1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 *
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115 *
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
118 *
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121 *
122 */
123 /* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
125 *
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128 * license.
129 *
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
133 *
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
137 *
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
142 *
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147 * OTHERWISE. */
148
149 #include <assert.h>
150 #include <stdio.h>
151 #include <string.h>
152
153 #include <openssl/bn.h>
154 #include <openssl/buf.h>
155 #include <openssl/bytestring.h>
156 #include <openssl/cipher.h>
157 #include <openssl/dh.h>
158 #include <openssl/ec.h>
159 #include <openssl/ecdsa.h>
160 #include <openssl/err.h>
161 #include <openssl/evp.h>
162 #include <openssl/hmac.h>
163 #include <openssl/md5.h>
164 #include <openssl/mem.h>
165 #include <openssl/obj.h>
166 #include <openssl/rand.h>
167 #include <openssl/sha.h>
168 #include <openssl/x509.h>
169
170 #include "internal.h"
171 #include "../crypto/internal.h"
172 #include "../crypto/dh/internal.h"
173
174
175 /* INITIAL_SNIFF_BUFFER_SIZE is the number of bytes read in the initial sniff
176 * buffer. */
177 #define INITIAL_SNIFF_BUFFER_SIZE 8
178
ssl3_accept(SSL * s)179 int ssl3_accept(SSL *s) {
180 BUF_MEM *buf = NULL;
181 uint32_t alg_a;
182 void (*cb)(const SSL *ssl, int type, int val) = NULL;
183 int ret = -1;
184 int new_state, state, skip = 0;
185
186 assert(s->handshake_func == ssl3_accept);
187 assert(s->server);
188 assert(!SSL_IS_DTLS(s));
189
190 ERR_clear_error();
191 ERR_clear_system_error();
192
193 if (s->info_callback != NULL) {
194 cb = s->info_callback;
195 } else if (s->ctx->info_callback != NULL) {
196 cb = s->ctx->info_callback;
197 }
198
199 s->in_handshake++;
200
201 if (s->cert == NULL) {
202 OPENSSL_PUT_ERROR(SSL, ssl3_accept, SSL_R_NO_CERTIFICATE_SET);
203 return -1;
204 }
205
206 for (;;) {
207 state = s->state;
208
209 switch (s->state) {
210 case SSL_ST_ACCEPT:
211 if (cb != NULL) {
212 cb(s, SSL_CB_HANDSHAKE_START, 1);
213 }
214
215 if (s->init_buf == NULL) {
216 buf = BUF_MEM_new();
217 if (!buf || !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
218 ret = -1;
219 goto end;
220 }
221 s->init_buf = buf;
222 buf = NULL;
223 }
224 s->init_num = 0;
225
226 /* Enable a write buffer. This groups handshake messages within a flight
227 * into a single write. */
228 if (!ssl_init_wbio_buffer(s, 1)) {
229 ret = -1;
230 goto end;
231 }
232
233 if (!ssl3_init_finished_mac(s)) {
234 OPENSSL_PUT_ERROR(SSL, ssl3_accept, ERR_R_INTERNAL_ERROR);
235 ret = -1;
236 goto end;
237 }
238
239 if (!s->s3->have_version) {
240 s->state = SSL3_ST_SR_INITIAL_BYTES;
241 } else {
242 s->state = SSL3_ST_SR_CLNT_HELLO_A;
243 }
244 break;
245
246 case SSL3_ST_SR_INITIAL_BYTES:
247 ret = ssl3_get_initial_bytes(s);
248 if (ret <= 0) {
249 goto end;
250 }
251 /* ssl3_get_initial_bytes sets s->state to one of
252 * SSL3_ST_SR_V2_CLIENT_HELLO or SSL3_ST_SR_CLNT_HELLO_A on success. */
253 break;
254
255 case SSL3_ST_SR_V2_CLIENT_HELLO:
256 ret = ssl3_get_v2_client_hello(s);
257 if (ret <= 0) {
258 goto end;
259 }
260 s->state = SSL3_ST_SR_CLNT_HELLO_A;
261 break;
262
263 case SSL3_ST_SR_CLNT_HELLO_A:
264 case SSL3_ST_SR_CLNT_HELLO_B:
265 case SSL3_ST_SR_CLNT_HELLO_C:
266 case SSL3_ST_SR_CLNT_HELLO_D:
267 s->shutdown = 0;
268 ret = ssl3_get_client_hello(s);
269 if (ret <= 0) {
270 goto end;
271 }
272 s->state = SSL3_ST_SW_SRVR_HELLO_A;
273 s->init_num = 0;
274 break;
275
276 case SSL3_ST_SW_SRVR_HELLO_A:
277 case SSL3_ST_SW_SRVR_HELLO_B:
278 ret = ssl3_send_server_hello(s);
279 if (ret <= 0) {
280 goto end;
281 }
282 if (s->hit) {
283 if (s->tlsext_ticket_expected) {
284 s->state = SSL3_ST_SW_SESSION_TICKET_A;
285 } else {
286 s->state = SSL3_ST_SW_CHANGE_A;
287 }
288 } else {
289 s->state = SSL3_ST_SW_CERT_A;
290 }
291 s->init_num = 0;
292 break;
293
294 case SSL3_ST_SW_CERT_A:
295 case SSL3_ST_SW_CERT_B:
296 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
297 ret = ssl3_send_server_certificate(s);
298 if (ret <= 0) {
299 goto end;
300 }
301 if (s->s3->tmp.certificate_status_expected) {
302 s->state = SSL3_ST_SW_CERT_STATUS_A;
303 } else {
304 s->state = SSL3_ST_SW_KEY_EXCH_A;
305 }
306 } else {
307 skip = 1;
308 s->state = SSL3_ST_SW_KEY_EXCH_A;
309 }
310 s->init_num = 0;
311 break;
312
313 case SSL3_ST_SW_KEY_EXCH_A:
314 case SSL3_ST_SW_KEY_EXCH_B:
315 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
316
317 /* Send a ServerKeyExchange message if:
318 * - The key exchange is ephemeral or anonymous
319 * Diffie-Hellman.
320 * - There is a PSK identity hint.
321 *
322 * TODO(davidben): This logic is currently duplicated in d1_srvr.c. Fix
323 * this. In the meantime, keep them in sync. */
324 if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
325 ((alg_a & SSL_aPSK) && s->psk_identity_hint)) {
326 ret = ssl3_send_server_key_exchange(s);
327 if (ret <= 0) {
328 goto end;
329 }
330 } else {
331 skip = 1;
332 }
333
334 s->state = SSL3_ST_SW_CERT_REQ_A;
335 s->init_num = 0;
336 break;
337
338 case SSL3_ST_SW_CERT_REQ_A:
339 case SSL3_ST_SW_CERT_REQ_B:
340 if (s->s3->tmp.cert_request) {
341 ret = ssl3_send_certificate_request(s);
342 if (ret <= 0) {
343 goto end;
344 }
345 } else {
346 skip = 1;
347 }
348 s->state = SSL3_ST_SW_SRVR_DONE_A;
349 s->init_num = 0;
350 break;
351
352 case SSL3_ST_SW_SRVR_DONE_A:
353 case SSL3_ST_SW_SRVR_DONE_B:
354 ret = ssl3_send_server_done(s);
355 if (ret <= 0) {
356 goto end;
357 }
358 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
359 s->state = SSL3_ST_SW_FLUSH;
360 s->init_num = 0;
361 break;
362
363 case SSL3_ST_SW_FLUSH:
364 /* This code originally checked to see if any data was pending using
365 * BIO_CTRL_INFO and then flushed. This caused problems as documented
366 * in PR#1939. The proposed fix doesn't completely resolve this issue
367 * as buggy implementations of BIO_CTRL_PENDING still exist. So instead
368 * we just flush unconditionally. */
369 s->rwstate = SSL_WRITING;
370 if (BIO_flush(s->wbio) <= 0) {
371 ret = -1;
372 goto end;
373 }
374 s->rwstate = SSL_NOTHING;
375
376 s->state = s->s3->tmp.next_state;
377 break;
378
379 case SSL3_ST_SR_CERT_A:
380 case SSL3_ST_SR_CERT_B:
381 if (s->s3->tmp.cert_request) {
382 ret = ssl3_get_client_certificate(s);
383 if (ret <= 0) {
384 goto end;
385 }
386 }
387 s->init_num = 0;
388 s->state = SSL3_ST_SR_KEY_EXCH_A;
389 break;
390
391 case SSL3_ST_SR_KEY_EXCH_A:
392 case SSL3_ST_SR_KEY_EXCH_B:
393 ret = ssl3_get_client_key_exchange(s);
394 if (ret <= 0) {
395 goto end;
396 }
397 s->state = SSL3_ST_SR_CERT_VRFY_A;
398 s->init_num = 0;
399 break;
400
401 case SSL3_ST_SR_CERT_VRFY_A:
402 case SSL3_ST_SR_CERT_VRFY_B:
403 ret = ssl3_get_cert_verify(s);
404 if (ret <= 0) {
405 goto end;
406 }
407
408 s->state = SSL3_ST_SR_CHANGE;
409 s->init_num = 0;
410 break;
411
412 case SSL3_ST_SR_CHANGE: {
413 char next_proto_neg = 0;
414 char channel_id = 0;
415 next_proto_neg = s->s3->next_proto_neg_seen;
416 channel_id = s->s3->tlsext_channel_id_valid;
417
418 /* At this point, the next message must be entirely behind a
419 * ChangeCipherSpec. */
420 if (!ssl3_expect_change_cipher_spec(s)) {
421 ret = -1;
422 goto end;
423 }
424 if (next_proto_neg) {
425 s->state = SSL3_ST_SR_NEXT_PROTO_A;
426 } else if (channel_id) {
427 s->state = SSL3_ST_SR_CHANNEL_ID_A;
428 } else {
429 s->state = SSL3_ST_SR_FINISHED_A;
430 }
431 break;
432 }
433
434 case SSL3_ST_SR_NEXT_PROTO_A:
435 case SSL3_ST_SR_NEXT_PROTO_B:
436 ret = ssl3_get_next_proto(s);
437 if (ret <= 0) {
438 goto end;
439 }
440 s->init_num = 0;
441 if (s->s3->tlsext_channel_id_valid) {
442 s->state = SSL3_ST_SR_CHANNEL_ID_A;
443 } else {
444 s->state = SSL3_ST_SR_FINISHED_A;
445 }
446 break;
447
448 case SSL3_ST_SR_CHANNEL_ID_A:
449 case SSL3_ST_SR_CHANNEL_ID_B:
450 ret = ssl3_get_channel_id(s);
451 if (ret <= 0) {
452 goto end;
453 }
454 s->init_num = 0;
455 s->state = SSL3_ST_SR_FINISHED_A;
456 break;
457
458 case SSL3_ST_SR_FINISHED_A:
459 case SSL3_ST_SR_FINISHED_B:
460 ret =
461 ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B);
462 if (ret <= 0) {
463 goto end;
464 }
465
466 if (s->hit) {
467 s->state = SSL_ST_OK;
468 } else if (s->tlsext_ticket_expected) {
469 s->state = SSL3_ST_SW_SESSION_TICKET_A;
470 } else {
471 s->state = SSL3_ST_SW_CHANGE_A;
472 }
473 /* If this is a full handshake with ChannelID then record the hashshake
474 * hashes in |s->session| in case we need them to verify a ChannelID
475 * signature on a resumption of this session in the future. */
476 if (!s->hit && s->s3->tlsext_channel_id_new) {
477 ret = tls1_record_handshake_hashes_for_channel_id(s);
478 if (ret <= 0) {
479 goto end;
480 }
481 }
482 s->init_num = 0;
483 break;
484
485 case SSL3_ST_SW_SESSION_TICKET_A:
486 case SSL3_ST_SW_SESSION_TICKET_B:
487 ret = ssl3_send_new_session_ticket(s);
488 if (ret <= 0) {
489 goto end;
490 }
491 s->state = SSL3_ST_SW_CHANGE_A;
492 s->init_num = 0;
493 break;
494
495 case SSL3_ST_SW_CHANGE_A:
496 case SSL3_ST_SW_CHANGE_B:
497 s->session->cipher = s->s3->tmp.new_cipher;
498 if (!s->enc_method->setup_key_block(s)) {
499 ret = -1;
500 goto end;
501 }
502
503 ret = ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A,
504 SSL3_ST_SW_CHANGE_B);
505 if (ret <= 0) {
506 goto end;
507 }
508 s->state = SSL3_ST_SW_FINISHED_A;
509 s->init_num = 0;
510
511 if (!s->enc_method->change_cipher_state(
512 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
513 ret = -1;
514 goto end;
515 }
516 break;
517
518 case SSL3_ST_SW_FINISHED_A:
519 case SSL3_ST_SW_FINISHED_B:
520 ret =
521 ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
522 s->enc_method->server_finished_label,
