1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ssl_srvr.c,v 1.149 2022/08/17 07:39:19 jsing Exp $ */
272c33676SMaxim Ag /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
372c33676SMaxim Ag  * All rights reserved.
472c33676SMaxim Ag  *
572c33676SMaxim Ag  * This package is an SSL implementation written
672c33676SMaxim Ag  * by Eric Young (eay@cryptsoft.com).
772c33676SMaxim Ag  * The implementation was written so as to conform with Netscapes SSL.
872c33676SMaxim Ag  *
972c33676SMaxim Ag  * This library is free for commercial and non-commercial use as long as
1072c33676SMaxim Ag  * the following conditions are aheared to.  The following conditions
1172c33676SMaxim Ag  * apply to all code found in this distribution, be it the RC4, RSA,
1272c33676SMaxim Ag  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
1372c33676SMaxim Ag  * included with this distribution is covered by the same copyright terms
1472c33676SMaxim Ag  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1572c33676SMaxim Ag  *
1672c33676SMaxim Ag  * Copyright remains Eric Young's, and as such any Copyright notices in
1772c33676SMaxim Ag  * the code are not to be removed.
1872c33676SMaxim Ag  * If this package is used in a product, Eric Young should be given attribution
1972c33676SMaxim Ag  * as the author of the parts of the library used.
2072c33676SMaxim Ag  * This can be in the form of a textual message at program startup or
2172c33676SMaxim Ag  * in documentation (online or textual) provided with the package.
2272c33676SMaxim Ag  *
2372c33676SMaxim Ag  * Redistribution and use in source and binary forms, with or without
2472c33676SMaxim Ag  * modification, are permitted provided that the following conditions
2572c33676SMaxim Ag  * are met:
2672c33676SMaxim Ag  * 1. Redistributions of source code must retain the copyright
2772c33676SMaxim Ag  *    notice, this list of conditions and the following disclaimer.
2872c33676SMaxim Ag  * 2. Redistributions in binary form must reproduce the above copyright
2972c33676SMaxim Ag  *    notice, this list of conditions and the following disclaimer in the
3072c33676SMaxim Ag  *    documentation and/or other materials provided with the distribution.
3172c33676SMaxim Ag  * 3. All advertising materials mentioning features or use of this software
3272c33676SMaxim Ag  *    must display the following acknowledgement:
3372c33676SMaxim Ag  *    "This product includes cryptographic software written by
3472c33676SMaxim Ag  *     Eric Young (eay@cryptsoft.com)"
3572c33676SMaxim Ag  *    The word 'cryptographic' can be left out if the rouines from the library
3672c33676SMaxim Ag  *    being used are not cryptographic related :-).
3772c33676SMaxim Ag  * 4. If you include any Windows specific code (or a derivative thereof) from
3872c33676SMaxim Ag  *    the apps directory (application code) you must include an acknowledgement:
3972c33676SMaxim Ag  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
4072c33676SMaxim Ag  *
4172c33676SMaxim Ag  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4272c33676SMaxim Ag  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4372c33676SMaxim Ag  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4472c33676SMaxim Ag  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4572c33676SMaxim Ag  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4672c33676SMaxim Ag  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4772c33676SMaxim Ag  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4872c33676SMaxim Ag  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4972c33676SMaxim Ag  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5072c33676SMaxim Ag  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5172c33676SMaxim Ag  * SUCH DAMAGE.
5272c33676SMaxim Ag  *
5372c33676SMaxim Ag  * The licence and distribution terms for any publically available version or
5472c33676SMaxim Ag  * derivative of this code cannot be changed.  i.e. this code cannot simply be
5572c33676SMaxim Ag  * copied and put under another distribution licence
5672c33676SMaxim Ag  * [including the GNU Public Licence.]
5772c33676SMaxim Ag  */
5872c33676SMaxim Ag /* ====================================================================
5972c33676SMaxim Ag  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
6072c33676SMaxim Ag  *
6172c33676SMaxim Ag  * Redistribution and use in source and binary forms, with or without
6272c33676SMaxim Ag  * modification, are permitted provided that the following conditions
6372c33676SMaxim Ag  * are met:
6472c33676SMaxim Ag  *
6572c33676SMaxim Ag  * 1. Redistributions of source code must retain the above copyright
6672c33676SMaxim Ag  *    notice, this list of conditions and the following disclaimer.
6772c33676SMaxim Ag  *
6872c33676SMaxim Ag  * 2. Redistributions in binary form must reproduce the above copyright
6972c33676SMaxim Ag  *    notice, this list of conditions and the following disclaimer in
7072c33676SMaxim Ag  *    the documentation and/or other materials provided with the
7172c33676SMaxim Ag  *    distribution.
7272c33676SMaxim Ag  *
7372c33676SMaxim Ag  * 3. All advertising materials mentioning features or use of this
7472c33676SMaxim Ag  *    software must display the following acknowledgment:
7572c33676SMaxim Ag  *    "This product includes software developed by the OpenSSL Project
7672c33676SMaxim Ag  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7772c33676SMaxim Ag  *
7872c33676SMaxim Ag  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7972c33676SMaxim Ag  *    endorse or promote products derived from this software without
8072c33676SMaxim Ag  *    prior written permission. For written permission, please contact
8172c33676SMaxim Ag  *    openssl-core@openssl.org.
8272c33676SMaxim Ag  *
8372c33676SMaxim Ag  * 5. Products derived from this software may not be called "OpenSSL"
8472c33676SMaxim Ag  *    nor may "OpenSSL" appear in their names without prior written
8572c33676SMaxim Ag  *    permission of the OpenSSL Project.
8672c33676SMaxim Ag  *
8772c33676SMaxim Ag  * 6. Redistributions of any form whatsoever must retain the following
8872c33676SMaxim Ag  *    acknowledgment:
8972c33676SMaxim Ag  *    "This product includes software developed by the OpenSSL Project
9072c33676SMaxim Ag  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9172c33676SMaxim Ag  *
9272c33676SMaxim Ag  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9372c33676SMaxim Ag  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9472c33676SMaxim Ag  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9572c33676SMaxim Ag  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
9672c33676SMaxim Ag  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9772c33676SMaxim Ag  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9872c33676SMaxim Ag  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9972c33676SMaxim Ag  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10072c33676SMaxim Ag  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10172c33676SMaxim Ag  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10272c33676SMaxim Ag  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10372c33676SMaxim Ag  * OF THE POSSIBILITY OF SUCH DAMAGE.
10472c33676SMaxim Ag  * ====================================================================
10572c33676SMaxim Ag  *
10672c33676SMaxim Ag  * This product includes cryptographic software written by Eric Young
10772c33676SMaxim Ag  * (eay@cryptsoft.com).  This product includes software written by Tim
10872c33676SMaxim Ag  * Hudson (tjh@cryptsoft.com).
10972c33676SMaxim Ag  *
11072c33676SMaxim Ag  */
11172c33676SMaxim Ag /* ====================================================================
11272c33676SMaxim Ag  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
11372c33676SMaxim Ag  *
11472c33676SMaxim Ag  * Portions of the attached software ("Contribution") are developed by
11572c33676SMaxim Ag  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
11672c33676SMaxim Ag  *
11772c33676SMaxim Ag  * The Contribution is licensed pursuant to the OpenSSL open source
11872c33676SMaxim Ag  * license provided above.
11972c33676SMaxim Ag  *
12072c33676SMaxim Ag  * ECC cipher suite support in OpenSSL originally written by
12172c33676SMaxim Ag  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
12272c33676SMaxim Ag  *
12372c33676SMaxim Ag  */
12472c33676SMaxim Ag /* ====================================================================
12572c33676SMaxim Ag  * Copyright 2005 Nokia. All rights reserved.
12672c33676SMaxim Ag  *
12772c33676SMaxim Ag  * The portions of the attached software ("Contribution") is developed by
12872c33676SMaxim Ag  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
12972c33676SMaxim Ag  * license.
13072c33676SMaxim Ag  *
13172c33676SMaxim Ag  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
13272c33676SMaxim Ag  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
13372c33676SMaxim Ag  * support (see RFC 4279) to OpenSSL.
13472c33676SMaxim Ag  *
13572c33676SMaxim Ag  * No patent licenses or other rights except those expressly stated in
13672c33676SMaxim Ag  * the OpenSSL open source license shall be deemed granted or received
13772c33676SMaxim Ag  * expressly, by implication, estoppel, or otherwise.
13872c33676SMaxim Ag  *
13972c33676SMaxim Ag  * No assurances are provided by Nokia that the Contribution does not
14072c33676SMaxim Ag  * infringe the patent or other intellectual property rights of any third
14172c33676SMaxim Ag  * party or that the license provides you with all the necessary rights
14272c33676SMaxim Ag  * to make use of the Contribution.
14372c33676SMaxim Ag  *
14472c33676SMaxim Ag  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
14572c33676SMaxim Ag  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
14672c33676SMaxim Ag  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
14772c33676SMaxim Ag  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
14872c33676SMaxim Ag  * OTHERWISE.
14972c33676SMaxim Ag  */
15072c33676SMaxim Ag 
15172c33676SMaxim Ag #include <stdio.h>
15272c33676SMaxim Ag 
15372c33676SMaxim Ag #include <openssl/bn.h>
15472c33676SMaxim Ag #include <openssl/buffer.h>
15572c33676SMaxim Ag #include <openssl/curve25519.h>
15672c33676SMaxim Ag #include <openssl/evp.h>
15772c33676SMaxim Ag #include <openssl/dh.h>
15872c33676SMaxim Ag #include <openssl/hmac.h>
15972c33676SMaxim Ag #include <openssl/md5.h>
16072c33676SMaxim Ag #include <openssl/objects.h>
161*de0e0e4dSAntonio Huete Jimenez #include <openssl/opensslconf.h>
16272c33676SMaxim Ag #include <openssl/x509.h>
16372c33676SMaxim Ag 
164*de0e0e4dSAntonio Huete Jimenez #ifndef OPENSSL_NO_GOST
165*de0e0e4dSAntonio Huete Jimenez #include <openssl/gost.h>
166*de0e0e4dSAntonio Huete Jimenez #endif
167*de0e0e4dSAntonio Huete Jimenez 
16872c33676SMaxim Ag #include "bytestring.h"
169*de0e0e4dSAntonio Huete Jimenez #include "dtls_locl.h"
170*de0e0e4dSAntonio Huete Jimenez #include "ssl_locl.h"
17172c33676SMaxim Ag #include "ssl_sigalgs.h"
17272c33676SMaxim Ag #include "ssl_tlsext.h"
17372c33676SMaxim Ag 
17472c33676SMaxim Ag int
ssl3_accept(SSL * s)17572c33676SMaxim Ag ssl3_accept(SSL *s)
17672c33676SMaxim Ag {
17772c33676SMaxim Ag 	unsigned long alg_k;
17872c33676SMaxim Ag 	int new_state, state, skip = 0;
17972c33676SMaxim Ag 	int listen = 0;
180*de0e0e4dSAntonio Huete Jimenez 	int ret = -1;
18172c33676SMaxim Ag 
18272c33676SMaxim Ag 	ERR_clear_error();
18372c33676SMaxim Ag 	errno = 0;
18472c33676SMaxim Ag 
185*de0e0e4dSAntonio Huete Jimenez 	if (SSL_is_dtls(s))
186*de0e0e4dSAntonio Huete Jimenez 		listen = s->d1->listen;
18772c33676SMaxim Ag 
18872c33676SMaxim Ag 	/* init things to blank */
18972c33676SMaxim Ag 	s->internal->in_handshake++;
19072c33676SMaxim Ag 	if (!SSL_in_init(s) || SSL_in_before(s))
19172c33676SMaxim Ag 		SSL_clear(s);
19272c33676SMaxim Ag 
193*de0e0e4dSAntonio Huete Jimenez 	if (SSL_is_dtls(s))
194*de0e0e4dSAntonio Huete Jimenez 		s->d1->listen = listen;
19572c33676SMaxim Ag 
19672c33676SMaxim Ag 	for (;;) {
197*de0e0e4dSAntonio Huete Jimenez 		state = s->s3->hs.state;
19872c33676SMaxim Ag 
199*de0e0e4dSAntonio Huete Jimenez 		switch (s->s3->hs.state) {
20072c33676SMaxim Ag 		case SSL_ST_RENEGOTIATE:
20172c33676SMaxim Ag 			s->internal->renegotiate = 1;
202*de0e0e4dSAntonio Huete Jimenez 			/* s->s3->hs.state=SSL_ST_ACCEPT; */
20372c33676SMaxim Ag 
20472c33676SMaxim Ag 		case SSL_ST_BEFORE:
20572c33676SMaxim Ag 		case SSL_ST_ACCEPT:
20672c33676SMaxim Ag 		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
20772c33676SMaxim Ag 		case SSL_ST_OK|SSL_ST_ACCEPT:
20872c33676SMaxim Ag 			s->server = 1;
20972c33676SMaxim Ag 
210*de0e0e4dSAntonio Huete Jimenez 			ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
211*de0e0e4dSAntonio Huete Jimenez 
212*de0e0e4dSAntonio Huete Jimenez 			if (!ssl_legacy_stack_version(s, s->version)) {
21372c33676SMaxim Ag 				SSLerror(s, ERR_R_INTERNAL_ERROR);
21472c33676SMaxim Ag 				ret = -1;
21572c33676SMaxim Ag 				goto end;
21672c33676SMaxim Ag 			}
217*de0e0e4dSAntonio Huete Jimenez 
218*de0e0e4dSAntonio Huete Jimenez 			if (!ssl_supported_tls_version_range(s,
219*de0e0e4dSAntonio Huete Jimenez 			    &s->s3->hs.our_min_tls_version,
220*de0e0e4dSAntonio Huete Jimenez 			    &s->s3->hs.our_max_tls_version)) {
221*de0e0e4dSAntonio Huete Jimenez 				SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
22272c33676SMaxim Ag 				ret = -1;
22372c33676SMaxim Ag 				goto end;
22472c33676SMaxim Ag 			}
225*de0e0e4dSAntonio Huete Jimenez 
226*de0e0e4dSAntonio Huete Jimenez 			if (!ssl_security_version(s,
227*de0e0e4dSAntonio Huete Jimenez 			    s->s3->hs.our_min_tls_version)) {
228*de0e0e4dSAntonio Huete Jimenez 				SSLerror(s, SSL_R_VERSION_TOO_LOW);
229*de0e0e4dSAntonio Huete Jimenez 				ret = -1;
230*de0e0e4dSAntonio Huete Jimenez 				goto end;
23172c33676SMaxim Ag 			}
23272c33676SMaxim Ag 
23372c33676SMaxim Ag 			if (!ssl3_setup_init_buffer(s)) {
23472c33676SMaxim Ag 				ret = -1;
23572c33676SMaxim Ag 				goto end;
23672c33676SMaxim Ag 			}
23772c33676SMaxim Ag 			if (!ssl3_setup_buffers(s)) {
23872c33676SMaxim Ag 				ret = -1;
23972c33676SMaxim Ag 				goto end;
24072c33676SMaxim Ag 			}
24172c33676SMaxim Ag 
24272c33676SMaxim Ag 			s->internal->init_num = 0;
24372c33676SMaxim Ag 
244*de0e0e4dSAntonio Huete Jimenez 			if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {
24572c33676SMaxim Ag 				/*
24672c33676SMaxim Ag 				 * Ok, we now need to push on a buffering BIO
24772c33676SMaxim Ag 				 * so that the output is sent in a way that
24872c33676SMaxim Ag 				 * TCP likes :-)
24972c33676SMaxim Ag 				 */
25072c33676SMaxim Ag 				if (!ssl_init_wbio_buffer(s, 1)) {
25172c33676SMaxim Ag 					ret = -1;
25272c33676SMaxim Ag 					goto end;
25372c33676SMaxim Ag 				}
25472c33676SMaxim Ag 
25572c33676SMaxim Ag 				if (!tls1_transcript_init(s)) {
25672c33676SMaxim Ag 					ret = -1;
25772c33676SMaxim Ag 					goto end;
25872c33676SMaxim Ag 				}
25972c33676SMaxim Ag 
260*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
26172c33676SMaxim Ag 				s->ctx->internal->stats.sess_accept++;
262*de0e0e4dSAntonio Huete Jimenez 			} else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {
26372c33676SMaxim Ag 				/*
26472c33676SMaxim Ag 				 * Server attempting to renegotiate with
26572c33676SMaxim Ag 				 * client that doesn't support secure
26672c33676SMaxim Ag 				 * renegotiation.
26772c33676SMaxim Ag 				 */
26872c33676SMaxim Ag 				SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
26972c33676SMaxim Ag 				ssl3_send_alert(s, SSL3_AL_FATAL,
27072c33676SMaxim Ag 				    SSL_AD_HANDSHAKE_FAILURE);
27172c33676SMaxim Ag 				ret = -1;
27272c33676SMaxim Ag 				goto end;
27372c33676SMaxim Ag 			} else {
27472c33676SMaxim Ag 				/*
275*de0e0e4dSAntonio Huete Jimenez 				 * s->s3->hs.state == SSL_ST_RENEGOTIATE,
27672c33676SMaxim Ag 				 * we will just send a HelloRequest.
27772c33676SMaxim Ag 				 */
27872c33676SMaxim Ag 				s->ctx->internal->stats.sess_accept_renegotiate++;
279*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;
28072c33676SMaxim Ag 			}
28172c33676SMaxim Ag 			break;
28272c33676SMaxim Ag 
28372c33676SMaxim Ag 		case SSL3_ST_SW_HELLO_REQ_A:
28472c33676SMaxim Ag 		case SSL3_ST_SW_HELLO_REQ_B:
28572c33676SMaxim Ag 			s->internal->shutdown = 0;
286*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
28772c33676SMaxim Ag 				dtls1_clear_record_buffer(s);
28872c33676SMaxim Ag 				dtls1_start_timer(s);
28972c33676SMaxim Ag 			}
29072c33676SMaxim Ag 			ret = ssl3_send_hello_request(s);
29172c33676SMaxim Ag 			if (ret <= 0)
29272c33676SMaxim Ag 				goto end;
293*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s))
294*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
29572c33676SMaxim Ag 			else
296*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
297*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_FLUSH;
29872c33676SMaxim Ag 			s->internal->init_num = 0;
29972c33676SMaxim Ag 
300*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
30172c33676SMaxim Ag 				if (!tls1_transcript_init(s)) {
30272c33676SMaxim Ag 					ret = -1;
30372c33676SMaxim Ag 					goto end;
30472c33676SMaxim Ag 				}
305*de0e0e4dSAntonio Huete Jimenez 			}
30672c33676SMaxim Ag 			break;
30772c33676SMaxim Ag 
30872c33676SMaxim Ag 		case SSL3_ST_SW_HELLO_REQ_C:
309*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL_ST_OK;
31072c33676SMaxim Ag 			break;
31172c33676SMaxim Ag 
31272c33676SMaxim Ag 		case SSL3_ST_SR_CLNT_HELLO_A:
31372c33676SMaxim Ag 		case SSL3_ST_SR_CLNT_HELLO_B:
31472c33676SMaxim Ag 		case SSL3_ST_SR_CLNT_HELLO_C:
31572c33676SMaxim Ag 			s->internal->shutdown = 0;
316*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
31772c33676SMaxim Ag 				ret = ssl3_get_client_hello(s);
31872c33676SMaxim Ag 				if (ret <= 0)
31972c33676SMaxim Ag 					goto end;
32072c33676SMaxim Ag 				dtls1_stop_timer(s);
32172c33676SMaxim Ag 
32272c33676SMaxim Ag 				if (ret == 1 &&
32372c33676SMaxim Ag 				    (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
324*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
32572c33676SMaxim Ag 				else
326*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
32772c33676SMaxim Ag 
32872c33676SMaxim Ag 				s->internal->init_num = 0;
32972c33676SMaxim Ag 
33072c33676SMaxim Ag 				/*
33172c33676SMaxim Ag 				 * Reflect ClientHello sequence to remain
33272c33676SMaxim Ag 				 * stateless while listening.
33372c33676SMaxim Ag 				 */
33472c33676SMaxim Ag 				if (listen) {
335*de0e0e4dSAntonio Huete Jimenez 					tls12_record_layer_reflect_seq_num(
336*de0e0e4dSAntonio Huete Jimenez 					    s->internal->rl);
33772c33676SMaxim Ag 				}
33872c33676SMaxim Ag 
33972c33676SMaxim Ag 				/* If we're just listening, stop here */
340*de0e0e4dSAntonio Huete Jimenez 				if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
34172c33676SMaxim Ag 					ret = 2;
342*de0e0e4dSAntonio Huete Jimenez 					s->d1->listen = 0;
34372c33676SMaxim Ag 					/*
34472c33676SMaxim Ag 					 * Set expected sequence numbers to
34572c33676SMaxim Ag 					 * continue the handshake.
34672c33676SMaxim Ag 					 */
347*de0e0e4dSAntonio Huete Jimenez 					s->d1->handshake_read_seq = 2;
348*de0e0e4dSAntonio Huete Jimenez 					s->d1->handshake_write_seq = 1;
349*de0e0e4dSAntonio Huete Jimenez 					s->d1->next_handshake_write_seq = 1;
35072c33676SMaxim Ag 					goto end;
35172c33676SMaxim Ag 				}
35272c33676SMaxim Ag 			} else {
35372c33676SMaxim Ag 				if (s->internal->rwstate != SSL_X509_LOOKUP) {
35472c33676SMaxim Ag 					ret = ssl3_get_client_hello(s);
35572c33676SMaxim Ag 					if (ret <= 0)
35672c33676SMaxim Ag 						goto end;
35772c33676SMaxim Ag 				}
35872c33676SMaxim Ag 
35972c33676SMaxim Ag 				s->internal->renegotiate = 2;
360*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
36172c33676SMaxim Ag 				s->internal->init_num = 0;
36272c33676SMaxim Ag 			}
36372c33676SMaxim Ag 			break;
36472c33676SMaxim Ag 
36572c33676SMaxim Ag 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
36672c33676SMaxim Ag 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
367*de0e0e4dSAntonio Huete Jimenez 			ret = ssl3_send_dtls_hello_verify_request(s);
36872c33676SMaxim Ag 			if (ret <= 0)
36972c33676SMaxim Ag 				goto end;
370*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_FLUSH;
371*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
37272c33676SMaxim Ag 
37372c33676SMaxim Ag 			/* HelloVerifyRequest resets Finished MAC. */
37472c33676SMaxim Ag 			tls1_transcript_reset(s);
37572c33676SMaxim Ag 			break;
37672c33676SMaxim Ag 
37772c33676SMaxim Ag 		case SSL3_ST_SW_SRVR_HELLO_A:
37872c33676SMaxim Ag 		case SSL3_ST_SW_SRVR_HELLO_B:
379*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
38072c33676SMaxim Ag 				s->internal->renegotiate = 2;
38172c33676SMaxim Ag 				dtls1_start_timer(s);
38272c33676SMaxim Ag 			}
38372c33676SMaxim Ag 			ret = ssl3_send_server_hello(s);
38472c33676SMaxim Ag 			if (ret <= 0)
38572c33676SMaxim Ag 				goto end;
38672c33676SMaxim Ag 			if (s->internal->hit) {
38772c33676SMaxim Ag 				if (s->internal->tlsext_ticket_expected)
388*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
38972c33676SMaxim Ag 				else
390*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
39172c33676SMaxim Ag 			} else {
392*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_CERT_A;
39372c33676SMaxim Ag 			}
39472c33676SMaxim Ag 			s->internal->init_num = 0;
39572c33676SMaxim Ag 			break;
39672c33676SMaxim Ag 
39772c33676SMaxim Ag 		case SSL3_ST_SW_CERT_A:
39872c33676SMaxim Ag 		case SSL3_ST_SW_CERT_B:
39972c33676SMaxim Ag 			/* Check if it is anon DH or anon ECDH. */
400*de0e0e4dSAntonio Huete Jimenez 			if (!(s->s3->hs.cipher->algorithm_auth &
40172c33676SMaxim Ag 			    SSL_aNULL)) {
402*de0e0e4dSAntonio Huete Jimenez 				if (SSL_is_dtls(s))
40372c33676SMaxim Ag 					dtls1_start_timer(s);
40472c33676SMaxim Ag 				ret = ssl3_send_server_certificate(s);
40572c33676SMaxim Ag 				if (ret <= 0)
40672c33676SMaxim Ag 					goto end;
40772c33676SMaxim Ag 				if (s->internal->tlsext_status_expected)
408*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;
40972c33676SMaxim Ag 				else
410*de0e0e4dSAntonio Huete Jimenez 					s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
41172c33676SMaxim Ag 			} else {
41272c33676SMaxim Ag 				skip = 1;
413*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
41472c33676SMaxim Ag 			}
41572c33676SMaxim Ag 			s->internal->init_num = 0;
41672c33676SMaxim Ag 			break;
41772c33676SMaxim Ag 
41872c33676SMaxim Ag 		case SSL3_ST_SW_KEY_EXCH_A:
41972c33676SMaxim Ag 		case SSL3_ST_SW_KEY_EXCH_B:
420*de0e0e4dSAntonio Huete Jimenez 			alg_k = s->s3->hs.cipher->algorithm_mkey;
42172c33676SMaxim Ag 
42272c33676SMaxim Ag 			/*
42372c33676SMaxim Ag 			 * Only send if using a DH key exchange.
42472c33676SMaxim Ag 			 *
42572c33676SMaxim Ag 			 * For ECC ciphersuites, we send a ServerKeyExchange
42672c33676SMaxim Ag 			 * message only if the cipher suite is ECDHE. In other
42772c33676SMaxim Ag 			 * cases, the server certificate contains the server's
42872c33676SMaxim Ag 			 * public key for key exchange.
42972c33676SMaxim Ag 			 */
43072c33676SMaxim Ag 			if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
431*de0e0e4dSAntonio Huete Jimenez 				if (SSL_is_dtls(s))
43272c33676SMaxim Ag 					dtls1_start_timer(s);
43372c33676SMaxim Ag 				ret = ssl3_send_server_key_exchange(s);
43472c33676SMaxim Ag 				if (ret <= 0)
43572c33676SMaxim Ag 					goto end;
43672c33676SMaxim Ag 			} else
43772c33676SMaxim Ag 				skip = 1;
43872c33676SMaxim Ag 
439*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;
44072c33676SMaxim Ag 			s->internal->init_num = 0;
44172c33676SMaxim Ag 			break;
44272c33676SMaxim Ag 
44372c33676SMaxim Ag 		case SSL3_ST_SW_CERT_REQ_A:
44472c33676SMaxim Ag 		case SSL3_ST_SW_CERT_REQ_B:
44572c33676SMaxim Ag 			/*
44672c33676SMaxim Ag 			 * Determine whether or not we need to request a
44772c33676SMaxim Ag 			 * certificate.
44872c33676SMaxim Ag 			 *
44972c33676SMaxim Ag 			 * Do not request a certificate if:
45072c33676SMaxim Ag 			 *
45172c33676SMaxim Ag 			 * - We did not ask for it (SSL_VERIFY_PEER is unset).
45272c33676SMaxim Ag 			 *
45372c33676SMaxim Ag 			 * - SSL_VERIFY_CLIENT_ONCE is set and we are
45472c33676SMaxim Ag 			 *   renegotiating.
45572c33676SMaxim Ag 			 *
45672c33676SMaxim Ag 			 * - We are using an anonymous ciphersuites
45772c33676SMaxim Ag 			 *   (see section "Certificate request" in SSL 3 drafts
45872c33676SMaxim Ag 			 *   and in RFC 2246) ... except when the application
45972c33676SMaxim Ag 			 *   insists on verification (against the specs, but
46072c33676SMaxim Ag 			 *   s3_clnt.c accepts this for SSL 3).
46172c33676SMaxim Ag 			 */
46272c33676SMaxim Ag 			if (!(s->verify_mode & SSL_VERIFY_PEER) ||
463*de0e0e4dSAntonio Huete Jimenez 			    ((s->session->peer_cert != NULL) &&
46472c33676SMaxim Ag 			     (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
465*de0e0e4dSAntonio Huete Jimenez 			    ((s->s3->hs.cipher->algorithm_auth &
46672c33676SMaxim Ag 			     SSL_aNULL) && !(s->verify_mode &
46772c33676SMaxim Ag 			     SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
46872c33676SMaxim Ag 				/* No cert request. */
46972c33676SMaxim Ag 				skip = 1;
470*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.cert_request = 0;
471*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
47272c33676SMaxim Ag 
473*de0e0e4dSAntonio Huete Jimenez 				if (!SSL_is_dtls(s))
47472c33676SMaxim Ag 					tls1_transcript_free(s);
47572c33676SMaxim Ag 			} else {
476*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.cert_request = 1;
477*de0e0e4dSAntonio Huete Jimenez 				if (SSL_is_dtls(s))
47872c33676SMaxim Ag 					dtls1_start_timer(s);
47972c33676SMaxim Ag 				ret = ssl3_send_certificate_request(s);
48072c33676SMaxim Ag 				if (ret <= 0)
48172c33676SMaxim Ag 					goto end;
482*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
48372c33676SMaxim Ag 				s->internal->init_num = 0;
48472c33676SMaxim Ag 			}
48572c33676SMaxim Ag 			break;
48672c33676SMaxim Ag 
48772c33676SMaxim Ag 		case SSL3_ST_SW_SRVR_DONE_A:
48872c33676SMaxim Ag 		case SSL3_ST_SW_SRVR_DONE_B:
489*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s))
49072c33676SMaxim Ag 				dtls1_start_timer(s);
49172c33676SMaxim Ag 			ret = ssl3_send_server_done(s);
49272c33676SMaxim Ag 			if (ret <= 0)
49372c33676SMaxim Ag 				goto end;
494*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
495*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_FLUSH;
49672c33676SMaxim Ag 			s->internal->init_num = 0;
49772c33676SMaxim Ag 			break;
49872c33676SMaxim Ag 
49972c33676SMaxim Ag 		case SSL3_ST_SW_FLUSH:
50072c33676SMaxim Ag 			/*
50172c33676SMaxim Ag 			 * This code originally checked to see if
50272c33676SMaxim Ag 			 * any data was pending using BIO_CTRL_INFO
50372c33676SMaxim Ag 			 * and then flushed. This caused problems
50472c33676SMaxim Ag 			 * as documented in PR#1939. The proposed
50572c33676SMaxim Ag 			 * fix doesn't completely resolve this issue
50672c33676SMaxim Ag 			 * as buggy implementations of BIO_CTRL_PENDING
50772c33676SMaxim Ag 			 * still exist. So instead we just flush
50872c33676SMaxim Ag 			 * unconditionally.
50972c33676SMaxim Ag 			 */
51072c33676SMaxim Ag 			s->internal->rwstate = SSL_WRITING;
51172c33676SMaxim Ag 			if (BIO_flush(s->wbio) <= 0) {
512*de0e0e4dSAntonio Huete Jimenez 				if (SSL_is_dtls(s)) {
51372c33676SMaxim Ag 					/* If the write error was fatal, stop trying. */
51472c33676SMaxim Ag 					if (!BIO_should_retry(s->wbio)) {
51572c33676SMaxim Ag 						s->internal->rwstate = SSL_NOTHING;
516*de0e0e4dSAntonio Huete Jimenez 						s->s3->hs.state = s->s3->hs.tls12.next_state;
51772c33676SMaxim Ag 					}
51872c33676SMaxim Ag 				}
51972c33676SMaxim Ag 				ret = -1;
52072c33676SMaxim Ag 				goto end;
52172c33676SMaxim Ag 			}
52272c33676SMaxim Ag 			s->internal->rwstate = SSL_NOTHING;
523*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = s->s3->hs.tls12.next_state;
52472c33676SMaxim Ag 			break;
52572c33676SMaxim Ag 
52672c33676SMaxim Ag 		case SSL3_ST_SR_CERT_A:
52772c33676SMaxim Ag 		case SSL3_ST_SR_CERT_B:
528*de0e0e4dSAntonio Huete Jimenez 			if (s->s3->hs.tls12.cert_request != 0) {
52972c33676SMaxim Ag 				ret = ssl3_get_client_certificate(s);
53072c33676SMaxim Ag 				if (ret <= 0)
53172c33676SMaxim Ag 					goto end;
53272c33676SMaxim Ag 			}
53372c33676SMaxim Ag 			s->internal->init_num = 0;
534*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;
53572c33676SMaxim Ag 			break;
53672c33676SMaxim Ag 
53772c33676SMaxim Ag 		case SSL3_ST_SR_KEY_EXCH_A:
53872c33676SMaxim Ag 		case SSL3_ST_SR_KEY_EXCH_B:
53972c33676SMaxim Ag 			ret = ssl3_get_client_key_exchange(s);
54072c33676SMaxim Ag 			if (ret <= 0)
54172c33676SMaxim Ag 				goto end;
54272c33676SMaxim Ag 
543*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
544*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
54572c33676SMaxim Ag 				s->internal->init_num = 0;
54672c33676SMaxim Ag 			}
54772c33676SMaxim Ag 
548*de0e0e4dSAntonio Huete Jimenez 			alg_k = s->s3->hs.cipher->algorithm_mkey;
549*de0e0e4dSAntonio Huete Jimenez 			if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
55072c33676SMaxim Ag 				/*
551*de0e0e4dSAntonio Huete Jimenez 				 * A GOST client may use the key from its
552*de0e0e4dSAntonio Huete Jimenez 				 * certificate for key exchange, in which case
553*de0e0e4dSAntonio Huete Jimenez 				 * the CertificateVerify message is not sent.
55472c33676SMaxim Ag 				 */
555*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
55672c33676SMaxim Ag 				s->internal->init_num = 0;
55772c33676SMaxim Ag 			} else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
558*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
55972c33676SMaxim Ag 				s->internal->init_num = 0;
560*de0e0e4dSAntonio Huete Jimenez 				if (!s->session->peer_cert)
56172c33676SMaxim Ag 					break;
56272c33676SMaxim Ag 				/*
56372c33676SMaxim Ag 				 * Freeze the transcript for use during client
56472c33676SMaxim Ag 				 * certificate verification.
56572c33676SMaxim Ag 				 */
56672c33676SMaxim Ag 				tls1_transcript_freeze(s);
56772c33676SMaxim Ag 			} else {
568*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
56972c33676SMaxim Ag 				s->internal->init_num = 0;
57072c33676SMaxim Ag 
57172c33676SMaxim Ag 				tls1_transcript_free(s);
57272c33676SMaxim Ag 
57372c33676SMaxim Ag 				/*
57472c33676SMaxim Ag 				 * We need to get hashes here so if there is
57572c33676SMaxim Ag 				 * a client cert, it can be verified.
57672c33676SMaxim Ag 				 */
57772c33676SMaxim Ag 				if (!tls1_transcript_hash_value(s,
578*de0e0e4dSAntonio Huete Jimenez 				    s->s3->hs.tls12.cert_verify,
579*de0e0e4dSAntonio Huete Jimenez 				    sizeof(s->s3->hs.tls12.cert_verify),
58072c33676SMaxim Ag 				    NULL)) {
58172c33676SMaxim Ag 					ret = -1;
58272c33676SMaxim Ag 					goto end;
58372c33676SMaxim Ag 				}
58472c33676SMaxim Ag 			}
58572c33676SMaxim Ag 			break;
58672c33676SMaxim Ag 
58772c33676SMaxim Ag 		case SSL3_ST_SR_CERT_VRFY_A:
58872c33676SMaxim Ag 		case SSL3_ST_SR_CERT_VRFY_B:
589*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s))
590*de0e0e4dSAntonio Huete Jimenez 				s->d1->change_cipher_spec_ok = 1;
59172c33676SMaxim Ag 			else
59272c33676SMaxim Ag 				s->s3->flags |= SSL3_FLAGS_CCS_OK;
59372c33676SMaxim Ag 
59472c33676SMaxim Ag 			/* we should decide if we expected this one */
59572c33676SMaxim Ag 			ret = ssl3_get_cert_verify(s);
59672c33676SMaxim Ag 			if (ret <= 0)
59772c33676SMaxim Ag 				goto end;
598*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
59972c33676SMaxim Ag 			s->internal->init_num = 0;
60072c33676SMaxim Ag 			break;
60172c33676SMaxim Ag 
60272c33676SMaxim Ag 		case SSL3_ST_SR_FINISHED_A:
60372c33676SMaxim Ag 		case SSL3_ST_SR_FINISHED_B:
604*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s))
605*de0e0e4dSAntonio Huete Jimenez 				s->d1->change_cipher_spec_ok = 1;
60672c33676SMaxim Ag 			else
60772c33676SMaxim Ag 				s->s3->flags |= SSL3_FLAGS_CCS_OK;
60872c33676SMaxim Ag 			ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
60972c33676SMaxim Ag 			    SSL3_ST_SR_FINISHED_B);
61072c33676SMaxim Ag 			if (ret <= 0)
61172c33676SMaxim Ag 				goto end;
612*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s))
61372c33676SMaxim Ag 				dtls1_stop_timer(s);
61472c33676SMaxim Ag 			if (s->internal->hit)
615*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL_ST_OK;
61672c33676SMaxim Ag 			else if (s->internal->tlsext_ticket_expected)
617*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
61872c33676SMaxim Ag 			else
619*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
62072c33676SMaxim Ag 			s->internal->init_num = 0;
62172c33676SMaxim Ag 			break;
62272c33676SMaxim Ag 
62372c33676SMaxim Ag 		case SSL3_ST_SW_SESSION_TICKET_A:
62472c33676SMaxim Ag 		case SSL3_ST_SW_SESSION_TICKET_B:
62572c33676SMaxim Ag 			ret = ssl3_send_newsession_ticket(s);
62672c33676SMaxim Ag 			if (ret <= 0)
62772c33676SMaxim Ag 				goto end;
628*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
62972c33676SMaxim Ag 			s->internal->init_num = 0;
63072c33676SMaxim Ag 			break;
63172c33676SMaxim Ag 
63272c33676SMaxim Ag 		case SSL3_ST_SW_CERT_STATUS_A:
63372c33676SMaxim Ag 		case SSL3_ST_SW_CERT_STATUS_B:
63472c33676SMaxim Ag 			ret = ssl3_send_cert_status(s);
63572c33676SMaxim Ag 			if (ret <= 0)
63672c33676SMaxim Ag 				goto end;
637*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
63872c33676SMaxim Ag 			s->internal->init_num = 0;
63972c33676SMaxim Ag 			break;
64072c33676SMaxim Ag 
64172c33676SMaxim Ag 		case SSL3_ST_SW_CHANGE_A:
64272c33676SMaxim Ag 		case SSL3_ST_SW_CHANGE_B:
64372c33676SMaxim Ag 			ret = ssl3_send_change_cipher_spec(s,
64472c33676SMaxim Ag 			    SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
64572c33676SMaxim Ag 			if (ret <= 0)
64672c33676SMaxim Ag 				goto end;
647*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
64872c33676SMaxim Ag 			s->internal->init_num = 0;
649*de0e0e4dSAntonio Huete Jimenez 			s->session->cipher = s->s3->hs.cipher;
65072c33676SMaxim Ag 
651*de0e0e4dSAntonio Huete Jimenez 			if (!tls1_setup_key_block(s)) {
65272c33676SMaxim Ag 				ret = -1;
65372c33676SMaxim Ag 				goto end;
65472c33676SMaxim Ag 			}
655*de0e0e4dSAntonio Huete Jimenez 			if (!tls1_change_write_cipher_state(s)) {
656*de0e0e4dSAntonio Huete Jimenez 				ret = -1;
657*de0e0e4dSAntonio Huete Jimenez 				goto end;
658*de0e0e4dSAntonio Huete Jimenez 			}
65972c33676SMaxim Ag 			break;
66072c33676SMaxim Ag 
66172c33676SMaxim Ag 		case SSL3_ST_SW_FINISHED_A:
66272c33676SMaxim Ag 		case SSL3_ST_SW_FINISHED_B:
663*de0e0e4dSAntonio Huete Jimenez 			ret = ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A,
664*de0e0e4dSAntonio Huete Jimenez 			    SSL3_ST_SW_FINISHED_B);
66572c33676SMaxim Ag 			if (ret <= 0)
66672c33676SMaxim Ag 				goto end;
667*de0e0e4dSAntonio Huete Jimenez 			s->s3->hs.state = SSL3_ST_SW_FLUSH;
66872c33676SMaxim Ag 			if (s->internal->hit) {
669*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
67072c33676SMaxim Ag 				tls1_transcript_free(s);
67172c33676SMaxim Ag 			} else
672*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.tls12.next_state = SSL_ST_OK;
67372c33676SMaxim Ag 			s->internal->init_num = 0;
67472c33676SMaxim Ag 			break;
67572c33676SMaxim Ag 
67672c33676SMaxim Ag 		case SSL_ST_OK:
67772c33676SMaxim Ag 			/* clean a few things up */
67872c33676SMaxim Ag 			tls1_cleanup_key_block(s);
67972c33676SMaxim Ag 
680*de0e0e4dSAntonio Huete Jimenez 			if (s->s3->handshake_transcript != NULL) {
68172c33676SMaxim Ag 				SSLerror(s, ERR_R_INTERNAL_ERROR);
68272c33676SMaxim Ag 				ret = -1;
68372c33676SMaxim Ag 				goto end;
68472c33676SMaxim Ag 			}
68572c33676SMaxim Ag 
686*de0e0e4dSAntonio Huete Jimenez 			if (!SSL_is_dtls(s))
6878edacedfSDaniel Fojt 				ssl3_release_init_buffer(s);
68872c33676SMaxim Ag 
68972c33676SMaxim Ag 			/* remove buffering on output */
69072c33676SMaxim Ag 			ssl_free_wbio_buffer(s);
69172c33676SMaxim Ag 
69272c33676SMaxim Ag 			s->internal->init_num = 0;
69372c33676SMaxim Ag 
69472c33676SMaxim Ag 			/* Skipped if we just sent a HelloRequest. */
69572c33676SMaxim Ag 			if (s->internal->renegotiate == 2) {
69672c33676SMaxim Ag 				s->internal->renegotiate = 0;
69772c33676SMaxim Ag 				s->internal->new_session = 0;
69872c33676SMaxim Ag 
69972c33676SMaxim Ag 				ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
70072c33676SMaxim Ag 
70172c33676SMaxim Ag 				s->ctx->internal->stats.sess_accept_good++;
70272c33676SMaxim Ag 				/* s->server=1; */
70372c33676SMaxim Ag 				s->internal->handshake_func = ssl3_accept;
70472c33676SMaxim Ag 
705*de0e0e4dSAntonio Huete Jimenez 				ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
70672c33676SMaxim Ag 			}
70772c33676SMaxim Ag 
70872c33676SMaxim Ag 			ret = 1;
70972c33676SMaxim Ag 
710*de0e0e4dSAntonio Huete Jimenez 			if (SSL_is_dtls(s)) {
71172c33676SMaxim Ag 				/* Done handshaking, next message is client hello. */
712*de0e0e4dSAntonio Huete Jimenez 				s->d1->handshake_read_seq = 0;
71372c33676SMaxim Ag 				/* Next message is server hello. */
714*de0e0e4dSAntonio Huete Jimenez 				s->d1->handshake_write_seq = 0;
715*de0e0e4dSAntonio Huete Jimenez 				s->d1->next_handshake_write_seq = 0;
71672c33676SMaxim Ag 			}
71772c33676SMaxim Ag 			goto end;
71872c33676SMaxim Ag 			/* break; */
71972c33676SMaxim Ag 
72072c33676SMaxim Ag 		default:
72172c33676SMaxim Ag 			SSLerror(s, SSL_R_UNKNOWN_STATE);
72272c33676SMaxim Ag 			ret = -1;
72372c33676SMaxim Ag 			goto end;
72472c33676SMaxim Ag 			/* break; */
72572c33676SMaxim Ag 		}
72672c33676SMaxim Ag 
727*de0e0e4dSAntonio Huete Jimenez 		if (!s->s3->hs.tls12.reuse_message && !skip) {
72872c33676SMaxim Ag 			if (s->internal->debug) {
72972c33676SMaxim Ag 				if ((ret = BIO_flush(s->wbio)) <= 0)
73072c33676SMaxim Ag 					goto end;
73172c33676SMaxim Ag 			}
73272c33676SMaxim Ag 
73372c33676SMaxim Ag 
734*de0e0e4dSAntonio Huete Jimenez 			if (s->s3->hs.state != state) {
735*de0e0e4dSAntonio Huete Jimenez 				new_state = s->s3->hs.state;
736*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = state;
737*de0e0e4dSAntonio Huete Jimenez 				ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1);
738*de0e0e4dSAntonio Huete Jimenez 				s->s3->hs.state = new_state;
73972c33676SMaxim Ag 			}
74072c33676SMaxim Ag 		}
74172c33676SMaxim Ag 		skip = 0;
74272c33676SMaxim Ag 	}
74372c33676SMaxim Ag  end:
74472c33676SMaxim Ag 	/* BIO_flush(s->wbio); */
74572c33676SMaxim Ag 	s->internal->in_handshake--;
746*de0e0e4dSAntonio Huete Jimenez 	ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret);
74772c33676SMaxim Ag 
74872c33676SMaxim Ag 	return (ret);
74972c33676SMaxim Ag }
75072c33676SMaxim Ag 
/*
 * Send a HelloRequest handshake message.
 *
 * In state SSL3_ST_SW_HELLO_REQ_A the (empty) message is built and the
 * state advances to SSL3_ST_SW_HELLO_REQ_B; in either state the pending
 * handshake data is then written.
 *
 * Returns the result of ssl3_handshake_write(), or -1 if the message
 * could not be built.
 */
int
ssl3_send_hello_request(SSL *s)
{
	CBB cbb, hello;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_SW_HELLO_REQ_A) {
		/* A HelloRequest has an empty body: start and finish only. */
		int built = ssl3_handshake_msg_start(s, &cbb, &hello,
		    SSL3_MT_HELLO_REQUEST) &&
		    ssl3_handshake_msg_finish(s, &cbb);

		if (!built) {
			CBB_cleanup(&cbb);
			return (-1);
		}

		s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;
	}

	/* SSL3_ST_SW_HELLO_REQ_B: flush the message to the peer. */
	return (ssl3_handshake_write(s));
}
77672c33676SMaxim Ag 
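/*
 * Process a ClientHello: parse the message, negotiate the protocol
 * version, set up a new or resumed session, verify the DTLS cookie when
 * cookie exchange is enabled, select the cipher and compression method
 * and parse the extensions.
 *
 * Returns 1 on success, 2 if a DTLS cookie was verified, and -1 on
 * failure (a fatal alert is sent on the decode_err/fatal_err paths).
 * A non-positive result from ssl3_get_message() is passed through.
 * For DTLS with SSL_OP_COOKIE_EXCHANGE, a ClientHello without a cookie
 * returns 1 early, before any session state is allocated.
 */
int
ssl3_get_client_hello(SSL *s)
{
	CBS cbs, client_random, session_id, cookie, cipher_suites;
	CBS compression_methods;
	uint16_t client_version;
	uint8_t comp_method;
	int comp_null;
	int i, j, al, ret, cookie_valid = 0;
	unsigned long id;
	SSL_CIPHER *c;
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	unsigned long alg_k;
	const SSL_METHOD *method;
	uint16_t shared_version;

	/*
	 * We do this so that we will respond with our native type.
	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
	 * This down switching should be handled by a different method.
	 * If we are SSLv3, we will respond with SSLv3, even if prompted with
	 * TLSv1.
	 */
	if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)
		s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;

	s->internal->first_packet = 1;
	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
	    SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
	    SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
		return ret;
	s->internal->first_packet = 0;

	/* From here on every failure path returns -1. */
	ret = -1;

	if (s->internal->init_num < 0)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/* Parse client hello up until the extensions (if any). */
	if (!CBS_get_u16(&cbs, &client_version))
		goto decode_err;
	if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE))
		goto decode_err;
	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
		goto decode_err;
	if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
		goto fatal_err;
	}
	if (SSL_is_dtls(s)) {
		if (!CBS_get_u8_length_prefixed(&cbs, &cookie))
			goto decode_err;
	}
	if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites))
		goto decode_err;
	if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods))
		goto decode_err;

	/*
	 * Use version from inside client hello, not from record header.
	 * (may differ: see RFC 2246, Appendix E, second paragraph)
	 */
	if (!ssl_max_shared_version(s, client_version, &shared_version)) {
		if ((client_version >> 8) == SSL3_VERSION_MAJOR &&
		    !tls12_record_layer_write_protected(s->internal->rl)) {
			/*
			 * Similar to ssl3_get_record, send alert using remote
			 * version number.
			 */
			s->version = client_version;
		}
		SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
		al = SSL_AD_PROTOCOL_VERSION;
		goto fatal_err;
	}
	s->s3->hs.peer_legacy_version = client_version;
	s->version = shared_version;

	s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);
	if (s->s3->hs.negotiated_tls_version == 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if ((method = ssl_get_method(shared_version)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	s->method = method;

	/*
	 * If we require cookies (DTLS) and this ClientHello does not contain
	 * one, just return since we do not want to allocate any memory yet.
	 * So check cookie length...
	 */
	if (SSL_is_dtls(s)) {
		if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
			if (CBS_len(&cookie) == 0)
				return (1);
		}
	}

	if (!CBS_write_bytes(&client_random, s->s3->client_random,
	    sizeof(s->s3->client_random), NULL))
		goto err;

	s->internal->hit = 0;

	/*
	 * Versions before 0.9.7 always allow clients to resume sessions in
	 * renegotiation. 0.9.7 and later allow this by default, but optionally
	 * ignore resumption requests with flag
	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
	 * rather than a change to default behavior so that applications
	 * relying on this for security won't even compile against older
	 * library versions).
	 *
	 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
	 * to request renegotiation but not a new session (s->internal->new_session
	 * remains unset): for servers, this essentially just means that the
	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
	 * ignored.
	 */
	if ((s->internal->new_session && (s->internal->options &
	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
		if (!ssl_get_new_session(s, 1))
			goto err;
	} else {
		CBS ext_block;

		/* Session lookup may need the extensions; hand it a copy. */
		CBS_dup(&cbs, &ext_block);

		i = ssl_get_prev_session(s, &session_id, &ext_block, &al);
		if (i == 1) { /* previous session */
			s->internal->hit = 1;
		} else if (i == -1)
			goto fatal_err;
		else {
			/* i == 0 */
			if (!ssl_get_new_session(s, 1))
				goto err;
		}
	}

	if (SSL_is_dtls(s)) {
		/*
		 * The ClientHello may contain a cookie even if the HelloVerify
		 * message has not been sent - make sure that it does not cause
		 * an overflow.
		 */
		if (CBS_len(&cookie) > sizeof(s->d1->rcvd_cookie)) {
			al = SSL_AD_DECODE_ERROR;
			SSLerror(s, SSL_R_COOKIE_MISMATCH);
			goto fatal_err;
		}

		/* Verify the cookie if appropriate option is set. */
		if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
		    CBS_len(&cookie) > 0) {
			size_t cookie_len;

			/* XXX - rcvd_cookie seems to only be used here... */
			if (!CBS_write_bytes(&cookie, s->d1->rcvd_cookie,
			    sizeof(s->d1->rcvd_cookie), &cookie_len))
				goto err;

			if (s->ctx->internal->app_verify_cookie_cb != NULL) {
				if (s->ctx->internal->app_verify_cookie_cb(s,
				    s->d1->rcvd_cookie, cookie_len) == 0) {
					al = SSL_AD_HANDSHAKE_FAILURE;
					SSLerror(s, SSL_R_COOKIE_MISMATCH);
					goto fatal_err;
				}
				/* else cookie verification succeeded */
			} else if (cookie_len != s->d1->cookie_len ||
			    timingsafe_memcmp(s->d1->rcvd_cookie,
			    s->d1->cookie, s->d1->cookie_len) != 0) {
				/*
				 * Default verification: the received cookie
				 * must match the one we generated in both
				 * length and content.  Comparing the lengths
				 * first also guarantees the memcmp never reads
				 * beyond the bytes actually received into
				 * rcvd_cookie, whatever d1->cookie_len holds.
				 */
				al = SSL_AD_HANDSHAKE_FAILURE;
				SSLerror(s, SSL_R_COOKIE_MISMATCH);
				goto fatal_err;
			}
			cookie_valid = 1;
		}
	}

	/* XXX - This logic seems wrong... */
	if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) {
		/* we need a cipher if we are not resuming a session */
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED);
		goto fatal_err;
	}

	if (CBS_len(&cipher_suites) > 0) {
		if ((ciphers = ssl_bytes_to_cipher_list(s,
		    &cipher_suites)) == NULL)
			goto err;
	}

	/*
	 * If it is a hit, check that the cipher is in the list.  ciphers is
	 * non-NULL exactly when the ClientHello carried cipher suites, so
	 * test it rather than CBS_len(&cipher_suites), which the parse above
	 * is expected to have consumed (and which left this check dead).
	 */
	if (s->internal->hit && ciphers != NULL) {
		j = 0;
		id = s->session->cipher->id;

		for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
			c = sk_SSL_CIPHER_value(ciphers, i);
			if (c->id == id) {
				j = 1;
				break;
			}
		}
		if (j == 0) {
			/*
			 * We need to have the cipher in the cipher
			 * list if we are asked to reuse it
			 */
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING);
			goto fatal_err;
		}
	}

	/* Only the null compression method is supported; it must be offered. */
	comp_null = 0;
	while (CBS_len(&compression_methods) > 0) {
		if (!CBS_get_u8(&compression_methods, &comp_method))
			goto decode_err;
		if (comp_method == 0)
			comp_null = 1;
	}
	if (comp_null == 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED);
		goto fatal_err;
	}

	if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) {
		SSLerror(s, SSL_R_PARSE_TLSEXT);
		goto fatal_err;
	}

	/* Anything after the extensions is a malformed message. */
	if (CBS_len(&cbs) != 0)
		goto decode_err;

	if (!s->s3->renegotiate_seen && s->internal->renegotiate) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		goto fatal_err;
	}

	if (ssl_check_clienthello_tlsext_early(s) <= 0) {
		SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
		goto err;
	}

	/*
	 * Check if we want to use external pre-shared secret for this
	 * handshake for not reused session only. We need to generate
	 * server_random before calling tls_session_secret_cb in order to allow
	 * SessionTicket processing to use it in key derivation.
	 */
	arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);

	if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
	    s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
		/*
		 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
		 * we must set the last 8 bytes of the server random to magical
		 * values to indicate we meant to downgrade.  For TLS 1.2 it is
		 * recommended that we do the same.
		 */
		size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
		uint8_t *magic = &s->s3->server_random[index];
		if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {
			/* Indicate we chose to downgrade to 1.2. */
			memcpy(magic, tls13_downgrade_12,
			    sizeof(tls13_downgrade_12));
		} else {
			/* Indicate we chose to downgrade to 1.1 or lower */
			memcpy(magic, tls13_downgrade_11,
			    sizeof(tls13_downgrade_11));
		}
	}

	if (!s->internal->hit && s->internal->tls_session_secret_cb != NULL) {
		SSL_CIPHER *pref_cipher = NULL;
		int master_key_length = sizeof(s->session->master_key);

		if (!s->internal->tls_session_secret_cb(s,
		    s->session->master_key, &master_key_length, ciphers,
		    &pref_cipher, s->internal->tls_session_secret_cb_arg)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		if (master_key_length <= 0) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		s->session->master_key_length = master_key_length;

		/* The external secret makes this a resumption. */
		s->internal->hit = 1;
		s->session->verify_result = X509_V_OK;

		sk_SSL_CIPHER_free(s->session->ciphers);
		s->session->ciphers = ciphers;
		ciphers = NULL;

		/* Check if some cipher was preferred by the callback. */
		if (pref_cipher == NULL)
			pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
			    SSL_get_ciphers(s));
		if (pref_cipher == NULL) {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
			goto fatal_err;
		}
		s->session->cipher = pref_cipher;

		sk_SSL_CIPHER_free(s->cipher_list);
		s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
	}

	/*
	 * Given s->session->ciphers and SSL_get_ciphers, we must
	 * pick a cipher
	 */

	if (!s->internal->hit) {
		if (ciphers == NULL) {
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
			goto fatal_err;
		}
		sk_SSL_CIPHER_free(s->session->ciphers);
		s->session->ciphers = ciphers;
		ciphers = NULL;

		if ((c = ssl3_choose_cipher(s, s->session->ciphers,
		    SSL_get_ciphers(s))) == NULL) {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
			goto fatal_err;
		}
		s->s3->hs.cipher = c;
	} else {
		s->s3->hs.cipher = s->session->cipher;
	}

	if (!tls1_transcript_hash_init(s))
		goto err;

	/*
	 * The transcript is only needed for client certificate verification
	 * with signature algorithms or GOST; otherwise drop it now.
	 */
	alg_k = s->s3->hs.cipher->algorithm_mkey;
	if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
	    !(s->verify_mode & SSL_VERIFY_PEER))
		tls1_transcript_free(s);

	/*
	 * We now have the following setup.
	 * client_random
	 * cipher_list		- our prefered list of ciphers
	 * ciphers		- the clients prefered list of ciphers
	 * compression		- basically ignored right now
	 * ssl version is set	- sslv3
	 * s->session		- The ssl session has been setup.
	 * s->internal->hit		- session reuse flag
	 * s->s3->hs.cipher	- the new cipher to use.
	 */

	/* Handles TLS extensions that we couldn't check earlier */
	if (ssl_check_clienthello_tlsext_late(s) <= 0) {
		SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
		goto err;
	}

	ret = cookie_valid ? 2 : 1;

	if (0) {
 decode_err:
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
	}
 err:
	/* NULL once ownership has moved to s->session->ciphers. */
	sk_SSL_CIPHER_free(ciphers);

	return (ret);
}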
116972c33676SMaxim Ag 
/*
 * Send a DTLS HelloVerifyRequest carrying a freshly generated cookie.
 *
 * In state DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A the cookie is produced by
 * the application's app_gen_cookie_cb (its absence or failure is an
 * internal error), the message is built and the state advances to
 * DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; in either state the pending
 * handshake data is then written.
 *
 * Returns the result of ssl3_handshake_write(), 0 when no cookie could
 * be generated, or -1 if the message could not be built.
 */
int
ssl3_send_dtls_hello_verify_request(SSL *s)
{
	CBB cbb, verify, cookie;
	int built;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state != DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
		return (ssl3_handshake_write(s));

	/* The cookie comes from the application; we cannot make one. */
	if (s->ctx->internal->app_gen_cookie_cb == NULL ||
	    s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie,
	    &(s->d1->cookie_len)) == 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		return 0;
	}

	/*
	 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should
	 * always contain DTLSv1.0 regardless of the version that is
	 * going to be negotiated.
	 */
	built = ssl3_handshake_msg_start(s, &cbb, &verify,
	    DTLS1_MT_HELLO_VERIFY_REQUEST) &&
	    CBB_add_u16(&verify, DTLS1_VERSION) &&
	    CBB_add_u8_length_prefixed(&verify, &cookie) &&
	    CBB_add_bytes(&cookie, s->d1->cookie, s->d1->cookie_len) &&
	    ssl3_handshake_msg_finish(s, &cbb);
	if (!built) {
		CBB_cleanup(&cbb);
		return (-1);
	}

	s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;

	/* DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: flush the message. */
	return (ssl3_handshake_write(s));
}
1213*de0e0e4dSAntonio Huete Jimenez 
/*
 * Build and send the ServerHello.
 *
 * In state SSL3_ST_SW_SRVR_HELLO_A the message body is assembled (version,
 * server random, session ID, cipher suite, null compression and the
 * server extensions); otherwise the already-queued message is just
 * written.  Returns the result of ssl3_handshake_write(), or -1 on error.
 */
int
ssl3_send_server_hello(SSL *s)
{
	CBB cbb, hello, sid;
	size_t id_len;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_SRVR_HELLO_B: the message is already built, only write. */
	if (s->s3->hs.state != SSL3_ST_SW_SRVR_HELLO_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &hello, SSL3_MT_SERVER_HELLO))
		goto err;

	/* Negotiated version and our random. */
	if (!CBB_add_u16(&hello, s->version))
		goto err;
	if (!CBB_add_bytes(&hello, s->s3->server_random,
	    sizeof(s->s3->server_random)))
		goto err;

	/*
	 * Which session ID goes back to the client:
	 *
	 *  - resumption from the session cache: the old session ID;
	 *  - stateless resumption via a session ticket: the client's
	 *    "session ID" (which does not actually identify the session);
	 *  - a new session: the new session ID;
	 *  - a new session that should be single-use: a 0-length ID.
	 *
	 * s->internal->hit is set for both resumption cases, so the reset
	 * below cannot clobber an ID that has to be echoed back.
	 */
	if (!((s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER) ||
	    s->internal->hit))
		s->session->session_id_length = 0;

	id_len = s->session->session_id_length;
	if (id_len > sizeof(s->session->session_id)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	if (!CBB_add_u8_length_prefixed(&hello, &sid))
		goto err;
	if (!CBB_add_bytes(&sid, s->session->session_id, id_len))
		goto err;

	/* Selected cipher suite, followed by the (null) compression method. */
	if (!CBB_add_u16(&hello, ssl3_cipher_get_value(s->s3->hs.cipher)))
		goto err;
	if (!CBB_add_u8(&hello, 0))
		goto err;

	/* Server extensions. */
	if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &hello)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}
129272c33676SMaxim Ag 
/*
 * Build and send the (empty) ServerHelloDone message.
 *
 * In state SSL3_ST_SW_SRVR_DONE_A the message is queued and the state
 * advanced to SSL3_ST_SW_SRVR_DONE_B; in either state the queued message
 * is then written.  Returns the result of ssl3_handshake_write(), or -1
 * if the message could not be built.
 */
int
ssl3_send_server_done(SSL *s)
{
	CBB cbb, done;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_SW_SRVR_DONE_A) {
		/* ServerHelloDone has no body: start and finish immediately. */
		if (!ssl3_handshake_msg_start(s, &cbb, &done,
		    SSL3_MT_SERVER_DONE) ||
		    !ssl3_handshake_msg_finish(s, &cbb)) {
			CBB_cleanup(&cbb);
			return (-1);
		}

		s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;
	}

	/* SSL3_ST_SW_SRVR_DONE_B */
	return (ssl3_handshake_write(s));
}
131872c33676SMaxim Ag 
/*
 * Generate the server's ephemeral DH key share and append the DH
 * parameters and public value to the ServerKeyExchange body in cbb.
 *
 * A fresh key share replaces whatever s->s3->hs.key_share held before.
 * Parameters come either from automatic selection (dhe_params_auto) or
 * from the configured dhe_params / dhe_params_cb.  Returns 1 on success,
 * 0 on failure; a fatal alert is sent for missing parameters, an
 * automatic-size failure and a key share that fails the security check.
 */
static int
ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
{
	DH *dh_params;
	size_t key_bits;

	/* Discard any earlier key share and start from scratch. */
	tls_key_share_free(s->s3->hs.key_share);
	s->s3->hs.key_share = tls_key_share_new_nid(NID_dhKeyAgreement);
	if (s->s3->hs.key_share == NULL)
		return 0;

	if (s->cert->dhe_params_auto == 0) {
		/* Explicitly configured parameters, else ask the callback. */
		dh_params = s->cert->dhe_params;
		if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
			dh_params = s->cert->dhe_params_cb(s, 0,
			    SSL_C_PKEYLENGTH(s->s3->hs.cipher));

		if (dh_params == NULL) {
			SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_HANDSHAKE_FAILURE);
			return 0;
		}

		if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))
			return 0;
	} else {
		/* Size the group automatically; 0 means no size could be chosen. */
		key_bits = ssl_dhe_params_auto_key_bits(s);
		if (key_bits == 0) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_INTERNAL_ERROR);
			return 0;
		}
		tls_key_share_set_key_bits(s->s3->hs.key_share, key_bits);
	}

	/* Generate our keypair, then emit parameters and public value. */
	if (!tls_key_share_generate(s->s3->hs.key_share) ||
	    !tls_key_share_params(s->s3->hs.key_share, cbb) ||
	    !tls_key_share_public(s->s3->hs.key_share, cbb))
		return 0;

	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	return 1;
}
137672c33676SMaxim Ag 
/*
 * Generate the server's ephemeral ECDH key share and append the
 * ServerECDHParams (RFC 8422 section 5.4) to the ServerKeyExchange body
 * in cbb: curve type, named group and the length-prefixed public point.
 *
 * A fresh key share replaces whatever s->s3->hs.key_share held before.
 * Returns 1 on success, 0 on failure; a fatal alert is sent only when no
 * usable group could be selected.
 */
static int
ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
{
	CBB point;
	int group_nid;

	if (!tls1_get_supported_group(s, &group_nid)) {
		SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	/* Discard any earlier key share and generate a new keypair. */
	tls_key_share_free(s->s3->hs.key_share);
	s->s3->hs.key_share = tls_key_share_new_nid(group_nid);
	if (s->s3->hs.key_share == NULL)
		return 0;
	if (!tls_key_share_generate(s->s3->hs.key_share))
		return 0;

	/* ECC key exchange - see RFC 8422, section 5.4. */
	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE) ||
	    !CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)) ||
	    !CBB_add_u8_length_prefixed(cbb, &point) ||
	    !tls_key_share_public(s->s3->hs.key_share, &point) ||
	    !CBB_flush(cbb))
		return 0;

	return 1;
}
141572c33676SMaxim Ag 
/*
 * Build and send the ServerKeyExchange message.
 *
 * In state SSL3_ST_SW_KEY_EXCH_A the key exchange parameters are produced
 * by ssl3_send_server_kex_dhe() or ssl3_send_server_kex_ecdhe() (which
 * also leave the generated key share in s->s3->hs.key_share for use when
 * the ClientKeyExchange arrives), and, unless the cipher suite is
 * anonymous, signed over client_random || server_random || params with
 * the server's signing key.  The state then advances to
 * SSL3_ST_SW_KEY_EXCH_B.  In either state the queued message is written.
 *
 * Returns the result of ssl3_handshake_write() on success and -1 on
 * error.  Errors reached through fatal_err send a fatal alert first;
 * errors reached directly through err do not.
 */
int
ssl3_send_server_key_exchange(SSL *s)
{
	CBB cbb, cbb_params, cbb_signature, server_kex;
	const struct ssl_sigalg *sigalg = NULL;
	unsigned char *signature = NULL;
	size_t signature_len = 0;
	unsigned char *params = NULL;	/* serialised kex params, owned here */
	size_t params_len;
	const EVP_MD *md = NULL;
	unsigned long type;
	EVP_MD_CTX *md_ctx = NULL;
	EVP_PKEY_CTX *pctx;		/* owned by md_ctx once SignInit succeeds */
	EVP_PKEY *pkey;
	int al;				/* alert description for fatal_err */

	/* Zeroed CBBs so CBB_cleanup() on the error path is always safe. */
	memset(&cbb, 0, sizeof(cbb));
	memset(&cbb_params, 0, sizeof(cbb_params));

	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {

		if (!ssl3_handshake_msg_start(s, &cbb, &server_kex,
		    SSL3_MT_SERVER_KEY_EXCHANGE))
			goto err;

		/*
		 * The parameters are built in a separate buffer because the
		 * same bytes are both appended to the message and fed into
		 * the signature.
		 */
		if (!CBB_init(&cbb_params, 0))
			goto err;

		type = s->s3->hs.cipher->algorithm_mkey;
		if (type & SSL_kDHE) {
			if (!ssl3_send_server_kex_dhe(s, &cbb_params))
				goto err;
		} else if (type & SSL_kECDHE) {
			if (!ssl3_send_server_kex_ecdhe(s, &cbb_params))
				goto err;
		} else {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
			goto fatal_err;
		}

		if (!CBB_finish(&cbb_params, &params, &params_len))
			goto err;

		if (!CBB_add_bytes(&server_kex, params, params_len))
			goto err;

		/* Add signature unless anonymous. */
		if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {
			if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,
			    &md, &sigalg)) == NULL) {
				al = SSL_AD_DECODE_ERROR;
				goto fatal_err;
			}
			/* Remembered so the chosen algorithm is visible later. */
			s->s3->hs.our_sigalg = sigalg;

			/* Send signature algorithm. */
			if (SSL_USE_SIGALGS(s)) {
				if (!CBB_add_u16(&server_kex, sigalg->value)) {
					al = SSL_AD_INTERNAL_ERROR;
					SSLerror(s, ERR_R_INTERNAL_ERROR);
					goto fatal_err;
				}
			}

			if (!EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/* RSA-PSS sigalgs need PSS padding with salt len = digest len. */
			if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
			    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
			    RSA_PKCS1_PSS_PADDING) ||
			    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/* Signed input: client_random || server_random || params. */
			if (!EVP_DigestSignUpdate(md_ctx, s->s3->client_random,
			    SSL3_RANDOM_SIZE)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if (!EVP_DigestSignUpdate(md_ctx, s->s3->server_random,
			    SSL3_RANDOM_SIZE)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if (!EVP_DigestSignUpdate(md_ctx, params, params_len)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/* First call sizes the signature, second produces it. */
			if (!EVP_DigestSignFinal(md_ctx, NULL, &signature_len) ||
			    !signature_len) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if ((signature = calloc(1, signature_len)) == NULL) {
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto err;
			}
			if (!EVP_DigestSignFinal(md_ctx, signature, &signature_len)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}

			if (!CBB_add_u16_length_prefixed(&server_kex,
			    &cbb_signature))
				goto err;
			if (!CBB_add_bytes(&cbb_signature, signature,
			    signature_len))
				goto err;
		}

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;
	}

	/*
	 * Success path: the CBBs have been finished (their storage handed
	 * over), so only the context and the temporary buffers are released.
	 */
	EVP_MD_CTX_free(md_ctx);
	free(params);
	free(signature);

	return (ssl3_handshake_write(s));

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	CBB_cleanup(&cbb_params);
	CBB_cleanup(&cbb);
	EVP_MD_CTX_free(md_ctx);
	free(params);
	free(signature);

	return (-1);
}
155472c33676SMaxim Ag 
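/*
 * Build and send a CertificateRequest (RFC 5246 section 7.4.4).
 *
 * In state SSL3_ST_SW_CERT_REQ_A the message is assembled: the accepted
 * certificate types, the supported signature algorithms (TLS 1.2 only)
 * and the DER-encoded names of the configured client CAs.  The state
 * then advances to SSL3_ST_SW_CERT_REQ_B.  In either state the queued
 * message is written.
 *
 * Returns the result of ssl3_handshake_write() on success, -1 on error.
 */
int
ssl3_send_certificate_request(SSL *s)
{
	CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
	STACK_OF(X509_NAME) *sk = NULL;
	X509_NAME *name;
	int i;

	/*
	 * Certificate Request - RFC 5246 section 7.4.4.
	 */

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {
		if (!ssl3_handshake_msg_start(s, &cbb, &cert_request,
		    SSL3_MT_CERTIFICATE_REQUEST))
			goto err;

		/* ClientCertificateType list. */
		if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
			goto err;
		if (!ssl3_get_req_cert_types(s, &cert_types))
			goto err;

		/* supported_signature_algorithms, present only for TLS 1.2. */
		if (SSL_USE_SIGALGS(s)) {
			if (!CBB_add_u16_length_prefixed(&cert_request,
			    &sigalgs))
				goto err;
			if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version,
			    &sigalgs, SSL_get_security_level(s)))
				goto err;
		}

		/* certificate_authorities: a list of DER DistinguishedNames. */
		if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
			goto err;

		/* A NULL list yields a count of -1, so the loop is skipped. */
		sk = SSL_get_client_CA_list(s);
		for (i = 0; i < sk_X509_NAME_num(sk); i++) {
			unsigned char *name_data;
			size_t name_len;
			int len;

			name = sk_X509_NAME_value(sk, i);

			/*
			 * i2d_X509_NAME() reports failure with a negative
			 * value; reject that explicitly instead of letting it
			 * become a huge size_t before CBB_add_space().
			 */
			if ((len = i2d_X509_NAME(name, NULL)) <= 0)
				goto err;
			name_len = len;

			/* Encode directly into space reserved in the message. */
			if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
				goto err;
			if (!CBB_add_space(&dn, &name_data, name_len))
				goto err;
			if (i2d_X509_NAME(name, &name_data) != len)
				goto err;
		}

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;
	}

	/* SSL3_ST_SW_CERT_REQ_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}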
162172c33676SMaxim Ag 
/*
 * Process an RSA ClientKeyExchange: decrypt the encrypted premaster
 * secret with our RSA private key and derive the master secret from it.
 *
 * Decryption and version-check failures are deliberately NOT reported to
 * the peer: the function still returns 1 and derives the master secret
 * from a random value (fakekey) so that a PKCS #1 v1.5 padding oracle is
 * not exposed (Bleichenbacher / Klima-Pokorny-Rosa).  Only structural
 * problems (missing key, bad message length) fail the handshake.
 *
 * Returns 1 on success (including the disguised-failure case), 0 on a
 * hard error.  A fatal alert is sent on the decode_err/fatal_err paths
 * but not on the plain err path.
 */
static int
ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
{
	unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
	unsigned char *pms = NULL;
	unsigned char *p;
	size_t pms_len = 0;
	EVP_PKEY *pkey = NULL;
	RSA *rsa = NULL;
	CBS enc_pms;
	int decrypt_len;
	int al = -1;		/* -1: no decryption failure detected so far */

	/*
	 * Random stand-in premaster secret, prepared up front so the
	 * substitution below costs nothing extra.  Its first two bytes carry
	 * the client's legacy version, like a genuine premaster secret.
	 */
	arc4random_buf(fakekey, sizeof(fakekey));

	fakekey[0] = s->s3->hs.peer_legacy_version >> 8;
	fakekey[1] = s->s3->hs.peer_legacy_version & 0xff;

	pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
	if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE);
		goto fatal_err;
	}

	/* The decrypt buffer must hold a full RSA block; no alert here. */
	pms_len = RSA_size(rsa);
	if (pms_len < SSL_MAX_MASTER_KEY_LENGTH)
		goto err;
	if ((pms = malloc(pms_len)) == NULL)
		goto err;
	p = pms;

	/* EncryptedPreMasterSecret: u16 length, then exactly RSA_size bytes. */
	if (!CBS_get_u16_length_prefixed(cbs, &enc_pms))
		goto decode_err;
	if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) {
		SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
		goto err;
	}

	decrypt_len = RSA_private_decrypt(CBS_len(&enc_pms), CBS_data(&enc_pms),
	    pms, rsa, RSA_PKCS1_PADDING);

	/* Drop whatever the RSA operation queued; failure is handled silently. */
	ERR_clear_error();

	/* A valid premaster secret is exactly SSL_MAX_MASTER_KEY_LENGTH bytes. */
	if (decrypt_len != SSL_MAX_MASTER_KEY_LENGTH) {
		al = SSL_AD_DECODE_ERROR;
		/* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
	}

	/* pms is only inspected when the decrypt itself succeeded. */
	if ((al == -1) && !((pms[0] == (s->s3->hs.peer_legacy_version >> 8)) &&
	    (pms[1] == (s->s3->hs.peer_legacy_version & 0xff)))) {
		/*
		 * The premaster secret must contain the same version number
		 * as the ClientHello to detect version rollback attacks
		 * (strangely, the protocol does not offer such protection for
		 * DH ciphersuites).
		 *
		 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
		 * (http://eprint.iacr.org/2003/052/) exploits the version
		 * number check as a "bad version oracle" -- an alert would
		 * reveal that the plaintext corresponding to some ciphertext
		 * made up by the adversary is properly formatted except that
		 * the version number is wrong. To avoid such attacks, we should
		 * treat this just like any other decryption error.
		 */
		al = SSL_AD_DECODE_ERROR;
		/* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
	}

	if (al != -1) {
		/*
		 * Some decryption failure -- use random value instead
		 * as countermeasure against Bleichenbacher's attack
		 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
		 * section 7.4.7.1).
		 */
		p = fakekey;
	}

	/*
	 * NOTE(review): the failure handling above branches on decrypt_len
	 * and on the version bytes, so the two failure modes are not
	 * processed in uniform time; whether that residual timing
	 * difference matters here is something to confirm separately.
	 */
	if (!tls12_derive_master_secret(s, p, SSL_MAX_MASTER_KEY_LENGTH))
		goto err;

	freezero(pms, pms_len);

	return 1;

 decode_err:
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	freezero(pms, pms_len);

	return 0;
}
171872c33676SMaxim Ag 
/*
 * Process a DHE ClientKeyExchange: read the client's public value into
 * the key share created for ServerKeyExchange, derive the shared secret
 * and turn it into the master secret.
 *
 * Returns 1 on success, 0 on failure.  A fatal alert is sent when the
 * key share is missing, when the public value cannot be decoded and when
 * it is rejected as invalid; other failures return 0 silently.
 */
static int
ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
{
	uint8_t *shared = NULL;
	size_t shared_len = 0;
	int decode_error, invalid_key;
	int ok = 0;

	/* The key share is created while building ServerKeyExchange. */
	if (s->s3->hs.key_share == NULL) {
		SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		goto done;
	}

	if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
	    &decode_error, &invalid_key)) {
		/* An alert is sent only for a decode failure. */
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		goto done;
	}
	if (invalid_key) {
		SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		goto done;
	}

	/* Shared secret -> master secret. */
	if (tls_key_share_derive(s->s3->hs.key_share, &shared, &shared_len) &&
	    tls12_derive_master_secret(s, shared, shared_len))
		ok = 1;

 done:
	/* The shared secret is key material: wipe before freeing. */
	freezero(shared, shared_len);

	return ok;
}
176072c33676SMaxim Ag 
/*
 * Process an ECDHE ClientKeyExchange: read the client's length-prefixed
 * public point into the key share created for ServerKeyExchange, derive
 * the shared secret and turn it into the master secret.
 *
 * Returns 1 on success, 0 on failure.  A fatal alert is sent when the
 * key share is missing and when the public point cannot be decoded;
 * other failures return 0 silently.
 */
static int
ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
{
	uint8_t *shared = NULL;
	size_t shared_len = 0;
	int decode_error;
	CBS point;
	int ok = 0;

	/* The key share is created while building ServerKeyExchange. */
	if (s->s3->hs.key_share == NULL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
		goto done;
	}

	/* ECPoint is carried with a one-byte length prefix. */
	if (!CBS_get_u8_length_prefixed(cbs, &point)) {
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		goto done;
	}
	if (!tls_key_share_peer_public(s->s3->hs.key_share, &point,
	    &decode_error, NULL)) {
		/* An alert is sent only for a decode failure. */
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		goto done;
	}

	/* Shared secret -> master secret. */
	if (tls_key_share_derive(s->s3->hs.key_share, &shared, &shared_len) &&
	    tls12_derive_master_secret(s, shared, shared_len))
		ok = 1;

 done:
	/* The shared secret is key material: wipe before freeing. */
	freezero(shared, shared_len);

	return ok;
}
180372c33676SMaxim Ag 
/*
 * Process a GOST ClientKeyExchange: decrypt the client's encrypted
 * premaster secret with our GOST01 certificate key and derive the
 * master secret from it.
 *
 * Returns 1 on success and 0 on failure.  A fatal decode_error alert is
 * sent only when the message itself is malformed; other failures are
 * reported through the error queue alone.
 */
static int
ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
{
	unsigned char premaster_secret[32];
	EVP_PKEY_CTX *pkey_ctx = NULL;
	EVP_PKEY *client_pubkey;
	EVP_PKEY *pkey = NULL;
	CBS gostblob;
	size_t outlen;
	int ret = 0;

	/* Our certificate private key - only set for a GOST01 auth cipher. */
	if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
		pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;

	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
		goto done;
	if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
		goto done;

	/*
	 * A client certificate of the same type may take part in the key
	 * exchange.  A failure from EVP_PKEY_derive_set_peer is not an
	 * error, since a client certificate may legitimately be used for
	 * authorization only - the queued error is simply discarded.
	 */
	client_pubkey = X509_get0_pubkey(s->session->peer_cert);
	if (client_pubkey != NULL &&
	    EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
		ERR_clear_error();

	/* The encrypted key is a single ASN.1 SEQUENCE with nothing after it. */
	if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE) ||
	    CBS_len(cbs) != 0) {
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		goto done;
	}

	/* Decrypt the session key into the fixed-size premaster buffer. */
	outlen = sizeof(premaster_secret);
	if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
	    CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
		SSLerror(s, SSL_R_DECRYPTION_FAILED);
		goto done;
	}

	if (!tls12_derive_master_secret(s, premaster_secret,
	    sizeof(premaster_secret)))
		goto done;

	/*
	 * If the public key from the client certificate was used for the
	 * exchange, CertificateVerify is skipped - presumably because the
	 * key exchange itself already demonstrated possession of that key.
	 */
	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
	    2, NULL) > 0)
		s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;

	ret = 1;

 done:
	/* The premaster secret is key material - wipe it on every path. */
	explicit_bzero(premaster_secret, sizeof(premaster_secret));
	EVP_PKEY_CTX_free(pkey_ctx);

	return ret;
}
187072c33676SMaxim Ag 
/*
 * Read the ClientKeyExchange message and pass its body to the handler
 * for the key exchange method of the negotiated cipher suite.
 *
 * Returns 1 on success, -1 on failure, and the (<= 0) result of
 * ssl3_get_message() while the message is not yet fully available.
 */
int
ssl3_get_client_key_exchange(SSL *s)
{
	unsigned long alg_k;
	int al, ret, kex_ok;
	CBS cbs;

	/* 2048 maxlen is a guess.  How long a key does that permit? */
	ret = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
	    SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048);
	if (ret <= 0)
		return ret;

	if (s->internal->init_num < 0)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/*
	 * Dispatch on the key exchange method.  No alert is sent here when
	 * a handler fails; the handlers report their own errors.
	 */
	alg_k = s->s3->hs.cipher->algorithm_mkey;
	if (alg_k & SSL_kRSA)
		kex_ok = ssl3_get_client_kex_rsa(s, &cbs);
	else if (alg_k & SSL_kDHE)
		kex_ok = ssl3_get_client_kex_dhe(s, &cbs);
	else if (alg_k & SSL_kECDHE)
		kex_ok = ssl3_get_client_kex_ecdhe(s, &cbs);
	else if (alg_k & SSL_kGOST)
		kex_ok = ssl3_get_client_kex_gost(s, &cbs);
	else {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
		goto fatal_err;
	}
	if (!kex_ok)
		goto err;

	/* The handler must have consumed the whole message. */
	if (CBS_len(&cbs) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		goto fatal_err;
	}

	return (1);

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	return (-1);
}
192172c33676SMaxim Ag 
/*
 * Process the client's CertificateVerify message: check that the
 * signature over the handshake transcript (TLS 1.2) or over the
 * MD5/SHA-1 handshake hashes (earlier versions) verifies with the
 * public key of the client certificate received earlier.
 *
 * If the next message is not a CertificateVerify it is left in place
 * (reuse_message) and this is only acceptable when no client certificate
 * was received.
 *
 * Returns 1 on success, 0 on failure, and the (<= 0) result of
 * ssl3_get_message() while the message is not yet fully available.
 */
int
ssl3_get_cert_verify(SSL *s)
{
	CBS cbs, signature;
	const struct ssl_sigalg *sigalg = NULL;
	uint16_t sigalg_value = SIGALG_NONE;
	EVP_PKEY *pkey;
	X509 *peer_cert = NULL;
	EVP_MD_CTX *mctx = NULL;
	int al, verify;
	const unsigned char *hdata;
	size_t hdatalen;
	int type = 0;
	int ret;

	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
	    SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
		return ret;

	/* From here on every failure path returns 0. */
	ret = 0;

	if (s->internal->init_num < 0)
		goto err;

	if ((mctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/* peer_cert may be NULL if the client sent no certificate. */
	peer_cert = s->session->peer_cert;
	pkey = X509_get0_pubkey(peer_cert);
	type = X509_certificate_type(peer_cert, pkey);

	/*
	 * Not a CertificateVerify: hand the message back to the state
	 * machine.  That is only fine when there is no client certificate
	 * to verify; a certificate without a matching verify is fatal.
	 */
	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
		s->s3->hs.tls12.reuse_message = 1;
		if (peer_cert != NULL) {
			al = SSL_AD_UNEXPECTED_MESSAGE;
			SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
			goto fatal_err;
		}
		ret = 1;
		goto end;
	}

	if (peer_cert == NULL) {
		SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED);
		al = SSL_AD_UNEXPECTED_MESSAGE;
		goto fatal_err;
	}

	/* The certificate key must be usable for signing at all. */
	if (!(type & EVP_PKT_SIGN)) {
		SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
		al = SSL_AD_ILLEGAL_PARAMETER;
		goto fatal_err;
	}

	/* ChangeCipherSpec must not arrive before CertificateVerify. */
	if (s->s3->change_cipher_spec) {
		SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
		al = SSL_AD_UNEXPECTED_MESSAGE;
		goto fatal_err;
	}

	/* TLS 1.2 prefixes the signature with a SignatureAndHashAlgorithm. */
	if (SSL_USE_SIGALGS(s)) {
		if (!CBS_get_u16(&cbs, &sigalg_value))
			goto decode_err;
	}
	/*
	 * NOTE(review): a truncated signature length falls through to err
	 * and returns 0 without an alert, unlike the decode_err path used
	 * for the sigalg field just above.
	 */
	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
		goto err;
	if (CBS_len(&cbs) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
		goto fatal_err;
	}

	/* Reject oversized signatures before doing any public key work. */
	if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
		SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE);
		al = SSL_AD_DECODE_ERROR;
		goto fatal_err;
	}

	/* The algorithm must be acceptable for this peer and key. */
	if ((sigalg = ssl_sigalg_for_peer(s, pkey,
	    sigalg_value)) == NULL) {
		al = SSL_AD_DECODE_ERROR;
		goto fatal_err;
	}
	s->s3->hs.peer_sigalg = sigalg;

	if (SSL_USE_SIGALGS(s)) {
		/* TLS 1.2: the signature covers the full handshake transcript. */
		EVP_PKEY_CTX *pctx;

		if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_DigestVerifyInit(mctx, &pctx, sigalg->md(),
		    NULL, pkey)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		/* RSA-PSS: salt length -1 means "equal to the digest size". */
		if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
		    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
			RSA_PKCS1_PSS_PADDING) ||
		    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		/* GOST signatures in TLS use the little-endian r||s format. */
		if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
		    EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
		    EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
		    NULL) <= 0) {
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_DigestVerifyUpdate(mctx, hdata, hdatalen)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (EVP_DigestVerifyFinal(mctx, CBS_data(&signature),
		    CBS_len(&signature)) <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_SIGNATURE);
			goto fatal_err;
		}
	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
		/*
		 * Pre-1.2 RSA: the signature is over the concatenated MD5 and
		 * SHA-1 handshake hashes saved in cert_verify.
		 */
		RSA *rsa;

		if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
			al = SSL_AD_INTERNAL_ERROR;
			SSLerror(s, ERR_R_EVP_LIB);
			goto fatal_err;
		}
		verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,
		    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
		    CBS_len(&signature), rsa);
		/* < 0 is a decryption error, 0 is a well-formed bad signature. */
		if (verify < 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_RSA_DECRYPT);
			goto fatal_err;
		}
		if (verify == 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_RSA_SIGNATURE);
			goto fatal_err;
		}
	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
		/* Pre-1.2 ECDSA: only the SHA-1 half of cert_verify is signed. */
		EC_KEY *eckey;

		if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
			al = SSL_AD_INTERNAL_ERROR;
			SSLerror(s, ERR_R_EVP_LIB);
			goto fatal_err;
		}
		verify = ECDSA_verify(0,
		    &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
		    SHA_DIGEST_LENGTH, CBS_data(&signature),
		    CBS_len(&signature), eckey);
		if (verify <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
			goto fatal_err;
		}
#ifndef OPENSSL_NO_GOST
	} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
	    EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
		/*
		 * Pre-1.2 GOST: hash the transcript with the key's default
		 * digest and verify that hash with the r||s LE signature format.
		 */
		unsigned char sigbuf[128];
		unsigned int siglen = sizeof(sigbuf);
		EVP_PKEY_CTX *pctx;
		const EVP_MD *md;
		int nid;

		if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
		    !(md = EVP_get_digestbynid(nid))) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		/* pctx is owned locally and must be freed on every exit below. */
		if (!EVP_DigestInit_ex(mctx, md, NULL) ||
		    !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
		    !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
		    (EVP_PKEY_verify_init(pctx) <= 0) ||
		    (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
		    (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
		    EVP_PKEY_CTRL_GOST_SIG_FORMAT,
		    GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			EVP_PKEY_CTX_free(pctx);
			goto fatal_err;
		}
		if (EVP_PKEY_verify(pctx, CBS_data(&signature),
		    CBS_len(&signature), sigbuf, siglen) <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_SIGNATURE);
			EVP_PKEY_CTX_free(pctx);
			goto fatal_err;
		}

		EVP_PKEY_CTX_free(pctx);
#endif
	} else {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		al = SSL_AD_UNSUPPORTED_CERTIFICATE;
		goto fatal_err;
	}

	ret = 1;
	/*
	 * The error labels sit inside a never-entered block: the success
	 * path falls past them while the gotos above can still reach them.
	 */
	if (0) {
 decode_err:
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
	}
 end:
	/* The transcript is no longer needed once CertificateVerify is done. */
	tls1_transcript_free(s);
 err:
	EVP_MD_CTX_free(mctx);

	return (ret);
}
215572c33676SMaxim Ag 
/*
 * Process the client's Certificate message: parse the certificate list,
 * verify the chain and record the peer certificates on the session.
 *
 * When the client skipped the Certificate message entirely (the next
 * message is a ClientKeyExchange) this is tolerated only if no client
 * certificate was requested and the verify mode does not demand one;
 * the message is then handed back for the next state to process.
 *
 * Returns 1 on success, -1 on failure, and the (<= 0) result of
 * ssl3_get_message() while the message is not yet fully available.
 */
int
ssl3_get_client_certificate(SSL *s)
{
	CBS cbs, cert_list, cert_data;
	STACK_OF(X509) *certs = NULL;
	X509 *cert = NULL;
	const uint8_t *p;
	int al, ret;

	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
	    -1, s->internal->max_cert_list)) <= 0)
		return ret;

	/* From here on every failure path returns -1. */
	ret = -1;

	if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
		if ((s->verify_mode & SSL_VERIFY_PEER) &&
		    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
			SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al = SSL_AD_HANDSHAKE_FAILURE;
			goto fatal_err;
		}

		/*
		 * If we asked for a client certificate and the client has none,
		 * it must respond with a certificate list of length zero.
		 */
		if (s->s3->hs.tls12.cert_request != 0) {
			SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
			al = SSL_AD_UNEXPECTED_MESSAGE;
			goto fatal_err;
		}
		/* Leave the ClientKeyExchange for the next state. */
		s->s3->hs.tls12.reuse_message = 1;
		return (1);
	}

	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
		goto fatal_err;
	}

	if (s->internal->init_num < 0)
		goto decode_err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/* The body is exactly one u24 length-prefixed certificate list. */
	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
		goto decode_err;
	if (CBS_len(&cbs) != 0)
		goto decode_err;

	/*
	 * A TLS client must send an empty certificate list, if no suitable
	 * certificate is available (rather than omitting the Certificate
	 * handshake message) - see RFC 5246 section 7.4.6.
	 */
	if (CBS_len(&cert_list) == 0) {
		if ((s->verify_mode & SSL_VERIFY_PEER) &&
		    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
			SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al = SSL_AD_HANDSHAKE_FAILURE;
			goto fatal_err;
		}
		/* No client certificate so free transcript. */
		tls1_transcript_free(s);
		goto done;
	}

	if ((certs = sk_X509_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/*
	 * Each list entry is a u24 length-prefixed DER certificate; the DER
	 * object must use up the entry exactly, trailing bytes are rejected.
	 * NOTE(review): a certificate that fails to parse goes to err and
	 * returns -1 without an alert, unlike the decode_err paths.
	 */
	while (CBS_len(&cert_list) > 0) {
		if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
			goto decode_err;
		p = CBS_data(&cert_data);
		if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) {
			SSLerror(s, ERR_R_ASN1_LIB);
			goto err;
		}
		if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
			goto decode_err;
		if (!sk_X509_push(certs, cert)) {
			SSLerror(s, ERR_R_MALLOC_FAILURE);
			goto err;
		}
		/* Ownership moved to certs; err must not free it twice. */
		cert = NULL;
	}

	/* The alert level for a chain failure depends on the verify result. */
	if (ssl_verify_cert_chain(s, certs) <= 0) {
		al = ssl_verify_alarm_type(s->verify_result);
		SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED);
		goto fatal_err;
	}
	s->session->verify_result = s->verify_result;
	ERR_clear_error();

	if (!tls_process_peer_certs(s, certs))
		goto err;

 done:
	ret = 1;
	/*
	 * The error labels sit inside a never-entered block: the success
	 * path falls past them while the gotos above can still reach them.
	 */
	if (0) {
 decode_err:
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
	}
 err:
	/* Both are NULL-safe; cert is only non-NULL after a failed push. */
	sk_X509_pop_free(certs, X509_free);
	X509_free(cert);

	return (ret);
}
227372c33676SMaxim Ag 
/*
 * Send the server Certificate message (RFC 5246, section 7.4.2).
 *
 * The message is built in state SSL3_ST_SW_CERT_A and written out in
 * SSL3_ST_SW_CERT_B.  Returns the result of ssl3_handshake_write(), or
 * 0 when the message could not be constructed.
 */
int
ssl3_send_server_certificate(SSL *s)
{
	CBB cbb, server_cert;
	SSL_CERT_PKEY *cpk;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_CERT_B: the message already exists, keep writing it. */
	if (s->s3->hs.state != SSL3_ST_SW_CERT_A)
		return (ssl3_handshake_write(s));

	/* Pick the certificate/key pair the server will present. */
	if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		return (0);
	}

	if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,
	    SSL3_MT_CERTIFICATE))
		goto err;
	if (!ssl3_output_cert_chain(s, &server_cert, cpk))
		goto err;
	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	s->s3->hs.state = SSL3_ST_SW_CERT_B;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (0);
}
231172c33676SMaxim Ag 
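/*
 * Send a NewSessionTicket message (RFC 5077, section 3.3).  A ticket is
 * issued not only for new sessions but also when a session is resumed.
 *
 * In state SSL3_ST_SW_SESSION_TICKET_A the serialised session is
 * encrypted and the key name, IV and ciphertext are authenticated with
 * an HMAC.  The cipher and HMAC contexts are set up either by the
 * application's ticket key callback or from the ticket keys of the
 * initial SSL_CTX.  In SSL3_ST_SW_SESSION_TICKET_B the already built
 * message is just written out.
 *
 * Returns the result of ssl3_handshake_write(), or -1 on failure.
 */
int
ssl3_send_newsession_ticket(SSL *s)
{
	CBB cbb, session_ticket, ticket;
	SSL_CTX *tctx = s->initial_ctx;
	size_t enc_session_len, enc_session_max_len, hmac_len;
	size_t session_len = 0;
	unsigned char *enc_session = NULL, *session = NULL;
	unsigned char iv[EVP_MAX_IV_LENGTH];
	unsigned char key_name[16];
	unsigned char *hmac;
	unsigned int hlen;
	EVP_CIPHER_CTX *ctx = NULL;
	HMAC_CTX *hctx = NULL;
	int len;

	memset(&cbb, 0, sizeof(cbb));

	if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
		goto err;
	if ((hctx = HMAC_CTX_new()) == NULL)
		goto err;

	if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {
		if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket,
		    SSL3_MT_NEWSESSION_TICKET))
			goto err;

		/* Serialised session state; it must fit a 16-bit length. */
		if (!SSL_SESSION_ticket(s->session, &session, &session_len))
			goto err;
		if (session_len > 0xffff)
			goto err;

		/*
		 * Initialize HMAC and cipher contexts. If callback is present
		 * it does all the work, otherwise use generated values from
		 * parent context.
		 */
		if (tctx->internal->tlsext_ticket_key_cb != NULL) {
			if (tctx->internal->tlsext_ticket_key_cb(s,
			    key_name, iv, ctx, hctx, 1) < 0)
				goto err;
		} else {
			arc4random_buf(iv, 16);
			/*
			 * A failed initialisation would leave the contexts
			 * unusable for the encrypt/HMAC calls below, so it is
			 * treated as fatal rather than ignored.
			 */
			if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
			    tctx->internal->tlsext_tick_aes_key, iv))
				goto err;
			if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
			    16, EVP_sha256(), NULL))
				goto err;
			memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16);
		}

		/* Encrypt the session state (room for one block of padding). */
		enc_session_max_len = session_len + EVP_MAX_BLOCK_LENGTH;
		if ((enc_session = calloc(1, enc_session_max_len)) == NULL)
			goto err;
		enc_session_len = 0;
		if (!EVP_EncryptUpdate(ctx, enc_session, &len, session,
		    session_len))
			goto err;
		enc_session_len += len;
		if (!EVP_EncryptFinal_ex(ctx, enc_session + enc_session_len,
		    &len))
			goto err;
		enc_session_len += len;

		if (enc_session_len > enc_session_max_len)
			goto err;

		/* Generate the HMAC over key name, IV and ciphertext. */
		if (!HMAC_Update(hctx, key_name, sizeof(key_name)))
			goto err;
		if (!HMAC_Update(hctx, iv, EVP_CIPHER_CTX_iv_length(ctx)))
			goto err;
		if (!HMAC_Update(hctx, enc_session, enc_session_len))
			goto err;

		/* HMAC_size() yields a size_t, so zero is the only error value. */
		if ((hmac_len = HMAC_size(hctx)) == 0)
			goto err;

		/*
		 * Ticket lifetime hint (advisory only):
		 * We leave this unspecified for resumed session
		 * (for simplicity), and guess that tickets for new
		 * sessions will live as long as their sessions.
		 */
		if (!CBB_add_u32(&session_ticket,
		    s->internal->hit ? 0 : s->session->timeout))
			goto err;

		/* ticket = key_name || iv || encrypted_state || mac */
		if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket))
			goto err;
		if (!CBB_add_bytes(&ticket, key_name, sizeof(key_name)))
			goto err;
		if (!CBB_add_bytes(&ticket, iv, EVP_CIPHER_CTX_iv_length(ctx)))
			goto err;
		if (!CBB_add_bytes(&ticket, enc_session, enc_session_len))
			goto err;
		if (!CBB_add_space(&ticket, &hmac, hmac_len))
			goto err;

		/* The MAC is written straight into the space reserved above. */
		if (!HMAC_Final(hctx, hmac, &hlen))
			goto err;
		if (hlen != hmac_len)
			goto err;

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;
	}

	EVP_CIPHER_CTX_free(ctx);
	HMAC_CTX_free(hctx);
	/* The serialised session holds the master secret - wipe it. */
	freezero(session, session_len);
	free(enc_session);

	/* SSL3_ST_SW_SESSION_TICKET_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);
	EVP_CIPHER_CTX_free(ctx);
	HMAC_CTX_free(hctx);
	freezero(session, session_len);
	free(enc_session);

	return (-1);
}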
244572c33676SMaxim Ag 
/*
 * Send a CertificateStatus message carrying the stapled OCSP response
 * held in s->internal->tlsext_ocsp_resp, tagged with the status type
 * recorded in s->tlsext_status_type.
 *
 * The message is built in state SSL3_ST_SW_CERT_STATUS_A and written
 * out in SSL3_ST_SW_CERT_STATUS_B.  Returns the result of
 * ssl3_handshake_write(), or -1 when the message could not be built.
 */
int
ssl3_send_cert_status(SSL *s)
{
	CBB cbb, certstatus, ocspresp;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_CERT_STATUS_B: nothing left to build, keep writing. */
	if (s->s3->hs.state != SSL3_ST_SW_CERT_STATUS_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &certstatus,
	    SSL3_MT_CERTIFICATE_STATUS))
		goto err;
	/* CertificateStatus body: status_type, then u24-prefixed response. */
	if (!CBB_add_u8(&certstatus, s->tlsext_status_type))
		goto err;
	if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp))
		goto err;
	if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp,
	    s->internal->tlsext_ocsp_resp_len))
		goto err;
	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}