEY_new()) == NULL)
1485 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1486 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1487 goto err;
1488 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1489 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1490 if (ngroup == NULL)
1491 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1492 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1493 goto err;
1494 }
1495 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1496 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1497 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1498 goto err;
1499 }
1500 EC_GROUP_free(ngroup);
1501
1502 group = EC_KEY_get0_group(ecdh);
1503
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1504 /* Next, get the encoded ECPoint */
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1505 if (!CBS_get_u8_length_prefixed(&server_key_exchange, &point))
1506 {
1507 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1508 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1509 goto f_err;
1510 }
1511
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1512 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1513 ((bn_ctx = BN_CTX_new()) == NULL))
1514 {
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1515 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1516 goto err;
1517 }
1518
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1519 if (!EC_POINT_oct2point(group, srvr_ecpoint,
1520 CBS_data(&point), CBS_len(&point), bn_ctx))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1521 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1522 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1523 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_ECPOINT);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1524 goto f_err;
1525 }
1526
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1527 /* The ECC/TLS specification does not mention
1528 * the use of DSA to sign ECParameters in the server
1529 * key exchange message. We do support RSA and ECDSA.
1530 */
1531 if (0) ;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1532 else if (alg_a & SSL_aRSA)
1533 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1534#ifndef OPENSSL_NO_ECDSA
1535 else if (alg_a & SSL_aECDSA)
1536 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1537#endif
1538 /* else anonymous ECDH, so no certificate or pkey. */
1539 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1540 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1541 ecdh=NULL;
1542 BN_CTX_free(bn_ctx);
1543 bn_ctx = NULL;
1544 EC_POINT_free(srvr_ecpoint);
1545 srvr_ecpoint = NULL;
1546 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1547#endif /* !OPENSSL_NO_ECDH */
1548
1549 else if (!(alg_k & SSL_kPSK))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1550 {
1551 al=SSL_AD_UNEXPECTED_MESSAGE;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1552 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1553 goto f_err;
1554 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1555
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1556 /* At this point, |server_key_exchange| contains the
1557 * signature, if any, while |server_key_exchange_orig|
1558 * contains the entire message. From that, derive a CBS
1559 * containing just the parameter. */
1560 CBS_init(&parameter, CBS_data(&server_key_exchange_orig),
1561 CBS_len(&server_key_exchange_orig) -
1562 CBS_len(&server_key_exchange));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1563
1564 /* if it was signed, check the signature */
1565 if (pkey != NULL)
1566 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1567 CBS signature;
1568
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1569 if (SSL_USE_SIGALGS(s))
1570 {
David Benjamin05da6e12014-07-12 20:42:55 -0400[diff] [blame]1571 if (!tls12_check_peer_sigalg(&md, &al, s, &server_key_exchange, pkey))
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1572 goto f_err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1573 }
1574 else
1575 md = EVP_sha1();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1576
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1577 /* The last field in |server_key_exchange| is the
1578 * signature. */
1579 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
1580 CBS_len(&server_key_exchange) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1581 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1582 al = SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1583 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1584 goto f_err;
1585 }
1586
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1587 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
1588 {
1589 int num;
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1590 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1591 size_t md_len = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1592
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1593 q=md_buf;
1594 for (num=2; num > 0; num--)
1595 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1596 unsigned int digest_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1597 EVP_DigestInit_ex(&md_ctx,(num == 2)
1598 ?s->ctx->md5:s->ctx->sha1, NULL);
1599 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1600 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1601 EVP_DigestUpdate(&md_ctx, CBS_data(&parameter), CBS_len(&parameter));
1602 EVP_DigestFinal_ex(&md_ctx, q, &digest_len);
1603 q += digest_len;
1604 md_len += digest_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1605 }
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1606 if (!RSA_verify(NID_md5_sha1, md_buf, md_len,
1607 CBS_data(&signature), CBS_len(&signature),
1608 pkey->pkey.rsa))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1609 {
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1610 al = SSL_AD_DECRYPT_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1611 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_SIGNATURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1612 goto f_err;
1613 }
1614 }
1615 else
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1616 {
1617 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1618 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1619 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1620 EVP_VerifyUpdate(&md_ctx, CBS_data(&parameter), CBS_len(&parameter));
1621 if (EVP_VerifyFinal(&md_ctx, CBS_data(&signature), CBS_len(&signature), pkey) <= 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1622 {
1623 /* bad signature */
1624 al=SSL_AD_DECRYPT_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1625 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_SIGNATURE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1626 goto f_err;
1627 }
1628 }
1629 }
1630 else
1631 {
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]1632 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1633 {
1634 /* Might be wrong key type, check it */
1635 if (ssl3_check_cert_and_algorithm(s))
1636 /* Otherwise this shouldn't happen */
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1637 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1638 goto err;
1639 }
1640 /* still data left over */
David Benjamined439582014-07-14 19:13:02 -0400[diff] [blame]1641 if (CBS_len(&server_key_exchange) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1642 {
1643 al=SSL_AD_DECODE_ERROR;
David Benjamin8f8040d2014-07-14 19:14:46 -0400[diff] [blame]1644 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_EXTRA_DATA_IN_MESSAGE);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1645 goto f_err;
1646 }
1647 }
1648 EVP_PKEY_free(pkey);
1649 EVP_MD_CTX_cleanup(&md_ctx);
1650 return(1);
1651f_err:
1652 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1653err:
1654 EVP_PKEY_free(pkey);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1655 if (rsa != NULL)
1656 RSA_free(rsa);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1657#ifndef OPENSSL_NO_DH
1658 if (dh != NULL)
1659 DH_free(dh);
1660#endif
1661#ifndef OPENSSL_NO_ECDH
1662 BN_CTX_free(bn_ctx);
1663 EC_POINT_free(srvr_ecpoint);
1664 if (ecdh != NULL)
1665 EC_KEY_free(ecdh);
1666#endif
1667 EVP_MD_CTX_cleanup(&md_ctx);
1668 return(-1);
1669 }
1670
1671static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b)
1672 {
1673 return(X509_NAME_cmp(*a,*b));
1674 }
1675
1676int ssl3_get_certificate_request(SSL *s)
1677 {
1678 int ok,ret=0;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1679 unsigned long n;
1680 unsigned int i;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1681 X509_NAME *xn=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1682 STACK_OF(X509_NAME) *ca_sk=NULL;
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1683 CBS cbs;
1684 CBS certificate_types;
1685 CBS certificate_authorities;
1686 const uint8_t *data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1687
1688 n=s->method->ssl_get_message(s,
1689 SSL3_ST_CR_CERT_REQ_A,
1690 SSL3_ST_CR_CERT_REQ_B,
1691 -1,
1692 s->max_cert_list,
1693 &ok);
1694
1695 if (!ok) return((int)n);
1696
1697 s->s3->tmp.cert_req=0;
1698
1699 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1700 {
1701 s->s3->tmp.reuse_message=1;
1702 /* If we get here we don't need any cached handshake records
1703 * as we wont be doing client auth.