523 s->enc_method->server_finished_label_len);
524 if (ret <= 0) {
525 goto end;
526 }
527 s->state = SSL3_ST_SW_FLUSH;
528 if (s->hit) {
529 s->s3->tmp.next_state = SSL3_ST_SR_CHANGE;
530 } else {
531 s->s3->tmp.next_state = SSL_ST_OK;
532 }
533 s->init_num = 0;
534 break;
535
536 case SSL_ST_OK:
537 /* clean a few things up */
538 ssl3_cleanup_key_block(s);
539
540 BUF_MEM_free(s->init_buf);
541 s->init_buf = NULL;
542
543 /* remove buffering on output */
544 ssl_free_wbio_buffer(s);
545
546 s->init_num = 0;
547
548 /* If we aren't retaining peer certificates then we can discard it
549 * now. */
550 if (s->ctx->retain_only_sha256_of_client_certs) {
551 X509_free(s->session->peer);
552 s->session->peer = NULL;
553 }
554
555 s->s3->initial_handshake_complete = 1;
556
557 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
558
559 if (cb != NULL) {
560 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
561 }
562
563 ret = 1;
564 goto end;
565
566 default:
567 OPENSSL_PUT_ERROR(SSL, ssl3_accept, SSL_R_UNKNOWN_STATE);
568 ret = -1;
569 goto end;
570 }
571
572 if (!s->s3->tmp.reuse_message && !skip && cb != NULL && s->state != state) {
573 new_state = s->state;
574 s->state = state;
575 cb(s, SSL_CB_ACCEPT_LOOP, 1);
576 s->state = new_state;
577 }
578 skip = 0;
579 }
580
581 end:
582 s->in_handshake--;
583 BUF_MEM_free(buf);
584 if (cb != NULL) {
585 cb(s, SSL_CB_ACCEPT_EXIT, ret);
586 }
587 return ret;
588 }
589
ssl3_read_sniff_buffer(SSL * s,size_t n)590 static int ssl3_read_sniff_buffer(SSL *s, size_t n) {
591 if (s->s3->sniff_buffer == NULL) {
592 s->s3->sniff_buffer = BUF_MEM_new();
593 }
594 if (s->s3->sniff_buffer == NULL || !BUF_MEM_grow(s->s3->sniff_buffer, n)) {
595 return -1;
596 }
597
598 while (s->s3->sniff_buffer_len < n) {
599 int ret;
600
601 s->rwstate = SSL_READING;
602 ret = BIO_read(s->rbio, s->s3->sniff_buffer->data + s->s3->sniff_buffer_len,
603 n - s->s3->sniff_buffer_len);
604 if (ret <= 0) {
605 return ret;
606 }
607 s->rwstate = SSL_NOTHING;
608 s->s3->sniff_buffer_len += ret;
609 }
610
611 return 1;
612 }
613
ssl3_get_initial_bytes(SSL * s)614 int ssl3_get_initial_bytes(SSL *s) {
615 int ret;
616 const uint8_t *p;
617
618 /* Read the first 8 bytes. To recognize a ClientHello or V2ClientHello only
619 * needs the first 6 bytes, but 8 is needed to recognize CONNECT below. */
620 ret = ssl3_read_sniff_buffer(s, INITIAL_SNIFF_BUFFER_SIZE);
621 if (ret <= 0) {
622 return ret;
623 }
624 assert(s->s3->sniff_buffer_len >= INITIAL_SNIFF_BUFFER_SIZE);
625 p = (const uint8_t *)s->s3->sniff_buffer->data;
626
627 /* Some dedicated error codes for protocol mixups should the application wish
628 * to interpret them differently. (These do not overlap with ClientHello or
629 * V2ClientHello.) */
630 if (strncmp("GET ", (const char *)p, 4) == 0 ||
631 strncmp("POST ", (const char *)p, 5) == 0 ||
632 strncmp("HEAD ", (const char *)p, 5) == 0 ||
633 strncmp("PUT ", (const char *)p, 4) == 0) {
634 OPENSSL_PUT_ERROR(SSL, ssl3_get_initial_bytes, SSL_R_HTTP_REQUEST);
635 return -1;
636 }
637 if (strncmp("CONNECT ", (const char *)p, 8) == 0) {
638 OPENSSL_PUT_ERROR(SSL, ssl3_get_initial_bytes, SSL_R_HTTPS_PROXY_REQUEST);
639 return -1;
640 }
641
642 /* Determine if this is a ClientHello or V2ClientHello. */
643 if ((p[0] & 0x80) && p[2] == SSL2_MT_CLIENT_HELLO &&
644 p[3] >= SSL3_VERSION_MAJOR) {
645 /* This is a V2ClientHello. */
646 s->state = SSL3_ST_SR_V2_CLIENT_HELLO;
647 return 1;
648 }
649 if (p[0] == SSL3_RT_HANDSHAKE && p[1] >= SSL3_VERSION_MAJOR &&
650 p[5] == SSL3_MT_CLIENT_HELLO) {
651 /* This is a ClientHello. Initialize the record layer with the already
652 * consumed data and continue the handshake. */
653 if (!ssl3_setup_read_buffer(s)) {
654 return -1;
655 }
656 assert(s->rstate == SSL_ST_READ_HEADER);
657 /* There cannot have already been data in the record layer. */
658 assert(s->s3->rbuf.left == 0);
659 memcpy(s->s3->rbuf.buf, p, s->s3->sniff_buffer_len);
660 s->s3->rbuf.offset = 0;
661 s->s3->rbuf.left = s->s3->sniff_buffer_len;
662 s->packet_length = 0;
663
664 BUF_MEM_free(s->s3->sniff_buffer);
665 s->s3->sniff_buffer = NULL;
666 s->s3->sniff_buffer_len = 0;
667
668 s->state = SSL3_ST_SR_CLNT_HELLO_A;
669 return 1;
670 }
671
672 OPENSSL_PUT_ERROR(SSL, ssl3_get_initial_bytes, SSL_R_UNKNOWN_PROTOCOL);
673 return -1;
674 }
675
ssl3_get_v2_client_hello(SSL * s)676 int ssl3_get_v2_client_hello(SSL *s) {
677 const uint8_t *p;
678 int ret;
679 CBS v2_client_hello, cipher_specs, session_id, challenge;
680 size_t msg_length, rand_len, len;
681 uint8_t msg_type;
682 uint16_t version, cipher_spec_length, session_id_length, challenge_length;
683 CBB client_hello, hello_body, cipher_suites;
684 uint8_t random[SSL3_RANDOM_SIZE];
685
686 /* Read the remainder of the V2ClientHello. We have previously read 8 bytes
687 * in ssl3_get_initial_bytes. */
688 assert(s->s3->sniff_buffer_len >= INITIAL_SNIFF_BUFFER_SIZE);
689 p = (const uint8_t *)s->s3->sniff_buffer->data;
690 msg_length = ((p[0] & 0x7f) << 8) | p[1];
691 if (msg_length > (1024 * 4)) {
692 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, SSL_R_RECORD_TOO_LARGE);
693 return -1;
694 }
695 if (msg_length < INITIAL_SNIFF_BUFFER_SIZE - 2) {
696 /* Reject lengths that are too short early. We have already read 8 bytes,
697 * so we should not attempt to process an (invalid) V2ClientHello which
698 * would be shorter than that. */
699 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello,
700 SSL_R_RECORD_LENGTH_MISMATCH);
701 return -1;
702 }
703
704 ret = ssl3_read_sniff_buffer(s, msg_length + 2);
705 if (ret <= 0) {
706 return ret;
707 }
708 assert(s->s3->sniff_buffer_len == msg_length + 2);
709 CBS_init(&v2_client_hello, (const uint8_t *)s->s3->sniff_buffer->data + 2,
710 msg_length);
711
712 /* The V2ClientHello without the length is incorporated into the Finished
713 * hash. */
714 if (!ssl3_finish_mac(s, CBS_data(&v2_client_hello),
715 CBS_len(&v2_client_hello))) {
716 return -1;
717 }
718 if (s->msg_callback) {
719 s->msg_callback(0, SSL2_VERSION, 0, CBS_data(&v2_client_hello),
720 CBS_len(&v2_client_hello), s, s->msg_callback_arg);
721 }
722
723 if (!CBS_get_u8(&v2_client_hello, &msg_type) ||
724 !CBS_get_u16(&v2_client_hello, &version) ||
725 !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||
726 !CBS_get_u16(&v2_client_hello, &session_id_length) ||
727 !CBS_get_u16(&v2_client_hello, &challenge_length) ||
728 !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||
729 !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||
730 !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||
731 CBS_len(&v2_client_hello) != 0) {
732 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, SSL_R_DECODE_ERROR);
733 return -1;
734 }
735
736 /* msg_type has already been checked. */
737 assert(msg_type == SSL2_MT_CLIENT_HELLO);
738
739 /* The client_random is the V2ClientHello challenge. Truncate or
740 * left-pad with zeros as needed. */
741 memset(random, 0, SSL3_RANDOM_SIZE);
742 rand_len = CBS_len(&challenge);
743 if (rand_len > SSL3_RANDOM_SIZE) {
744 rand_len = SSL3_RANDOM_SIZE;
745 }
746 memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
747 rand_len);
748
749 /* Write out an equivalent SSLv3 ClientHello. */
750 if (!CBB_init_fixed(&client_hello, (uint8_t *)s->init_buf->data,
751 s->init_buf->max)) {
752 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, ERR_R_MALLOC_FAILURE);
753 return -1;
754 }
755 if (!CBB_add_u8(&client_hello, SSL3_MT_CLIENT_HELLO) ||
756 !CBB_add_u24_length_prefixed(&client_hello, &hello_body) ||
757 !CBB_add_u16(&hello_body, version) ||
758 !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
759 /* No session id. */
760 !CBB_add_u8(&hello_body, 0) ||
761 !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
762 CBB_cleanup(&client_hello);
763 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, ERR_R_INTERNAL_ERROR);
764 return -1;
765 }
766
767 /* Copy the cipher suites. */
768 while (CBS_len(&cipher_specs) > 0) {
769 uint32_t cipher_spec;
770 if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
771 CBB_cleanup(&client_hello);
772 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, SSL_R_DECODE_ERROR);
773 return -1;
774 }
775
776 /* Skip SSLv2 ciphers. */
777 if ((cipher_spec & 0xff0000) != 0) {
778 continue;
779 }
780 if (!CBB_add_u16(&cipher_suites, cipher_spec)) {
781 CBB_cleanup(&client_hello);
782 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, ERR_R_INTERNAL_ERROR);
783 return -1;
784 }
785 }
786
787 /* Add the null compression scheme and finish. */
788 if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||
789 !CBB_finish(&client_hello, NULL, &len)) {
790 CBB_cleanup(&client_hello);
791 OPENSSL_PUT_ERROR(SSL, ssl3_get_v2_client_hello, ERR_R_INTERNAL_ERROR);
792 return -1;
793 }
794
795 /* Mark the message for "re"-use by the version-specific method. */
796 s->s3->tmp.reuse_message = 1;
797 s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
798 /* The handshake message header is 4 bytes. */
799 s->s3->tmp.message_size = len - 4;
800
801 /* Drop the sniff buffer. */
802 BUF_MEM_free(s->s3->sniff_buffer);
803 s->s3->sniff_buffer = NULL;
804 s->s3->sniff_buffer_len = 0;
805
806 return 1;
807 }
808
ssl3_get_client_hello(SSL * s)809 int ssl3_get_client_hello(SSL *s) {
810 int ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
811 long n;
812 const SSL_CIPHER *c;
813 STACK_OF(SSL_CIPHER) *ciphers = NULL;
814 struct ssl_early_callback_ctx early_ctx;
815 CBS client_hello;
816 uint16_t client_version;
817 CBS client_random, session_id, cipher_suites, compression_methods;
818
819 /* We do this so that we will respond with our native type. If we are TLSv1
820 * and we get SSLv3, we will respond with TLSv1, This down switching should
821 * be handled by a different method. If we are SSLv3, we will respond with
822 * SSLv3, even if prompted with TLSv1. */
823 switch (s->state) {
824 case SSL3_ST_SR_CLNT_HELLO_A:
