1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ssl_clnt.c,v 1.153 2022/08/17 07:39:19 jsing Exp $ */
272c33676SMaxim Ag /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
372c33676SMaxim Ag * All rights reserved.
472c33676SMaxim Ag *
572c33676SMaxim Ag * This package is an SSL implementation written
672c33676SMaxim Ag * by Eric Young (eay@cryptsoft.com).
772c33676SMaxim Ag * The implementation was written so as to conform with Netscapes SSL.
872c33676SMaxim Ag *
972c33676SMaxim Ag * This library is free for commercial and non-commercial use as long as
1072c33676SMaxim Ag * the following conditions are aheared to. The following conditions
1172c33676SMaxim Ag * apply to all code found in this distribution, be it the RC4, RSA,
1272c33676SMaxim Ag * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1372c33676SMaxim Ag * included with this distribution is covered by the same copyright terms
1472c33676SMaxim Ag * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1572c33676SMaxim Ag *
1672c33676SMaxim Ag * Copyright remains Eric Young's, and as such any Copyright notices in
1772c33676SMaxim Ag * the code are not to be removed.
1872c33676SMaxim Ag * If this package is used in a product, Eric Young should be given attribution
1972c33676SMaxim Ag * as the author of the parts of the library used.
2072c33676SMaxim Ag * This can be in the form of a textual message at program startup or
2172c33676SMaxim Ag * in documentation (online or textual) provided with the package.
2272c33676SMaxim Ag *
2372c33676SMaxim Ag * Redistribution and use in source and binary forms, with or without
2472c33676SMaxim Ag * modification, are permitted provided that the following conditions
2572c33676SMaxim Ag * are met:
2672c33676SMaxim Ag * 1. Redistributions of source code must retain the copyright
2772c33676SMaxim Ag * notice, this list of conditions and the following disclaimer.
2872c33676SMaxim Ag * 2. Redistributions in binary form must reproduce the above copyright
2972c33676SMaxim Ag * notice, this list of conditions and the following disclaimer in the
3072c33676SMaxim Ag * documentation and/or other materials provided with the distribution.
3172c33676SMaxim Ag * 3. All advertising materials mentioning features or use of this software
3272c33676SMaxim Ag * must display the following acknowledgement:
3372c33676SMaxim Ag * "This product includes cryptographic software written by
3472c33676SMaxim Ag * Eric Young (eay@cryptsoft.com)"
3572c33676SMaxim Ag * The word 'cryptographic' can be left out if the rouines from the library
3672c33676SMaxim Ag * being used are not cryptographic related :-).
3772c33676SMaxim Ag * 4. If you include any Windows specific code (or a derivative thereof) from
3872c33676SMaxim Ag * the apps directory (application code) you must include an acknowledgement:
3972c33676SMaxim Ag * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
4072c33676SMaxim Ag *
4172c33676SMaxim Ag * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4272c33676SMaxim Ag * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4372c33676SMaxim Ag * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4472c33676SMaxim Ag * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4572c33676SMaxim Ag * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4672c33676SMaxim Ag * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4772c33676SMaxim Ag * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4872c33676SMaxim Ag * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4972c33676SMaxim Ag * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5072c33676SMaxim Ag * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5172c33676SMaxim Ag * SUCH DAMAGE.
5272c33676SMaxim Ag *
5372c33676SMaxim Ag * The licence and distribution terms for any publically available version or
5472c33676SMaxim Ag * derivative of this code cannot be changed. i.e. this code cannot simply be
5572c33676SMaxim Ag * copied and put under another distribution licence
5672c33676SMaxim Ag * [including the GNU Public Licence.]
5772c33676SMaxim Ag */
5872c33676SMaxim Ag /* ====================================================================
5972c33676SMaxim Ag * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
6072c33676SMaxim Ag *
6172c33676SMaxim Ag * Redistribution and use in source and binary forms, with or without
6272c33676SMaxim Ag * modification, are permitted provided that the following conditions
6372c33676SMaxim Ag * are met:
6472c33676SMaxim Ag *
6572c33676SMaxim Ag * 1. Redistributions of source code must retain the above copyright
6672c33676SMaxim Ag * notice, this list of conditions and the following disclaimer.
6772c33676SMaxim Ag *
6872c33676SMaxim Ag * 2. Redistributions in binary form must reproduce the above copyright
6972c33676SMaxim Ag * notice, this list of conditions and the following disclaimer in
7072c33676SMaxim Ag * the documentation and/or other materials provided with the
7172c33676SMaxim Ag * distribution.
7272c33676SMaxim Ag *
7372c33676SMaxim Ag * 3. All advertising materials mentioning features or use of this
7472c33676SMaxim Ag * software must display the following acknowledgment:
7572c33676SMaxim Ag * "This product includes software developed by the OpenSSL Project
7672c33676SMaxim Ag * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7772c33676SMaxim Ag *
7872c33676SMaxim Ag * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7972c33676SMaxim Ag * endorse or promote products derived from this software without
8072c33676SMaxim Ag * prior written permission. For written permission, please contact
8172c33676SMaxim Ag * openssl-core@openssl.org.
8272c33676SMaxim Ag *
8372c33676SMaxim Ag * 5. Products derived from this software may not be called "OpenSSL"
8472c33676SMaxim Ag * nor may "OpenSSL" appear in their names without prior written
8572c33676SMaxim Ag * permission of the OpenSSL Project.
8672c33676SMaxim Ag *
8772c33676SMaxim Ag * 6. Redistributions of any form whatsoever must retain the following
8872c33676SMaxim Ag * acknowledgment:
8972c33676SMaxim Ag * "This product includes software developed by the OpenSSL Project
9072c33676SMaxim Ag * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9172c33676SMaxim Ag *
9272c33676SMaxim Ag * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9372c33676SMaxim Ag * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9472c33676SMaxim Ag * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9572c33676SMaxim Ag * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9672c33676SMaxim Ag * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9772c33676SMaxim Ag * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9872c33676SMaxim Ag * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9972c33676SMaxim Ag * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10072c33676SMaxim Ag * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10172c33676SMaxim Ag * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10272c33676SMaxim Ag * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10372c33676SMaxim Ag * OF THE POSSIBILITY OF SUCH DAMAGE.
10472c33676SMaxim Ag * ====================================================================
10572c33676SMaxim Ag *
10672c33676SMaxim Ag * This product includes cryptographic software written by Eric Young
10772c33676SMaxim Ag * (eay@cryptsoft.com). This product includes software written by Tim
10872c33676SMaxim Ag * Hudson (tjh@cryptsoft.com).
10972c33676SMaxim Ag *
11072c33676SMaxim Ag */
11172c33676SMaxim Ag /* ====================================================================
11272c33676SMaxim Ag * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
11372c33676SMaxim Ag *
11472c33676SMaxim Ag * Portions of the attached software ("Contribution") are developed by
11572c33676SMaxim Ag * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
11672c33676SMaxim Ag *
11772c33676SMaxim Ag * The Contribution is licensed pursuant to the OpenSSL open source
11872c33676SMaxim Ag * license provided above.
11972c33676SMaxim Ag *
12072c33676SMaxim Ag * ECC cipher suite support in OpenSSL originally written by
12172c33676SMaxim Ag * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
12272c33676SMaxim Ag *
12372c33676SMaxim Ag */
12472c33676SMaxim Ag /* ====================================================================
12572c33676SMaxim Ag * Copyright 2005 Nokia. All rights reserved.
12672c33676SMaxim Ag *
12772c33676SMaxim Ag * The portions of the attached software ("Contribution") is developed by
12872c33676SMaxim Ag * Nokia Corporation and is licensed pursuant to the OpenSSL open source
12972c33676SMaxim Ag * license.
13072c33676SMaxim Ag *
13172c33676SMaxim Ag * The Contribution, originally written by Mika Kousa and Pasi Eronen of
13272c33676SMaxim Ag * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
13372c33676SMaxim Ag * support (see RFC 4279) to OpenSSL.
13472c33676SMaxim Ag *
13572c33676SMaxim Ag * No patent licenses or other rights except those expressly stated in
13672c33676SMaxim Ag * the OpenSSL open source license shall be deemed granted or received
13772c33676SMaxim Ag * expressly, by implication, estoppel, or otherwise.
13872c33676SMaxim Ag *
13972c33676SMaxim Ag * No assurances are provided by Nokia that the Contribution does not
14072c33676SMaxim Ag * infringe the patent or other intellectual property rights of any third
14172c33676SMaxim Ag * party or that the license provides you with all the necessary rights
14272c33676SMaxim Ag * to make use of the Contribution.
14372c33676SMaxim Ag *
14472c33676SMaxim Ag * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
14572c33676SMaxim Ag * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
14672c33676SMaxim Ag * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
14772c33676SMaxim Ag * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
14872c33676SMaxim Ag * OTHERWISE.
14972c33676SMaxim Ag */
15072c33676SMaxim Ag
15172c33676SMaxim Ag #include <limits.h>
15272c33676SMaxim Ag #include <stdint.h>
15372c33676SMaxim Ag #include <stdio.h>
15472c33676SMaxim Ag
15572c33676SMaxim Ag #include <openssl/bn.h>
15672c33676SMaxim Ag #include <openssl/buffer.h>
15772c33676SMaxim Ag #include <openssl/curve25519.h>
15872c33676SMaxim Ag #include <openssl/dh.h>
15972c33676SMaxim Ag #include <openssl/evp.h>
16072c33676SMaxim Ag #include <openssl/md5.h>
16172c33676SMaxim Ag #include <openssl/objects.h>
162*de0e0e4dSAntonio Huete Jimenez #include <openssl/opensslconf.h>
16372c33676SMaxim Ag
16472c33676SMaxim Ag #ifndef OPENSSL_NO_ENGINE
16572c33676SMaxim Ag #include <openssl/engine.h>
16672c33676SMaxim Ag #endif
16772c33676SMaxim Ag #ifndef OPENSSL_NO_GOST
16872c33676SMaxim Ag #include <openssl/gost.h>
16972c33676SMaxim Ag #endif
17072c33676SMaxim Ag
17172c33676SMaxim Ag #include "bytestring.h"
172*de0e0e4dSAntonio Huete Jimenez #include "dtls_locl.h"
173*de0e0e4dSAntonio Huete Jimenez #include "ssl_locl.h"
17472c33676SMaxim Ag #include "ssl_sigalgs.h"
17572c33676SMaxim Ag #include "ssl_tlsext.h"
17672c33676SMaxim Ag
/*
 * Comparator over pairs of X509_NAME pointers. It is static, so its
 * definition (and its use, presumably when ordering the CA names the
 * server supplies) lives later in this file, outside this excerpt.
 */
static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
17872c33676SMaxim Ag
/*
 * Drive the TLS 1.2 / DTLS client handshake state machine.
 *
 * Each trip around the loop handles the state held in s->s3->hs.state,
 * sends or receives at most one handshake message, and advances the state.
 * The per-message handlers return <= 0 on error or when the transport
 * could not complete the operation; that value is handed straight back to
 * the caller with the state left in place, so calling ssl3_connect() again
 * resumes where it stopped.
 *
 * Returns 1 once SSL_ST_OK has been processed, -1 on a fatal error raised
 * here, or the (<= 0) result of the handler that could not complete.
 */
int
ssl3_connect(SSL *s)
{
	/*
	 * skip is set by a state that consumed no message, so that the
	 * connect-loop callback at the bottom is not fired for it.
	 */
	int new_state, state, skip = 0;
	int ret = -1;

	ERR_clear_error();
	errno = 0;

	/* Balanced by the decrement at the 'end' label. */
	s->internal->in_handshake++;
	if (!SSL_in_init(s) || SSL_in_before(s))
		SSL_clear(s);

	for (;;) {
		/* State on entry, reported to the info callback after the step. */
		state = s->s3->hs.state;

		switch (s->s3->hs.state) {
		case SSL_ST_RENEGOTIATE:
			s->internal->renegotiate = 1;
			s->s3->hs.state = SSL_ST_CONNECT;
			s->ctx->internal->stats.sess_connect_renegotiate++;
			/* no break: renegotiation runs the same setup as a fresh connect */
		case SSL_ST_BEFORE:
		case SSL_ST_CONNECT:
		case SSL_ST_BEFORE|SSL_ST_CONNECT:
		case SSL_ST_OK|SSL_ST_CONNECT:

			s->server = 0;

			ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);

			/*
			 * Version policy is settled before any buffer is set
			 * up or anything is written: the version must be
			 * representable on the legacy stack, the supported
			 * range must be non-empty, and its minimum must pass
			 * the security check (SSL_R_VERSION_TOO_LOW otherwise).
			 */
			if (!ssl_legacy_stack_version(s, s->version)) {
				SSLerror(s, ERR_R_INTERNAL_ERROR);
				ret = -1;
				goto end;
			}

			if (!ssl_supported_tls_version_range(s,
			    &s->s3->hs.our_min_tls_version,
			    &s->s3->hs.our_max_tls_version)) {
				SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
				ret = -1;
				goto end;
			}

			if (!ssl_security_version(s,
			    s->s3->hs.our_min_tls_version)) {
				SSLerror(s, SSL_R_VERSION_TOO_LOW);
				ret = -1;
				goto end;
			}

			if (!ssl3_setup_init_buffer(s)) {
				ret = -1;
				goto end;
			}
			if (!ssl3_setup_buffers(s)) {
				ret = -1;
				goto end;
			}
			if (!ssl_init_wbio_buffer(s, 0)) {
				ret = -1;
				goto end;
			}

			/* don't push the buffering BIO quite yet */

			if (!tls1_transcript_init(s)) {
				ret = -1;
				goto end;
			}

			s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
			s->ctx->internal->stats.sess_connect++;
			s->internal->init_num = 0;

			if (SSL_is_dtls(s)) {
				/* mark client_random uninitialized */
				memset(s->s3->client_random, 0,
				    sizeof(s->s3->client_random));
				s->d1->send_cookie = 0;
				s->internal->hit = 0;
			}
			break;

		case SSL3_ST_CW_CLNT_HELLO_A:
		case SSL3_ST_CW_CLNT_HELLO_B:
			s->internal->shutdown = 0;

			if (SSL_is_dtls(s)) {
				/* every DTLS ClientHello resets Finished MAC */
				tls1_transcript_reset(s);

				dtls1_start_timer(s);
			}

			ret = ssl3_send_client_hello(s);
			if (ret <= 0)
				goto end;

			/*
			 * DTLS with a HelloVerifyRequest cookie in hand: flush
			 * the ClientHello out first, then wait for ServerHello.
			 * Otherwise go straight to reading the ServerHello.
			 */
			if (SSL_is_dtls(s) && s->d1->send_cookie) {
				s->s3->hs.state = SSL3_ST_CW_FLUSH;
				s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
			} else
				s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;

			s->internal->init_num = 0;

			/* turn on buffering for the next lot of output */
			if (s->bbio != s->wbio)
				s->wbio = BIO_push(s->bbio, s->wbio);

			break;

		case SSL3_ST_CR_SRVR_HELLO_A:
		case SSL3_ST_CR_SRVR_HELLO_B:
			ret = ssl3_get_server_hello(s);
			if (ret <= 0)
				goto end;

			/*
			 * Resumed session (hit): the next message from the
			 * server is (NewSessionTicket, then) Finished, so the
			 * Certificate / KeyExchange / CertificateRequest states
			 * are not visited. A full handshake goes on to the
			 * Certificate (TLS) or HelloVerifyRequest (DTLS) state.
			 */
			if (s->internal->hit) {
				s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
				if (!SSL_is_dtls(s)) {
					if (s->internal->tlsext_ticket_expected) {
						/* receive renewed session ticket */
						s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
					}

					/* No client certificate verification. */
					tls1_transcript_free(s);
				}
			} else if (SSL_is_dtls(s)) {
				s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
			} else {
				s->s3->hs.state = SSL3_ST_CR_CERT_A;
			}
			s->internal->init_num = 0;
			break;

		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
			ret = ssl3_get_dtls_hello_verify(s);
			if (ret <= 0)
				goto end;
			dtls1_stop_timer(s);
			if (s->d1->send_cookie) /* start again, with a cookie */
				s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
			else
				s->s3->hs.state = SSL3_ST_CR_CERT_A;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_CERT_A:
		case SSL3_ST_CR_CERT_B:
			/*
			 * ssl3_check_finished() returning 2 is treated as the
			 * server resuming the session after all: mark a hit
			 * and expect (NewSessionTicket, then) Finished rather
			 * than a Certificate.
			 */
			ret = ssl3_check_finished(s);
			if (ret <= 0)
				goto end;
			if (ret == 2) {
				s->internal->hit = 1;
				if (s->internal->tlsext_ticket_expected)
					s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
				else
					s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
				s->internal->init_num = 0;
				break;
			}
			/* Check if it is anon DH/ECDH. */
			if (!(s->s3->hs.cipher->algorithm_auth &
			    SSL_aNULL)) {
				ret = ssl3_get_server_certificate(s);
				if (ret <= 0)
					goto end;
				if (s->internal->tlsext_status_expected)
					s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
				else
					s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
			} else {
				/*
				 * Anonymous suite: no Certificate message is
				 * read here, so flag the step as a no-op for
				 * the connect-loop callback below.
				 */
				skip = 1;
				s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
			}
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_KEY_EXCH_A:
		case SSL3_ST_CR_KEY_EXCH_B:
			ret = ssl3_get_server_key_exchange(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
			s->internal->init_num = 0;

			/*
			 * At this point we check that we have the
			 * required stuff from the server.
			 */
			if (!ssl3_check_cert_and_algorithm(s)) {
				ret = -1;
				goto end;
			}
			break;

		case SSL3_ST_CR_CERT_REQ_A:
		case SSL3_ST_CR_CERT_REQ_B:
			ret = ssl3_get_certificate_request(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_SRVR_DONE_A:
		case SSL3_ST_CR_SRVR_DONE_B:
			ret = ssl3_get_server_done(s);
			if (ret <= 0)
				goto end;
			if (SSL_is_dtls(s))
				dtls1_stop_timer(s);
			/*
			 * The client's first flight starts with a Certificate
			 * only if the server asked for one.
			 */
			if (s->s3->hs.tls12.cert_request)
				s->s3->hs.state = SSL3_ST_CW_CERT_A;
			else
				s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
			s->internal->init_num = 0;

			break;

		case SSL3_ST_CW_CERT_A:
		case SSL3_ST_CW_CERT_B:
		case SSL3_ST_CW_CERT_C:
		case SSL3_ST_CW_CERT_D:
			if (SSL_is_dtls(s))
				dtls1_start_timer(s);
			ret = ssl3_send_client_certificate(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CW_KEY_EXCH_A:
		case SSL3_ST_CW_KEY_EXCH_B:
			if (SSL_is_dtls(s))
				dtls1_start_timer(s);
			ret = ssl3_send_client_key_exchange(s);
			if (ret <= 0)
				goto end;
			/*
			 * EAY EAY EAY need to check for DH fix cert
			 * sent back
			 */
			/*
			 * For TLS, cert_req is set to 2, so a cert chain
			 * of nothing is sent, but no verify packet is sent
			 */
			/*
			 * XXX: For now, we do not support client
			 * authentication in ECDH cipher suites with
			 * ECDH (rather than ECDSA) certificates.
			 * We need to skip the certificate verify
			 * message when client's ECDH public key is sent
			 * inside the client certificate.
			 */
			/*
			 * cert_request == 1: a certificate was requested and
			 * sent, so CertificateVerify follows. Any other value
			 * (see the note above about 2) goes straight to
			 * ChangeCipherSpec; TLS1_FLAGS_SKIP_CERT_VERIFY forces
			 * the same for TLS.
			 */
			if (s->s3->hs.tls12.cert_request == 1) {
				s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
			} else {
				s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
				s->s3->change_cipher_spec = 0;
			}
			if (!SSL_is_dtls(s)) {
				if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
					s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
					s->s3->change_cipher_spec = 0;
				}
			}

			s->internal->init_num = 0;
			break;

		case SSL3_ST_CW_CERT_VRFY_A:
		case SSL3_ST_CW_CERT_VRFY_B:
			if (SSL_is_dtls(s))
				dtls1_start_timer(s);
			ret = ssl3_send_client_verify(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
			s->internal->init_num = 0;
			s->s3->change_cipher_spec = 0;
			break;

		case SSL3_ST_CW_CHANGE_A:
		case SSL3_ST_CW_CHANGE_B:
			if (SSL_is_dtls(s) && !s->internal->hit)
				dtls1_start_timer(s);
			ret = ssl3_send_change_cipher_spec(s,
			    SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
			if (ret <= 0)
				goto end;

			s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
			s->internal->init_num = 0;
			/*
			 * Commit the negotiated cipher to the session before
			 * the key block is derived and the write side switches
			 * to the new cipher state.
			 */
			s->session->cipher = s->s3->hs.cipher;

			if (!tls1_setup_key_block(s)) {
				ret = -1;
				goto end;
			}
			if (!tls1_change_write_cipher_state(s)) {
				ret = -1;
				goto end;
			}
			break;

		case SSL3_ST_CW_FINISHED_A:
		case SSL3_ST_CW_FINISHED_B:
			if (SSL_is_dtls(s) && !s->internal->hit)
				dtls1_start_timer(s);
			ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
			    SSL3_ST_CW_FINISHED_B);
			if (ret <= 0)
				goto end;
			/*
			 * Our Finished is out, so a ChangeCipherSpec from the
			 * peer is now expected; the flag is presumably consumed
			 * by the record layer, which is outside this file.
			 */
			if (!SSL_is_dtls(s))
				s->s3->flags |= SSL3_FLAGS_CCS_OK;
			s->s3->hs.state = SSL3_ST_CW_FLUSH;

			/* clear flags */
			/*
			 * After the flush: a resumed handshake is complete,
			 * a full one still has the server's (ticket and)
			 * Finished to read.
			 */
			if (s->internal->hit) {
				s->s3->hs.tls12.next_state = SSL_ST_OK;
			} else {
				/* Allow NewSessionTicket if ticket expected */
				if (s->internal->tlsext_ticket_expected)
					s->s3->hs.tls12.next_state =
					    SSL3_ST_CR_SESSION_TICKET_A;
				else
					s->s3->hs.tls12.next_state =
					    SSL3_ST_CR_FINISHED_A;
			}
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_SESSION_TICKET_A:
		case SSL3_ST_CR_SESSION_TICKET_B:
			ret = ssl3_get_new_session_ticket(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_CERT_STATUS_A:
		case SSL3_ST_CR_CERT_STATUS_B:
			ret = ssl3_get_cert_status(s);
			if (ret <= 0)
				goto end;
			s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CR_FINISHED_A:
		case SSL3_ST_CR_FINISHED_B:
			/*
			 * The peer's ChangeCipherSpec precedes its Finished;
			 * permit it now (DTLS keeps its own flag in s->d1).
			 */
			if (SSL_is_dtls(s))
				s->d1->change_cipher_spec_ok = 1;
			else
				s->s3->flags |= SSL3_FLAGS_CCS_OK;
			ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
			    SSL3_ST_CR_FINISHED_B);
			if (ret <= 0)
				goto end;
			if (SSL_is_dtls(s))
				dtls1_stop_timer(s);

			/*
			 * On resumption the server's Finished comes first and
			 * ours is still owed; on a full handshake it was the
			 * last message.
			 */
			if (s->internal->hit)
				s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
			else
				s->s3->hs.state = SSL_ST_OK;
			s->internal->init_num = 0;
			break;

		case SSL3_ST_CW_FLUSH:
			/*
			 * Push buffered output to the transport. On failure
			 * -1 is returned either way; TLS stays in this state
			 * so the next call retries the flush, while DTLS moves
			 * on to next_state once the error is not retryable.
			 */
			s->internal->rwstate = SSL_WRITING;
			if (BIO_flush(s->wbio) <= 0) {
				if (SSL_is_dtls(s)) {
					/* If the write error was fatal, stop trying */
					if (!BIO_should_retry(s->wbio)) {
						s->internal->rwstate = SSL_NOTHING;
						s->s3->hs.state = s->s3->hs.tls12.next_state;
					}
				}
				ret = -1;
				goto end;
			}
			s->internal->rwstate = SSL_NOTHING;
			s->s3->hs.state = s->s3->hs.tls12.next_state;
			break;

		case SSL_ST_OK:
			/* clean a few things up */
			tls1_cleanup_key_block(s);

			/*
			 * Every completed path is expected to have released
			 * the handshake transcript by now; one still being
			 * kept means an unexpected path was taken.
			 */
			if (s->s3->handshake_transcript != NULL) {
				SSLerror(s, ERR_R_INTERNAL_ERROR);
				ret = -1;
				goto end;
			}

			if (!SSL_is_dtls(s))
				ssl3_release_init_buffer(s);

			ssl_free_wbio_buffer(s);

			s->internal->init_num = 0;
			s->internal->renegotiate = 0;
			s->internal->new_session = 0;

			ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
			if (s->internal->hit)
				s->ctx->internal->stats.sess_hit++;

			ret = 1;
			/* s->server=0; */
			s->internal->handshake_func = ssl3_connect;
			s->ctx->internal->stats.sess_connect_good++;

			ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);

			if (SSL_is_dtls(s)) {
				/* done with handshaking */
				s->d1->handshake_read_seq = 0;
				s->d1->next_handshake_write_seq = 0;
			}

			goto end;
			/* break; */

		default:
			SSLerror(s, SSL_R_UNKNOWN_STATE);
			ret = -1;
			goto end;
			/* break; */
		}

		/* did we do anything */
		if (!s->s3->hs.tls12.reuse_message && !skip) {
			if (s->internal->debug) {
				if ((ret = BIO_flush(s->wbio)) <= 0)
					goto end;
			}

			/*
			 * Report the transition with the entry state
			 * temporarily restored, so the callback observes the
			 * state that was just completed, not the next one.
			 */
			if (s->s3->hs.state != state) {
				new_state = s->s3->hs.state;
				s->s3->hs.state = state;
				ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
				s->s3->hs.state = new_state;
			}
		}
		skip = 0;
	}

 end:
	s->internal->in_handshake--;
	ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret);

	return (ret);
}
64272c33676SMaxim Ag
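/*
 * Build and send a ClientHello.
 *
 * On the first pass (state SSL3_ST_CW_CLNT_HELLO_A) the message is
 * serialised into the handshake buffer: legacy version, client random,
 * session ID (when resuming), the DTLS cookie (when a HelloVerifyRequest
 * has been answered), cipher suites, the single null compression method
 * and the TLS extensions. The state then advances to
 * SSL3_ST_CW_CLNT_HELLO_B and the buffered message is written out; a
 * re-entry in state _B skips straight to the write.
 *
 * Returns whatever ssl3_handshake_write() returns once the message is
 * built, or -1 if the message could not be constructed (the CBB is
 * released on every construction failure).
 */
int
ssl3_send_client_hello(SSL *s)
{
	CBB cbb, client_hello, session_id, cookie, cipher_suites;
	CBB compression_methods;
	uint16_t max_version;
	size_t sl;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
		SSL_SESSION *sess = s->session;

		if (!ssl_max_supported_version(s, &max_version)) {
			SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
			return (-1);
		}
		s->version = max_version;

		/*
		 * Only offer resumption when the existing session matches the
		 * version we are about to advertise and carries either a
		 * session ID or a ticket; otherwise start a fresh session.
		 */
		if (sess == NULL || sess->ssl_version != s->version ||
		    (sess->session_id_length == 0 && sess->tlsext_tick == NULL) ||
		    sess->not_resumable) {
			if (!ssl_get_new_session(s, 0))
				goto err;
		}
		/* else use the pre-loaded session */

		/*
		 * If a DTLS ClientHello message is being resent after a
		 * HelloVerifyRequest, we must retain the original client
		 * random value.
		 */
		if (!SSL_is_dtls(s) || s->d1->send_cookie == 0)
			arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);

		if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
		    SSL3_MT_CLIENT_HELLO))
			goto err;

		if (!CBB_add_u16(&client_hello, s->version))
			goto err;

		/* Random stuff */
		if (!CBB_add_bytes(&client_hello, s->s3->client_random,
		    sizeof(s->s3->client_random)))
			goto err;

		/* Session ID */
		if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
			goto err;
		if (!s->internal->new_session &&
		    s->session->session_id_length > 0) {
			sl = s->session->session_id_length;
			/* A length beyond the backing array is a local bug. */
			if (sl > sizeof(s->session->session_id)) {
				SSLerror(s, ERR_R_INTERNAL_ERROR);
				goto err;
			}
			if (!CBB_add_bytes(&session_id,
			    s->session->session_id, sl))
				goto err;
		}

		/* DTLS Cookie. */
		if (SSL_is_dtls(s)) {
			if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
				SSLerror(s, ERR_R_INTERNAL_ERROR);
				goto err;
			}
			if (!CBB_add_u8_length_prefixed(&client_hello, &cookie))
				goto err;
			if (!CBB_add_bytes(&cookie, s->d1->cookie,
			    s->d1->cookie_len))
				goto err;
		}

		/* Ciphers supported */
		if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
			goto err;	/* not "return 0": cbb must be released */
		if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
		    &cipher_suites)) {
			SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
			goto err;
		}

		/* Add in compression methods (null) */
		if (!CBB_add_u8_length_prefixed(&client_hello,
		    &compression_methods))
			goto err;
		if (!CBB_add_u8(&compression_methods, 0))
			goto err;

		/* TLS extensions */
		if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
	}

	/* SSL3_ST_CW_CLNT_HELLO_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}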
75472c33676SMaxim Ag
/*
 * Read an optional DTLS HelloVerifyRequest.
 *
 * If the next handshake message is not a HelloVerifyRequest it is left in
 * place (reuse_message) for the following handler and no cookie will be
 * sent. A HelloVerifyRequest carries a version and a cookie; the cookie is
 * copied into s->d1 and send_cookie is raised so the ClientHello is
 * re-sent with it.
 *
 * Returns 1 on success (whether or not a HelloVerifyRequest was present),
 * <= 0 as returned by ssl3_get_message() while the message is incomplete,
 * and -1 after sending a fatal alert for a malformed message, an
 * unexpected version, or a cookie longer than s->d1->cookie.
 */
int
ssl3_get_dtls_hello_verify(SSL *s)
{
	CBS hvr, cookie;
	size_t cookie_len;
	uint16_t hvr_version;
	int al = SSL_AD_DECODE_ERROR;	/* default alert for parse failures */
	int ret;

	ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
	    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list);
	if (ret <= 0)
		return ret;

	/* Some other message: hand it on, nothing to echo back. */
	if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
		s->d1->send_cookie = 0;
		s->s3->hs.tls12.reuse_message = 1;
		return (1);
	}

	if (s->internal->init_num < 0)
		goto fatal_err;

	CBS_init(&hvr, s->internal->init_msg, s->internal->init_num);

	/* HelloVerifyRequest is exactly: version(2) || cookie<0..2^8-1>. */
	if (!CBS_get_u16(&hvr, &hvr_version) ||
	    !CBS_get_u8_length_prefixed(&hvr, &cookie) ||
	    CBS_len(&hvr) != 0)
		goto fatal_err;

	/*
	 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always
	 * contain DTLSv1.0 the version that is going to be negotiated.
	 * Tolerate DTLSv1.2 just in case.
	 */
	switch (hvr_version) {
	case DTLS1_VERSION:
	case DTLS1_2_VERSION:
		break;
	default:
		SSLerror(s, SSL_R_WRONG_SSL_VERSION);
		/* Adopt the peer's minor version before the alert goes out. */
		s->version = (s->version & 0xff00) | (hvr_version & 0xff);
		al = SSL_AD_PROTOCOL_VERSION;
		goto fatal_err;
	}

	/* Copy fails (and the stored length is reset) if the cookie is too long. */
	if (!CBS_write_bytes(&cookie, s->d1->cookie, sizeof(s->d1->cookie),
	    &cookie_len)) {
		s->d1->cookie_len = 0;
		al = SSL_AD_ILLEGAL_PARAMETER;
		goto fatal_err;
	}
	s->d1->cookie_len = cookie_len;
	s->d1->send_cookie = 1;

	return 1;

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
	return -1;
}
815*de0e0e4dSAntonio Huete Jimenez
/*
 * Read and validate the ServerHello.
 *
 * Parses the legacy version, server random, session ID, cipher suite,
 * compression method and extensions, and updates the handshake state as
 * it goes: s->version and s->method, the negotiated TLS version, whether
 * this is a resumption (s->internal->hit), the session's cipher and the
 * transcript hash. Also enforces the RFC 8446 downgrade sentinels in the
 * server random and the secure-renegotiation requirement.
 *
 * Returns 1 on success, <= 0 from ssl3_get_message() while the message is
 * not yet complete, and -1 on failure. Protocol violations send a fatal
 * alert (fatal_err / decode_err); internal and allocation failures return
 * without one (err).
 */
int
ssl3_get_server_hello(SSL *s)
{
	CBS cbs, server_random, session_id;
	uint16_t server_version, cipher_suite;
	uint8_t compression_method;
	const SSL_CIPHER *cipher;
	const SSL_METHOD *method;
	unsigned long alg_k;
	int al, ret;

	/* first_packet is raised only for this read; its consumers are outside this view. */
	s->internal->first_packet = 1;
	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
	    SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0)
		return ret;
	s->internal->first_packet = 0;

	if (s->internal->init_num < 0)
		goto decode_err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	if (SSL_is_dtls(s)) {
		/*
		 * A HelloVerifyRequest is only acceptable here if we have not
		 * already answered one with a cookie; it is then left in
		 * place (reuse_message) for the HelloVerifyRequest handler.
		 */
		if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
			if (s->d1->send_cookie == 0) {
				s->s3->hs.tls12.reuse_message = 1;
				return (1);
			} else {
				/* Already sent a cookie. */
				al = SSL_AD_UNEXPECTED_MESSAGE;
				SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
				goto fatal_err;
			}
		}
	}

	if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
		goto fatal_err;
	}

	if (!CBS_get_u16(&cbs, &server_version))
		goto decode_err;

	if (!ssl_check_version_from_server(s, server_version)) {
		SSLerror(s, SSL_R_WRONG_SSL_VERSION);
		/*
		 * Adopt the server's minor version before aborting -
		 * presumably so the alert record carries it; confirm
		 * against the record layer.
		 */
		s->version = (s->version & 0xff00) | (server_version & 0xff);
		al = SSL_AD_PROTOCOL_VERSION;
		goto fatal_err;
	}
	s->s3->hs.peer_legacy_version = server_version;
	s->version = server_version;

	/*
	 * The version was accepted above, so a zero here is treated as an
	 * internal inconsistency (no alert) rather than a peer error.
	 */
	s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
	if (s->s3->hs.negotiated_tls_version == 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if ((method = ssl_get_method(server_version)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	s->method = method;

	/* Server random. */
	if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
		goto decode_err;
	if (!CBS_write_bytes(&server_random, s->s3->server_random,
	    sizeof(s->s3->server_random), NULL))
		goto err;

	/*
	 * Downgrade protection applies only when we offered TLS 1.2 or
	 * later and the server chose something below our maximum.
	 */
	if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
	    s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
		/*
		 * RFC 8446 section 4.1.3. We must not downgrade if the server
		 * random value contains the TLS 1.2 or TLS 1.1 magical value.
		 *
		 * NOTE(review): the skip uses sizeof(tls13_downgrade_12) for
		 * both comparisons, so this assumes both sentinels have the
		 * same length - confirm where they are defined.
		 */
		if (!CBS_skip(&server_random,
		    CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
			goto err;
		/* The TLS 1.2 sentinel only matters if TLS 1.2 was negotiated. */
		if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
		    CBS_mem_equal(&server_random, tls13_downgrade_12,
		    sizeof(tls13_downgrade_12))) {
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
			goto fatal_err;
		}
		/* The TLS 1.1-or-below sentinel is rejected for any negotiated version here. */
		if (CBS_mem_equal(&server_random, tls13_downgrade_11,
		    sizeof(tls13_downgrade_11))) {
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
			goto fatal_err;
		}
	}

	/* Session ID. */
	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
		goto decode_err;

	if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
		goto fatal_err;
	}

	/* Cipher suite. */
	if (!CBS_get_u16(&cbs, &cipher_suite))
		goto decode_err;

	/*
	 * Check if we want to resume the session based on external
	 * pre-shared secret.
	 */
	if (s->internal->tls_session_secret_cb != NULL) {
		SSL_CIPHER *pref_cipher = NULL;
		int master_key_length = sizeof(s->session->master_key);

		/*
		 * The callback receives the master_key buffer and its size
		 * and reports the length it filled in.
		 */
		if (!s->internal->tls_session_secret_cb(s,
		    s->session->master_key, &master_key_length, NULL,
		    &pref_cipher, s->internal->tls_session_secret_cb_arg)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		/*
		 * NOTE(review): only a lower bound is enforced; a callback
		 * reporting a length above sizeof(master_key) is trusted
		 * as-is. Confirm the callback contract guarantees the bound.
		 */
		if (master_key_length <= 0) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		s->session->master_key_length = master_key_length;

		/* Use the callback's preferred cipher, else the one the server chose. */
		if ((s->session->cipher = pref_cipher) == NULL)
			s->session->cipher =
			    ssl3_get_cipher_by_value(cipher_suite);
		s->s3->flags |= SSL3_FLAGS_CCS_OK;
	}

	/*
	 * The server echoed our session ID: this is a resumption, provided
	 * the session was created under the same sid_ctx.
	 */
	if (s->session->session_id_length != 0 &&
	    CBS_mem_equal(&session_id, s->session->session_id,
	    s->session->session_id_length)) {
		if (s->sid_ctx_length != s->session->sid_ctx_length ||
		    timingsafe_memcmp(s->session->sid_ctx,
		    s->sid_ctx, s->sid_ctx_length) != 0) {
			/* actually a client application bug */
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
			goto fatal_err;
		}
		/* CCS_OK: the abbreviated handshake may proceed straight to CCS (consumed outside this view). */
		s->s3->flags |= SSL3_FLAGS_CCS_OK;
		s->internal->hit = 1;
	} else {
		/* a miss or crap from the other end */

		/* If we were trying for session-id reuse, make a new
		 * SSL_SESSION so we don't stuff up other people */
		s->internal->hit = 0;
		if (s->session->session_id_length > 0) {
			if (!ssl_get_new_session(s, 0)) {
				al = SSL_AD_INTERNAL_ERROR;
				goto fatal_err;
			}
		}

		/*
		 * XXX - improve the handling for the case where there is a
		 * zero length session identifier.
		 */
		if (!CBS_write_bytes(&session_id, s->session->session_id,
		    sizeof(s->session->session_id),
		    &s->session->session_id_length))
			goto err;

		s->session->ssl_version = s->version;
	}

	if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED);
		goto fatal_err;
	}

	/* TLS v1.2 only ciphersuites require v1.2 or later. */
	if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
	    s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
		goto fatal_err;
	}

	if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
		/* we did not say we would use this cipher */
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
		goto fatal_err;
	}

	/*
	 * Depending on the session caching (internal/external), the cipher
	 * and/or cipher_id values may not be set. Make sure that
	 * cipher_id is set and use it for comparison.
	 */
	if (s->session->cipher)
		s->session->cipher_id = s->session->cipher->id;
	/* On resumption the server must return the session's original cipher. */
	if (s->internal->hit && (s->session->cipher_id != cipher->id)) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
		goto fatal_err;
	}
	s->s3->hs.cipher = cipher;

	if (!tls1_transcript_hash_init(s))
		goto err;

	/*
	 * Don't digest cached records if no sigalgs: we may need them for
	 * client authentication.
	 */
	alg_k = s->s3->hs.cipher->algorithm_mkey;
	if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
		tls1_transcript_free(s);

	if (!CBS_get_u8(&cbs, &compression_method))
		goto decode_err;

	/* Only the null compression method (0) is ever offered or accepted. */
	if (compression_method != 0) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
		goto fatal_err;
	}

	/* The extension parser chooses the alert (al) on failure. */
	if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
		SSLerror(s, SSL_R_PARSE_TLSEXT);
		goto fatal_err;
	}

	/* Trailing data after the extensions is a malformed message. */
	if (CBS_len(&cbs) != 0)
		goto decode_err;

	/*
	 * Determine if we need to see RI. Strictly speaking if we want to
	 * avoid an attack we should *always* see RI even on initial server
	 * hello because the client doesn't see any renegotiation during an
	 * attack. However this would mean we could not connect to any server
	 * which doesn't support RI so for the immediate future tolerate RI
	 * absence on initial connect only.
	 */
	if (!s->s3->renegotiate_seen &&
	    !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		goto fatal_err;
	}

	if (ssl_check_serverhello_tlsext(s) <= 0) {
		SSLerror(s, SSL_R_SERVERHELLO_TLSEXT);
		goto err;
	}

	return (1);

 decode_err:
	/* wrong packet length */
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	return (-1);
}
108572c33676SMaxim Ag
/*
 * Read the server's Certificate message.
 *
 * A server that sends ServerKeyExchange instead has no certificate; that
 * message is left in place (reuse_message) and 1 is returned. Otherwise
 * the message must be a Certificate holding a non-empty, 24-bit length
 * prefixed list of DER certificates, each of which is parsed with
 * d2i_X509() and must consume its entry exactly. The chain is verified
 * (a failure is fatal unless verify_mode is SSL_VERIFY_NONE), the verify
 * result is stored on the session, and the chain is handed to
 * tls_process_peer_certs().
 *
 * Returns 1 on success, <= 0 as returned by ssl3_get_message() while the
 * message is incomplete, and -1 on error. A fatal alert is sent for
 * unexpected messages, decode failures, unparsable certificates and
 * verification failures; allocation failures return without one. Every
 * certificate allocated here is released on all paths.
 */
int
ssl3_get_server_certificate(SSL *s)
{
	CBS msg, chain, entry;
	STACK_OF(X509) *chain_certs = NULL;
	X509 *x = NULL;
	const uint8_t *der;
	int al, ret;

	ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1,
	    s->internal->max_cert_list);
	if (ret <= 0)
		return ret;

	/* Every path below other than the two early returns fails unless set to 1. */
	ret = -1;

	if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
		s->s3->hs.tls12.reuse_message = 1;
		return (1);
	}

	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
		goto fatal_err;
	}

	if ((chain_certs = sk_X509_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto out;
	}

	if (s->internal->init_num < 0)
		goto decode_err;

	CBS_init(&msg, s->internal->init_msg, s->internal->init_num);

	/* The message is exactly one certificate_list<0..2^24-1>. */
	if (!CBS_get_u24_length_prefixed(&msg, &chain) || CBS_len(&msg) != 0)
		goto decode_err;

	while (CBS_len(&chain) != 0) {
		if (!CBS_get_u24_length_prefixed(&chain, &entry))
			goto decode_err;
		der = CBS_data(&entry);
		x = d2i_X509(NULL, &der, CBS_len(&entry));
		if (x == NULL) {
			al = SSL_AD_BAD_CERTIFICATE;
			SSLerror(s, ERR_R_ASN1_LIB);
			goto fatal_err;
		}
		/* The DER object must fill its entry exactly: no trailing bytes. */
		if (der != CBS_data(&entry) + CBS_len(&entry))
			goto decode_err;
		if (!sk_X509_push(chain_certs, x)) {
			SSLerror(s, ERR_R_MALLOC_FAILURE);
			goto out;
		}
		x = NULL;	/* now owned by chain_certs */
	}

	/* A server must always provide a non-empty certificate list. */
	if (sk_X509_num(chain_certs) < 1) {
		SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
		goto decode_err;
	}

	if (ssl_verify_cert_chain(s, chain_certs) <= 0 &&
	    s->verify_mode != SSL_VERIFY_NONE) {
		al = ssl_verify_alarm_type(s->verify_result);
		SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
		goto fatal_err;
	}
	s->session->verify_result = s->verify_result;
	/* Likely discards errors queued by a verification failure tolerated under SSL_VERIFY_NONE. */
	ERR_clear_error();

	if (!tls_process_peer_certs(s, chain_certs))
		goto out;

	ret = 1;
	goto out;

 decode_err:
	/* wrong packet length */
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 out:
	sk_X509_pop_free(chain_certs, X509_free);
	X509_free(x);

	return (ret);
}
117972c33676SMaxim Ag
/*
 * Parse the DHE portion of a ServerKeyExchange from cbs.
 *
 * Any existing key share is discarded and replaced with a fresh DH one,
 * then the peer's parameters and public value are read from cbs. Note the
 * ordering: both fields are read before either validity flag is examined,
 * so a malformed public value is reported as a decode error even when the
 * parameters were already found invalid. Finally the key share must pass
 * tls_key_share_peer_security() (reported as DH key too small).
 *
 * Returns 1 on success, 0 on failure. A fatal alert is sent for decode
 * errors, invalid parameters or keys, and insufficient key strength;
 * allocation failure and non-decode parse failures return 0 silently.
 */
static int
ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
{
	int decode_error, invalid_params, invalid_key;

	tls_key_share_free(s->s3->hs.key_share);
	s->s3->hs.key_share = tls_key_share_new_nid(NID_dhKeyAgreement);
	if (s->s3->hs.key_share == NULL)
		return 0;

	if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
	    &decode_error, &invalid_params)) {
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		return 0;
	}
	if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
	    &decode_error, &invalid_key)) {
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		return 0;
	}

	if (invalid_params) {
		SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		return 0;
	}
	if (invalid_key) {
		SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		return 0;
	}

	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	return 1;
}
122972c33676SMaxim Ag
/*
 * Parse the ECDHE portion of a ServerKeyExchange from cbs.
 *
 * Reads the curve type, group ID and length-prefixed public value. Only
 * named curves (NAMED_CURVE_TYPE) are supported, and the group must be
 * one we offered (tls1_check_group()), otherwise the server has chosen an
 * invalid group. A fresh key share for the group replaces any existing
 * one before the peer's public value is loaded into it.
 *
 * Returns 1 on success, 0 on failure. A fatal alert is sent for decode
 * errors, an unsupported curve type and a wrong group; allocation failure
 * and a non-decode rejection of the public value return 0 silently.
 */
static int
ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
{
	CBS peer_public;
	uint16_t group_id;
	uint8_t curve_type;
	int decode_error;

	if (!CBS_get_u8(cbs, &curve_type) || !CBS_get_u16(cbs, &group_id))
		goto decode_err;

	/* Only named curves are supported. */
	if (curve_type != NAMED_CURVE_TYPE) {
		SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	if (!CBS_get_u8_length_prefixed(cbs, &peer_public))
		goto decode_err;

	/*
	 * Check that the group is one of our preferences - if it is not,
	 * the server has sent us an invalid group.
	 */
	if (!tls1_check_group(s, group_id)) {
		SSLerror(s, SSL_R_WRONG_CURVE);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		return 0;
	}

	tls_key_share_free(s->s3->hs.key_share);
	s->s3->hs.key_share = tls_key_share_new(group_id);
	if (s->s3->hs.key_share == NULL)
		return 0;

	if (!tls_key_share_peer_public(s->s3->hs.key_share, &peer_public,
	    &decode_error, NULL)) {
		/* Only a malformed encoding gets a decode alert. */
		if (!decode_error)
			return 0;
		goto decode_err;
	}

	return 1;

 decode_err:
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
	return 0;
}
128272c33676SMaxim Ag
/*
 * Process a ServerKeyExchange message, or note that it was omitted.
 *
 * The next handshake message is read with the same size limit as
 * ssl3_get_certificate_request(), since this message may be skipped.
 * If it is not a ServerKeyExchange, the message is handed back for the
 * next state (reuse_message) and 1 is returned - unless the cipher suite
 * uses ephemeral DHE/ECDHE, where the message is mandatory and an
 * unexpected_message alert is sent instead. Otherwise the key exchange
 * parameters are parsed by the DHE/ECDHE helper and, for non-anonymous
 * suites, the signature over client_random || server_random || params is
 * verified with the public key of the peer certificate (RSA or ECDSA,
 * matched against the suite's authentication algorithm). The signature
 * algorithm chosen for the peer is recorded in s->s3->hs.peer_sigalg.
 *
 * Returns 1 on success, -1 on failure (a fatal alert is sent on the
 * decode, parameter and signature failure paths; allocation and EVP
 * failures return -1 without one), or the ssl3_get_message() result
 * (<= 0) when no message could be read.
 */
int
ssl3_get_server_key_exchange(SSL *s)
{
	CBS cbs, signature;
	EVP_MD_CTX *md_ctx;
	const unsigned char *param;
	size_t param_len;
	long alg_k, alg_a;
	int al, ret;

	alg_k = s->s3->hs.cipher->algorithm_mkey;
	alg_a = s->s3->hs.cipher->algorithm_auth;

	/*
	 * Use same message size as in ssl3_get_certificate_request()
	 * as ServerKeyExchange message may be skipped.
	 */
	if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
	    SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list)) <= 0)
		return ret;

	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	/* init_num is signed; a negative length must never reach CBS_init. */
	if (s->internal->init_num < 0)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
		/*
		 * Do not skip server key exchange if this cipher suite uses
		 * ephemeral keys.
		 */
		if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
			SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
			al = SSL_AD_UNEXPECTED_MESSAGE;
			goto fatal_err;
		}

		/* Leave the message for the next handshake state. */
		s->s3->hs.tls12.reuse_message = 1;
		EVP_MD_CTX_free(md_ctx);
		return (1);
	}

	/*
	 * Remember where the parameters begin; the signed span is
	 * everything the key exchange helper consumes from here.
	 */
	param = CBS_data(&cbs);
	param_len = CBS_len(&cbs);

	if (alg_k & SSL_kDHE) {
		if (!ssl3_get_server_kex_dhe(s, &cbs))
			goto err;
	} else if (alg_k & SSL_kECDHE) {
		if (!ssl3_get_server_kex_ecdhe(s, &cbs))
			goto err;
	} else if (alg_k != 0) {
		/* No other key exchange method carries a ServerKeyExchange. */
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
		goto fatal_err;
	}

	/* Shrink the span to exactly the bytes the helper consumed. */
	param_len -= CBS_len(&cbs);

	/* if it was signed, check the signature */
	if ((alg_a & SSL_aNULL) == 0) {
		uint16_t sigalg_value = SIGALG_NONE;
		const struct ssl_sigalg *sigalg;
		EVP_PKEY_CTX *pctx;
		EVP_PKEY *pkey = NULL;

		/*
		 * The verification key is the peer certificate's public key;
		 * it must match both the suite's authentication algorithm
		 * and the certificate's key type.
		 */
		if ((alg_a & SSL_aRSA) != 0 &&
		    s->session->peer_cert_type == SSL_PKEY_RSA) {
			pkey = X509_get0_pubkey(s->session->peer_cert);
		} else if ((alg_a & SSL_aECDSA) != 0 &&
		    s->session->peer_cert_type == SSL_PKEY_ECC) {
			pkey = X509_get0_pubkey(s->session->peer_cert);
		}
		if (pkey == NULL) {
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
			goto fatal_err;
		}

		/*
		 * With signature algorithms in use (TLS 1.2) an explicit
		 * SignatureAndHashAlgorithm precedes the signature;
		 * otherwise sigalg_value stays SIGALG_NONE.
		 */
		if (SSL_USE_SIGALGS(s)) {
			if (!CBS_get_u16(&cbs, &sigalg_value))
				goto decode_err;
		}
		if (!CBS_get_u16_length_prefixed(&cbs, &signature))
			goto decode_err;
		/* A signature longer than the key's output size cannot be valid. */
		if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
			al = SSL_AD_DECODE_ERROR;
			SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
			goto fatal_err;
		}

		/*
		 * Map the advertised algorithm (or SIGALG_NONE) to one we
		 * accept for this key; anything else is rejected.
		 */
		if ((sigalg = ssl_sigalg_for_peer(s, pkey,
		    sigalg_value)) == NULL) {
			al = SSL_AD_DECODE_ERROR;
			goto fatal_err;
		}
		s->s3->hs.peer_sigalg = sigalg;

		/*
		 * Verify over client_random || server_random || params.
		 * The RSA-PSS setup between the two random updates only
		 * configures pctx; it does not change what is digested.
		 */
		if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
		    NULL, pkey))
			goto err;
		if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random,
		    SSL3_RANDOM_SIZE))
			goto err;
		/* RSA-PSS: select PSS padding; -1 requests a digest-length salt. */
		if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
		    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
		    RSA_PKCS1_PSS_PADDING) ||
		    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
			goto err;
		if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random,
		    SSL3_RANDOM_SIZE))
			goto err;
		if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len))
			goto err;
		/* A bad signature is a decrypt_error alert, not a decode error. */
		if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature),
		    CBS_len(&signature)) <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_SIGNATURE);
			goto fatal_err;
		}
	}

	/* Nothing may follow the signature (or the params, for anon suites). */
	if (CBS_len(&cbs) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
		goto fatal_err;
	}

	EVP_MD_CTX_free(md_ctx);

	return (1);

 decode_err:
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);

 err:
	EVP_MD_CTX_free(md_ctx);

	return (-1);
}
143072c33676SMaxim Ag
/*
 * Process an optional CertificateRequest message.
 *
 * If the next message is ServerHelloDone the server is not asking for
 * client authentication: the message is left for the next state, the
 * cached handshake transcript is released and 1 is returned. Otherwise
 * the message must be a CertificateRequest on a non-anonymous suite. It
 * is parsed as: a u8-length-prefixed certificate types list (consumed
 * for framing only), with signature algorithms a u16-length-prefixed
 * list of supported signature algorithms (stowed into s->s3->hs.sigalgs)
 * and a u16-length-prefixed list of DER-encoded CA distinguished names,
 * each decoded and collected into s->s3->hs.tls12.ca_names. On success
 * s->s3->hs.tls12.cert_request is set to 1.
 *
 * Returns 1 on success, 0 on failure (a fatal alert is sent on most, but
 * not all, decode failures) or the ssl3_get_message() result (<= 0) when
 * no message could be read.
 */
int
ssl3_get_certificate_request(SSL *s)
{
	CBS cert_request, cert_types, rdn_list;
	X509_NAME *xn = NULL;
	const unsigned char *q;
	STACK_OF(X509_NAME) *ca_sk = NULL;
	int ret;

	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A,
	    SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list)) <= 0)
		return ret;

	/* From here on 0 is the failure return. */
	ret = 0;

	s->s3->hs.tls12.cert_request = 0;

	if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
		s->s3->hs.tls12.reuse_message = 1;
		/*
		 * If we get here we don't need any cached handshake records
		 * as we wont be doing client auth.
		 */
		tls1_transcript_free(s);
		return (1);
	}

	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
		SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
		goto err;
	}

	/* TLS does not like anon-DH with client cert */
	if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
		SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
		goto err;
	}

	/* init_num is signed; a negative length must never reach CBS_init. */
	if (s->internal->init_num < 0)
		goto decode_err;
	CBS_init(&cert_request, s->internal->init_msg, s->internal->init_num);

	/* ca_dn_cmp is installed as the stack's comparison function. */
	if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* Certificate types are consumed for framing but not otherwise used. */
	if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
		goto decode_err;

	if (SSL_USE_SIGALGS(s)) {
		CBS sigalgs;

		/* This length check fails without sending an alert. */
		if (CBS_len(&cert_request) < 2) {
			SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
			goto err;
		}
		if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
			SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
			goto err;
		}
		/* Each sigalg is a u16 pair; at most 32 entries (64 bytes). */
		if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) {
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
			SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
			goto err;
		}
		/* Keep a private copy of the server's list for later use. */
		if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
		    &s->s3->hs.sigalgs_len))
			goto err;
	}

	/* get the CA RDNs */
	if (CBS_len(&cert_request) < 2) {
		SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
		goto err;
	}

	/* The DN list must be the last thing in the message. */
	if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
	    CBS_len(&cert_request) != 0) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto err;
	}

	while (CBS_len(&rdn_list) > 0) {
		CBS rdn;

		if (CBS_len(&rdn_list) < 2) {
			SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
			goto err;
		}

		if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
			SSLerror(s, SSL_R_CA_DN_TOO_LONG);
			goto err;
		}

		/* d2i advances q; it must end exactly at the end of rdn. */
		q = CBS_data(&rdn);
		if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_DECODE_ERROR);
			SSLerror(s, ERR_R_ASN1_LIB);
			goto err;
		}

		/* Trailing bytes inside a DN entry are a framing error. */
		if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
			SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH);
			goto err;
		}
		/* On success the stack owns xn (released via pop_free). */
		if (!sk_X509_NAME_push(ca_sk, xn)) {
			SSLerror(s, ERR_R_MALLOC_FAILURE);
			goto err;
		}
		xn = NULL; /* avoid free in err block */
	}

	/* we should setup a certificate to return.... */
	s->s3->hs.tls12.cert_request = 1;
	/* Replace any CA list left from an earlier handshake. */
	sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
	s->s3->hs.tls12.ca_names = ca_sk;
	ca_sk = NULL;

	ret = 1;
	/* decode_err records a bad length, then joins the common cleanup. */
	if (0) {
 decode_err:
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
	}
 err:
	X509_NAME_free(xn);
	sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
	return (ret);
}
156872c33676SMaxim Ag
/*
 * Comparison callback for the CA name stack: orders two X509_NAME
 * pointers with X509_NAME_cmp().
 */
static int
ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
{
	const X509_NAME *lhs = *a;
	const X509_NAME *rhs = *b;

	return X509_NAME_cmp(lhs, rhs);
}
157472c33676SMaxim Ag
/*
 * Process an optional NewSessionTicket message.
 *
 * If the next message is Finished the server issued no ticket; the
 * message is left for the next state and 1 is returned. Otherwise the
 * message is parsed as a 32-bit lifetime hint followed by a
 * u16-length-prefixed ticket, both of which are copied into the session
 * (tlsext_tick_lifetime_hint, tlsext_tick/tlsext_ticklen). The session
 * ID is then set to the SHA-256 hash of the ticket - see the comment
 * below for why.
 *
 * Returns 1 on success, -1 on failure (a fatal alert is sent except when
 * copying the ticket fails) or the ssl3_get_message() result (<= 0) when
 * no message could be read.
 */
int
ssl3_get_new_session_ticket(SSL *s)
{
	uint32_t lifetime_hint;
	CBS cbs, session_ticket;
	unsigned int session_id_length = 0;	/* set by EVP_Digest below */
	int al, ret;

	/* 16384 is the largest message body accepted here. */
	if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
	    SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0)
		return ret;

	if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
		s->s3->hs.tls12.reuse_message = 1;
		return (1);
	}
	if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
		goto fatal_err;
	}

	/* init_num is signed; a negative length must never reach CBS_init. */
	if (s->internal->init_num < 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto fatal_err;
	}

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
	/* The ticket must be the last field in the message. */
	if (!CBS_get_u32(&cbs, &lifetime_hint) ||
	    !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
	    CBS_len(&cbs) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto fatal_err;
	}
	s->session->tlsext_tick_lifetime_hint = lifetime_hint;

	/* Take a private copy of the opaque ticket. */
	if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
	    &s->session->tlsext_ticklen)) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/*
	 * There are two ways to detect a resumed ticket session.
	 * One is to set an appropriate session ID and then the server
	 * must return a match in ServerHello. This allows the normal
	 * client session ID matching to work and we know much
	 * earlier that the ticket has been accepted.
	 *
	 * The other way is to set zero length session ID when the
	 * ticket is presented and rely on the handshake to determine
	 * session resumption.
	 *
	 * We choose the former approach because this fits in with
	 * assumptions elsewhere in OpenSSL. The session ID is set
	 * to the SHA256 hash of the ticket.
	 */
	/*
	 * EVP_Digest writes the digest into session_id and its length
	 * (32 bytes for SHA-256) into session_id_length, so session_id
	 * must be at least that large.
	 */
	if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
	    s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerror(s, ERR_R_EVP_LIB);
		goto fatal_err;
	}
	s->session->session_id_length = session_id_length;

	return (1);

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	return (-1);
}
164972c33676SMaxim Ag
/*
 * Process an optional CertificateStatus message carrying a stapled OCSP
 * response.
 *
 * If the next message is ServerKeyExchange the server sent no status:
 * any previously stored OCSP response is dropped, the status callback
 * (if one is set) is run so that it can decide whether to proceed
 * without one, and the message is left for the next state. Otherwise
 * the message is parsed as a status type byte (only ocsp is supported)
 * followed by a u24-length-prefixed response, which is stowed into
 * s->internal->tlsext_ocsp_resp and then offered to the status callback.
 *
 * The callback's return value is interpreted as: 0 - the response is
 * unacceptable (bad_certificate_status_response alert); < 0 - internal
 * error (internal_error alert); anything else - accepted.
 *
 * Returns 1 on success, -1 on failure after sending a fatal alert, or the
 * ssl3_get_message() result (<= 0) when no message could be read.
 */
int
ssl3_get_cert_status(SSL *s)
{
	CBS cert_status, response;
	uint8_t status_type;
	int al, ret;

	/* 16384 is the largest message body accepted here. */
	if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
	    SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0)
		return ret;

	if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
		/*
		 * Tell the callback the server did not send us an OCSP
		 * response, and has decided to head directly to key exchange.
		 */
		if (s->ctx->internal->tlsext_status_cb) {
			/* Make sure no stale response from before is visible. */
			free(s->internal->tlsext_ocsp_resp);
			s->internal->tlsext_ocsp_resp = NULL;
			s->internal->tlsext_ocsp_resp_len = 0;

			ret = s->ctx->internal->tlsext_status_cb(s,
			    s->ctx->internal->tlsext_status_arg);
			if (ret == 0) {
				al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
				SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
				goto fatal_err;
			}
			if (ret < 0) {
				al = SSL_AD_INTERNAL_ERROR;
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto fatal_err;
			}
		}
		s->s3->hs.tls12.reuse_message = 1;
		return (1);
	}

	/*
	 * NOTE(review): a Certificate message type is accepted here as
	 * well and is then parsed with the CertificateStatus layout -
	 * confirm this is intentional.
	 */
	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
	    s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
		goto fatal_err;
	}

	/* init_num is signed; a negative length must never reach CBS_init. */
	if (s->internal->init_num < 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto fatal_err;
	}

	CBS_init(&cert_status, s->internal->init_msg, s->internal->init_num);
	/* need at least status type + 3-byte length */
	if (!CBS_get_u8(&cert_status, &status_type) ||
	    CBS_len(&cert_status) < 3) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto fatal_err;
	}

	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
		goto fatal_err;
	}

	/* The response must be the last field in the message. */
	if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
	    CBS_len(&cert_status) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_LENGTH_MISMATCH);
		goto fatal_err;
	}

	/* Keep a copy of the response for the callback and for SSL_get_tlsext_status_ocsp_resp-style readers. */
	if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
	    &s->internal->tlsext_ocsp_resp_len)) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto fatal_err;
	}

	if (s->ctx->internal->tlsext_status_cb) {
		ret = s->ctx->internal->tlsext_status_cb(s,
		    s->ctx->internal->tlsext_status_arg);
		if (ret == 0) {
			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
			SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
			goto fatal_err;
		}
		if (ret < 0) {
			al = SSL_AD_INTERNAL_ERROR;
			SSLerror(s, ERR_R_MALLOC_FAILURE);
			goto fatal_err;
		}
	}
	return (1);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
	return (-1);
}
175072c33676SMaxim Ag
/*
 * Process the ServerHelloDone message, which carries no payload.
 *
 * Returns 1 on success, -1 (after a fatal decode_error alert) when the
 * message body is not empty, or the ssl3_get_message() result (<= 0)
 * when no message could be read.
 */
int
ssl3_get_server_done(SSL *s)
{
	int ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
	    SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
	    30 /* should be very small, like 0 :-) */);

	if (ret <= 0)
		return ret;

	/* should contain no data */
	if (s->internal->init_num == 0)
		return 1;

	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
	SSLerror(s, SSL_R_LENGTH_MISMATCH);
	return -1;
}
177072c33676SMaxim Ag
/*
 * Build the RSA ClientKeyExchange (RFC 5246 section 7.4.7.1) into cbb.
 *
 * The premaster secret is SSL_MAX_MASTER_KEY_LENGTH bytes: our maximum
 * legacy protocol version (big endian) followed by random bytes. It is
 * encrypted with PKCS#1 v1.5 under the RSA public key of the peer
 * certificate and written as a u16-length-prefixed
 * EncryptedPreMasterSecret, after which the master secret is derived from
 * the plaintext.
 *
 * Returns 1 on success, 0 on failure. The plaintext premaster secret is
 * scrubbed and the ciphertext buffer freed on every path.
 */
static int
ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)
{
	unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
	unsigned char *enc_pms = NULL;
	uint16_t max_legacy_version;
	EVP_PKEY *pkey;
	RSA *rsa;
	int ret = 0;
	int enc_len;
	CBB epms;

	/*
	 * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
	 */

	/* The peer certificate must carry an RSA key for this suite. */
	pkey = X509_get0_pubkey(s->session->peer_cert);
	if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	/*
	 * Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1
	 * says "The latest (newest) version supported by the client", if we're
	 * doing RSA key exchange then we have to presume that we're talking to
	 * a server that does not understand the supported versions extension
	 * and therefore our maximum version is that sent in the ClientHello.
	 */
	if (!ssl_max_legacy_version(s, &max_legacy_version))
		goto err;
	/* Version first, big endian; the remaining bytes are random. */
	pms[0] = max_legacy_version >> 8;
	pms[1] = max_legacy_version & 0xff;
	arc4random_buf(&pms[2], sizeof(pms) - 2);

	/* The ciphertext is exactly the modulus size. */
	if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* RSA_public_encrypt() returns the ciphertext length, or -1 on error. */
	enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
	    RSA_PKCS1_PADDING);
	if (enc_len <= 0) {
		SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
		goto err;
	}

	if (!CBB_add_u16_length_prefixed(cbb, &epms))
		goto err;
	if (!CBB_add_bytes(&epms, enc_pms, enc_len))
		goto err;
	if (!CBB_flush(cbb))
		goto err;

	/* Derive the master secret before pms is scrubbed below. */
	if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
		goto err;

	ret = 1;

 err:
	/* Scrub the premaster secret regardless of outcome. */
	explicit_bzero(pms, sizeof(pms));
	free(enc_pms);

	return ret;
}
183672c33676SMaxim Ag
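/*
 * Build the DHE ClientKeyExchange into cbb and derive the master secret.
 *
 * Requires s->s3->hs.key_share to have been populated from the server's
 * ServerKeyExchange. A fresh ephemeral key is generated, our public value
 * is written to cbb, the shared secret is derived, the peer's parameters
 * are checked by tls_key_share_peer_security() and the master secret is
 * derived from the shared secret.
 *
 * Returns 1 on success, 0 on failure. A fatal alert is sent when no key
 * share is present or the peer's parameters are rejected; other failures
 * return 0 without one. The derived shared secret is always zeroed and
 * freed before returning.
 */
static int
ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
{
	uint8_t *key = NULL;
	size_t key_len = 0;
	int ret = 0;

	/* Ensure that we have an ephemeral key from the server for DHE. */
	if (s->s3->hs.key_share == NULL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
		goto err;
	}

	if (!tls_key_share_generate(s->s3->hs.key_share))
		goto err;
	if (!tls_key_share_public(s->s3->hs.key_share, cbb))
		goto err;
	if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
		goto err;

	/*
	 * Every failure must leave through err: by this point key holds
	 * the derived shared secret, and returning directly would leak it
	 * without zeroing it.
	 */
	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		goto err;
	}

	if (!tls12_derive_master_secret(s, key, key_len))
		goto err;

	ret = 1;

 err:
	/* Zero and release the shared secret on all paths. */
	freezero(key, key_len);

	return ret;
}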
187472c33676SMaxim Ag
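/*
 * Build the ECDHE ClientKeyExchange into cbb and derive the master secret.
 *
 * Requires s->s3->hs.key_share to have been populated from the server's
 * ServerKeyExchange. A fresh ephemeral key is generated, our public value
 * is written to cbb as a u8-length-prefixed point, the shared secret is
 * derived and the master secret is derived from it.
 *
 * Returns 1 on success, 0 on failure. A fatal alert is sent only when no
 * key share is present; other failures return 0 without one. The derived
 * shared secret is always zeroed and freed before returning. Every
 * failure path exits through err so that there is a single cleanup
 * point, matching ssl3_send_client_kex_dhe().
 */
static int
ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
{
	uint8_t *key = NULL;
	size_t key_len = 0;
	CBB public;
	int ret = 0;

	/* Ensure that we have an ephemeral key for ECDHE. */
	if (s->s3->hs.key_share == NULL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if (!tls_key_share_generate(s->s3->hs.key_share))
		goto err;

	/* Public point goes out as a u8-length-prefixed blob. */
	if (!CBB_add_u8_length_prefixed(cbb, &public))
		goto err;
	if (!tls_key_share_public(s->s3->hs.key_share, &public))
		goto err;
	if (!CBB_flush(cbb))
		goto err;

	if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
		goto err;

	if (!tls12_derive_master_secret(s, key, key_len))
		goto err;

	ret = 1;

 err:
	/* Zero and release the shared secret on all paths. */
	freezero(key, key_len);

	return ret;
}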
191372c33676SMaxim Ag
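/*
 * Build the GOST ClientKeyExchange body: wrap a fresh 32-byte premaster
 * secret for the server's GOST01 certificate key with GOST key transport,
 * emit the resulting DER blob inside an ASN.1 SEQUENCE into cbb and derive
 * the master secret from the premaster secret.
 *
 * The key transport IV ("shared UKM") is the first 8 bytes of a GOST digest
 * over client_random || server_random; the digest is chosen from the
 * cipher's handshake MAC flag (see the XXX below).
 *
 * Returns 1 on success and 0 on failure (an SSLerror is queued for the
 * failures detected here). The premaster secret is wiped on every path
 * out; pkey is borrowed from the peer certificate and is not freed.
 */
static int
ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
{
	unsigned char premaster_secret[32], tmp[256];
	unsigned char shared_ukm[EVP_MAX_MD_SIZE];
	EVP_PKEY_CTX *pkey_ctx = NULL;
	EVP_MD_CTX *ukm_hash = NULL;
	EVP_PKEY *pkey;
	size_t msglen;
	unsigned int md_len;
	CBB gostblob;
	int nid;
	int ret = 0;

	/* Get the server certificate's public key and build an encrypt ctx. */
	pkey = X509_get0_pubkey(s->session->peer_cert);
	if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
		SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
		goto err;
	}
	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
		goto err;

	/* Generate the session key (premaster secret). */
	arc4random_buf(premaster_secret, sizeof(premaster_secret));

	/*
	 * If a client certificate was requested and we hold its private key,
	 * offer that key as the peer key for the key transport; otherwise the
	 * key transport falls back to an ephemeral key pair.
	 * XXX - this presumably lacks PFS.
	 */
	if (s->s3->hs.tls12.cert_request != 0 &&
	    s->cert->key->privatekey != NULL) {
		if (EVP_PKEY_derive_set_peer(pkey_ctx,
		    s->cert->key->privatekey) <= 0) {
			/* Not usable as peer key: ignore, ephemeral key is used. */
			ERR_clear_error();
		}
	}

	/*
	 * Compute the shared UKM from both randoms and install its leading
	 * 8 bytes as the IV in the algorithm-specific context data.
	 */
	if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* XXX check handshake hash instead. */
	if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
		nid = NID_id_GostR3411_94;
	else
		nid = NID_id_tc26_gost3411_2012_256;
	if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
		goto err;
	if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
		goto err;
	if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
		goto err;
	if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
		goto err;
	/* Only the first 8 digest bytes are used as IV; make sure they exist. */
	if (md_len < 8) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	/* EVP_PKEY_CTX_ctrl() returns 1 on success; 0, -1 and -2 are failures. */
	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
	    EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) {
		SSLerror(s, SSL_R_LIBRARY_BUG);
		goto err;
	}

	/*
	 * Make the GOST key transport blob and encapsulate it in a SEQUENCE.
	 * EVP_PKEY_encrypt() returns 1 on success and 0 (or negative) on
	 * failure; rejecting 0 matters, since on failure msglen and tmp would
	 * otherwise be consumed without having been written.
	 */
	msglen = sizeof(tmp);
	if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
	    sizeof(premaster_secret)) <= 0) {
		SSLerror(s, SSL_R_LIBRARY_BUG);
		goto err;
	}

	if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
		goto err;
	if (!CBB_add_bytes(&gostblob, tmp, msglen))
		goto err;
	if (!CBB_flush(cbb))
		goto err;

	/*
	 * Check whether the client certificate key ended up as the peer key;
	 * if so, flag the handshake to skip CertificateVerify.
	 */
	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
	    NULL) > 0)
		s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;

	if (!tls12_derive_master_secret(s, premaster_secret,
	    sizeof(premaster_secret)))
		goto err;

	ret = 1;

 err:
	explicit_bzero(premaster_secret, sizeof(premaster_secret));
	EVP_PKEY_CTX_free(pkey_ctx);
	EVP_MD_CTX_free(ukm_hash);

	return ret;
}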
202672c33676SMaxim Ag
/*
 * Send the ClientKeyExchange message. In state SSL3_ST_CW_KEY_EXCH_A the
 * message body is produced by the helper matching the cipher's key exchange
 * algorithm (RSA, DHE, ECDHE or GOST) and the state advances to
 * SSL3_ST_CW_KEY_EXCH_B; in either state the buffered message is then
 * handed to ssl3_handshake_write().
 *
 * Returns the ssl3_handshake_write() result, or -1 on error (after
 * releasing the message buffer). An unknown key exchange algorithm is
 * answered with a fatal handshake_failure alert.
 */
int
ssl3_send_client_key_exchange(SSL *s)
{
	int (*send_kex)(SSL *, CBB *) = NULL;
	unsigned long alg_k;
	CBB cbb, kex;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
		alg_k = s->s3->hs.cipher->algorithm_mkey;

		if (!ssl3_handshake_msg_start(s, &cbb, &kex,
		    SSL3_MT_CLIENT_KEY_EXCHANGE))
			goto err;

		/* Pick the body writer for the negotiated key exchange. */
		if (alg_k & SSL_kRSA)
			send_kex = ssl3_send_client_kex_rsa;
		else if (alg_k & SSL_kDHE)
			send_kex = ssl3_send_client_kex_dhe;
		else if (alg_k & SSL_kECDHE)
			send_kex = ssl3_send_client_kex_ecdhe;
		else if (alg_k & SSL_kGOST)
			send_kex = ssl3_send_client_kex_gost;

		if (send_kex == NULL) {
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_HANDSHAKE_FAILURE);
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		if (!send_kex(s, &kex))
			goto err;

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
	}

	/* SSL3_ST_CW_KEY_EXCH_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}
207572c33676SMaxim Ag
/*
 * TLSv1.2 CertificateVerify body: sign the cached handshake transcript with
 * the client's private key under the selected signature algorithm, then
 * append the sigalg value (u16) and the u16-length-prefixed signature to
 * cert_verify.
 *
 * GOST keys get the RS_LE signature format selected on the pkey context;
 * RSA-PSS sigalgs get PSS padding with the maximal salt length.
 *
 * Returns 1 on success and 0 on failure (with an SSLerror queued for most
 * failures). The signature buffer is released on every path out.
 */
static int
ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
    const struct ssl_sigalg *sigalg, CBB *cert_verify)
{
	CBB sig_cbb;
	EVP_PKEY_CTX *pkey_ctx = NULL;
	EVP_MD_CTX *md_ctx = NULL;
	const unsigned char *transcript;
	unsigned char *sig = NULL;
	size_t sig_len, transcript_len;
	int ret = 0;

	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	if (!tls1_transcript_data(s, &transcript, &transcript_len)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	/*
	 * pkey_ctx is handed out by EVP_DigestSignInit() and belongs to
	 * md_ctx; it is not freed separately.
	 */
	if (!EVP_DigestSignInit(md_ctx, &pkey_ctx, sigalg->md(), NULL, pkey)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}
	if (sigalg->key_type == EVP_PKEY_GOSTR01) {
		if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_SIGN,
		    EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
		    NULL) <= 0) {
			SSLerror(s, ERR_R_EVP_LIB);
			goto err;
		}
	}
	if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
		if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx,
		    RSA_PKCS1_PSS_PADDING) ||
		    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1)) {
			SSLerror(s, ERR_R_EVP_LIB);
			goto err;
		}
	}
	if (!EVP_DigestSignUpdate(md_ctx, transcript, transcript_len)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}

	/* First call only sizes the signature, the second one produces it. */
	if (!EVP_DigestSignFinal(md_ctx, NULL, &sig_len) || sig_len == 0) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}
	if ((sig = calloc(1, sig_len)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if (!EVP_DigestSignFinal(md_ctx, sig, &sig_len)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}

	if (!CBB_add_u16(cert_verify, sigalg->value))
		goto err;
	if (!CBB_add_u16_length_prefixed(cert_verify, &sig_cbb))
		goto err;
	if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
		goto err;
	if (!CBB_flush(cert_verify))
		goto err;

	ret = 1;

 err:
	EVP_MD_CTX_free(md_ctx);
	free(sig);
	return ret;
}
214572c33676SMaxim Ag
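/*
 * Pre-TLSv1.2 CertificateVerify body for an RSA key: sign the MD5+SHA1
 * transcript hash (NID_md5_sha1) with the client's RSA key and append the
 * u16-length-prefixed signature to cert_verify.
 *
 * Returns 1 on success and 0 on failure. The key type and the signature
 * buffer size are validated before allocation so that a non-RSA or
 * broken key can never be used to size or fill the buffer.
 */
static int
ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
{
	CBB cbb_signature;
	RSA *rsa;
	unsigned char data[EVP_MAX_MD_SIZE];
	unsigned char *signature = NULL;
	unsigned int signature_len;
	size_t data_len;
	int sig_size;
	int ret = 0;

	if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
		goto err;

	/* Check the key type before deriving the signature buffer size from it. */
	if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
		goto err;
	if ((sig_size = EVP_PKEY_size(pkey)) <= 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	if ((signature = calloc(1, sig_size)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	/* RSA_sign() rejects a digest whose length does not match NID_md5_sha1. */
	if (RSA_sign(NID_md5_sha1, data, (unsigned int)data_len, signature,
	    &signature_len, rsa) <= 0) {
		SSLerror(s, ERR_R_RSA_LIB);
		goto err;
	}

	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		goto err;
	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		goto err;
	if (!CBB_flush(cert_verify))
		goto err;

	ret = 1;
 err:
	free(signature);
	return ret;
}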
218172c33676SMaxim Ag
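/*
 * Pre-TLSv1.2 CertificateVerify body for an EC key: the transcript hash is
 * MD5 || SHA1 and only the SHA1 half is signed with ECDSA; the
 * u16-length-prefixed signature is appended to cert_verify.
 *
 * Returns 1 on success and 0 on failure. The transcript hash length is
 * checked so that the SHA1 slice is never taken from an unexpected hash
 * layout, and the key type is checked before the signature buffer is
 * sized from it.
 */
static int
ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
{
	CBB cbb_signature;
	EC_KEY *eckey;
	unsigned char data[EVP_MAX_MD_SIZE];
	unsigned char *signature = NULL;
	unsigned int signature_len;
	size_t data_len;
	int sig_size;
	int ret = 0;

	if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
		goto err;
	/* &data[MD5_DIGEST_LENGTH] is only meaningful for an MD5||SHA1 hash. */
	if (data_len != MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	/* Check the key type before deriving the signature buffer size from it. */
	if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
		goto err;
	if ((sig_size = EVP_PKEY_size(pkey)) <= 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	if ((signature = calloc(1, sig_size)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
	    signature, &signature_len, eckey)) {
		SSLerror(s, ERR_R_ECDSA_LIB);
		goto err;
	}

	if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
		goto err;
	if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
		goto err;
	if (!CBB_flush(cert_verify))
		goto err;

	ret = 1;
 err:
	free(signature);
	return ret;
}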
221672c33676SMaxim Ag
221772c33676SMaxim Ag #ifndef OPENSSL_NO_GOST
/*
 * Pre-TLSv1.2 CertificateVerify body for a GOST key: sign the cached
 * handshake transcript with the key's default digest, using the RS_LE
 * signature format, and append the u16-length-prefixed signature to
 * cert_verify.
 *
 * Returns 1 on success and 0 on failure (with an SSLerror queued for most
 * failures). The signature buffer is released on every path out.
 */
static int
ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
{
	CBB sig_cbb;
	EVP_MD_CTX *md_ctx = NULL;
	EVP_PKEY_CTX *pkey_ctx;
	const EVP_MD *digest;
	const unsigned char *transcript;
	unsigned char *sig = NULL;
	size_t sig_len;
	size_t transcript_len;
	int nid;
	int ret = 0;

	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	if (!tls1_transcript_data(s, &transcript, &transcript_len)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	/* The digest is whatever the key declares as its default. */
	if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
	    (digest = EVP_get_digestbynid(nid)) == NULL) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}

	/* pkey_ctx belongs to md_ctx after this call; it is not freed here. */
	if (!EVP_DigestSignInit(md_ctx, &pkey_ctx, digest, NULL, pkey)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}
	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_SIGN,
	    EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}
	if (!EVP_DigestSignUpdate(md_ctx, transcript, transcript_len)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}

	/* First call only sizes the signature, the second one produces it. */
	if (!EVP_DigestSignFinal(md_ctx, NULL, &sig_len) || sig_len == 0) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}
	if ((sig = calloc(1, sig_len)) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if (!EVP_DigestSignFinal(md_ctx, sig, &sig_len)) {
		SSLerror(s, ERR_R_EVP_LIB);
		goto err;
	}

	if (!CBB_add_u16_length_prefixed(cert_verify, &sig_cbb))
		goto err;
	if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
		goto err;
	if (!CBB_flush(cert_verify))
		goto err;

	ret = 1;
 err:
	EVP_MD_CTX_free(md_ctx);
	free(sig);
	return ret;
}
228472c33676SMaxim Ag #endif
228572c33676SMaxim Ag
/*
 * Send the CertificateVerify message. In state SSL3_ST_CW_CERT_VRFY_A the
 * signature algorithm is selected for the client's private key and the
 * message body is produced by the sigalgs helper (TLSv1.2) or by the
 * legacy per-key-type helper (RSA, EC, GOST); the handshake transcript is
 * dropped afterwards and the state advances to SSL3_ST_CW_CERT_VRFY_B.
 * In either state the buffered message is handed to ssl3_handshake_write().
 *
 * Returns the ssl3_handshake_write() result, or -1 on error (after
 * releasing the message buffer).
 */
int
ssl3_send_client_verify(SSL *s)
{
	const struct ssl_sigalg *sigalg;
	CBB cbb, cert_verify;
	EVP_PKEY *pkey;
	int ok;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state != SSL3_ST_CW_CERT_VRFY_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
	    SSL3_MT_CERTIFICATE_VERIFY))
		goto err;

	pkey = s->cert->key->privatekey;
	if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
		SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
		goto err;
	}
	s->s3->hs.our_sigalg = sigalg;

	if (SSL_USE_SIGALGS(s)) {
		/*
		 * TLSv1.2: send signature algorithm and signature using the
		 * agreed digest and cached handshake records.
		 */
		ok = ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
		    &cert_verify);
	} else {
		/* Older versions: the signature form follows the key type. */
		switch (EVP_PKEY_id(pkey)) {
		case EVP_PKEY_RSA:
			ok = ssl3_send_client_verify_rsa(s, pkey, &cert_verify);
			break;
		case EVP_PKEY_EC:
			ok = ssl3_send_client_verify_ec(s, pkey, &cert_verify);
			break;
#ifndef OPENSSL_NO_GOST
		case NID_id_GostR3410_94:
		case NID_id_GostR3410_2001:
			ok = ssl3_send_client_verify_gost(s, pkey,
			    &cert_verify);
			break;
#endif
		default:
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
	}
	if (!ok)
		goto err;

	tls1_transcript_free(s);

	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}
234772c33676SMaxim Ag
/*
 * Send the client Certificate message (states SSL3_ST_CW_CERT_A..D).
 *
 * CERT_A decides whether a certificate and private key are already
 * configured (continue with CERT_C) or must be fetched through the client
 * certificate callback (CERT_B). CERT_B runs the callback: a negative
 * result parks the connection in SSL_X509_LOOKUP and returns -1 so the
 * caller retries later; a result of 1 must come with both a certificate
 * and a key, which are then installed. When no usable certificate comes
 * out of this, cert_request is set to 2 (the chain written later is then
 * built from a NULL key) and the handshake transcript is dropped since
 * there is no client certificate to verify. CERT_C writes the Certificate
 * message and CERT_D flushes it with ssl3_handshake_write().
 *
 * Returns the ssl3_handshake_write() result, -1 while waiting for the
 * callback, or 0 on error (after releasing the message buffer).
 */
int
ssl3_send_client_certificate(SSL *s)
{
	EVP_PKEY *pkey = NULL;
	X509 *x509 = NULL;
	CBB cbb, client_cert;
	int rc;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
		int have_cert = s->cert->key->x509 != NULL &&
		    s->cert->key->privatekey != NULL;

		s->s3->hs.state = have_cert ? SSL3_ST_CW_CERT_C :
		    SSL3_ST_CW_CERT_B;
	}

	/* We need to get a client cert. */
	if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
		/*
		 * On a negative callback result we set
		 * ssl->internal->rwstate = SSL_X509_LOOKUP and return -1;
		 * we are then retried later.
		 */
		rc = ssl_do_client_cert_cb(s, &x509, &pkey);
		if (rc < 0) {
			s->internal->rwstate = SSL_X509_LOOKUP;
			return (-1);
		}
		s->internal->rwstate = SSL_NOTHING;
		if (rc == 1) {
			if (pkey == NULL || x509 == NULL) {
				rc = 0;
				SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
			} else {
				s->s3->hs.state = SSL3_ST_CW_CERT_B;
				if (!SSL_use_certificate(s, x509) ||
				    !SSL_use_PrivateKey(s, pkey))
					rc = 0;
			}
		}

		/* SSL_use_* took their own references. */
		X509_free(x509);
		EVP_PKEY_free(pkey);
		if (rc == 0) {
			s->s3->hs.tls12.cert_request = 2;

			/* There is no client certificate to verify. */
			tls1_transcript_free(s);
		}

		/* Ok, we have a cert. */
		s->s3->hs.state = SSL3_ST_CW_CERT_C;
	}

	if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
		CERT_PKEY *chain_key = s->cert->key;

		if (s->s3->hs.tls12.cert_request == 2)
			chain_key = NULL;
		if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
		    SSL3_MT_CERTIFICATE))
			goto err;
		if (!ssl3_output_cert_chain(s, &client_cert, chain_key))
			goto err;
		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_CW_CERT_D;
	}

	/* SSL3_ST_CW_CERT_D */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (0);
}
242372c33676SMaxim Ag
242472c33676SMaxim Ag #define has_bits(i,m) (((i)&(m)) == (m))
242572c33676SMaxim Ag
/*
 * Cross-check the server certificate against the negotiated cipher's key
 * exchange and authentication algorithms: SSL_aRSA needs an RSA signing
 * certificate, SSL_kRSA an RSA encrypting certificate, and SSL_kDHE either
 * DH exchange capability in the certificate or a DH key share. ECC server
 * certificates are delegated to ssl_check_srvr_ecc_cert_and_alg();
 * anonymous ciphers have nothing to check.
 *
 * Returns 1 when the certificate fits the cipher, otherwise sends a fatal
 * handshake_failure alert and returns 0.
 */
int
ssl3_check_cert_and_algorithm(SSL *s)
{
	long alg_k = s->s3->hs.cipher->algorithm_mkey;
	long alg_a = s->s3->hs.cipher->algorithm_auth;
	int nid = NID_undef;
	int cert_type;

	/* No certificate is involved with anonymous ciphers. */
	if (alg_a & SSL_aNULL)
		return (1);

	if (s->s3->hs.key_share != NULL)
		nid = tls_key_share_nid(s->s3->hs.key_share);

	/* ECC certificates have their own consistency check. */
	if (s->session->peer_cert_type == SSL_PKEY_ECC) {
		if (ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert))
			return (1);
		SSLerror(s, SSL_R_BAD_ECC_CERT);
		goto fatal_err;
	}

	cert_type = X509_certificate_type(s->session->peer_cert, NULL);

	/* Check that we have a certificate if we require one. */
	if ((alg_a & SSL_aRSA) &&
	    !has_bits(cert_type, EVP_PK_RSA|EVP_PKT_SIGN)) {
		SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
		goto fatal_err;
	}
	if ((alg_k & SSL_kRSA) &&
	    !has_bits(cert_type, EVP_PK_RSA|EVP_PKT_ENC)) {
		SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
		goto fatal_err;
	}
	/* A DH key share satisfies DHE even without DH bits in the cert. */
	if ((alg_k & SSL_kDHE) && nid != NID_dhKeyAgreement &&
	    !has_bits(cert_type, EVP_PK_DH|EVP_PKT_EXCH)) {
		SSLerror(s, SSL_R_MISSING_DH_KEY);
		goto fatal_err;
	}

	return (1);

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

	return (0);
}
247772c33676SMaxim Ag
247872c33676SMaxim Ag /*
247972c33676SMaxim Ag * Check to see if handshake is full or resumed. Usually this is just a
248072c33676SMaxim Ag * case of checking to see if a cache hit has occurred. In the case of
248172c33676SMaxim Ag * session tickets we have to check the next message to be sure.
248272c33676SMaxim Ag */
248372c33676SMaxim Ag
/*
 * Decide whether a session-ticket handshake is being resumed by peeking at
 * the next handshake message: Finished or NewSessionTicket means the
 * server accepted the ticket (return 2), anything else means a full
 * handshake continues with the Certificate message (return 1). The message
 * is left in place (reuse_message) for the regular state machine.
 *
 * Returns 1 or 2 as described, or the ssl3_get_message() result when that
 * call does not complete (<= 0).
 */
int
ssl3_check_finished(SSL *s)
{
	int ret;

	/* Without a session ticket this cannot be a resumed session. */
	if (!s->session->tlsext_tick)
		return (1);

	/*
	 * We really expect a Certificate message here, so permit its
	 * message length.
	 */
	ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1,
	    s->internal->max_cert_list);
	if (ret <= 0)
		return ret;

	s->s3->hs.tls12.reuse_message = 1;

	switch (s->s3->hs.tls12.message_type) {
	case SSL3_MT_FINISHED:
	case SSL3_MT_NEWSESSION_TICKET:
		return (2);
	default:
		return (1);
	}
}
250572c33676SMaxim Ag
/*
 * Obtain a client certificate and private key for the connection: first
 * from the context's client certificate engine (when compiled in and set),
 * then from the client certificate callback. The engine result is returned
 * as soon as it is non-zero; otherwise the callback's result is returned,
 * or 0 when neither source is configured.
 *
 * px509/ppkey receive the objects produced by the engine or callback.
 */
int
ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
	int rc = 0;

#ifndef OPENSSL_NO_ENGINE
	if (s->ctx->internal->client_cert_engine != NULL) {
		rc = ENGINE_load_ssl_client_cert(
		    s->ctx->internal->client_cert_engine, s,
		    SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL);
		if (rc != 0)
			return (rc);
	}
#endif
	if (s->ctx->internal->client_cert_cb == NULL)
		return (rc);

	return (s->ctx->internal->client_cert_cb(s, px509, ppkey));
}
2524