1704 */
1705 if (s->s3->handshake_buffer)
1706 {
1707 if (!ssl3_digest_cached_records(s))
1708 goto err;
1709 }
1710 return(1);
1711 }
1712
1713 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1714 {
1715 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1716 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_WRONG_MESSAGE_TYPE);
1717 goto err;
1718 }
1719
1720 /* TLS does not like anon-DH with client cert */
1721 if (s->version > SSL3_VERSION)
1722 {
1723 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1724 {
1725 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1726 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1727 goto err;
1728 }
1729 }
1730
David Benjamin51b1f742014-07-12 16:31:12 -0400[diff] [blame]1731 CBS_init(&cbs, s->init_msg, n);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1732
1733 ca_sk = sk_X509_NAME_new(ca_dn_cmp);
1734 if (ca_sk == NULL)
1735 {
1736 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1737 goto err;
1738 }
1739
1740 /* get the certificate types */
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1741 if (!CBS_get_u8_length_prefixed(&cbs, &certificate_types))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1742 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1743 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1744 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
1745 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1746 }
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]1747 if (!CBS_stow(&certificate_types,
1748 &s->s3->tmp.certificate_types,
1749 &s->s3->tmp.num_certificate_types))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1750 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1751 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1752 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1753 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1754 if (SSL_USE_SIGALGS(s))
1755 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1756 CBS supported_signature_algorithms;
1757 if (!CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1758 {
1759 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1760 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1761 goto err;
1762 }
1763 /* Clear certificate digests and validity flags */
1764 for (i = 0; i < SSL_PKEY_NUM; i++)
1765 {
1766 s->cert->pkeys[i].digest = NULL;
1767 s->cert->pkeys[i].valid_flags = 0;
1768 }
David Benjamincd996942014-07-20 16:23:51 -0400[diff] [blame]1769 if (!tls1_process_sigalgs(s, &supported_signature_algorithms))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1770 {
1771 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1772 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1773 goto err;
1774 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1775 }
1776
1777 /* get the CA RDNs */
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1778 if (!CBS_get_u16_length_prefixed(&cbs, &certificate_authorities))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1779 {
1780 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1781 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_LENGTH_MISMATCH);
1782 goto err;
1783 }
1784
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1785 while (CBS_len(&certificate_authorities) > 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1786 {
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1787 CBS distinguished_name;
1788 if (!CBS_get_u16_length_prefixed(&certificate_authorities, &distinguished_name))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1789 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1790 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1791 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_TOO_LONG);
1792 goto err;
1793 }
1794
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1795 data = CBS_data(&distinguished_name);
1796 if ((xn=d2i_X509_NAME(NULL, &data, CBS_len(&distinguished_name))) == NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1797 {
Alex Chernyakhovsky9c890d42014-07-05 00:53:11 -0400[diff] [blame]1798 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1799 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_ASN1_LIB);
1800 goto err;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1801 }
1802
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]1803 if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name)))
Alex Chernyakhovsky31955f92014-07-05 01:12:34 -0400[diff] [blame]1804 {
1805 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1806 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
1807 goto err;
1808 }
1809 if (CBS_len(&distinguished_name) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1810 {
1811 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1812 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_LENGTH_MISMATCH);
1813 goto err;
1814 }
1815 if (!sk_X509_NAME_push(ca_sk,xn))
1816 {
1817 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1818 goto err;
1819 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1820 }
1821
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1822 /* we should setup a certificate to return.... */
1823 s->s3->tmp.cert_req=1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1824 if (s->s3->tmp.ca_names != NULL)
1825 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1826 s->s3->tmp.ca_names=ca_sk;
1827 ca_sk=NULL;
1828
1829 ret=1;
1830err:
1831 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1832 return(ret);
1833 }
1834
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1835int ssl3_get_new_session_ticket(SSL *s)
1836 {
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1837 int ok,al,ret=0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1838 long n;
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1839 CBS new_session_ticket, ticket;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1840
1841 n=s->method->ssl_get_message(s,
1842 SSL3_ST_CR_SESSION_TICKET_A,
1843 SSL3_ST_CR_SESSION_TICKET_B,
David Benjamin64442872014-07-21 17:43:45 -0400[diff] [blame]1844 SSL3_MT_NEWSESSION_TICKET,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1845 16384,
1846 &ok);
1847
1848 if (!ok)
1849 return((int)n);
1850
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1851 CBS_init(&new_session_ticket, s->init_msg, n);
1852
1853 if (!CBS_get_u32(&new_session_ticket, &s->session->tlsext_tick_lifetime_hint) ||
1854 !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
1855 CBS_len(&new_session_ticket) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1856 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1857 al = SSL_AD_DECODE_ERROR;
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1858 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1859 goto f_err;
1860 }
1861
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1862 if (!CBS_stow(&ticket, &s->session->tlsext_tick, &s->session->tlsext_ticklen))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1863 {
1864 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
1865 goto err;
1866 }
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1867
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1868 /* There are two ways to detect a resumed ticket sesion.
1869 * One is to set an appropriate session ID and then the server
1870 * must return a match in ServerHello. This allows the normal
1871 * client session ID matching to work and we know much
1872 * earlier that the ticket has been accepted.