825 case SSL3_ST_SR_CLNT_HELLO_B:
826 n = s->method->ssl_get_message(
827 s, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
828 SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
829 ssl_hash_message, &ok);
830
831 if (!ok) {
832 return n;
833 }
834
835 s->state = SSL3_ST_SR_CLNT_HELLO_C;
836 /* fallthrough */
837 case SSL3_ST_SR_CLNT_HELLO_C:
838 case SSL3_ST_SR_CLNT_HELLO_D:
839 /* We have previously parsed the ClientHello message, and can't call
840 * ssl_get_message again without hashing the message into the Finished
841 * digest again. */
842 n = s->init_num;
843
844 memset(&early_ctx, 0, sizeof(early_ctx));
845 early_ctx.ssl = s;
846 early_ctx.client_hello = s->init_msg;
847 early_ctx.client_hello_len = n;
848 if (!ssl_early_callback_init(&early_ctx)) {
849 al = SSL_AD_DECODE_ERROR;
850 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello,
851 SSL_R_CLIENTHELLO_PARSE_FAILED);
852 goto f_err;
853 }
854
855 if (s->state == SSL3_ST_SR_CLNT_HELLO_C &&
856 s->ctx->select_certificate_cb != NULL) {
857 s->state = SSL3_ST_SR_CLNT_HELLO_D;
858 switch (s->ctx->select_certificate_cb(&early_ctx)) {
859 case 0:
860 s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
861 goto err;
862
863 case -1:
864 /* Connection rejected. */
865 al = SSL_AD_ACCESS_DENIED;
866 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello,
867 SSL_R_CONNECTION_REJECTED);
868 goto f_err;
869
870 default:
871 /* fallthrough */;
872 }
873 }
874 s->state = SSL3_ST_SR_CLNT_HELLO_D;
875 break;
876
877 default:
878 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_UNKNOWN_STATE);
879 return -1;
880 }
881
882 CBS_init(&client_hello, s->init_msg, n);
883 if (!CBS_get_u16(&client_hello, &client_version) ||
884 !CBS_get_bytes(&client_hello, &client_random, SSL3_RANDOM_SIZE) ||
885 !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
886 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
887 al = SSL_AD_DECODE_ERROR;
888 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
889 goto f_err;
890 }
891
892 /* use version from inside client hello, not from record header (may differ:
893 * see RFC 2246, Appendix E, second paragraph) */
894 s->client_version = client_version;
895
896 /* Load the client random. */
897 memcpy(s->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);
898
899 if (SSL_IS_DTLS(s)) {
900 CBS cookie;
901
902 if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
903 CBS_len(&cookie) > DTLS1_COOKIE_LENGTH) {
904 al = SSL_AD_DECODE_ERROR;
905 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
906 goto f_err;
907 }
908 }
909
910 /* Note: This codepath may run twice if |ssl_get_prev_session| completes
911 * asynchronously.
912 *
913 * TODO(davidben): Clean up the order of events around ClientHello
914 * processing. */
915 if (!s->s3->have_version) {
916 /* Select version to use */
917 uint16_t version = ssl3_get_mutual_version(s, client_version);
918 if (version == 0) {
919 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_UNSUPPORTED_PROTOCOL);
920 s->version = s->client_version;
921 al = SSL_AD_PROTOCOL_VERSION;
922 goto f_err;
923 }
924 s->version = version;
925 s->enc_method = ssl3_get_enc_method(version);
926 assert(s->enc_method != NULL);
927 /* At this point, the connection's version is known and |s->version| is
928 * fixed. Begin enforcing the record-layer version. */
929 s->s3->have_version = 1;
930 } else if (SSL_IS_DTLS(s) ? (s->client_version > s->version)
931 : (s->client_version < s->version)) {
932 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_WRONG_VERSION_NUMBER);
933 al = SSL_AD_PROTOCOL_VERSION;
934 goto f_err;
935 }
936
937 s->hit = 0;
938 int session_ret = ssl_get_prev_session(s, &early_ctx);
939 if (session_ret == PENDING_SESSION) {
940 s->rwstate = SSL_PENDING_SESSION;
941 goto err;
942 } else if (session_ret == -1) {
943 goto err;
944 }
945
946 /* The EMS state is needed when making the resumption decision, but
947 * extensions are not normally parsed until later. This detects the EMS
948 * extension for the resumption decision and it's checked against the result
949 * of the normal parse later in this function. */
950 const uint8_t *ems_data;
951 size_t ems_len;
952 int have_extended_master_secret =
953 s->version != SSL3_VERSION &&
954 SSL_early_callback_ctx_extension_get(&early_ctx,
955 TLSEXT_TYPE_extended_master_secret,
956 &ems_data, &ems_len) &&
957 ems_len == 0;
958
959 if (session_ret == 1) {
960 if (s->session->extended_master_secret &&
961 !have_extended_master_secret) {
962 /* A ClientHello without EMS that attempts to resume a session with EMS
963 * is fatal to the connection. */
964 al = SSL_AD_HANDSHAKE_FAILURE;
965 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello,
966 SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
967 goto f_err;
968 }
969
970 s->hit =
971 /* Only resume if the session's version matches the negotiated version:
972 * most clients do not accept a mismatch. */
973 s->version == s->session->ssl_version &&
974 /* If the client offers the EMS extension, but the previous session
975 * didn't use it, then negotiate a new session. */
976 have_extended_master_secret == s->session->extended_master_secret;
977 }
978
979 if (!s->hit && !ssl_get_new_session(s, 1)) {
980 goto err;
981 }
982
983 if (s->ctx->dos_protection_cb != NULL && s->ctx->dos_protection_cb(&early_ctx) == 0) {
984 /* Connection rejected for DOS reasons. */
985 al = SSL_AD_ACCESS_DENIED;
986 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_CONNECTION_REJECTED);
987 goto f_err;
988 }
989
990 if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
991 CBS_len(&cipher_suites) == 0 ||
992 CBS_len(&cipher_suites) % 2 != 0 ||
993 !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
994 CBS_len(&compression_methods) == 0) {
995 al = SSL_AD_DECODE_ERROR;
996 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
997 goto f_err;
998 }
999
1000 ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites);
1001 if (ciphers == NULL) {
1002 goto err;
1003 }
1004
1005 /* If it is a hit, check that the cipher is in the list. */
1006 if (s->hit) {
1007 size_t j;
1008 int found_cipher = 0;
1009 uint32_t id = s->session->cipher->id;
1010
1011 for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
1012 c = sk_SSL_CIPHER_value(ciphers, j);
1013 if (c->id == id) {
1014 found_cipher = 1;
1015 break;
1016 }
1017 }
1018
1019 if (!found_cipher) {
1020 /* we need to have the cipher in the cipher list if we are asked to reuse
1021 * it */
1022 al = SSL_AD_ILLEGAL_PARAMETER;
1023 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello,
1024 SSL_R_REQUIRED_CIPHER_MISSING);
1025 goto f_err;
1026 }
1027 }
1028
1029 /* Only null compression is supported. */
1030 if (memchr(CBS_data(&compression_methods), 0,
1031 CBS_len(&compression_methods)) == NULL) {
1032 al = SSL_AD_ILLEGAL_PARAMETER;
1033 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello,
1034 SSL_R_NO_COMPRESSION_SPECIFIED);
1035 goto f_err;
1036 }
1037
1038 /* TLS extensions. */
1039 if (s->version >= SSL3_VERSION &&
1040 !ssl_parse_clienthello_tlsext(s, &client_hello)) {
1041 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_PARSE_TLSEXT);
1042 goto err;
1043 }
1044
1045 /* There should be nothing left over in the record. */
1046 if (CBS_len(&client_hello) != 0) {
1047 /* wrong packet length */
1048 al = SSL_AD_DECODE_ERROR;
1049 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_BAD_PACKET_LENGTH);
1050 goto f_err;
1051 }
1052
1053 if (have_extended_master_secret != s->s3->tmp.extended_master_secret) {
1054 al = SSL_AD_INTERNAL_ERROR;
1055 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_EMS_STATE_INCONSISTENT);
1056 goto f_err;
1057 }
1058
1059 /* Given ciphers and SSL_get_ciphers, we must pick a cipher */
1060 if (!s->hit) {
1061 if (ciphers == NULL) {
1062 al = SSL_AD_ILLEGAL_PARAMETER;
1063 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_NO_CIPHERS_PASSED);
1064 goto f_err;
1065 }
1066
1067 /* Let cert callback update server certificates if required */
1068 if (s->cert->cert_cb) {
1069 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
1070 if (rv == 0) {
1071 al = SSL_AD_INTERNAL_ERROR;
1072 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_CERT_CB_ERROR);
1073 goto f_err;
1074 }
1075 if (rv < 0) {
1076 s->rwstate = SSL_X509_LOOKUP;
1077 goto err;
1078 }
1079 s->rwstate = SSL_NOTHING;
1080 }
1081 c = ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
1082
1083 if (c == NULL) {
1084 al = SSL_AD_HANDSHAKE_FAILURE;
1085 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_NO_SHARED_CIPHER);
1086 goto f_err;
1087 }
1088 s->s3->tmp.new_cipher = c;
1089
1090 /* Determine whether to request a client certificate. */
1091 s->s3->tmp.cert_request = !!(s->verify_mode & SSL_VERIFY_PEER);
1092 /* Only request a certificate if Channel ID isn't negotiated. */
1093 if ((s->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
1094 s->s3->tlsext_channel_id_valid) {
1095 s->s3->tmp.cert_request = 0;
1096 }
1097 /* Plain PSK forbids Certificate and CertificateRequest. */
1098 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1099 s->s3->tmp.cert_request = 0;
1100 }
1101 } else {
1102 /* Session-id reuse */
1103 s->s3->tmp.new_cipher = s->session->cipher;
1104 s->s3->tmp.cert_request = 0;
1105 }
1106
1107 /* In TLS 1.2, client authentication requires hashing the handshake transcript
1108 * under a different hash. Otherwise, release the handshake buffer. */
1109 if ((!SSL_USE_SIGALGS(s) || !s->s3->tmp.cert_request) &&
1110 !ssl3_digest_cached_records(s, free_handshake_buffer)) {
1111 goto f_err;
1112 }
1113
1114 /* we now have the following setup;
1115 * client_random
1116 * cipher_list - our prefered list of ciphers
1117 * ciphers - the clients prefered list of ciphers
1118 * compression - basically ignored right now
1119 * ssl version is set - sslv3
1120 * s->session - The ssl session has been setup.
1121 * s->hit - session reuse flag
1122 * s->tmp.new_cipher - the new cipher to use. */
1123
1124 if (ret < 0) {
1125 ret = -ret;
1126 }
1127
1128 if (0) {
1129 f_err:
1130 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1131 }
1132
1133 err:
1134 sk_SSL_CIPHER_free(ciphers);
1135 return ret;
1136 }
1137
ssl3_send_server_hello(SSL * s)1138 int ssl3_send_server_hello(SSL *s) {
1139 uint8_t *buf;
1140 uint8_t *p, *d;
1141 int sl;
1142 unsigned long l;
1143
1144 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1145 /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
1146 * known attack while we fix ChannelID itself. */
1147 if (s->s3->tlsext_channel_id_valid &&
1148 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
1149 s->s3->tlsext_channel_id_valid = 0;
1150 }
1151
1152 /* If this is a resumption and the original handshake didn't support
1153 * ChannelID then we didn't record the original handshake hashes in the
1154 * session and so cannot resume with ChannelIDs. */
1155 if (s->hit && s->s3->tlsext_channel_id_new &&
1156 s->session->original_handshake_hash_len == 0) {
1157 s->s3->tlsext_channel_id_valid = 0;
1158 }
1159
1160 buf = (uint8_t *)s->init_buf->data;
1161 /* Do the message type and length last */
1162 d = p = ssl_handshake_start(s);
1163
1164 *(p++) = s->version >> 8;
1165 *(p++) = s->version & 0xff;
1166
1167 /* Random stuff */
1168 if (!ssl_fill_hello_random(s->s3->server_random, SSL3_RANDOM_SIZE,
1169 1 /* server */)) {
1170 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_hello, ERR_R_INTERNAL_ERROR);
1171 return -1;
1172 }
1173 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1174 p += SSL3_RANDOM_SIZE;
1175
1176 /* There are several cases for the session ID to send
1177 * back in the server hello:
1178 * - For session reuse from the session cache, we send back the old session
1179 * ID.
1180 * - If stateless session reuse (using a session ticket) is successful, we
1181 * send back the client's "session ID" (which doesn't actually identify
1182 * the session).
1183 * - If it is a new session, we send back the new session ID.
1184 * - However, if we want the new session to be single-use, we send back a
1185 * 0-length session ID.
1186 * s->hit is non-zero in either case of session reuse, so the following
1187 * won't overwrite an ID that we're supposed to send back. */
1188 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit) {
1189 s->session->session_id_length = 0;
1190 }
1191
1192 sl = s->session->session_id_length;
1193 if (sl > (int)sizeof(s->session->session_id)) {
1194 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_hello, ERR_R_INTERNAL_ERROR);
1195 return -1;
1196 }
1197 *(p++) = sl;
1198 memcpy(p, s->session->session_id, sl);
1199 p += sl;
1200
1201 /* put the cipher */
1202 s2n(ssl_cipher_get_value(s->s3->tmp.new_cipher), p);
1203
1204 /* put the compression method */
1205 *(p++) = 0;
1206 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1207 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_hello, SSL_R_SERVERHELLO_TLSEXT);
1208 return -1;
1209 }
1210 p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH);
1211 if (p == NULL) {
1212 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_hello, ERR_R_INTERNAL_ERROR);
1213 return -1;
1214 }
1215
1216 /* do the header */
1217 l = (p - d);
1218 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
1219 return -1;
1220 }
1221 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1222 }
1223
1224 /* SSL3_ST_SW_SRVR_HELLO_B */
1225 return ssl_do_write(s);
1226 }
1227
ssl3_send_server_done(SSL * s)1228 int ssl3_send_server_done(SSL *s) {
1229 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1230 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
1231 return -1;
1232 }
1233 s->state = SSL3_ST_SW_SRVR_DONE_B;
1234 }
1235
1236 /* SSL3_ST_SW_SRVR_DONE_B */
1237 return ssl_do_write(s);
1238 }
1239
ssl3_send_server_key_exchange(SSL * s)1240 int ssl3_send_server_key_exchange(SSL *s) {
1241 DH *dh = NULL, *dhp;
1242 EC_KEY *ecdh = NULL;
1243 uint8_t *encodedPoint = NULL;
1244 int encodedlen = 0;
1245 uint16_t curve_id = 0;
1246 BN_CTX *bn_ctx = NULL;
1247 const char *psk_identity_hint = NULL;
1248 size_t psk_identity_hint_len = 0;
1249 EVP_PKEY *pkey;
1250 uint8_t *p, *d;
1251 int al, i;
1252 uint32_t alg_k;
1253 uint32_t alg_a;
1254 int n;
1255 CERT *cert;
1256 BIGNUM *r[4];
1257 int nr[4], kn;
1258 BUF_MEM *buf;
1259 EVP_MD_CTX md_ctx;
1260
1261 EVP_MD_CTX_init(&md_ctx);
1262 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1263 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1264 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1265 cert = s->cert;
1266
1267 buf = s->init_buf;
1268
1269 r[0] = r[1] = r[2] = r[3] = NULL;
1270 n = 0;
1271 if (alg_a & SSL_aPSK) {
1272 /* size for PSK identity hint */
1273 psk_identity_hint = s->psk_identity_hint;
1274 if (psk_identity_hint) {
1275 psk_identity_hint_len = strlen(psk_identity_hint);
1276 } else {
1277 psk_identity_hint_len = 0;
1278 }
1279 n += 2 + psk_identity_hint_len;
1280 }
1281
1282 if (alg_k & SSL_kDHE) {
1283 dhp = cert->dh_tmp;
1284 if (dhp == NULL && s->cert->dh_tmp_cb != NULL) {
1285 dhp = s->cert->dh_tmp_cb(s, 0, 1024);
1286 }
1287 if (dhp == NULL) {
1288 al = SSL_AD_HANDSHAKE_FAILURE;
1289 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1290 SSL_R_MISSING_TMP_DH_KEY);
1291 goto f_err;
1292 }
1293
1294 if (s->s3->tmp.dh != NULL) {
1295 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1296 ERR_R_INTERNAL_ERROR);
1297 goto err;
1298 }
1299 dh = DHparams_dup(dhp);
1300 if (dh == NULL) {
1301 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
1302 goto err;
1303 }
1304 s->s3->tmp.dh = dh;
1305
1306 if (!DH_generate_key(dh)) {
1307 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
1308 goto err;
1309 }
1310
1311 r[0] = dh->p;
1312 r[1] = dh->g;
1313 r[2] = dh->pub_key;
1314 } else if (alg_k & SSL_kECDHE) {
1315 /* Determine the curve to use. */
1316 int nid = NID_undef;
1317 if (cert->ecdh_nid != NID_undef) {
1318 nid = cert->ecdh_nid;
1319 } else if (cert->ecdh_tmp_cb != NULL) {
1320 /* Note: |ecdh_tmp_cb| does NOT pass ownership of the result
1321 * to the caller. */
1322 EC_KEY *template = s->cert->ecdh_tmp_cb(s, 0, 1024);
1323 if (template != NULL && EC_KEY_get0_group(template) != NULL) {
1324 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(template));
1325 }
1326 } else {
1327 nid = tls1_get_shared_curve(s);
1328 }
1329 if (nid == NID_undef) {
1330 al = SSL_AD_HANDSHAKE_FAILURE;
1331 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1332 SSL_R_MISSING_TMP_ECDH_KEY);
1333 goto f_err;
1334 }
1335
1336 if (s->s3->tmp.ecdh != NULL) {
1337 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1338 ERR_R_INTERNAL_ERROR);
1339 goto err;
1340 }
1341 ecdh = EC_KEY_new_by_curve_name(nid);
1342 if (ecdh == NULL) {
1343 goto err;
1344 }
1345 s->s3->tmp.ecdh = ecdh;
1346
1347 if (!EC_KEY_generate_key(ecdh)) {
1348 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
1349 goto err;
1350 }
1351
1352 /* We only support ephemeral ECDH keys over named (not generic) curves. */
1353 const EC_GROUP *group = EC_KEY_get0_group(ecdh);
1354 if (!tls1_ec_nid2curve_id(&curve_id, EC_GROUP_get_curve_name(group))) {
1355 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1356 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1357 goto err;
1358 }
1359
1360 /* Encode the public key. First check the size of encoding and allocate
1361 * memory accordingly. */
1362 encodedlen =
1363 EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1364 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
1365
1366 encodedPoint = (uint8_t *)OPENSSL_malloc(encodedlen * sizeof(uint8_t));
1367 bn_ctx = BN_CTX_new();
1368 if (encodedPoint == NULL || bn_ctx == NULL) {
1369 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1370 ERR_R_MALLOC_FAILURE);
1371 goto err;
1372 }
1373
1374 encodedlen = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
1375 POINT_CONVERSION_UNCOMPRESSED,
1376 encodedPoint, encodedlen, bn_ctx);
1377
1378 if (encodedlen == 0) {
1379 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
1380 goto err;
1381 }
1382
1383 BN_CTX_free(bn_ctx);
1384 bn_ctx = NULL;
1385
1386 /* We only support named (not generic) curves in ECDH ephemeral key
1387 * exchanges. In this situation, we need four additional bytes to encode
1388 * the entire ServerECDHParams structure. */
1389 n += 4 + encodedlen;
1390
1391 /* We'll generate the serverKeyExchange message explicitly so we can set
1392 * these to NULLs */
1393 r[0] = NULL;
1394 r[1] = NULL;
1395 r[2] = NULL;
1396 r[3] = NULL;
1397 } else if (!(alg_k & SSL_kPSK)) {
1398 al = SSL_AD_HANDSHAKE_FAILURE;
1399 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1400 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1401 goto f_err;
1402 }
1403
1404 for (i = 0; i < 4 && r[i] != NULL; i++) {
1405 nr[i] = BN_num_bytes(r[i]);
1406 n += 2 + nr[i];
1407 }
1408
1409 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
1410 pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher);
1411 if (pkey == NULL) {
1412 al = SSL_AD_DECODE_ERROR;
1413 goto f_err;
1414 }
1415 kn = EVP_PKEY_size(pkey);
1416 } else {
1417 pkey = NULL;
1418 kn = 0;
1419 }
1420
1421 if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