1873 *
1874 * The other way is to set zero length session ID when the
1875 * ticket is presented and rely on the handshake to determine
1876 * session resumption.
1877 *
1878 * We choose the former approach because this fits in with
1879 * assumptions elsewhere in OpenSSL. The session ID is set
1880 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1881 * ticket.
1882 */
David Benjamine044c3d2014-07-14 19:14:12 -0400[diff] [blame]1883 EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1884 s->session->session_id, &s->session->session_id_length,
1885#ifndef OPENSSL_NO_SHA256
1886 EVP_sha256(), NULL);
1887#else
1888 EVP_sha1(), NULL);
1889#endif
1890 ret=1;
1891 return(ret);
1892f_err:
1893 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1894err:
1895 return(-1);
1896 }
1897
1898int ssl3_get_cert_status(SSL *s)
1899 {
1900 int ok, al;
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1901 long n;
1902 CBS certificate_status, ocsp_response;
1903 uint8_t status_type;
1904 size_t resplen;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1905
1906 n=s->method->ssl_get_message(s,
1907 SSL3_ST_CR_CERT_STATUS_A,
1908 SSL3_ST_CR_CERT_STATUS_B,
1909 SSL3_MT_CERTIFICATE_STATUS,
1910 16384,
1911 &ok);
1912
1913 if (!ok) return((int)n);
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1914
1915 CBS_init(&certificate_status, s->init_msg, n);
1916 if (!CBS_get_u8(&certificate_status, &status_type) ||
1917 status_type != TLSEXT_STATUSTYPE_ocsp ||
1918 !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
1919 CBS_len(&ocsp_response) == 0 ||
1920 CBS_len(&certificate_status) != 0)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1921 {
1922 al = SSL_AD_DECODE_ERROR;
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1923 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1924 goto f_err;
1925 }
David Benjamin46062682014-07-14 19:14:32 -0400[diff] [blame]1926
1927 /* TODO(davidben): Make tlsext_ocsp_resplen a
1928 * size_t. Currently it uses -1 to signal no response. The
1929 * spec does not allow ocsp_response to be zero-length, so
1930 * using 0 should be fine. */
1931 if (!CBS_stow(&ocsp_response, &s->tlsext_ocsp_resp, &resplen))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1932 {
1933 al = SSL_AD_INTERNAL_ERROR;
1934 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
1935 goto f_err;
1936 }
1937 s->tlsext_ocsp_resplen = resplen;
1938 if (s->ctx->tlsext_status_cb)
1939 {
1940 int ret;
1941 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1942 if (ret == 0)
1943 {
1944 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1945 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_INVALID_STATUS_RESPONSE);
1946 goto f_err;
1947 }
1948 if (ret < 0)
1949 {
1950 al = SSL_AD_INTERNAL_ERROR;
1951 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
1952 goto f_err;
1953 }
1954 }
1955 return 1;
1956f_err:
1957 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1958 return(-1);
1959 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1960
1961int ssl3_get_server_done(SSL *s)
1962 {
1963 int ok,ret=0;
1964 long n;
1965
1966 n=s->method->ssl_get_message(s,
1967 SSL3_ST_CR_SRVR_DONE_A,
1968 SSL3_ST_CR_SRVR_DONE_B,
1969 SSL3_MT_SERVER_DONE,
1970 30, /* should be very small, like 0 :-) */
1971 &ok);
1972
1973 if (!ok) return((int)n);
1974 if (n > 0)
1975 {
1976 /* should contain no data */
1977 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1978 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_done, SSL_R_LENGTH_MISMATCH);
1979 return -1;
1980 }
1981 ret=1;
1982 return(ret);
1983 }
1984
1985
1986int ssl3_send_client_key_exchange(SSL *s)
1987 {
1988 unsigned char *p;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1989 int n = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1990 unsigned long alg_k;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]1991 unsigned long alg_a;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1992 unsigned char *q;
1993 EVP_PKEY *pkey=NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1994#ifndef OPENSSL_NO_ECDH
1995 EC_KEY *clnt_ecdh = NULL;
1996 const EC_POINT *srvr_ecpoint = NULL;
1997 EVP_PKEY *srvr_pub_pkey = NULL;
1998 unsigned char *encodedPoint = NULL;
1999 int encoded_pt_len = 0;
2000 BN_CTX * bn_ctx = NULL;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2001 unsigned int psk_len = 0;
2002 unsigned char psk[PSK_MAX_PSK_LEN];
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2003#endif /* OPENSSL_NO_ECDH */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2004
2005 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
2006 {
2007 p = ssl_handshake_start(s);
2008
2009 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2010 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2011
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2012 if (alg_a & SSL_aPSK)
2013 {
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2014 char identity[PSK_MAX_IDENTITY_LEN + 1];
2015 size_t identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2016 unsigned char *t = NULL;
2017 unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4];
2018 unsigned int pre_ms_len = 0;
2019 int psk_err = 1;
2020
2021 n = 0;
2022 if (s->psk_client_callback == NULL)
2023 {
2024 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_NO_CLIENT_CB);
2025 goto err;
2026 }
2027
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2028 memset(identity, 0, sizeof(identity));
Adam Langley0289c732014-06-20 12:00:00 -0700[diff] [blame]2029 psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2030 identity, sizeof(identity), psk, sizeof(psk));
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2031 if (psk_len > PSK_MAX_PSK_LEN)
2032 {
2033 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2034 goto psk_err;
2035 }
2036 else if (psk_len == 0)
2037 {
2038 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_IDENTITY_NOT_FOUND);
2039 goto psk_err;
2040 }
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2041 identity_len = OPENSSL_strnlen(identity, sizeof(identity));
2042 if (identity_len > PSK_MAX_IDENTITY_LEN)
2043 {
2044 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2045 goto psk_err;
2046 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2047
2048 if (!(alg_k & SSL_kEECDH))
2049 {
David Benjamin14c83e72014-07-13 04:54:57 -0400[diff] [blame]2050 /* Create the shared secret now if we're not using ECDHE-PSK.