1422 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_LIB_BUF);
1423 goto err;
1424 }
1425 d = p = ssl_handshake_start(s);
1426
1427 for (i = 0; i < 4 && r[i] != NULL; i++) {
1428 s2n(nr[i], p);
1429 BN_bn2bin(r[i], p);
1430 p += nr[i];
1431 }
1432
1433 /* Note: ECDHE PSK ciphersuites use SSL_kECDHE and SSL_aPSK. When one of
1434 * them is used, the server key exchange record needs to have both the
1435 * psk_identity_hint and the ServerECDHParams. */
1436 if (alg_a & SSL_aPSK) {
1437 /* copy PSK identity hint (if provided) */
1438 s2n(psk_identity_hint_len, p);
1439 if (psk_identity_hint_len > 0) {
1440 memcpy(p, psk_identity_hint, psk_identity_hint_len);
1441 p += psk_identity_hint_len;
1442 }
1443 }
1444
1445 if (alg_k & SSL_kECDHE) {
1446 /* We only support named (not generic) curves. In this situation, the
1447 * serverKeyExchange message has:
1448 * [1 byte CurveType], [2 byte CurveName]
1449 * [1 byte length of encoded point], followed by
1450 * the actual encoded point itself. */
1451 *(p++) = NAMED_CURVE_TYPE;
1452 *(p++) = (uint8_t)(curve_id >> 8);
1453 *(p++) = (uint8_t)(curve_id & 0xff);
1454 *(p++) = encodedlen;
1455 memcpy(p, encodedPoint, encodedlen);
1456 p += encodedlen;
1457 OPENSSL_free(encodedPoint);
1458 encodedPoint = NULL;
1459 }
1460
1461 /* not anonymous */
1462 if (pkey != NULL) {
1463 /* n is the length of the params, they start at &(d[4]) and p points to
1464 * the space at the end. */
1465 const EVP_MD *md;
1466 size_t sig_len = EVP_PKEY_size(pkey);
1467
1468 /* Determine signature algorithm. */
1469 if (SSL_USE_SIGALGS(s)) {
1470 md = tls1_choose_signing_digest(s, pkey);
1471 if (!tls12_get_sigandhash(p, pkey, md)) {
1472 /* Should never happen */
1473 al = SSL_AD_INTERNAL_ERROR;
1474 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
1475 ERR_R_INTERNAL_ERROR);
1476 goto f_err;
1477 }
1478 p += 2;
1479 } else if (pkey->type == EVP_PKEY_RSA) {
1480 md = EVP_md5_sha1();
1481 } else {
1482 md = EVP_sha1();
1483 }
1484
1485 if (!EVP_DigestSignInit(&md_ctx, NULL, md, NULL, pkey) ||
1486 !EVP_DigestSignUpdate(&md_ctx, s->s3->client_random,
1487 SSL3_RANDOM_SIZE) ||
1488 !EVP_DigestSignUpdate(&md_ctx, s->s3->server_random,
1489 SSL3_RANDOM_SIZE) ||
1490 !EVP_DigestSignUpdate(&md_ctx, d, n) ||
1491 !EVP_DigestSignFinal(&md_ctx, &p[2], &sig_len)) {
1492 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_LIB_EVP);
1493 goto err;
1494 }
1495
1496 s2n(sig_len, p);
1497 n += sig_len + 2;
1498 if (SSL_USE_SIGALGS(s)) {
1499 n += 2;
1500 }
1501 }
1502
1503 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
1504 goto err;
1505 }
1506 }
1507
1508 s->state = SSL3_ST_SW_KEY_EXCH_B;
1509 EVP_MD_CTX_cleanup(&md_ctx);
1510 return ssl_do_write(s);
1511
1512 f_err:
1513 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1514 err:
1515 OPENSSL_free(encodedPoint);
1516 BN_CTX_free(bn_ctx);
1517 EVP_MD_CTX_cleanup(&md_ctx);
1518 return -1;
1519 }
1520
ssl3_send_certificate_request(SSL * s)1521 int ssl3_send_certificate_request(SSL *s) {
1522 uint8_t *p, *d;
1523 size_t i;
1524 int j, nl, off, n;
1525 STACK_OF(X509_NAME) *sk = NULL;
1526 X509_NAME *name;
1527 BUF_MEM *buf;
1528
1529 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
1530 buf = s->init_buf;
1531
1532 d = p = ssl_handshake_start(s);
1533
1534 /* get the list of acceptable cert types */
1535 p++;
1536 n = ssl3_get_req_cert_type(s, p);
1537 d[0] = n;
1538 p += n;
1539 n++;
1540
1541 if (SSL_USE_SIGALGS(s)) {
1542 const uint8_t *psigs;
1543 nl = tls12_get_psigalgs(s, &psigs);
1544 s2n(nl, p);
1545 memcpy(p, psigs, nl);
1546 p += nl;
1547 n += nl + 2;
1548 }
1549
1550 off = n;
1551 p += 2;
1552 n += 2;
1553
1554 sk = SSL_get_client_CA_list(s);
1555 nl = 0;
1556 if (sk != NULL) {
1557 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1558 name = sk_X509_NAME_value(sk, i);
1559 j = i2d_X509_NAME(name, NULL);
1560 if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
1561 OPENSSL_PUT_ERROR(SSL, ssl3_send_certificate_request, ERR_R_BUF_LIB);
1562 goto err;
1563 }
1564 p = ssl_handshake_start(s) + n;
1565 s2n(j, p);
1566 i2d_X509_NAME(name, &p);
1567 n += 2 + j;
1568 nl += 2 + j;
1569 }
1570 }
1571
1572 /* else no CA names */
1573 p = ssl_handshake_start(s) + off;
1574 s2n(nl, p);
1575
1576 if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
1577 goto err;
1578 }
1579 s->state = SSL3_ST_SW_CERT_REQ_B;
1580 }
1581
1582 /* SSL3_ST_SW_CERT_REQ_B */
1583 return ssl_do_write(s);
1584
1585 err:
1586 return -1;
1587 }
1588
ssl3_get_client_key_exchange(SSL * s)1589 int ssl3_get_client_key_exchange(SSL *s) {
1590 int al, ok;
1591 long n;
1592 CBS client_key_exchange;
1593 uint32_t alg_k;
1594 uint32_t alg_a;
1595 uint8_t *premaster_secret = NULL;
1596 size_t premaster_secret_len = 0;
1597 RSA *rsa = NULL;
1598 uint8_t *decrypt_buf = NULL;
1599 EVP_PKEY *pkey = NULL;
1600 BIGNUM *pub = NULL;
1601 DH *dh_srvr;
1602
1603 EC_KEY *srvr_ecdh = NULL;
1604 EVP_PKEY *clnt_pub_pkey = NULL;
1605 EC_POINT *clnt_ecpoint = NULL;
1606 BN_CTX *bn_ctx = NULL;
1607 unsigned int psk_len = 0;
1608 uint8_t psk[PSK_MAX_PSK_LEN];
1609
1610 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1611 SSL3_ST_SR_KEY_EXCH_B,
1612 SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, /* ??? */
1613 ssl_hash_message, &ok);
1614
1615 if (!ok) {
1616 return n;
1617 }
1618
1619 CBS_init(&client_key_exchange, s->init_msg, n);
1620
1621 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1622 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1623
1624 /* If using a PSK key exchange, prepare the pre-shared key. */
1625 if (alg_a & SSL_aPSK) {
1626 CBS psk_identity;
1627
1628 /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1629 * then this is the only field in the message. */
1630 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1631 ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
1632 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, SSL_R_DECODE_ERROR);
1633 al = SSL_AD_DECODE_ERROR;
1634 goto f_err;
1635 }
1636
1637 if (s->psk_server_callback == NULL) {
1638 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1639 SSL_R_PSK_NO_SERVER_CB);
1640 al = SSL_AD_INTERNAL_ERROR;
1641 goto f_err;
1642 }
1643
1644 if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1645 CBS_contains_zero_byte(&psk_identity)) {
1646 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1647 SSL_R_DATA_LENGTH_TOO_LONG);
1648 al = SSL_AD_ILLEGAL_PARAMETER;
1649 goto f_err;
1650 }
1651
1652 if (!CBS_strdup(&psk_identity, &s->session->psk_identity)) {
1653 al = SSL_AD_INTERNAL_ERROR;
1654 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1655 ERR_R_MALLOC_FAILURE);
1656 goto f_err;
1657 }
1658
1659 /* Look up the key for the identity. */
1660 psk_len =
1661 s->psk_server_callback(s, s->session->psk_identity, psk, sizeof(psk));
1662 if (psk_len > PSK_MAX_PSK_LEN) {
1663 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1664 ERR_R_INTERNAL_ERROR);
1665 al = SSL_AD_INTERNAL_ERROR;
1666 goto f_err;
1667 } else if (psk_len == 0) {
1668 /* PSK related to the given identity not found */
1669 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1670 SSL_R_PSK_IDENTITY_NOT_FOUND);
1671 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
1672 goto f_err;
1673 }
1674 }
1675
1676 /* Depending on the key exchange method, compute |premaster_secret| and
1677 * |premaster_secret_len|. */
1678 if (alg_k & SSL_kRSA) {
1679 CBS encrypted_premaster_secret;
1680 uint8_t rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
1681 uint8_t good;
1682 size_t rsa_size, decrypt_len, premaster_index, j;
1683
1684 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1685 if (pkey == NULL || pkey->type != EVP_PKEY_RSA || pkey->pkey.rsa == NULL) {
1686 al = SSL_AD_HANDSHAKE_FAILURE;
1687 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1688 SSL_R_MISSING_RSA_CERTIFICATE);
1689 goto f_err;
1690 }
1691 rsa = pkey->pkey.rsa;
1692
1693 /* TLS and [incidentally] DTLS{0xFEFF} */
1694 if (s->version > SSL3_VERSION) {
1695 CBS copy = client_key_exchange;
1696 if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1697 &encrypted_premaster_secret) ||
1698 CBS_len(&client_key_exchange) != 0) {
1699 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
1700 al = SSL_AD_DECODE_ERROR;
1701 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1702 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1703 goto f_err;
1704 } else {
1705 encrypted_premaster_secret = copy;
1706 }
1707 }
1708 } else {
1709 encrypted_premaster_secret = client_key_exchange;
1710 }
1711
1712 /* Reject overly short RSA keys because we want to be sure that the buffer
1713 * size makes it safe to iterate over the entire size of a premaster secret
1714 * (SSL_MAX_MASTER_KEY_LENGTH). The actual expected size is larger due to
1715 * RSA padding, but the bound is sufficient to be safe. */
1716 rsa_size = RSA_size(rsa);
1717 if (rsa_size < SSL_MAX_MASTER_KEY_LENGTH) {
1718 al = SSL_AD_DECRYPT_ERROR;
1719 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1720 SSL_R_DECRYPTION_FAILED);
1721 goto f_err;
1722 }
1723
1724 /* We must not leak whether a decryption failure occurs because of
1725 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
1726 * section 7.4.7.1). The code follows that advice of the TLS RFC and
1727 * generates a random premaster secret for the case that the decrypt fails.
1728 * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */
1729 if (!RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret))) {
1730 goto err;
1731 }
1732
1733 /* Allocate a buffer large enough for an RSA decryption. */
1734 decrypt_buf = OPENSSL_malloc(rsa_size);
1735 if (decrypt_buf == NULL) {
1736 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1737 ERR_R_MALLOC_FAILURE);
1738 goto err;
1739 }
1740
1741 /* Decrypt with no padding. PKCS#1 padding will be removed as part of the
1742 * timing-sensitive code below. */
1743 if (!RSA_decrypt(rsa, &decrypt_len, decrypt_buf, rsa_size,
1744 CBS_data(&encrypted_premaster_secret),
1745 CBS_len(&encrypted_premaster_secret), RSA_NO_PADDING)) {
1746 goto err;
1747 }
1748 if (decrypt_len != rsa_size) {
1749 /* This should never happen, but do a check so we do not read
1750 * uninitialized memory. */
1751 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1752 ERR_R_INTERNAL_ERROR);
1753 goto err;
1754 }
1755
1756 /* Remove the PKCS#1 padding and adjust |decrypt_len| as appropriate.
1757 * |good| will be 0xff if the premaster is acceptable and zero otherwise.
1758 * */
1759 good =
1760 constant_time_eq_int_8(RSA_message_index_PKCS1_type_2(
1761 decrypt_buf, decrypt_len, &premaster_index),
1762 1);
1763 decrypt_len = decrypt_len - premaster_index;
1764
1765 /* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. */
1766 good &= constant_time_eq_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
1767
1768 /* Copy over the unpadded premaster. Whatever the value of
1769 * |decrypt_good_mask|, copy as if the premaster were the right length. It
1770 * is important the memory access pattern be constant. */
1771 premaster_secret =
1772 BUF_memdup(decrypt_buf + (rsa_size - SSL_MAX_MASTER_KEY_LENGTH),
1773 SSL_MAX_MASTER_KEY_LENGTH);
1774 if (premaster_secret == NULL) {
1775 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1776 ERR_R_MALLOC_FAILURE);
1777 goto err;
1778 }
1779 OPENSSL_free(decrypt_buf);
1780 decrypt_buf = NULL;
1781
1782 /* If the version in the decrypted pre-master secret is correct then
1783 * version_good will be 0xff, otherwise it'll be zero. The
1784 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
1785 * (http://eprint.iacr.org/2003/052/) exploits the version number check as
1786 * a "bad version oracle". Thus version checks are done in constant time
1787 * and are treated like any other decryption error. */
1788 good &= constant_time_eq_8(premaster_secret[0],
1789 (unsigned)(s->client_version >> 8));
1790 good &= constant_time_eq_8(premaster_secret[1],
1791 (unsigned)(s->client_version & 0xff));
1792
1793 /* Now copy rand_premaster_secret over premaster_secret using
1794 * decrypt_good_mask. */
1795 for (j = 0; j < sizeof(rand_premaster_secret); j++) {
1796 premaster_secret[j] = constant_time_select_8(good, premaster_secret[j],
1797 rand_premaster_secret[j]);
1798 }
1799
1800 premaster_secret_len = sizeof(rand_premaster_secret);
1801 } else if (alg_k & SSL_kDHE) {
1802 CBS dh_Yc;
1803 int dh_len;
1804
1805 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &dh_Yc) ||
1806 CBS_len(&dh_Yc) == 0 || CBS_len(&client_key_exchange) != 0) {
1807 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1808 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1809 al = SSL_R_DECODE_ERROR;
1810 goto f_err;
1811 }
1812
1813 if (s->s3->tmp.dh == NULL) {
1814 al = SSL_AD_HANDSHAKE_FAILURE;
1815 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1816 SSL_R_MISSING_TMP_DH_KEY);
1817 goto f_err;
1818 }
1819 dh_srvr = s->s3->tmp.dh;
1820
1821 pub = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL);
1822 if (pub == NULL) {
1823 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, SSL_R_BN_LIB);
1824 goto err;
1825 }
1826
1827 /* Allocate a buffer for the premaster secret. */
1828 premaster_secret = OPENSSL_malloc(DH_size(dh_srvr));
1829 if (premaster_secret == NULL) {
1830 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1831 ERR_R_MALLOC_FAILURE);
1832 BN_clear_free(pub);
1833 goto err;
1834 }
1835
1836 dh_len = DH_compute_key(premaster_secret, pub, dh_srvr);
1837 if (dh_len <= 0) {
1838 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, ERR_R_DH_LIB);
1839 BN_clear_free(pub);
1840 goto err;
1841 }
1842
1843 DH_free(s->s3->tmp.dh);
1844 s->s3->tmp.dh = NULL;
1845 BN_clear_free(pub);
1846 pub = NULL;
1847
1848 premaster_secret_len = dh_len;
1849 } else if (alg_k & SSL_kECDHE) {
1850 int field_size = 0, ecdh_len;
1851 const EC_KEY *tkey;
1852 const EC_GROUP *group;
1853 const BIGNUM *priv_key;
1854 CBS ecdh_Yc;
1855
1856 /* initialize structures for server's ECDH key pair */
1857 srvr_ecdh = EC_KEY_new();
1858 if (srvr_ecdh == NULL) {
1859 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1860 ERR_R_MALLOC_FAILURE);
1861 goto err;
1862 }
1863
1864 /* Use the ephermeral values we saved when generating the ServerKeyExchange
1865 * msg. */
1866 tkey = s->s3->tmp.ecdh;
1867
1868 group = EC_KEY_get0_group(tkey);
1869 priv_key = EC_KEY_get0_private_key(tkey);
1870
1871 if (!EC_KEY_set_group(srvr_ecdh, group) ||
1872 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
1873 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, ERR_R_EC_LIB);
1874 goto err;
1875 }
1876
1877 /* Let's get client's public key */
1878 clnt_ecpoint = EC_POINT_new(group);
1879 if (clnt_ecpoint == NULL) {
1880 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1881 ERR_R_MALLOC_FAILURE);
1882 goto err;
1883 }
1884
1885 /* Get client's public key from encoded point in the ClientKeyExchange
1886 * message. */
1887 if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ecdh_Yc) ||
1888 CBS_len(&client_key_exchange) != 0) {
1889 al = SSL_AD_DECODE_ERROR;
1890 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, SSL_R_DECODE_ERROR);
1891 goto f_err;
1892 }
1893
1894 bn_ctx = BN_CTX_new();
1895 if (bn_ctx == NULL) {
1896 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1897 ERR_R_MALLOC_FAILURE);
1898 goto err;
1899 }
1900
1901 if (!EC_POINT_oct2point(group, clnt_ecpoint, CBS_data(&ecdh_Yc),
1902 CBS_len(&ecdh_Yc), bn_ctx)) {
1903 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, ERR_R_EC_LIB);
1904 goto err;
1905 }
1906
1907 /* Allocate a buffer for both the secret and the PSK. */
1908 field_size = EC_GROUP_get_degree(group);
1909 if (field_size <= 0) {
1910 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, ERR_R_ECDH_LIB);
1911 goto err;
1912 }
1913
1914 ecdh_len = (field_size + 7) / 8;
1915 premaster_secret = OPENSSL_malloc(ecdh_len);
1916 if (premaster_secret == NULL) {
1917 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1918 ERR_R_MALLOC_FAILURE);
1919 goto err;
1920 }
1921
1922 /* Compute the shared pre-master secret */
1923 ecdh_len = ECDH_compute_key(premaster_secret, ecdh_len, clnt_ecpoint,
1924 srvr_ecdh, NULL);
1925 if (ecdh_len <= 0) {
1926 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, ERR_R_ECDH_LIB);
1927 goto err;
1928 }
1929
1930 EVP_PKEY_free(clnt_pub_pkey);
1931 clnt_pub_pkey = NULL;
1932 EC_POINT_free(clnt_ecpoint);
1933 clnt_ecpoint = NULL;
1934 EC_KEY_free(srvr_ecdh);
1935 srvr_ecdh = NULL;
1936 BN_CTX_free(bn_ctx);
1937 bn_ctx = NULL;
1938 EC_KEY_free(s->s3->tmp.ecdh);
1939 s->s3->tmp.ecdh = NULL;
1940
1941 premaster_secret_len = ecdh_len;
1942 } else if (alg_k & SSL_kPSK) {
1943 /* For plain PSK, other_secret is a block of 0s with the same length as the
1944 * pre-shared key. */
1945 premaster_secret_len = psk_len;
1946 premaster_secret = OPENSSL_malloc(premaster_secret_len);
1947 if (premaster_secret == NULL) {
1948 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1949 ERR_R_MALLOC_FAILURE);
1950 goto err;
1951 }
1952 memset(premaster_secret, 0, premaster_secret_len);
1953 } else {
1954 al = SSL_AD_HANDSHAKE_FAILURE;
1955 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1956 SSL_R_UNKNOWN_CIPHER_TYPE);
1957 goto f_err;
1958 }
1959
1960 /* For a PSK cipher suite, the actual pre-master secret is combined with the
1961 * pre-shared key. */
1962 if (alg_a & SSL_aPSK) {
1963 CBB new_premaster, child;
1964 uint8_t *new_data;
1965 size_t new_len;
1966
1967 if (!CBB_init(&new_premaster, 2 + psk_len + 2 + premaster_secret_len)) {
1968 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1969 ERR_R_MALLOC_FAILURE);
1970 goto err;
1971 }
1972 if (!CBB_add_u16_length_prefixed(&new_premaster, &child) ||
1973 !CBB_add_bytes(&child, premaster_secret, premaster_secret_len) ||
1974 !CBB_add_u16_length_prefixed(&new_premaster, &child) ||
1975 !CBB_add_bytes(&child, psk, psk_len) ||
1976 !CBB_finish(&new_premaster, &new_data, &new_len)) {
1977 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
1978 ERR_R_INTERNAL_ERROR);
1979 CBB_cleanup(&new_premaster);
1980 goto err;
1981 }
1982
1983 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1984 OPENSSL_free(premaster_secret);
1985 premaster_secret = new_data;
1986 premaster_secret_len = new_len;
1987 }
1988
1989 /* Compute the master secret */
1990 s->session->master_key_length = s->enc_method->generate_master_secret(
1991 s, s->session->master_key, premaster_secret, premaster_secret_len);
1992 if (s->session->master_key_length == 0) {
1993 goto err;
1994 }
1995 s->session->extended_master_secret = s->s3->tmp.extended_master_secret;
1996
1997 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
1998 OPENSSL_free(premaster_secret);
1999 return 1;
2000
2001 f_err:
2002 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2003 err:
2004 if (premaster_secret) {
2005 if (premaster_secret_len) {
2006 OPENSSL_cleanse(premaster_secret, premaster_secret_len);
2007 }
2008 OPENSSL_free(premaster_secret);
2009 }
2010 OPENSSL_free(decrypt_buf);
2011 EVP_PKEY_free(clnt_pub_pkey);
2012 EC_POINT_free(clnt_ecpoint);
2013 EC_KEY_free(srvr_ecdh);
2014 BN_CTX_free(bn_ctx);
2015
2016 return -1;
2017 }
2018
ssl3_get_cert_verify(SSL * s)2019 int ssl3_get_cert_verify(SSL *s) {
2020 int al, ok, ret = 0;
2021 long n;
2022 CBS certificate_verify, signature;
2023 X509 *peer = s->session->peer;
2024 EVP_PKEY *pkey = NULL;
2025 const EVP_MD *md = NULL;
2026 uint8_t digest[EVP_MAX_MD_SIZE];
2027 size_t digest_length;
2028 EVP_PKEY_CTX *pctx = NULL;
2029
2030 /* Only RSA and ECDSA client certificates are supported, so a
2031 * CertificateVerify is required if and only if there's a client certificate.