2051 * TODO(davidben): Refactor this logic similarly
2052 * to ssl3_get_client_key_exchange. */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2053 pre_ms_len = 2+psk_len+2+psk_len;
2054 t = pre_ms;
2055 s2n(psk_len, t);
2056 memset(t, 0, psk_len);
2057 t+=psk_len;
2058 s2n(psk_len, t);
2059 memcpy(t, psk, psk_len);
2060
2061 s->session->master_key_length =
2062 s->method->ssl3_enc->generate_master_secret(s,
2063 s->session->master_key,
2064 pre_ms, pre_ms_len);
Adam Langley01797e32014-06-20 12:00:00 -0700[diff] [blame]2065 s2n(identity_len, p);
2066 memcpy(p, identity, identity_len);
2067 n = 2 + identity_len;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2068 }
2069
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2070 if (s->session->psk_identity != NULL)
2071 OPENSSL_free(s->session->psk_identity);
2072 s->session->psk_identity = BUF_strdup(identity);
2073 if (s->session->psk_identity == NULL)
2074 {
2075 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2076 goto psk_err;
2077 }
2078 psk_err = 0;
2079 psk_err:
2080 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2081 OPENSSL_cleanse(pre_ms, sizeof(pre_ms));
2082 if (psk_err != 0)
2083 {
2084 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2085 goto err;
2086 }
2087 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2088
2089 /* Fool emacs indentation */
2090 if (0) {}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2091 else if (alg_k & SSL_kRSA)
2092 {
2093 RSA *rsa;
2094 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2095
2096 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2097 rsa=s->session->sess_cert->peer_rsa_tmp;
2098 else
2099 {
2100 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2101 if ((pkey == NULL) ||
2102 (pkey->type != EVP_PKEY_RSA) ||
2103 (pkey->pkey.rsa == NULL))
2104 {
2105 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2106 goto err;
2107 }
2108 rsa=pkey->pkey.rsa;
2109 EVP_PKEY_free(pkey);
2110 }
2111
2112 tmp_buf[0]=s->client_version>>8;
2113 tmp_buf[1]=s->client_version&0xff;
2114 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2115 goto err;
2116
2117 s->session->master_key_length=sizeof tmp_buf;
2118
2119 q=p;
2120 /* Fix buf for TLS and beyond */
2121 if (s->version > SSL3_VERSION)
2122 p+=2;
2123 n=RSA_public_encrypt(sizeof tmp_buf,
2124 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
2125#ifdef PKCS1_CHECK
2126 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
2127 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
2128#endif
2129 if (n <= 0)
2130 {
2131 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_RSA_ENCRYPT);
2132 goto err;
2133 }
2134
2135 /* Fix buf for TLS and beyond */
2136 if (s->version > SSL3_VERSION)
2137 {
2138 s2n(n,q);
2139 n+=2;
2140 }
2141
2142 s->session->master_key_length=
2143 s->method->ssl3_enc->generate_master_secret(s,
2144 s->session->master_key,
2145 tmp_buf,sizeof tmp_buf);
2146 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2147 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2148#ifndef OPENSSL_NO_DH
2149 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2150 {
2151 DH *dh_srvr,*dh_clnt;
2152 SESS_CERT *scert = s->session->sess_cert;
2153
2154 if (scert == NULL)
2155 {
2156 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2157 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2158 goto err;
2159 }
2160
2161 if (scert->peer_dh_tmp != NULL)
2162 dh_srvr=scert->peer_dh_tmp;
2163 else
2164 {
2165 /* we get them from the cert */
2166 int idx = scert->peer_cert_type;
2167 EVP_PKEY *spkey = NULL;
2168 dh_srvr = NULL;
2169 if (idx >= 0)
2170 spkey = X509_get_pubkey(
2171 scert->peer_pkeys[idx].x509);
2172 if (spkey)
2173 {
2174 dh_srvr = EVP_PKEY_get1_DH(spkey);
2175 EVP_PKEY_free(spkey);
2176 }
2177 if (dh_srvr == NULL)
2178 {
2179 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2180 goto err;
2181 }
2182 }
2183 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2184 {
2185 /* Use client certificate key */
2186 EVP_PKEY *clkey = s->cert->key->privatekey;
2187 dh_clnt = NULL;
2188 if (clkey)
2189 dh_clnt = EVP_PKEY_get1_DH(clkey);
2190 if (dh_clnt == NULL)
2191 {
2192 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2193 goto err;
2194 }
2195 }
2196 else
2197 {
2198 /* generate a new random key */
2199 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2200 {
2201 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2202 goto err;
2203 }
2204 if (!DH_generate_key(dh_clnt))
2205 {
2206 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2207 DH_free(dh_clnt);
2208 goto err;
2209 }
2210 }
2211
2212 /* use the 'p' output buffer for the DH key, but
2213 * make sure to clear it out afterwards */
2214
2215 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2216 if (scert->peer_dh_tmp == NULL)
2217 DH_free(dh_srvr);
2218
2219 if (n <= 0)
2220 {
2221 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2222 DH_free(dh_clnt);
2223 goto err;
2224 }
2225
2226 /* generate master key from the result */
2227 s->session->master_key_length=
2228 s->method->ssl3_enc->generate_master_secret(s,
2229 s->session->master_key,p,n);
2230 /* clean up */
2231 memset(p,0,n);
2232
2233 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2234 n = 0;
2235 else
2236 {
2237 /* send off the data */
2238 n=BN_num_bytes(dh_clnt->pub_key);
2239 s2n(n,p);
2240 BN_bn2bin(dh_clnt->pub_key,p);
2241 n+=2;
2242 }
2243
2244 DH_free(dh_clnt);
2245
2246 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2247 }
2248#endif
2249
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2250#ifndef OPENSSL_NO_ECDH
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2251 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2252 {
2253 const EC_GROUP *srvr_group = NULL;
2254 EC_KEY *tkey;
2255 int ecdh_clnt_cert = 0;
2256 int field_size = 0;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2257 unsigned char *pre_ms;
2258 unsigned char *t;
2259 unsigned int pre_ms_len;
2260 unsigned int i;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2261
Adam Langleyd06eddd2014-06-20 12:00:00 -0700[diff] [blame]2262 if (s->session->sess_cert == NULL)
2263 {
2264 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2265 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2266 goto err;
2267 }
2268
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2269 /* Did we send out the client's
2270 * ECDH share for use in premaster
2271 * computation as part of client certificate?
2272 * If so, set ecdh_clnt_cert to 1.
2273 */
2274 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
2275 {
2276 /* XXX: For now, we do not support client
2277 * authentication using ECDH certificates.
2278 * To add such support, one needs to add
2279 * code that checks for appropriate
2280 * conditions and sets ecdh_clnt_cert to 1.
2281 * For example, the cert have an ECC
2282 * key on the same curve as the server's
2283 * and the key should be authorized for
2284 * key agreement.
2285 *
2286 * One also needs to add code in ssl3_connect
2287 * to skip sending the certificate verify
2288 * message.
2289 *
2290 * if ((s->cert->key->privatekey != NULL) &&
2291 * (s->cert->key->privatekey->type ==
2292 * EVP_PKEY_EC) && ...)
2293 * ecdh_clnt_cert = 1;
2294 */
2295 }
2296
2297 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2298 {
2299 tkey = s->session->sess_cert->peer_ecdh_tmp;
2300 }
2301 else
2302 {
2303 /* Get the Server Public Key from Cert */
2304 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2305 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2306 if ((srvr_pub_pkey == NULL) ||
2307 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2308 (srvr_pub_pkey->pkey.ec == NULL))
2309 {
2310 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2311 goto err;
2312 }
2313
2314 tkey = srvr_pub_pkey->pkey.ec;
2315 }
2316
2317 srvr_group = EC_KEY_get0_group(tkey);
2318 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2319
2320 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2321 {
2322 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2323 goto err;
2324 }
2325
2326 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2327 {
2328 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2329 goto err;
2330 }
2331
2332 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2333 {
2334 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2335 goto err;
2336 }
2337 if (ecdh_clnt_cert)
2338 {
2339 /* Reuse key info from our certificate
2340 * We only need our private key to perform
2341 * the ECDH computation.
2342 */
2343 const BIGNUM *priv_key;
2344 tkey = s->cert->key->privatekey->pkey.ec;
2345 priv_key = EC_KEY_get0_private_key(tkey);
2346 if (priv_key == NULL)
2347 {
2348 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2349 goto err;
2350 }
2351 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2352 {
2353 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2354 goto err;
2355 }
2356 }
2357 else
2358 {
2359 /* Generate a new ECDH key pair */
2360 if (!(EC_KEY_generate_key(clnt_ecdh)))
2361 {
2362 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2363 goto err;
2364 }
2365 }
2366
2367 /* use the 'p' output buffer for the ECDH key, but
2368 * make sure to clear it out afterwards
2369 */
2370
2371 field_size = EC_GROUP_get_degree(srvr_group);
2372 if (field_size <= 0)
2373 {
2374 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2375 goto err;
2376 }
2377 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2378 if (n <= 0)
2379 {
2380 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2381 goto err;
2382 }
2383
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2384 /* ECDHE PSK ciphersuites from RFC 5489 */
2385 if ((alg_a & SSL_aPSK) && psk_len != 0)
2386 {
2387 pre_ms_len = 2+psk_len+2+n;
2388 pre_ms = OPENSSL_malloc(pre_ms_len);
2389 if (pre_ms == NULL)
2390 {
2391 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2392 goto err;
2393 }
2394 memset(pre_ms, 0, pre_ms_len);
2395 t = pre_ms;
2396 s2n(psk_len, t);
2397 memcpy(t, psk, psk_len);
2398 t += psk_len;
2399 s2n(n, t);
2400 memcpy(t, p, n);
2401 s->session->master_key_length = s->method->ssl3_enc \
2402 -> generate_master_secret(s,
2403 s->session->master_key, pre_ms, pre_ms_len);
2404 OPENSSL_cleanse(pre_ms, pre_ms_len);
2405 OPENSSL_free(pre_ms);
2406 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2407 if (!(alg_a & SSL_aPSK))
2408 {
2409 /* generate master key from the result */
2410 s->session->master_key_length = s->method->ssl3_enc \
2411 -> generate_master_secret(s,
2412 s->session->master_key, p, n);
2413 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2414 memset(p, 0, n); /* clean up */
2415
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2416 if (ecdh_clnt_cert)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2417 {
2418 /* Send empty client key exch message */
2419 n = 0;
2420 }
2421 else
2422 {
2423 /* First check the size of encoding and
2424 * allocate memory accordingly.