2032 * */
2033 if (peer == NULL) {
2034 if (s->s3->handshake_buffer &&
2035 !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2036 return -1;
2037 }
2038 return 1;
2039 }
2040
2041 n = s->method->ssl_get_message(
2042 s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
2043 SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
2044 ssl_dont_hash_message, &ok);
2045
2046 if (!ok) {
2047 return n;
2048 }
2049
2050 /* Filter out unsupported certificate types. */
2051 pkey = X509_get_pubkey(peer);
2052 if (pkey == NULL) {
2053 goto err;
2054 }
2055 if (!(X509_certificate_type(peer, pkey) & EVP_PKT_SIGN) ||
2056 (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_EC)) {
2057 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
2058 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify,
2059 SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
2060 goto f_err;
2061 }
2062
2063 CBS_init(&certificate_verify, s->init_msg, n);
2064
2065 /* Determine the digest type if needbe. */
2066 if (SSL_USE_SIGALGS(s) &&
2067 !tls12_check_peer_sigalg(&md, &al, s, &certificate_verify, pkey)) {
2068 goto f_err;
2069 }
2070
2071 /* Compute the digest. */
2072 if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey)) {
2073 goto err;
2074 }
2075
2076 /* The handshake buffer is no longer necessary, and we may hash the current
2077 * message.*/
2078 if (s->s3->handshake_buffer &&
2079 !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2080 goto err;
2081 }
2082 if (!ssl3_hash_current_message(s)) {
2083 goto err;
2084 }
2085
2086 /* Parse and verify the signature. */
2087 if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
2088 CBS_len(&certificate_verify) != 0) {
2089 al = SSL_AD_DECODE_ERROR;
2090 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_DECODE_ERROR);
2091 goto f_err;
2092 }
2093
2094 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2095 if (pctx == NULL) {
2096 goto err;
2097 }
2098 if (!EVP_PKEY_verify_init(pctx) ||
2099 !EVP_PKEY_CTX_set_signature_md(pctx, md) ||
2100 !EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), digest,
2101 digest_length)) {
2102 al = SSL_AD_DECRYPT_ERROR;
2103 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_BAD_SIGNATURE);
2104 goto f_err;
2105 }
2106
2107 ret = 1;
2108
2109 if (0) {
2110 f_err:
2111 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2112 }
2113
2114 err:
2115 EVP_PKEY_CTX_free(pctx);
2116 EVP_PKEY_free(pkey);
2117
2118 return ret;
2119 }
2120
ssl3_get_client_certificate(SSL * s)2121 int ssl3_get_client_certificate(SSL *s) {
2122 int i, ok, al, ret = -1;
2123 X509 *x = NULL;
2124 unsigned long n;
2125 STACK_OF(X509) *sk = NULL;
2126 SHA256_CTX sha256;
2127 CBS certificate_msg, certificate_list;
2128 int is_first_certificate = 1;
2129
2130 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1,
2131 (long)s->max_cert_list, ssl_hash_message, &ok);
2132
2133 if (!ok) {
2134 return n;
2135 }
2136
2137 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2138 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2139 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2140 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2141 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2142 al = SSL_AD_HANDSHAKE_FAILURE;
2143 goto f_err;
2144 }
2145
2146 /* If tls asked for a client cert, the client must return a 0 list */
2147 if (s->version > SSL3_VERSION && s->s3->tmp.cert_request) {
2148 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2149 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
2150 al = SSL_AD_UNEXPECTED_MESSAGE;
2151 goto f_err;
2152 }
2153 s->s3->tmp.reuse_message = 1;
2154
2155 return 1;
2156 }
2157
2158 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2159 al = SSL_AD_UNEXPECTED_MESSAGE;
2160 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2161 SSL_R_WRONG_MESSAGE_TYPE);
2162 goto f_err;
2163 }
2164
2165 CBS_init(&certificate_msg, s->init_msg, n);
2166
2167 sk = sk_X509_new_null();
2168 if (sk == NULL) {
2169 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, ERR_R_MALLOC_FAILURE);
2170 goto err;
2171 }
2172
2173 if (!CBS_get_u24_length_prefixed(&certificate_msg, &certificate_list) ||
2174 CBS_len(&certificate_msg) != 0) {
2175 al = SSL_AD_DECODE_ERROR;
2176 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, SSL_R_DECODE_ERROR);
2177 goto f_err;
2178 }
2179
2180 while (CBS_len(&certificate_list) > 0) {
2181 CBS certificate;
2182 const uint8_t *data;
2183
2184 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate)) {
2185 al = SSL_AD_DECODE_ERROR;
2186 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, SSL_R_DECODE_ERROR);
2187 goto f_err;
2188 }
2189
2190 if (is_first_certificate && s->ctx->retain_only_sha256_of_client_certs) {
2191 /* If this is the first certificate, and we don't want to keep peer
2192 * certificates in memory, then we hash it right away. */
2193 SHA256_Init(&sha256);
2194 SHA256_Update(&sha256, CBS_data(&certificate), CBS_len(&certificate));
2195 SHA256_Final(s->session->peer_sha256, &sha256);
2196 s->session->peer_sha256_valid = 1;
2197 }
2198 is_first_certificate = 0;
2199
2200 data = CBS_data(&certificate);
2201 x = d2i_X509(NULL, &data, CBS_len(&certificate));
2202 if (x == NULL) {
2203 al = SSL_AD_BAD_CERTIFICATE;
2204 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, ERR_R_ASN1_LIB);
2205 goto f_err;
2206 }
2207 if (data != CBS_data(&certificate) + CBS_len(&certificate)) {
2208 al = SSL_AD_DECODE_ERROR;
2209 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2210 SSL_R_CERT_LENGTH_MISMATCH);
2211 goto f_err;
2212 }
2213 if (!sk_X509_push(sk, x)) {
2214 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, ERR_R_MALLOC_FAILURE);
2215 goto err;
2216 }
2217 x = NULL;
2218 }
2219
2220 if (sk_X509_num(sk) <= 0) {
2221 /* TLS does not mind 0 certs returned */
2222 if (s->version == SSL3_VERSION) {
2223 al = SSL_AD_HANDSHAKE_FAILURE;
2224 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2225 SSL_R_NO_CERTIFICATES_RETURNED);
2226 goto f_err;
2227 }
2228 /* Fail for TLS only if we required a certificate */
2229 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
2230 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2231 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2232 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2233 al = SSL_AD_HANDSHAKE_FAILURE;
2234 goto f_err;
2235 }
2236 /* No client certificate so digest cached records */
2237 if (s->s3->handshake_buffer &&
2238 !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2239 al = SSL_AD_INTERNAL_ERROR;
2240 goto f_err;
2241 }
2242 } else {
2243 i = ssl_verify_cert_chain(s, sk);
2244 if (i <= 0) {
2245 al = ssl_verify_alarm_type(s->verify_result);
2246 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate,
2247 SSL_R_CERTIFICATE_VERIFY_FAILED);
2248 goto f_err;
2249 }
2250 }
2251
2252 X509_free(s->session->peer);
2253 s->session->peer = sk_X509_shift(sk);
2254 s->session->verify_result = s->verify_result;
2255
2256 /* With the current implementation, sess_cert will always be NULL when we
2257 * arrive here. */
2258 if (s->session->sess_cert == NULL) {
2259 s->session->sess_cert = ssl_sess_cert_new();
2260 if (s->session->sess_cert == NULL) {
2261 OPENSSL_PUT_ERROR(SSL, ssl3_get_client_certificate, ERR_R_MALLOC_FAILURE);
2262 goto err;
2263 }
2264 }
2265 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2266 s->session->sess_cert->cert_chain = sk;
2267 /* Inconsistency alert: cert_chain does *not* include the peer's own
2268 * certificate, while we do include it in s3_clnt.c */
2269
2270 sk = NULL;
2271
2272 ret = 1;
2273
2274 if (0) {
2275 f_err:
2276 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2277 }
2278
2279 err:
2280 X509_free(x);
2281 sk_X509_pop_free(sk, X509_free);
2282 return ret;
2283 }
2284
ssl3_send_server_certificate(SSL * s)2285 int ssl3_send_server_certificate(SSL *s) {
2286 CERT_PKEY *cpk;
2287
2288 if (s->state == SSL3_ST_SW_CERT_A) {
2289 cpk = ssl_get_server_send_pkey(s);
2290 if (cpk == NULL) {
2291 OPENSSL_PUT_ERROR(SSL, ssl3_send_server_certificate,
2292 ERR_R_INTERNAL_ERROR);
2293 return 0;
2294 }
2295
2296 if (!ssl3_output_cert_chain(s, cpk)) {
2297 return 0;
2298 }
2299 s->state = SSL3_ST_SW_CERT_B;
2300 }
2301
2302 /* SSL3_ST_SW_CERT_B */
2303 return ssl_do_write(s);
2304 }
2305
2306 /* send a new session ticket (not necessarily for a new session) */
ssl3_send_new_session_ticket(SSL * s)2307 int ssl3_send_new_session_ticket(SSL *s) {
2308 int ret = -1;
2309 uint8_t *session = NULL;
2310 size_t session_len;
2311 EVP_CIPHER_CTX ctx;
2312 HMAC_CTX hctx;
2313
2314 EVP_CIPHER_CTX_init(&ctx);
2315 HMAC_CTX_init(&hctx);
2316
2317 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
2318 uint8_t *p, *macstart;
2319 int len;
2320 unsigned int hlen;
2321 SSL_CTX *tctx = s->initial_ctx;
2322 uint8_t iv[EVP_MAX_IV_LENGTH];
2323 uint8_t key_name[16];
2324 /* The maximum overhead of encrypting the session is 16 (key name) + IV +
2325 * one block of encryption overhead + HMAC. */
2326 const size_t max_ticket_overhead =
2327 16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
2328
2329 /* Serialize the SSL_SESSION to be encoded into the ticket. */
2330 if (!SSL_SESSION_to_bytes_for_ticket(s->session, &session, &session_len)) {
2331 goto err;
2332 }
2333
2334 /* If the session is too long, emit a dummy value rather than abort the
2335 * connection. */
2336 if (session_len > 0xFFFF - max_ticket_overhead) {
2337 static const char kTicketPlaceholder[] = "TICKET TOO LARGE";
2338 const size_t placeholder_len = strlen(kTicketPlaceholder);
2339
2340 OPENSSL_free(session);
2341 session = NULL;
2342
2343 p = ssl_handshake_start(s);
2344 /* Emit ticket_lifetime_hint. */
2345 l2n(0, p);
2346 /* Emit ticket. */
2347 s2n(placeholder_len, p);
2348 memcpy(p, kTicketPlaceholder, placeholder_len);
2349 p += placeholder_len;
2350
2351 len = p - ssl_handshake_start(s);
2352 if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
2353 goto err;
2354 }
2355 s->state = SSL3_ST_SW_SESSION_TICKET_B;
2356 return ssl_do_write(s);
2357 }
2358
2359 /* Grow buffer if need be: the length calculation is as follows:
2360 * handshake_header_length + 4 (ticket lifetime hint) + 2 (ticket length) +
2361 * max_ticket_overhead + * session_length */
2362 if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + 6 +
2363 max_ticket_overhead + session_len)) {
2364 goto err;
2365 }
2366 p = ssl_handshake_start(s);
2367 /* Initialize HMAC and cipher contexts. If callback present it does all the
2368 * work otherwise use generated values from parent ctx. */
2369 if (tctx->tlsext_ticket_key_cb) {
2370 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx,
2371 1 /* encrypt */) < 0) {
2372 goto err;
2373 }
2374 } else {
2375 if (!RAND_bytes(iv, 16) ||
2376 !EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2377 tctx->tlsext_tick_aes_key, iv) ||
2378 !HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
2379 NULL)) {
2380 goto err;
2381 }
2382 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2383 }
2384
2385 /* Ticket lifetime hint (advisory only): We leave this unspecified for
2386 * resumed session (for simplicity), and guess that tickets for new
2387 * sessions will live as long as their sessions. */
2388 l2n(s->hit ? 0 : s->session->timeout, p);
2389
2390 /* Skip ticket length for now */
2391 p += 2;
2392 /* Output key name */
2393 macstart = p;
2394 memcpy(p, key_name, 16);
2395 p += 16;
2396 /* output IV */
2397 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2398 p += EVP_CIPHER_CTX_iv_length(&ctx);
2399 /* Encrypt session data */
2400 if (!EVP_EncryptUpdate(&ctx, p, &len, session, session_len)) {
2401 goto err;
2402 }
2403 p += len;
2404 if (!EVP_EncryptFinal_ex(&ctx, p, &len)) {
2405 goto err;
2406 }
2407 p += len;
2408
2409 if (!HMAC_Update(&hctx, macstart, p - macstart) ||
2410 !HMAC_Final(&hctx, p, &hlen)) {
2411 goto err;
2412 }
2413
2414 p += hlen;
2415 /* Now write out lengths: p points to end of data written */
2416 /* Total length */
2417 len = p - ssl_handshake_start(s);
2418 /* Skip ticket lifetime hint */
2419 p = ssl_handshake_start(s) + 4;
2420 s2n(len - 6, p);
2421 if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
2422 goto err;
2423 }
2424 s->state = SSL3_ST_SW_SESSION_TICKET_B;
2425 }
2426
2427 /* SSL3_ST_SW_SESSION_TICKET_B */
2428 ret = ssl_do_write(s);
2429
2430 err:
2431 OPENSSL_free(session);
2432 EVP_CIPHER_CTX_cleanup(&ctx);
2433 HMAC_CTX_cleanup(&hctx);
2434 return ret;
2435 }
2436
2437 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
2438 * sets the next_proto member in s if found */
ssl3_get_next_proto(SSL * s)2439 int ssl3_get_next_proto(SSL *s) {
2440 int ok;
2441 long n;
2442 CBS next_protocol, selected_protocol, padding;
2443
2444 /* Clients cannot send a NextProtocol message if we didn't see the extension
2445 * in their ClientHello */
2446 if (!s->s3->next_proto_neg_seen) {
2447 OPENSSL_PUT_ERROR(SSL, ssl3_get_next_proto,
2448 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
2449 return -1;
2450 }
2451
2452 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
2453 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
2454 514, /* See the payload format below */
2455 ssl_hash_message, &ok);
2456
2457 if (!ok) {
2458 return n;
2459 }
2460
2461 /* s->state doesn't reflect whether ChangeCipherSpec has been received in
2462 * this handshake, but s->s3->change_cipher_spec does (will be reset by
2463 * ssl3_get_finished).
2464 *
2465 * TODO(davidben): Is this check now redundant with
2466 * SSL3_FLAGS_EXPECT_CCS? */
2467 if (!s->s3->change_cipher_spec) {
2468 OPENSSL_PUT_ERROR(SSL, ssl3_get_next_proto,
2469 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
2470 return -1;
2471 }
2472
2473 CBS_init(&next_protocol, s->init_msg, n);
2474
2475 /* The payload looks like:
2476 * uint8 proto_len;
2477 * uint8 proto[proto_len];
2478 * uint8 padding_len;
2479 * uint8 padding[padding_len]; */
2480 if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
2481 !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
2482 CBS_len(&next_protocol) != 0 ||
2483 !CBS_stow(&selected_protocol, &s->next_proto_negotiated,
2484 &s->next_proto_negotiated_len)) {
2485 return 0;
2486 }
2487
2488 return 1;
2489 }
2490
2491 /* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
ssl3_get_channel_id(SSL * s)2492 int ssl3_get_channel_id(SSL *s) {
2493 int ret = -1, ok;
2494 long n;
2495 EVP_MD_CTX md_ctx;
2496 uint8_t channel_id_hash[SHA256_DIGEST_LENGTH];
2497 unsigned int channel_id_hash_len;
2498 const uint8_t *p;
2499 uint16_t extension_type, expected_extension_type;
2500 EC_GROUP *p256 = NULL;
2501 EC_KEY *key = NULL;
2502 EC_POINT *point = NULL;
2503 ECDSA_SIG sig;
2504 BIGNUM x, y;
2505 CBS encrypted_extensions, extension;
2506
2507 n = s->method->ssl_get_message(
2508 s, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
2509 SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
2510 ssl_dont_hash_message, &ok);
2511
2512 if (!ok) {
2513 return n;
2514 }
2515
2516 /* Before incorporating the EncryptedExtensions message to the handshake
2517 * hash, compute the hash that should have been signed. */
2518 channel_id_hash_len = sizeof(channel_id_hash);
2519 EVP_MD_CTX_init(&md_ctx);
2520 if (!EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL) ||
2521 !tls1_channel_id_hash(&md_ctx, s) ||
2522 !EVP_DigestFinal(&md_ctx, channel_id_hash, &channel_id_hash_len)) {
2523 EVP_MD_CTX_cleanup(&md_ctx);
2524 return -1;
2525 }
2526 EVP_MD_CTX_cleanup(&md_ctx);
2527 assert(channel_id_hash_len == SHA256_DIGEST_LENGTH);
2528
2529 if (!ssl3_hash_current_message(s)) {
2530 return -1;
2531 }
2532
2533 /* s->state doesn't reflect whether ChangeCipherSpec has been received in
2534 * this handshake, but s->s3->change_cipher_spec does (will be reset by
2535 * ssl3_get_finished).
2536 *
2537 * TODO(davidben): Is this check now redundant with SSL3_FLAGS_EXPECT_CCS? */
2538 if (!s->s3->change_cipher_spec) {
2539 OPENSSL_PUT_ERROR(SSL, ssl3_get_channel_id,
2540 SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS);
2541 return -1;
2542 }
2543
2544 CBS_init(&encrypted_extensions, s->init_msg, n);
2545
2546 /* EncryptedExtensions could include multiple extensions, but the only
2547 * extension that could be negotiated is ChannelID, so there can only be one
2548 * entry.
2549 *
2550 * The payload looks like:
2551 * uint16 extension_type
2552 * uint16 extension_len;
2553 * uint8 x[32];
2554 * uint8 y[32];
2555 * uint8 r[32];
2556 * uint8 s[32]; */
2557 expected_extension_type = TLSEXT_TYPE_channel_id;
2558 if (s->s3->tlsext_channel_id_new) {
2559 expected_extension_type = TLSEXT_TYPE_channel_id_new;
2560 }
2561
2562 if (!CBS_get_u16(&encrypted_extensions, &extension_type) ||
2563 !CBS_get_u16_length_prefixed(&encrypted_extensions, &extension) ||
2564 CBS_len(&encrypted_extensions) != 0 ||
2565 extension_type != expected_extension_type ||
2566 CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
2567 OPENSSL_PUT_ERROR(SSL, ssl3_get_channel_id, SSL_R_INVALID_MESSAGE);
2568 return -1;
2569 }
2570
2571 p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
2572 if (!p256) {
2573 OPENSSL_PUT_ERROR(SSL, ssl3_get_channel_id, SSL_R_NO_P256_SUPPORT);
2574 return -1;
2575 }
2576
2577 BN_init(&x);
2578 BN_init(&y);
2579 sig.r = BN_new();
2580 sig.s = BN_new();
2581 if (sig.r == NULL || sig.s == NULL) {
2582 goto err;
2583 }
2584
2585 p = CBS_data(&extension);
2586 if (BN_bin2bn(p + 0, 32, &x) == NULL ||
2587 BN_bin2bn(p + 32, 32, &y) == NULL ||
2588 BN_bin2bn(p + 64, 32, sig.r) == NULL ||
2589 BN_bin2bn(p + 96, 32, sig.s) == NULL) {
2590 goto err;
2591 }
2592
2593 point = EC_POINT_new(p256);
2594 if (!point || !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) {
2595 goto err;
2596 }
2597
2598 key = EC_KEY_new();
2599 if (!key || !EC_KEY_set_group(key, p256) ||
2600 !EC_KEY_set_public_key(key, point)) {
2601 goto err;
2602 }
2603
2604 /* We stored the handshake hash in |tlsext_channel_id| the first time that we
2605 * were called. */
2606 if (!ECDSA_do_verify(channel_id_hash, channel_id_hash_len, &sig, key)) {
2607 OPENSSL_PUT_ERROR(SSL, ssl3_get_channel_id,
2608 SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
2609 s->s3->tlsext_channel_id_valid = 0;
2610 goto err;
2611 }
2612
2613 memcpy(s->s3->tlsext_channel_id, p, 64);
2614 ret = 1;
2615
2616 err:
2617 BN_free(&x);
2618 BN_free(&y);
2619 BN_free(sig.r);
2620 BN_free(sig.s);
2621 EC_KEY_free(key);
2622 EC_POINT_free(point);
2623 EC_GROUP_free(p256);
2624 return ret;
2625 }
2626