2425 */
2426 encoded_pt_len =
2427 EC_POINT_point2oct(srvr_group,
2428 EC_KEY_get0_public_key(clnt_ecdh),
2429 POINT_CONVERSION_UNCOMPRESSED,
2430 NULL, 0, NULL);
2431
2432 encodedPoint = (unsigned char *)
2433 OPENSSL_malloc(encoded_pt_len *
2434 sizeof(unsigned char));
2435 bn_ctx = BN_CTX_new();
2436 if ((encodedPoint == NULL) ||
2437 (bn_ctx == NULL))
2438 {
2439 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2440 goto err;
2441 }
2442
2443 /* Encode the public key */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2444 encoded_pt_len = EC_POINT_point2oct(srvr_group,
2445 EC_KEY_get0_public_key(clnt_ecdh),
2446 POINT_CONVERSION_UNCOMPRESSED,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2447 encodedPoint, encoded_pt_len, bn_ctx);
2448
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2449 n = 0;
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2450 if ((alg_a & SSL_aPSK) && psk_len != 0)
2451 {
2452 i = strlen(s->session->psk_identity);
2453 s2n(i, p);
2454 memcpy(p, s->session->psk_identity, i);
2455 p += i;
2456 n = i + 2;
2457 }
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2458
2459 *p = encoded_pt_len; /* length of encoded point */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2460 /* Encoded point will be copied here */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2461 p += 1;
2462 n += 1;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2463 /* copy the point */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2464 memcpy((unsigned char *)p, encodedPoint, encoded_pt_len);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2465 /* increment n to account for length field */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2466 n += encoded_pt_len;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2467 }
2468
2469 /* Free allocated memory */
2470 BN_CTX_free(bn_ctx);
2471 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2472 if (clnt_ecdh != NULL)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2473 EC_KEY_free(clnt_ecdh);
2474 EVP_PKEY_free(srvr_pub_pkey);
2475 }
2476#endif /* !OPENSSL_NO_ECDH */
Adam Langleyc26c8022014-06-20 12:00:00 -0700[diff] [blame]2477 else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK)))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2478 {
2479 ssl3_send_alert(s, SSL3_AL_FATAL,
2480 SSL_AD_HANDSHAKE_FAILURE);
2481 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2482 goto err;
2483 }
2484
2485 ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
2486 s->state=SSL3_ST_CW_KEY_EXCH_B;
2487 }
2488
2489 /* SSL3_ST_CW_KEY_EXCH_B */
2490 return ssl_do_write(s);
2491err:
2492#ifndef OPENSSL_NO_ECDH
2493 BN_CTX_free(bn_ctx);
2494 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2495 if (clnt_ecdh != NULL)
2496 EC_KEY_free(clnt_ecdh);
2497 EVP_PKEY_free(srvr_pub_pkey);
2498#endif
2499 return(-1);
2500 }
2501
2502int ssl3_send_client_verify(SSL *s)
2503 {
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2504 unsigned char *buf, *p;
2505 const EVP_MD *md;
2506 uint8_t digest[EVP_MAX_MD_SIZE];
2507 unsigned digest_length;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2508 EVP_PKEY *pkey;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2509 EVP_PKEY_CTX *pctx = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2510 EVP_MD_CTX mctx;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2511 size_t signature_length = 0;
2512 unsigned long n = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2513
2514 EVP_MD_CTX_init(&mctx);
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2515 buf=(unsigned char *)s->init_buf->data;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2516
2517 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2518 {
2519 p= ssl_handshake_start(s);
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2520 pkey = s->cert->key->privatekey;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2521 /* For TLS v1.2 send signature algorithm and signature using
2522 * agreed digest and cached handshake records. Otherwise, use
2523 * SHA1 or MD5 + SHA1 depending on key type.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2524 */
2525 if (SSL_USE_SIGALGS(s))
2526 {
Adam Langley37a623c2014-07-18 09:28:40 -0700[diff] [blame]2527 const uint8_t *hdata;
2528 size_t hdatalen;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2529 md = s->cert->key->digest;
Adam Langley37a623c2014-07-18 09:28:40 -0700[diff] [blame]2530 if (!BIO_mem_contents(s->s3->handshake_buffer, &hdata, &hdatalen) ||
2531 !tls12_get_sigandhash(p, pkey, md))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2532 {
2533 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2534 goto err;
2535 }
2536 p += 2;
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2537 n += 2;
2538 if (!EVP_DigestInit_ex(&mctx, md, NULL)
2539 || !EVP_DigestUpdate(&mctx, hdata, hdatalen)
2540 || !EVP_DigestFinal(&mctx, digest, &digest_length))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2541 {
2542 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
2543 goto err;
2544 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2545 }
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2546 else if (pkey->type == EVP_PKEY_RSA)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2547 {
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2548 s->method->ssl3_enc->cert_verify_mac(s, NID_md5, digest);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2549 s->method->ssl3_enc->cert_verify_mac(s,
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2550 NID_sha1, &digest[MD5_DIGEST_LENGTH]);
2551 digest_length = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH;
2552 /* Using a NULL signature MD makes EVP_PKEY_sign perform
2553 * a raw RSA signature, rather than wrapping in a
2554 * DigestInfo. */
2555 md = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2556 }
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2557 else if (pkey->type == EVP_PKEY_DSA || pkey->type == EVP_PKEY_EC)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2558 {
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2559 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, digest);
2560 digest_length = SHA_DIGEST_LENGTH;
2561 md = EVP_sha1();
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2562 }
2563 else
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2564 {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2565 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2566 goto err;
Adam Langleyaed23062014-06-20 12:00:00 -0700[diff] [blame]2567 }
David Benjamin0e2908a2014-07-09 15:22:43 -0400[diff] [blame]2568
2569 /* Sign the digest. */
2570 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2571 if (pctx == NULL)
2572 goto err;
2573
2574 /* Initialize the EVP_PKEY_CTX and determine the size of the signature. */
2575 if (EVP_PKEY_sign_init(pctx) != 1 ||
2576 EVP_PKEY_CTX_set_signature_md(pctx, md) != 1 ||
2577 EVP_PKEY_sign(pctx, NULL, &signature_length,
2578 digest, digest_length) != 1)
2579 {
2580 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
2581 goto err;
2582 }
2583
2584 if (p + 2 + signature_length > buf + SSL3_RT_MAX_PLAIN_LENGTH)
2585 {
2586 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, SSL_R_DATA_LENGTH_TOO_LONG);
2587 goto err;
2588 }
2589
2590 if (EVP_PKEY_sign(pctx, &p[2], &signature_length,
2591 digest, digest_length) != 1)
2592 {
2593 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
2594 goto err;
2595 }
2596
2597 s2n(signature_length, p);
2598 n += signature_length + 2;
2599
2600 /* Now that client auth is completed, we no longer need cached
2601 * handshake records and can digest them. */
2602 if (SSL_USE_SIGALGS(s))
2603 {
2604 if (!ssl3_digest_cached_records(s))
2605 goto err;
2606 }
2607
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2608 ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
2609 s->state=SSL3_ST_CW_CERT_VRFY_B;
2610 }
2611 EVP_MD_CTX_cleanup(&mctx);
2612 EVP_PKEY_CTX_free(pctx);
2613 return ssl_do_write(s);
2614err:
2615 EVP_MD_CTX_cleanup(&mctx);
2616 EVP_PKEY_CTX_free(pctx);
2617 return(-1);
2618 }
2619
2620/* Check a certificate can be used for client authentication. Currently
2621 * check cert exists, if we have a suitable digest for TLS 1.2 if
2622 * static DH client certificates can be used and optionally checks
2623 * suitability for Suite B.
2624 */
2625static int ssl3_check_client_certificate(SSL *s)
2626 {
2627 unsigned long alg_k;
2628 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2629 return 0;
2630 /* If no suitable signature algorithm can't use certificate */
2631 if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
2632 return 0;
2633 /* If strict mode check suitability of chain before using it.
2634 * This also adjusts suite B digest if necessary.
2635 */
2636 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2637 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2638 return 0;
2639 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2640 /* See if we can use client certificate for fixed DH */
2641 if (alg_k & (SSL_kDHr|SSL_kDHd))
2642 {
2643 SESS_CERT *scert = s->session->sess_cert;
2644 int i = scert->peer_cert_type;
2645 EVP_PKEY *clkey = NULL, *spkey = NULL;
2646 clkey = s->cert->key->privatekey;
2647 /* If client key not DH assume it can be used */
2648 if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)
2649 return 1;
2650 if (i >= 0)
2651 spkey = X509_get_pubkey(scert->peer_pkeys[i].x509);
2652 if (spkey)
2653 {
2654 /* Compare server and client parameters */
2655 i = EVP_PKEY_cmp_parameters(clkey, spkey);
2656 EVP_PKEY_free(spkey);
2657 if (i != 1)
2658 return 0;
2659 }
2660 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2661 }
2662 return 1;
2663 }
2664
2665int ssl3_send_client_certificate(SSL *s)
2666 {
2667 X509 *x509=NULL;
2668 EVP_PKEY *pkey=NULL;
2669 int i;
2670
2671 if (s->state == SSL3_ST_CW_CERT_A)
2672 {
2673 /* Let cert callback update client certificates if required */
2674 if (s->cert->cert_cb)
2675 {
2676 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2677 if (i < 0)
2678 {
2679 s->rwstate=SSL_X509_LOOKUP;
2680 return -1;
2681 }
2682 if (i == 0)
2683 {
2684 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
2685 return 0;
2686 }
2687 s->rwstate=SSL_NOTHING;
2688 }
2689 if (ssl3_check_client_certificate(s))
2690 s->state=SSL3_ST_CW_CERT_C;
2691 else
2692 s->state=SSL3_ST_CW_CERT_B;
2693 }
2694
2695 /* We need to get a client cert */
2696 if (s->state == SSL3_ST_CW_CERT_B)
2697 {
2698 /* If we get an error, we need to
2699 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2700 * We then get retied later */
2701 i=0;
2702 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2703 if (i < 0)
2704 {
2705 s->rwstate=SSL_X509_LOOKUP;
2706 return(-1);
2707 }
2708 s->rwstate=SSL_NOTHING;
2709 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2710 {
2711 s->state=SSL3_ST_CW_CERT_B;
2712 if ( !SSL_use_certificate(s,x509) ||
2713 !SSL_use_PrivateKey(s,pkey))
2714 i=0;
2715 }
2716 else if (i == 1)
2717 {
2718 i=0;
2719 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2720 }
2721
2722 if (x509 != NULL) X509_free(x509);
2723 if (pkey != NULL) EVP_PKEY_free(pkey);
2724 if (i && !ssl3_check_client_certificate(s))
2725 i = 0;
2726 if (i == 0)
2727 {
2728 if (s->version == SSL3_VERSION)
2729 {
2730 s->s3->tmp.cert_req=0;
2731 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2732 return(1);
2733 }
2734 else
2735 {
2736 s->s3->tmp.cert_req=2;
2737 }
2738 }
2739
2740 /* Ok, we have a cert */
2741 s->state=SSL3_ST_CW_CERT_C;
2742 }
2743
2744 if (s->state == SSL3_ST_CW_CERT_C)
2745 {
2746 s->state=SSL3_ST_CW_CERT_D;
2747 ssl3_output_cert_chain(s,
2748 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
2749 }
2750 /* SSL3_ST_CW_CERT_D */
2751 return ssl_do_write(s);
2752 }
2753
2754#define has_bits(i,m) (((i)&(m)) == (m))
2755
2756int ssl3_check_cert_and_algorithm(SSL *s)
2757 {
2758 int i,idx;
2759 long alg_k,alg_a;
2760 EVP_PKEY *pkey=NULL;
2761 SESS_CERT *sc;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2762 RSA *rsa;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2763#ifndef OPENSSL_NO_DH
2764 DH *dh;
2765#endif
2766
David Benjamine8f3d662014-07-12 01:10:19 -0400[diff] [blame]2767 /* we don't have a certificate */
2768 if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
2769 return 1;
2770
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2771 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2772 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2773
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2774 sc=s->session->sess_cert;
2775 if (sc == NULL)
2776 {
2777 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2778 goto err;
2779 }
2780
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2781 rsa=s->session->sess_cert->peer_rsa_tmp;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2782#ifndef OPENSSL_NO_DH
2783 dh=s->session->sess_cert->peer_dh_tmp;
2784#endif
2785
2786 /* This is the passed certificate */
2787
2788 idx=sc->peer_cert_type;
2789#ifndef OPENSSL_NO_ECDH
2790 if (idx == SSL_PKEY_ECC)
2791 {
2792 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2793 s) == 0)
2794 { /* check failed */
2795 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_ECC_CERT);
2796 goto f_err;
2797 }
2798 else
2799 {
2800 return 1;
2801 }
2802 }
2803 else if (alg_a & SSL_aECDSA)
2804 {
2805 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDSA_SIGNING_CERT);
2806 goto f_err;
2807 }
2808 else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2809 {
2810 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDH_CERT);
2811 goto f_err;
2812 }
2813#endif
2814 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2815 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2816 EVP_PKEY_free(pkey);
2817
2818
2819 /* Check that we have a certificate if we require one */
2820 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2821 {
2822 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_SIGNING_CERT);
2823 goto f_err;
2824 }
2825#ifndef OPENSSL_NO_DSA
2826 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2827 {
2828 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DSA_SIGNING_CERT);
2829 goto f_err;
2830 }
2831#endif
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2832 if ((alg_k & SSL_kRSA) &&
2833 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2834 {
2835 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2836 goto f_err;
2837 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2838#ifndef OPENSSL_NO_DH
2839 if ((alg_k & SSL_kEDH) &&
2840 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2841 {
2842 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_KEY);
2843 goto f_err;
2844 }
2845 else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
2846 !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2847 {
2848 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_RSA_CERT);
2849 goto f_err;
2850 }
2851#ifndef OPENSSL_NO_DSA
2852 else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
2853 !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2854 {
2855 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_DSA_CERT);
2856 goto f_err;
2857 }
2858#endif
2859#endif
2860
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2861 return(1);
2862f_err:
2863 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2864err:
2865 return(0);
2866 }
2867
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2868# if !defined(OPENSSL_NO_NEXTPROTONEG)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2869int ssl3_send_next_proto(SSL *s)
2870 {
2871 unsigned int len, padding_len;
2872 unsigned char *d;
2873
2874 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
2875 {
2876 len = s->next_proto_negotiated_len;
2877 padding_len = 32 - ((len + 2) % 32);
2878 d = (unsigned char *)s->init_buf->data;
2879 d[4] = len;
2880 memcpy(d + 5, s->next_proto_negotiated, len);
2881 d[5 + len] = padding_len;
2882 memset(d + 6 + len, 0, padding_len);
2883 *(d++)=SSL3_MT_NEXT_PROTO;
2884 l2n3(2 + len + padding_len, d);
2885 s->state = SSL3_ST_CW_NEXT_PROTO_B;
2886 s->init_num = 4 + 2 + len + padding_len;
2887 s->init_off = 0;
2888 }
2889
2890 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
2891}
Adam Langley1258b6a2014-06-20 12:00:00 -0700[diff] [blame]2892
2893# endif /* !OPENSSL_NO_NEXTPROTONEG */
2894
2895int ssl3_send_channel_id(SSL *s)
2896 {
2897 unsigned char *d;
2898 int ret = -1, public_key_len;
2899 EVP_MD_CTX md_ctx;
2900 size_t sig_len;
2901 ECDSA_SIG *sig = NULL;
2902 unsigned char *public_key = NULL, *derp, *der_sig = NULL;
2903
2904 if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
2905 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
2906
2907 if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb)
2908 {
2909 EVP_PKEY *key = NULL;
2910 s->ctx->channel_id_cb(s, &key);
2911 if (key != NULL)
2912 {
2913 s->tlsext_channel_id_private = key;
2914 }
2915 }
2916 if (!s->tlsext_channel_id_private)
2917 {
2918 s->rwstate=SSL_CHANNEL_ID_LOOKUP;
2919 return (-1);
2920 }
2921 s->rwstate=SSL_NOTHING;
2922
2923 d = (unsigned char *)s->init_buf->data;
2924 *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
2925 l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
2926 if (s->s3->tlsext_channel_id_new)
2927 s2n(TLSEXT_TYPE_channel_id_new, d);
2928 else
2929 s2n(TLSEXT_TYPE_channel_id, d);
2930 s2n(TLSEXT_CHANNEL_ID_SIZE, d);
2931
2932 EVP_MD_CTX_init(&md_ctx);
2933
2934 public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
2935 if (public_key_len <= 0)
2936 {
2937 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
2938 goto err;
2939 }
2940 /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a
2941 * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
2942 * field elements as 32-byte, big-endian numbers. */
2943 if (public_key_len != 65)
2944 {
2945 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
2946 goto err;
2947 }
2948 public_key = OPENSSL_malloc(public_key_len);
2949 if (!public_key)
2950 {
2951 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2952 goto err;
2953 }
2954
2955 derp = public_key;
2956 i2d_PublicKey(s->tlsext_channel_id_private, &derp);
2957
2958 if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
2959 s->tlsext_channel_id_private) != 1)
2960 {
2961 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNINIT_FAILED);
2962 goto err;
2963 }
2964
2965 if (!tls1_channel_id_hash(&md_ctx, s))
2966 goto err;
2967
2968 if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len))
2969 {
2970 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2971 goto err;
2972 }
2973
2974 der_sig = OPENSSL_malloc(sig_len);
2975 if (!der_sig)
2976 {
2977 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2978 goto err;
2979 }
2980
2981 if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len))
2982 {
2983 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2984 goto err;
2985 }
2986
2987 derp = der_sig;
2988 sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len);
2989 if (sig == NULL)
2990 {
2991 OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_D2I_ECDSA_SIG);
2992 goto err;
2993 }
2994
2995 /* The first byte of public_key will be 0x4, denoting an uncompressed key. */
2996 memcpy(d, public_key + 1, 64);
2997 d += 64;
2998 memset(d, 0, 2 * 32);
2999 BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r));
3000 d += 32;
3001 BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s));
3002 d += 32;
3003
3004 s->state = SSL3_ST_CW_CHANNEL_ID_B;
3005 s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE;
3006 s->init_off = 0;
3007
3008 ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3009
3010err:
3011 EVP_MD_CTX_cleanup(&md_ctx);
3012 if (public_key)
3013 OPENSSL_free(public_key);
3014 if (der_sig)
3015 OPENSSL_free(der_sig);
3016 if (sig)
3017 ECDSA_SIG_free(sig);
3018
3019 return ret;
3020 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3021
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]3022int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3023 {
3024 int i = 0;
3025 /* TODO(fork): remove */
3026#if 0
3027#ifndef OPENSSL_NO_ENGINE
3028 if (s->ctx->client_cert_engine)
3029 {
3030 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3031 SSL_get_client_CA_list(s),
3032 px509, ppkey, NULL, NULL, NULL);
3033 if (i != 0)
3034 return i;
3035 }
3036#endif
3037#endif
3038 if (s->ctx->client_cert_cb)
3039 i = s->ctx->client_cert_cb(s,px509,ppkey);
3040 return i;
3041 }