1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ssl_srvr.c,v 1.149 2022/08/17 07:39:19 jsing Exp $ */
272c33676SMaxim Ag /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
372c33676SMaxim Ag * All rights reserved.
472c33676SMaxim Ag *
572c33676SMaxim Ag * This package is an SSL implementation written
672c33676SMaxim Ag * by Eric Young (eay@cryptsoft.com).
772c33676SMaxim Ag * The implementation was written so as to conform with Netscapes SSL.
872c33676SMaxim Ag *
972c33676SMaxim Ag * This library is free for commercial and non-commercial use as long as
1072c33676SMaxim Ag * the following conditions are aheared to. The following conditions
1172c33676SMaxim Ag * apply to all code found in this distribution, be it the RC4, RSA,
1272c33676SMaxim Ag * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1372c33676SMaxim Ag * included with this distribution is covered by the same copyright terms
1472c33676SMaxim Ag * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1572c33676SMaxim Ag *
1672c33676SMaxim Ag * Copyright remains Eric Young's, and as such any Copyright notices in
1772c33676SMaxim Ag * the code are not to be removed.
1872c33676SMaxim Ag * If this package is used in a product, Eric Young should be given attribution
1972c33676SMaxim Ag * as the author of the parts of the library used.
2072c33676SMaxim Ag * This can be in the form of a textual message at program startup or
2172c33676SMaxim Ag * in documentation (online or textual) provided with the package.
2272c33676SMaxim Ag *
2372c33676SMaxim Ag * Redistribution and use in source and binary forms, with or without
2472c33676SMaxim Ag * modification, are permitted provided that the following conditions
2572c33676SMaxim Ag * are met:
2672c33676SMaxim Ag * 1. Redistributions of source code must retain the copyright
2772c33676SMaxim Ag * notice, this list of conditions and the following disclaimer.
2872c33676SMaxim Ag * 2. Redistributions in binary form must reproduce the above copyright
2972c33676SMaxim Ag * notice, this list of conditions and the following disclaimer in the
3072c33676SMaxim Ag * documentation and/or other materials provided with the distribution.
3172c33676SMaxim Ag * 3. All advertising materials mentioning features or use of this software
3272c33676SMaxim Ag * must display the following acknowledgement:
3372c33676SMaxim Ag * "This product includes cryptographic software written by
3472c33676SMaxim Ag * Eric Young (eay@cryptsoft.com)"
3572c33676SMaxim Ag * The word 'cryptographic' can be left out if the rouines from the library
3672c33676SMaxim Ag * being used are not cryptographic related :-).
3772c33676SMaxim Ag * 4. If you include any Windows specific code (or a derivative thereof) from
3872c33676SMaxim Ag * the apps directory (application code) you must include an acknowledgement:
3972c33676SMaxim Ag * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
4072c33676SMaxim Ag *
4172c33676SMaxim Ag * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4272c33676SMaxim Ag * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4372c33676SMaxim Ag * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4472c33676SMaxim Ag * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4572c33676SMaxim Ag * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4672c33676SMaxim Ag * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4772c33676SMaxim Ag * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4872c33676SMaxim Ag * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4972c33676SMaxim Ag * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5072c33676SMaxim Ag * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5172c33676SMaxim Ag * SUCH DAMAGE.
5272c33676SMaxim Ag *
5372c33676SMaxim Ag * The licence and distribution terms for any publically available version or
5472c33676SMaxim Ag * derivative of this code cannot be changed. i.e. this code cannot simply be
5572c33676SMaxim Ag * copied and put under another distribution licence
5672c33676SMaxim Ag * [including the GNU Public Licence.]
5772c33676SMaxim Ag */
5872c33676SMaxim Ag /* ====================================================================
5972c33676SMaxim Ag * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
6072c33676SMaxim Ag *
6172c33676SMaxim Ag * Redistribution and use in source and binary forms, with or without
6272c33676SMaxim Ag * modification, are permitted provided that the following conditions
6372c33676SMaxim Ag * are met:
6472c33676SMaxim Ag *
6572c33676SMaxim Ag * 1. Redistributions of source code must retain the above copyright
6672c33676SMaxim Ag * notice, this list of conditions and the following disclaimer.
6772c33676SMaxim Ag *
6872c33676SMaxim Ag * 2. Redistributions in binary form must reproduce the above copyright
6972c33676SMaxim Ag * notice, this list of conditions and the following disclaimer in
7072c33676SMaxim Ag * the documentation and/or other materials provided with the
7172c33676SMaxim Ag * distribution.
7272c33676SMaxim Ag *
7372c33676SMaxim Ag * 3. All advertising materials mentioning features or use of this
7472c33676SMaxim Ag * software must display the following acknowledgment:
7572c33676SMaxim Ag * "This product includes software developed by the OpenSSL Project
7672c33676SMaxim Ag * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7772c33676SMaxim Ag *
7872c33676SMaxim Ag * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7972c33676SMaxim Ag * endorse or promote products derived from this software without
8072c33676SMaxim Ag * prior written permission. For written permission, please contact
8172c33676SMaxim Ag * openssl-core@openssl.org.
8272c33676SMaxim Ag *
8372c33676SMaxim Ag * 5. Products derived from this software may not be called "OpenSSL"
8472c33676SMaxim Ag * nor may "OpenSSL" appear in their names without prior written
8572c33676SMaxim Ag * permission of the OpenSSL Project.
8672c33676SMaxim Ag *
8772c33676SMaxim Ag * 6. Redistributions of any form whatsoever must retain the following
8872c33676SMaxim Ag * acknowledgment:
8972c33676SMaxim Ag * "This product includes software developed by the OpenSSL Project
9072c33676SMaxim Ag * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9172c33676SMaxim Ag *
9272c33676SMaxim Ag * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9372c33676SMaxim Ag * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9472c33676SMaxim Ag * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9572c33676SMaxim Ag * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9672c33676SMaxim Ag * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9772c33676SMaxim Ag * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9872c33676SMaxim Ag * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9972c33676SMaxim Ag * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10072c33676SMaxim Ag * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10172c33676SMaxim Ag * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10272c33676SMaxim Ag * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10372c33676SMaxim Ag * OF THE POSSIBILITY OF SUCH DAMAGE.
10472c33676SMaxim Ag * ====================================================================
10572c33676SMaxim Ag *
10672c33676SMaxim Ag * This product includes cryptographic software written by Eric Young
10772c33676SMaxim Ag * (eay@cryptsoft.com). This product includes software written by Tim
10872c33676SMaxim Ag * Hudson (tjh@cryptsoft.com).
10972c33676SMaxim Ag *
11072c33676SMaxim Ag */
11172c33676SMaxim Ag /* ====================================================================
11272c33676SMaxim Ag * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
11372c33676SMaxim Ag *
11472c33676SMaxim Ag * Portions of the attached software ("Contribution") are developed by
11572c33676SMaxim Ag * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
11672c33676SMaxim Ag *
11772c33676SMaxim Ag * The Contribution is licensed pursuant to the OpenSSL open source
11872c33676SMaxim Ag * license provided above.
11972c33676SMaxim Ag *
12072c33676SMaxim Ag * ECC cipher suite support in OpenSSL originally written by
12172c33676SMaxim Ag * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
12272c33676SMaxim Ag *
12372c33676SMaxim Ag */
12472c33676SMaxim Ag /* ====================================================================
12572c33676SMaxim Ag * Copyright 2005 Nokia. All rights reserved.
12672c33676SMaxim Ag *
12772c33676SMaxim Ag * The portions of the attached software ("Contribution") is developed by
12872c33676SMaxim Ag * Nokia Corporation and is licensed pursuant to the OpenSSL open source
12972c33676SMaxim Ag * license.
13072c33676SMaxim Ag *
13172c33676SMaxim Ag * The Contribution, originally written by Mika Kousa and Pasi Eronen of
13272c33676SMaxim Ag * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
13372c33676SMaxim Ag * support (see RFC 4279) to OpenSSL.
13472c33676SMaxim Ag *
13572c33676SMaxim Ag * No patent licenses or other rights except those expressly stated in
13672c33676SMaxim Ag * the OpenSSL open source license shall be deemed granted or received
13772c33676SMaxim Ag * expressly, by implication, estoppel, or otherwise.
13872c33676SMaxim Ag *
13972c33676SMaxim Ag * No assurances are provided by Nokia that the Contribution does not
14072c33676SMaxim Ag * infringe the patent or other intellectual property rights of any third
14172c33676SMaxim Ag * party or that the license provides you with all the necessary rights
14272c33676SMaxim Ag * to make use of the Contribution.
14372c33676SMaxim Ag *
14472c33676SMaxim Ag * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
14572c33676SMaxim Ag * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
14672c33676SMaxim Ag * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
14772c33676SMaxim Ag * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
14872c33676SMaxim Ag * OTHERWISE.
14972c33676SMaxim Ag */
15072c33676SMaxim Ag
15172c33676SMaxim Ag #include <stdio.h>
15272c33676SMaxim Ag
15372c33676SMaxim Ag #include <openssl/bn.h>
15472c33676SMaxim Ag #include <openssl/buffer.h>
15572c33676SMaxim Ag #include <openssl/curve25519.h>
15672c33676SMaxim Ag #include <openssl/evp.h>
15772c33676SMaxim Ag #include <openssl/dh.h>
15872c33676SMaxim Ag #include <openssl/hmac.h>
15972c33676SMaxim Ag #include <openssl/md5.h>
16072c33676SMaxim Ag #include <openssl/objects.h>
161*de0e0e4dSAntonio Huete Jimenez #include <openssl/opensslconf.h>
16272c33676SMaxim Ag #include <openssl/x509.h>
16372c33676SMaxim Ag
164*de0e0e4dSAntonio Huete Jimenez #ifndef OPENSSL_NO_GOST
165*de0e0e4dSAntonio Huete Jimenez #include <openssl/gost.h>
166*de0e0e4dSAntonio Huete Jimenez #endif
167*de0e0e4dSAntonio Huete Jimenez
16872c33676SMaxim Ag #include "bytestring.h"
169*de0e0e4dSAntonio Huete Jimenez #include "dtls_locl.h"
170*de0e0e4dSAntonio Huete Jimenez #include "ssl_locl.h"
17172c33676SMaxim Ag #include "ssl_sigalgs.h"
17272c33676SMaxim Ag #include "ssl_tlsext.h"
17372c33676SMaxim Ag
17472c33676SMaxim Ag int
ssl3_accept(SSL * s)17572c33676SMaxim Ag ssl3_accept(SSL *s)
17672c33676SMaxim Ag {
17772c33676SMaxim Ag unsigned long alg_k;
17872c33676SMaxim Ag int new_state, state, skip = 0;
17972c33676SMaxim Ag int listen = 0;
180*de0e0e4dSAntonio Huete Jimenez int ret = -1;
18172c33676SMaxim Ag
18272c33676SMaxim Ag ERR_clear_error();
18372c33676SMaxim Ag errno = 0;
18472c33676SMaxim Ag
185*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
186*de0e0e4dSAntonio Huete Jimenez listen = s->d1->listen;
18772c33676SMaxim Ag
18872c33676SMaxim Ag /* init things to blank */
18972c33676SMaxim Ag s->internal->in_handshake++;
19072c33676SMaxim Ag if (!SSL_in_init(s) || SSL_in_before(s))
19172c33676SMaxim Ag SSL_clear(s);
19272c33676SMaxim Ag
193*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
194*de0e0e4dSAntonio Huete Jimenez s->d1->listen = listen;
19572c33676SMaxim Ag
19672c33676SMaxim Ag for (;;) {
197*de0e0e4dSAntonio Huete Jimenez state = s->s3->hs.state;
19872c33676SMaxim Ag
199*de0e0e4dSAntonio Huete Jimenez switch (s->s3->hs.state) {
20072c33676SMaxim Ag case SSL_ST_RENEGOTIATE:
20172c33676SMaxim Ag s->internal->renegotiate = 1;
202*de0e0e4dSAntonio Huete Jimenez /* s->s3->hs.state=SSL_ST_ACCEPT; */
20372c33676SMaxim Ag
20472c33676SMaxim Ag case SSL_ST_BEFORE:
20572c33676SMaxim Ag case SSL_ST_ACCEPT:
20672c33676SMaxim Ag case SSL_ST_BEFORE|SSL_ST_ACCEPT:
20772c33676SMaxim Ag case SSL_ST_OK|SSL_ST_ACCEPT:
20872c33676SMaxim Ag s->server = 1;
20972c33676SMaxim Ag
210*de0e0e4dSAntonio Huete Jimenez ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
211*de0e0e4dSAntonio Huete Jimenez
212*de0e0e4dSAntonio Huete Jimenez if (!ssl_legacy_stack_version(s, s->version)) {
21372c33676SMaxim Ag SSLerror(s, ERR_R_INTERNAL_ERROR);
21472c33676SMaxim Ag ret = -1;
21572c33676SMaxim Ag goto end;
21672c33676SMaxim Ag }
217*de0e0e4dSAntonio Huete Jimenez
218*de0e0e4dSAntonio Huete Jimenez if (!ssl_supported_tls_version_range(s,
219*de0e0e4dSAntonio Huete Jimenez &s->s3->hs.our_min_tls_version,
220*de0e0e4dSAntonio Huete Jimenez &s->s3->hs.our_max_tls_version)) {
221*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
22272c33676SMaxim Ag ret = -1;
22372c33676SMaxim Ag goto end;
22472c33676SMaxim Ag }
225*de0e0e4dSAntonio Huete Jimenez
226*de0e0e4dSAntonio Huete Jimenez if (!ssl_security_version(s,
227*de0e0e4dSAntonio Huete Jimenez s->s3->hs.our_min_tls_version)) {
228*de0e0e4dSAntonio Huete Jimenez SSLerror(s, SSL_R_VERSION_TOO_LOW);
229*de0e0e4dSAntonio Huete Jimenez ret = -1;
230*de0e0e4dSAntonio Huete Jimenez goto end;
23172c33676SMaxim Ag }
23272c33676SMaxim Ag
23372c33676SMaxim Ag if (!ssl3_setup_init_buffer(s)) {
23472c33676SMaxim Ag ret = -1;
23572c33676SMaxim Ag goto end;
23672c33676SMaxim Ag }
23772c33676SMaxim Ag if (!ssl3_setup_buffers(s)) {
23872c33676SMaxim Ag ret = -1;
23972c33676SMaxim Ag goto end;
24072c33676SMaxim Ag }
24172c33676SMaxim Ag
24272c33676SMaxim Ag s->internal->init_num = 0;
24372c33676SMaxim Ag
244*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {
24572c33676SMaxim Ag /*
24672c33676SMaxim Ag * Ok, we now need to push on a buffering BIO
24772c33676SMaxim Ag * so that the output is sent in a way that
24872c33676SMaxim Ag * TCP likes :-)
24972c33676SMaxim Ag */
25072c33676SMaxim Ag if (!ssl_init_wbio_buffer(s, 1)) {
25172c33676SMaxim Ag ret = -1;
25272c33676SMaxim Ag goto end;
25372c33676SMaxim Ag }
25472c33676SMaxim Ag
25572c33676SMaxim Ag if (!tls1_transcript_init(s)) {
25672c33676SMaxim Ag ret = -1;
25772c33676SMaxim Ag goto end;
25872c33676SMaxim Ag }
25972c33676SMaxim Ag
260*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
26172c33676SMaxim Ag s->ctx->internal->stats.sess_accept++;
262*de0e0e4dSAntonio Huete Jimenez } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {
26372c33676SMaxim Ag /*
26472c33676SMaxim Ag * Server attempting to renegotiate with
26572c33676SMaxim Ag * client that doesn't support secure
26672c33676SMaxim Ag * renegotiation.
26772c33676SMaxim Ag */
26872c33676SMaxim Ag SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
26972c33676SMaxim Ag ssl3_send_alert(s, SSL3_AL_FATAL,
27072c33676SMaxim Ag SSL_AD_HANDSHAKE_FAILURE);
27172c33676SMaxim Ag ret = -1;
27272c33676SMaxim Ag goto end;
27372c33676SMaxim Ag } else {
27472c33676SMaxim Ag /*
275*de0e0e4dSAntonio Huete Jimenez * s->s3->hs.state == SSL_ST_RENEGOTIATE,
27672c33676SMaxim Ag * we will just send a HelloRequest.
27772c33676SMaxim Ag */
27872c33676SMaxim Ag s->ctx->internal->stats.sess_accept_renegotiate++;
279*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;
28072c33676SMaxim Ag }
28172c33676SMaxim Ag break;
28272c33676SMaxim Ag
28372c33676SMaxim Ag case SSL3_ST_SW_HELLO_REQ_A:
28472c33676SMaxim Ag case SSL3_ST_SW_HELLO_REQ_B:
28572c33676SMaxim Ag s->internal->shutdown = 0;
286*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
28772c33676SMaxim Ag dtls1_clear_record_buffer(s);
28872c33676SMaxim Ag dtls1_start_timer(s);
28972c33676SMaxim Ag }
29072c33676SMaxim Ag ret = ssl3_send_hello_request(s);
29172c33676SMaxim Ag if (ret <= 0)
29272c33676SMaxim Ag goto end;
293*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
294*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
29572c33676SMaxim Ag else
296*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
297*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_FLUSH;
29872c33676SMaxim Ag s->internal->init_num = 0;
29972c33676SMaxim Ag
300*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
30172c33676SMaxim Ag if (!tls1_transcript_init(s)) {
30272c33676SMaxim Ag ret = -1;
30372c33676SMaxim Ag goto end;
30472c33676SMaxim Ag }
305*de0e0e4dSAntonio Huete Jimenez }
30672c33676SMaxim Ag break;
30772c33676SMaxim Ag
30872c33676SMaxim Ag case SSL3_ST_SW_HELLO_REQ_C:
309*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL_ST_OK;
31072c33676SMaxim Ag break;
31172c33676SMaxim Ag
31272c33676SMaxim Ag case SSL3_ST_SR_CLNT_HELLO_A:
31372c33676SMaxim Ag case SSL3_ST_SR_CLNT_HELLO_B:
31472c33676SMaxim Ag case SSL3_ST_SR_CLNT_HELLO_C:
31572c33676SMaxim Ag s->internal->shutdown = 0;
316*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
31772c33676SMaxim Ag ret = ssl3_get_client_hello(s);
31872c33676SMaxim Ag if (ret <= 0)
31972c33676SMaxim Ag goto end;
32072c33676SMaxim Ag dtls1_stop_timer(s);
32172c33676SMaxim Ag
32272c33676SMaxim Ag if (ret == 1 &&
32372c33676SMaxim Ag (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
324*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
32572c33676SMaxim Ag else
326*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
32772c33676SMaxim Ag
32872c33676SMaxim Ag s->internal->init_num = 0;
32972c33676SMaxim Ag
33072c33676SMaxim Ag /*
33172c33676SMaxim Ag * Reflect ClientHello sequence to remain
33272c33676SMaxim Ag * stateless while listening.
33372c33676SMaxim Ag */
33472c33676SMaxim Ag if (listen) {
335*de0e0e4dSAntonio Huete Jimenez tls12_record_layer_reflect_seq_num(
336*de0e0e4dSAntonio Huete Jimenez s->internal->rl);
33772c33676SMaxim Ag }
33872c33676SMaxim Ag
33972c33676SMaxim Ag /* If we're just listening, stop here */
340*de0e0e4dSAntonio Huete Jimenez if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
34172c33676SMaxim Ag ret = 2;
342*de0e0e4dSAntonio Huete Jimenez s->d1->listen = 0;
34372c33676SMaxim Ag /*
34472c33676SMaxim Ag * Set expected sequence numbers to
34572c33676SMaxim Ag * continue the handshake.
34672c33676SMaxim Ag */
347*de0e0e4dSAntonio Huete Jimenez s->d1->handshake_read_seq = 2;
348*de0e0e4dSAntonio Huete Jimenez s->d1->handshake_write_seq = 1;
349*de0e0e4dSAntonio Huete Jimenez s->d1->next_handshake_write_seq = 1;
35072c33676SMaxim Ag goto end;
35172c33676SMaxim Ag }
35272c33676SMaxim Ag } else {
35372c33676SMaxim Ag if (s->internal->rwstate != SSL_X509_LOOKUP) {
35472c33676SMaxim Ag ret = ssl3_get_client_hello(s);
35572c33676SMaxim Ag if (ret <= 0)
35672c33676SMaxim Ag goto end;
35772c33676SMaxim Ag }
35872c33676SMaxim Ag
35972c33676SMaxim Ag s->internal->renegotiate = 2;
360*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
36172c33676SMaxim Ag s->internal->init_num = 0;
36272c33676SMaxim Ag }
36372c33676SMaxim Ag break;
36472c33676SMaxim Ag
36572c33676SMaxim Ag case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
36672c33676SMaxim Ag case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
367*de0e0e4dSAntonio Huete Jimenez ret = ssl3_send_dtls_hello_verify_request(s);
36872c33676SMaxim Ag if (ret <= 0)
36972c33676SMaxim Ag goto end;
370*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_FLUSH;
371*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
37272c33676SMaxim Ag
37372c33676SMaxim Ag /* HelloVerifyRequest resets Finished MAC. */
37472c33676SMaxim Ag tls1_transcript_reset(s);
37572c33676SMaxim Ag break;
37672c33676SMaxim Ag
37772c33676SMaxim Ag case SSL3_ST_SW_SRVR_HELLO_A:
37872c33676SMaxim Ag case SSL3_ST_SW_SRVR_HELLO_B:
379*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
38072c33676SMaxim Ag s->internal->renegotiate = 2;
38172c33676SMaxim Ag dtls1_start_timer(s);
38272c33676SMaxim Ag }
38372c33676SMaxim Ag ret = ssl3_send_server_hello(s);
38472c33676SMaxim Ag if (ret <= 0)
38572c33676SMaxim Ag goto end;
38672c33676SMaxim Ag if (s->internal->hit) {
38772c33676SMaxim Ag if (s->internal->tlsext_ticket_expected)
388*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
38972c33676SMaxim Ag else
390*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
39172c33676SMaxim Ag } else {
392*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CERT_A;
39372c33676SMaxim Ag }
39472c33676SMaxim Ag s->internal->init_num = 0;
39572c33676SMaxim Ag break;
39672c33676SMaxim Ag
39772c33676SMaxim Ag case SSL3_ST_SW_CERT_A:
39872c33676SMaxim Ag case SSL3_ST_SW_CERT_B:
39972c33676SMaxim Ag /* Check if it is anon DH or anon ECDH. */
400*de0e0e4dSAntonio Huete Jimenez if (!(s->s3->hs.cipher->algorithm_auth &
40172c33676SMaxim Ag SSL_aNULL)) {
402*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
40372c33676SMaxim Ag dtls1_start_timer(s);
40472c33676SMaxim Ag ret = ssl3_send_server_certificate(s);
40572c33676SMaxim Ag if (ret <= 0)
40672c33676SMaxim Ag goto end;
40772c33676SMaxim Ag if (s->internal->tlsext_status_expected)
408*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;
40972c33676SMaxim Ag else
410*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
41172c33676SMaxim Ag } else {
41272c33676SMaxim Ag skip = 1;
413*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
41472c33676SMaxim Ag }
41572c33676SMaxim Ag s->internal->init_num = 0;
41672c33676SMaxim Ag break;
41772c33676SMaxim Ag
41872c33676SMaxim Ag case SSL3_ST_SW_KEY_EXCH_A:
41972c33676SMaxim Ag case SSL3_ST_SW_KEY_EXCH_B:
420*de0e0e4dSAntonio Huete Jimenez alg_k = s->s3->hs.cipher->algorithm_mkey;
42172c33676SMaxim Ag
42272c33676SMaxim Ag /*
42372c33676SMaxim Ag * Only send if using a DH key exchange.
42472c33676SMaxim Ag *
42572c33676SMaxim Ag * For ECC ciphersuites, we send a ServerKeyExchange
42672c33676SMaxim Ag * message only if the cipher suite is ECDHE. In other
42772c33676SMaxim Ag * cases, the server certificate contains the server's
42872c33676SMaxim Ag * public key for key exchange.
42972c33676SMaxim Ag */
43072c33676SMaxim Ag if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
431*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
43272c33676SMaxim Ag dtls1_start_timer(s);
43372c33676SMaxim Ag ret = ssl3_send_server_key_exchange(s);
43472c33676SMaxim Ag if (ret <= 0)
43572c33676SMaxim Ag goto end;
43672c33676SMaxim Ag } else
43772c33676SMaxim Ag skip = 1;
43872c33676SMaxim Ag
439*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;
44072c33676SMaxim Ag s->internal->init_num = 0;
44172c33676SMaxim Ag break;
44272c33676SMaxim Ag
44372c33676SMaxim Ag case SSL3_ST_SW_CERT_REQ_A:
44472c33676SMaxim Ag case SSL3_ST_SW_CERT_REQ_B:
44572c33676SMaxim Ag /*
44672c33676SMaxim Ag * Determine whether or not we need to request a
44772c33676SMaxim Ag * certificate.
44872c33676SMaxim Ag *
44972c33676SMaxim Ag * Do not request a certificate if:
45072c33676SMaxim Ag *
45172c33676SMaxim Ag * - We did not ask for it (SSL_VERIFY_PEER is unset).
45272c33676SMaxim Ag *
45372c33676SMaxim Ag * - SSL_VERIFY_CLIENT_ONCE is set and we are
45472c33676SMaxim Ag * renegotiating.
45572c33676SMaxim Ag *
45672c33676SMaxim Ag * - We are using an anonymous ciphersuites
45772c33676SMaxim Ag * (see section "Certificate request" in SSL 3 drafts
45872c33676SMaxim Ag * and in RFC 2246) ... except when the application
45972c33676SMaxim Ag * insists on verification (against the specs, but
46072c33676SMaxim Ag * s3_clnt.c accepts this for SSL 3).
46172c33676SMaxim Ag */
46272c33676SMaxim Ag if (!(s->verify_mode & SSL_VERIFY_PEER) ||
463*de0e0e4dSAntonio Huete Jimenez ((s->session->peer_cert != NULL) &&
46472c33676SMaxim Ag (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
465*de0e0e4dSAntonio Huete Jimenez ((s->s3->hs.cipher->algorithm_auth &
46672c33676SMaxim Ag SSL_aNULL) && !(s->verify_mode &
46772c33676SMaxim Ag SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
46872c33676SMaxim Ag /* No cert request. */
46972c33676SMaxim Ag skip = 1;
470*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.cert_request = 0;
471*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
47272c33676SMaxim Ag
473*de0e0e4dSAntonio Huete Jimenez if (!SSL_is_dtls(s))
47472c33676SMaxim Ag tls1_transcript_free(s);
47572c33676SMaxim Ag } else {
476*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.cert_request = 1;
477*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
47872c33676SMaxim Ag dtls1_start_timer(s);
47972c33676SMaxim Ag ret = ssl3_send_certificate_request(s);
48072c33676SMaxim Ag if (ret <= 0)
48172c33676SMaxim Ag goto end;
482*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
48372c33676SMaxim Ag s->internal->init_num = 0;
48472c33676SMaxim Ag }
48572c33676SMaxim Ag break;
48672c33676SMaxim Ag
48772c33676SMaxim Ag case SSL3_ST_SW_SRVR_DONE_A:
48872c33676SMaxim Ag case SSL3_ST_SW_SRVR_DONE_B:
489*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
49072c33676SMaxim Ag dtls1_start_timer(s);
49172c33676SMaxim Ag ret = ssl3_send_server_done(s);
49272c33676SMaxim Ag if (ret <= 0)
49372c33676SMaxim Ag goto end;
494*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
495*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_FLUSH;
49672c33676SMaxim Ag s->internal->init_num = 0;
49772c33676SMaxim Ag break;
49872c33676SMaxim Ag
49972c33676SMaxim Ag case SSL3_ST_SW_FLUSH:
50072c33676SMaxim Ag /*
50172c33676SMaxim Ag * This code originally checked to see if
50272c33676SMaxim Ag * any data was pending using BIO_CTRL_INFO
50372c33676SMaxim Ag * and then flushed. This caused problems
50472c33676SMaxim Ag * as documented in PR#1939. The proposed
50572c33676SMaxim Ag * fix doesn't completely resolve this issue
50672c33676SMaxim Ag * as buggy implementations of BIO_CTRL_PENDING
50772c33676SMaxim Ag * still exist. So instead we just flush
50872c33676SMaxim Ag * unconditionally.
50972c33676SMaxim Ag */
51072c33676SMaxim Ag s->internal->rwstate = SSL_WRITING;
51172c33676SMaxim Ag if (BIO_flush(s->wbio) <= 0) {
512*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
51372c33676SMaxim Ag /* If the write error was fatal, stop trying. */
51472c33676SMaxim Ag if (!BIO_should_retry(s->wbio)) {
51572c33676SMaxim Ag s->internal->rwstate = SSL_NOTHING;
516*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = s->s3->hs.tls12.next_state;
51772c33676SMaxim Ag }
51872c33676SMaxim Ag }
51972c33676SMaxim Ag ret = -1;
52072c33676SMaxim Ag goto end;
52172c33676SMaxim Ag }
52272c33676SMaxim Ag s->internal->rwstate = SSL_NOTHING;
523*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = s->s3->hs.tls12.next_state;
52472c33676SMaxim Ag break;
52572c33676SMaxim Ag
52672c33676SMaxim Ag case SSL3_ST_SR_CERT_A:
52772c33676SMaxim Ag case SSL3_ST_SR_CERT_B:
528*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.tls12.cert_request != 0) {
52972c33676SMaxim Ag ret = ssl3_get_client_certificate(s);
53072c33676SMaxim Ag if (ret <= 0)
53172c33676SMaxim Ag goto end;
53272c33676SMaxim Ag }
53372c33676SMaxim Ag s->internal->init_num = 0;
534*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;
53572c33676SMaxim Ag break;
53672c33676SMaxim Ag
53772c33676SMaxim Ag case SSL3_ST_SR_KEY_EXCH_A:
53872c33676SMaxim Ag case SSL3_ST_SR_KEY_EXCH_B:
53972c33676SMaxim Ag ret = ssl3_get_client_key_exchange(s);
54072c33676SMaxim Ag if (ret <= 0)
54172c33676SMaxim Ag goto end;
54272c33676SMaxim Ag
543*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
544*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
54572c33676SMaxim Ag s->internal->init_num = 0;
54672c33676SMaxim Ag }
54772c33676SMaxim Ag
548*de0e0e4dSAntonio Huete Jimenez alg_k = s->s3->hs.cipher->algorithm_mkey;
549*de0e0e4dSAntonio Huete Jimenez if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
55072c33676SMaxim Ag /*
551*de0e0e4dSAntonio Huete Jimenez * A GOST client may use the key from its
552*de0e0e4dSAntonio Huete Jimenez * certificate for key exchange, in which case
553*de0e0e4dSAntonio Huete Jimenez * the CertificateVerify message is not sent.
55472c33676SMaxim Ag */
555*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
55672c33676SMaxim Ag s->internal->init_num = 0;
55772c33676SMaxim Ag } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
558*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
55972c33676SMaxim Ag s->internal->init_num = 0;
560*de0e0e4dSAntonio Huete Jimenez if (!s->session->peer_cert)
56172c33676SMaxim Ag break;
56272c33676SMaxim Ag /*
56372c33676SMaxim Ag * Freeze the transcript for use during client
56472c33676SMaxim Ag * certificate verification.
56572c33676SMaxim Ag */
56672c33676SMaxim Ag tls1_transcript_freeze(s);
56772c33676SMaxim Ag } else {
568*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
56972c33676SMaxim Ag s->internal->init_num = 0;
57072c33676SMaxim Ag
57172c33676SMaxim Ag tls1_transcript_free(s);
57272c33676SMaxim Ag
57372c33676SMaxim Ag /*
57472c33676SMaxim Ag * We need to get hashes here so if there is
57572c33676SMaxim Ag * a client cert, it can be verified.
57672c33676SMaxim Ag */
57772c33676SMaxim Ag if (!tls1_transcript_hash_value(s,
578*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.cert_verify,
579*de0e0e4dSAntonio Huete Jimenez sizeof(s->s3->hs.tls12.cert_verify),
58072c33676SMaxim Ag NULL)) {
58172c33676SMaxim Ag ret = -1;
58272c33676SMaxim Ag goto end;
58372c33676SMaxim Ag }
58472c33676SMaxim Ag }
58572c33676SMaxim Ag break;
58672c33676SMaxim Ag
58772c33676SMaxim Ag case SSL3_ST_SR_CERT_VRFY_A:
58872c33676SMaxim Ag case SSL3_ST_SR_CERT_VRFY_B:
589*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
590*de0e0e4dSAntonio Huete Jimenez s->d1->change_cipher_spec_ok = 1;
59172c33676SMaxim Ag else
59272c33676SMaxim Ag s->s3->flags |= SSL3_FLAGS_CCS_OK;
59372c33676SMaxim Ag
59472c33676SMaxim Ag /* we should decide if we expected this one */
59572c33676SMaxim Ag ret = ssl3_get_cert_verify(s);
59672c33676SMaxim Ag if (ret <= 0)
59772c33676SMaxim Ag goto end;
598*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
59972c33676SMaxim Ag s->internal->init_num = 0;
60072c33676SMaxim Ag break;
60172c33676SMaxim Ag
60272c33676SMaxim Ag case SSL3_ST_SR_FINISHED_A:
60372c33676SMaxim Ag case SSL3_ST_SR_FINISHED_B:
604*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
605*de0e0e4dSAntonio Huete Jimenez s->d1->change_cipher_spec_ok = 1;
60672c33676SMaxim Ag else
60772c33676SMaxim Ag s->s3->flags |= SSL3_FLAGS_CCS_OK;
60872c33676SMaxim Ag ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
60972c33676SMaxim Ag SSL3_ST_SR_FINISHED_B);
61072c33676SMaxim Ag if (ret <= 0)
61172c33676SMaxim Ag goto end;
612*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s))
61372c33676SMaxim Ag dtls1_stop_timer(s);
61472c33676SMaxim Ag if (s->internal->hit)
615*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL_ST_OK;
61672c33676SMaxim Ag else if (s->internal->tlsext_ticket_expected)
617*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
61872c33676SMaxim Ag else
619*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
62072c33676SMaxim Ag s->internal->init_num = 0;
62172c33676SMaxim Ag break;
62272c33676SMaxim Ag
62372c33676SMaxim Ag case SSL3_ST_SW_SESSION_TICKET_A:
62472c33676SMaxim Ag case SSL3_ST_SW_SESSION_TICKET_B:
62572c33676SMaxim Ag ret = ssl3_send_newsession_ticket(s);
62672c33676SMaxim Ag if (ret <= 0)
62772c33676SMaxim Ag goto end;
628*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
62972c33676SMaxim Ag s->internal->init_num = 0;
63072c33676SMaxim Ag break;
63172c33676SMaxim Ag
63272c33676SMaxim Ag case SSL3_ST_SW_CERT_STATUS_A:
63372c33676SMaxim Ag case SSL3_ST_SW_CERT_STATUS_B:
63472c33676SMaxim Ag ret = ssl3_send_cert_status(s);
63572c33676SMaxim Ag if (ret <= 0)
63672c33676SMaxim Ag goto end;
637*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
63872c33676SMaxim Ag s->internal->init_num = 0;
63972c33676SMaxim Ag break;
64072c33676SMaxim Ag
64172c33676SMaxim Ag case SSL3_ST_SW_CHANGE_A:
64272c33676SMaxim Ag case SSL3_ST_SW_CHANGE_B:
64372c33676SMaxim Ag ret = ssl3_send_change_cipher_spec(s,
64472c33676SMaxim Ag SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
64572c33676SMaxim Ag if (ret <= 0)
64672c33676SMaxim Ag goto end;
647*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
64872c33676SMaxim Ag s->internal->init_num = 0;
649*de0e0e4dSAntonio Huete Jimenez s->session->cipher = s->s3->hs.cipher;
65072c33676SMaxim Ag
651*de0e0e4dSAntonio Huete Jimenez if (!tls1_setup_key_block(s)) {
65272c33676SMaxim Ag ret = -1;
65372c33676SMaxim Ag goto end;
65472c33676SMaxim Ag }
655*de0e0e4dSAntonio Huete Jimenez if (!tls1_change_write_cipher_state(s)) {
656*de0e0e4dSAntonio Huete Jimenez ret = -1;
657*de0e0e4dSAntonio Huete Jimenez goto end;
658*de0e0e4dSAntonio Huete Jimenez }
65972c33676SMaxim Ag break;
66072c33676SMaxim Ag
66172c33676SMaxim Ag case SSL3_ST_SW_FINISHED_A:
66272c33676SMaxim Ag case SSL3_ST_SW_FINISHED_B:
663*de0e0e4dSAntonio Huete Jimenez ret = ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A,
664*de0e0e4dSAntonio Huete Jimenez SSL3_ST_SW_FINISHED_B);
66572c33676SMaxim Ag if (ret <= 0)
66672c33676SMaxim Ag goto end;
667*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = SSL3_ST_SW_FLUSH;
66872c33676SMaxim Ag if (s->internal->hit) {
669*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
67072c33676SMaxim Ag tls1_transcript_free(s);
67172c33676SMaxim Ag } else
672*de0e0e4dSAntonio Huete Jimenez s->s3->hs.tls12.next_state = SSL_ST_OK;
67372c33676SMaxim Ag s->internal->init_num = 0;
67472c33676SMaxim Ag break;
67572c33676SMaxim Ag
67672c33676SMaxim Ag case SSL_ST_OK:
67772c33676SMaxim Ag /* clean a few things up */
67872c33676SMaxim Ag tls1_cleanup_key_block(s);
67972c33676SMaxim Ag
680*de0e0e4dSAntonio Huete Jimenez if (s->s3->handshake_transcript != NULL) {
68172c33676SMaxim Ag SSLerror(s, ERR_R_INTERNAL_ERROR);
68272c33676SMaxim Ag ret = -1;
68372c33676SMaxim Ag goto end;
68472c33676SMaxim Ag }
68572c33676SMaxim Ag
686*de0e0e4dSAntonio Huete Jimenez if (!SSL_is_dtls(s))
6878edacedfSDaniel Fojt ssl3_release_init_buffer(s);
68872c33676SMaxim Ag
68972c33676SMaxim Ag /* remove buffering on output */
69072c33676SMaxim Ag ssl_free_wbio_buffer(s);
69172c33676SMaxim Ag
69272c33676SMaxim Ag s->internal->init_num = 0;
69372c33676SMaxim Ag
69472c33676SMaxim Ag /* Skipped if we just sent a HelloRequest. */
69572c33676SMaxim Ag if (s->internal->renegotiate == 2) {
69672c33676SMaxim Ag s->internal->renegotiate = 0;
69772c33676SMaxim Ag s->internal->new_session = 0;
69872c33676SMaxim Ag
69972c33676SMaxim Ag ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
70072c33676SMaxim Ag
70172c33676SMaxim Ag s->ctx->internal->stats.sess_accept_good++;
70272c33676SMaxim Ag /* s->server=1; */
70372c33676SMaxim Ag s->internal->handshake_func = ssl3_accept;
70472c33676SMaxim Ag
705*de0e0e4dSAntonio Huete Jimenez ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
70672c33676SMaxim Ag }
70772c33676SMaxim Ag
70872c33676SMaxim Ag ret = 1;
70972c33676SMaxim Ag
710*de0e0e4dSAntonio Huete Jimenez if (SSL_is_dtls(s)) {
71172c33676SMaxim Ag /* Done handshaking, next message is client hello. */
712*de0e0e4dSAntonio Huete Jimenez s->d1->handshake_read_seq = 0;
71372c33676SMaxim Ag /* Next message is server hello. */
714*de0e0e4dSAntonio Huete Jimenez s->d1->handshake_write_seq = 0;
715*de0e0e4dSAntonio Huete Jimenez s->d1->next_handshake_write_seq = 0;
71672c33676SMaxim Ag }
71772c33676SMaxim Ag goto end;
71872c33676SMaxim Ag /* break; */
71972c33676SMaxim Ag
72072c33676SMaxim Ag default:
72172c33676SMaxim Ag SSLerror(s, SSL_R_UNKNOWN_STATE);
72272c33676SMaxim Ag ret = -1;
72372c33676SMaxim Ag goto end;
72472c33676SMaxim Ag /* break; */
72572c33676SMaxim Ag }
72672c33676SMaxim Ag
727*de0e0e4dSAntonio Huete Jimenez if (!s->s3->hs.tls12.reuse_message && !skip) {
72872c33676SMaxim Ag if (s->internal->debug) {
72972c33676SMaxim Ag if ((ret = BIO_flush(s->wbio)) <= 0)
73072c33676SMaxim Ag goto end;
73172c33676SMaxim Ag }
73272c33676SMaxim Ag
73372c33676SMaxim Ag
734*de0e0e4dSAntonio Huete Jimenez if (s->s3->hs.state != state) {
735*de0e0e4dSAntonio Huete Jimenez new_state = s->s3->hs.state;
736*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = state;
737*de0e0e4dSAntonio Huete Jimenez ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1);
738*de0e0e4dSAntonio Huete Jimenez s->s3->hs.state = new_state;
73972c33676SMaxim Ag }
74072c33676SMaxim Ag }
74172c33676SMaxim Ag skip = 0;
74272c33676SMaxim Ag }
74372c33676SMaxim Ag end:
74472c33676SMaxim Ag /* BIO_flush(s->wbio); */
74572c33676SMaxim Ag s->internal->in_handshake--;
746*de0e0e4dSAntonio Huete Jimenez ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret);
74772c33676SMaxim Ag
74872c33676SMaxim Ag return (ret);
74972c33676SMaxim Ag }
75072c33676SMaxim Ag
/*
 * Send a HelloRequest message.
 *
 * In state SSL3_ST_SW_HELLO_REQ_A the (empty) handshake message is built
 * and the state advances to SSL3_ST_SW_HELLO_REQ_B; in either state the
 * result of ssl3_handshake_write() is returned.  Returns -1 if building
 * the message fails.
 */
int
ssl3_send_hello_request(SSL *s)
{
	CBB cbb, hello;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_HELLO_REQ_B: message already built, only write it. */
	if (s->s3->hs.state != SSL3_ST_SW_HELLO_REQ_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &hello,
	    SSL3_MT_HELLO_REQUEST) ||
	    !ssl3_handshake_msg_finish(s, &cbb)) {
		CBB_cleanup(&cbb);
		return (-1);
	}

	s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;

	return (ssl3_handshake_write(s));
}
77672c33676SMaxim Ag
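/*
 * Read and process a ClientHello.
 *
 * Parses the legacy version, client random, session id, (DTLS) cookie,
 * cipher suites, compression methods and extensions; negotiates the
 * protocol version and cipher, resumes or creates the session, generates
 * the server random (with the RFC 8446 downgrade sentinel when applicable)
 * and initialises the handshake transcript.
 *
 * Returns 2 when a DTLS cookie was present and verified, 1 on success
 * otherwise, the (<= 0) result of ssl3_get_message() while the message is
 * not yet available, and -1 on error.  When DTLS cookie exchange is enabled
 * and the ClientHello carries no cookie, 1 is returned before any session
 * or cipher state is allocated.  Protocol errors send a fatal alert before
 * returning -1.
 */
int
ssl3_get_client_hello(SSL *s)
{
	CBS cbs, client_random, session_id, cookie, cipher_suites;
	CBS compression_methods;
	uint16_t client_version;
	uint8_t comp_method;
	int comp_null;
	int i, j, al, ret, cookie_valid = 0;
	unsigned long id;
	SSL_CIPHER *c;
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	unsigned long alg_k;
	const SSL_METHOD *method;
	uint16_t shared_version;

	/*
	 * We do this so that we will respond with our native type.
	 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
	 * This down switching should be handled by a different method.
	 * If we are SSLv3, we will respond with SSLv3, even if prompted with
	 * TLSv1.
	 */
	if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)
		s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;

	s->internal->first_packet = 1;
	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
	    SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
	    SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
		return ret;
	s->internal->first_packet = 0;

	/* Every failure path from here on reports -1. */
	ret = -1;

	if (s->internal->init_num < 0)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/* Parse client hello up until the extensions (if any). */
	if (!CBS_get_u16(&cbs, &client_version))
		goto decode_err;
	if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE))
		goto decode_err;
	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
		goto decode_err;
	if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
		goto fatal_err;
	}
	if (SSL_is_dtls(s)) {
		if (!CBS_get_u8_length_prefixed(&cbs, &cookie))
			goto decode_err;
	}
	if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites))
		goto decode_err;
	if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods))
		goto decode_err;

	/*
	 * Use version from inside client hello, not from record header.
	 * (may differ: see RFC 2246, Appendix E, second paragraph)
	 */
	if (!ssl_max_shared_version(s, client_version, &shared_version)) {
		if ((client_version >> 8) == SSL3_VERSION_MAJOR &&
		    !tls12_record_layer_write_protected(s->internal->rl)) {
			/*
			 * Similar to ssl3_get_record, send alert using remote
			 * version number.
			 */
			s->version = client_version;
		}
		SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
		al = SSL_AD_PROTOCOL_VERSION;
		goto fatal_err;
	}
	s->s3->hs.peer_legacy_version = client_version;
	s->version = shared_version;

	s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);
	if (s->s3->hs.negotiated_tls_version == 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if ((method = ssl_get_method(shared_version)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	s->method = method;

	/*
	 * If we require cookies (DTLS) and this ClientHello does not contain
	 * one, just return since we do not want to allocate any memory yet.
	 * So check cookie length...
	 */
	if (SSL_is_dtls(s)) {
		if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
			if (CBS_len(&cookie) == 0)
				return (1);
		}
	}

	if (!CBS_write_bytes(&client_random, s->s3->client_random,
	    sizeof(s->s3->client_random), NULL))
		goto err;

	s->internal->hit = 0;

	/*
	 * Versions before 0.9.7 always allow clients to resume sessions in
	 * renegotiation. 0.9.7 and later allow this by default, but optionally
	 * ignore resumption requests with flag
	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
	 * rather than a change to default behavior so that applications
	 * relying on this for security won't even compile against older
	 * library versions).
	 *
	 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
	 * to request renegotiation but not a new session (s->internal->new_session
	 * remains unset): for servers, this essentially just means that the
	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
	 * ignored.
	 */
	if ((s->internal->new_session && (s->internal->options &
	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
		if (!ssl_get_new_session(s, 1))
			goto err;
	} else {
		CBS ext_block;

		/*
		 * Session lookup may need the extensions (e.g. a ticket);
		 * hand it a copy so the main cursor still points at them
		 * for tlsext_server_parse() below.
		 */
		CBS_dup(&cbs, &ext_block);

		i = ssl_get_prev_session(s, &session_id, &ext_block, &al);
		if (i == 1) { /* previous session */
			s->internal->hit = 1;
		} else if (i == -1)
			goto fatal_err;
		else {
			/* i == 0 */
			if (!ssl_get_new_session(s, 1))
				goto err;
		}
	}

	if (SSL_is_dtls(s)) {
		/*
		 * The ClientHello may contain a cookie even if the HelloVerify
		 * message has not been sent - make sure that it does not cause
		 * an overflow.
		 */
		if (CBS_len(&cookie) > sizeof(s->d1->rcvd_cookie)) {
			al = SSL_AD_DECODE_ERROR;
			SSLerror(s, SSL_R_COOKIE_MISMATCH);
			goto fatal_err;
		}

		/* Verify the cookie if appropriate option is set. */
		if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
		    CBS_len(&cookie) > 0) {
			size_t cookie_len;

			/* XXX - rcvd_cookie seems to only be used here... */
			if (!CBS_write_bytes(&cookie, s->d1->rcvd_cookie,
			    sizeof(s->d1->rcvd_cookie), &cookie_len))
				goto err;

			if (s->ctx->internal->app_verify_cookie_cb != NULL) {
				if (s->ctx->internal->app_verify_cookie_cb(s,
				    s->d1->rcvd_cookie, cookie_len) == 0) {
					al = SSL_AD_HANDSHAKE_FAILURE;
					SSLerror(s, SSL_R_COOKIE_MISMATCH);
					goto fatal_err;
				}
				/* else cookie verification succeeded */
			/* XXX - can d1->cookie_len > sizeof(rcvd_cookie) ? */
			} else if (cookie_len != s->d1->cookie_len ||
			    timingsafe_memcmp(s->d1->rcvd_cookie,
			    s->d1->cookie, s->d1->cookie_len) != 0) {
				/*
				 * Default verification: the echoed cookie
				 * must match ours in length as well as
				 * content.  Without the length check a
				 * shorter cookie would be compared against
				 * stale bytes left in rcvd_cookie, and a
				 * longer one accepted on a matching prefix.
				 */
				al = SSL_AD_HANDSHAKE_FAILURE;
				SSLerror(s, SSL_R_COOKIE_MISMATCH);
				goto fatal_err;
			}
			cookie_valid = 1;
		}
	}

	/* XXX - This logic seems wrong... */
	if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) {
		/* we need a cipher if we are not resuming a session */
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerror(s, SSL_R_NO_CIPHERS_SPECIFIED);
		goto fatal_err;
	}

	if (CBS_len(&cipher_suites) > 0) {
		if ((ciphers = ssl_bytes_to_cipher_list(s,
		    &cipher_suites)) == NULL)
			goto err;
	}

	/* If it is a hit, check that the cipher is in the list */
	/* XXX - CBS_len(&cipher_suites) will always be zero here... */
	if (s->internal->hit && CBS_len(&cipher_suites) > 0) {
		j = 0;
		id = s->session->cipher->id;

		for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
			c = sk_SSL_CIPHER_value(ciphers, i);
			if (c->id == id) {
				j = 1;
				break;
			}
		}
		if (j == 0) {
			/*
			 * We need to have the cipher in the cipher
			 * list if we are asked to reuse it
			 */
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_REQUIRED_CIPHER_MISSING);
			goto fatal_err;
		}
	}

	/* Only null compression is supported; it must have been offered. */
	comp_null = 0;
	while (CBS_len(&compression_methods) > 0) {
		if (!CBS_get_u8(&compression_methods, &comp_method))
			goto decode_err;
		if (comp_method == 0)
			comp_null = 1;
	}
	if (comp_null == 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_NO_COMPRESSION_SPECIFIED);
		goto fatal_err;
	}

	if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) {
		SSLerror(s, SSL_R_PARSE_TLSEXT);
		goto fatal_err;
	}

	/* Trailing data after the extensions is a malformed message. */
	if (CBS_len(&cbs) != 0)
		goto decode_err;

	if (!s->s3->renegotiate_seen && s->internal->renegotiate) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		goto fatal_err;
	}

	if (ssl_check_clienthello_tlsext_early(s) <= 0) {
		SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
		goto err;
	}

	/*
	 * Check if we want to use external pre-shared secret for this
	 * handshake for not reused session only. We need to generate
	 * server_random before calling tls_session_secret_cb in order to allow
	 * SessionTicket processing to use it in key derivation.
	 */
	arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);

	if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
	    s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
		/*
		 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
		 * we must set the last 8 bytes of the server random to magical
		 * values to indicate we meant to downgrade. For TLS 1.2 it is
		 * recommended that we do the same.
		 */
		size_t offset = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
		uint8_t *magic = &s->s3->server_random[offset];
		if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {
			/* Indicate we chose to downgrade to 1.2. */
			memcpy(magic, tls13_downgrade_12,
			    sizeof(tls13_downgrade_12));
		} else {
			/* Indicate we chose to downgrade to 1.1 or lower */
			memcpy(magic, tls13_downgrade_11,
			    sizeof(tls13_downgrade_11));
		}
	}

	if (!s->internal->hit && s->internal->tls_session_secret_cb != NULL) {
		SSL_CIPHER *pref_cipher = NULL;
		int master_key_length = sizeof(s->session->master_key);

		if (!s->internal->tls_session_secret_cb(s,
		    s->session->master_key, &master_key_length, ciphers,
		    &pref_cipher, s->internal->tls_session_secret_cb_arg)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		if (master_key_length <= 0) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			goto err;
		}
		s->session->master_key_length = master_key_length;

		/* The callback supplied the secret, so treat this as a hit. */
		s->internal->hit = 1;
		s->session->verify_result = X509_V_OK;

		/* Ownership of the cipher list moves to the session. */
		sk_SSL_CIPHER_free(s->session->ciphers);
		s->session->ciphers = ciphers;
		ciphers = NULL;

		/* Check if some cipher was preferred by the callback. */
		if (pref_cipher == NULL)
			pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
			    SSL_get_ciphers(s));
		if (pref_cipher == NULL) {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
			goto fatal_err;
		}
		s->session->cipher = pref_cipher;

		sk_SSL_CIPHER_free(s->cipher_list);
		s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
	}

	/*
	 * Given s->session->ciphers and SSL_get_ciphers, we must
	 * pick a cipher
	 */

	if (!s->internal->hit) {
		if (ciphers == NULL) {
			al = SSL_AD_ILLEGAL_PARAMETER;
			SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
			goto fatal_err;
		}
		/* Ownership of the cipher list moves to the session. */
		sk_SSL_CIPHER_free(s->session->ciphers);
		s->session->ciphers = ciphers;
		ciphers = NULL;

		if ((c = ssl3_choose_cipher(s, s->session->ciphers,
		    SSL_get_ciphers(s))) == NULL) {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_NO_SHARED_CIPHER);
			goto fatal_err;
		}
		s->s3->hs.cipher = c;
	} else {
		s->s3->hs.cipher = s->session->cipher;
	}

	if (!tls1_transcript_hash_init(s))
		goto err;

	/*
	 * The transcript is only needed for client certificate verification;
	 * drop it when the cipher/verify mode cannot require one.
	 */
	alg_k = s->s3->hs.cipher->algorithm_mkey;
	if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
	    !(s->verify_mode & SSL_VERIFY_PEER))
		tls1_transcript_free(s);

	/*
	 * We now have the following setup.
	 * client_random
	 * cipher_list - our prefered list of ciphers
	 * ciphers - the clients prefered list of ciphers
	 * compression - basically ignored right now
	 * ssl version is set - sslv3
	 * s->session - The ssl session has been setup.
	 * s->internal->hit - session reuse flag
	 * s->hs.cipher - the new cipher to use.
	 */

	/* Handles TLS extensions that we couldn't check earlier */
	if (ssl_check_clienthello_tlsext_late(s) <= 0) {
		SSLerror(s, SSL_R_CLIENTHELLO_TLSEXT);
		goto err;
	}

	ret = cookie_valid ? 2 : 1;

	if (0) {
 decode_err:
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
	}
 err:
	/* Only non-NULL when ownership was not handed to the session. */
	sk_SSL_CIPHER_free(ciphers);

	return (ret);
}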
116972c33676SMaxim Ag
/*
 * Send a DTLS HelloVerifyRequest.
 *
 * In state DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A a cookie is obtained from
 * the application's app_gen_cookie_cb (stored in s->d1->cookie /
 * s->d1->cookie_len), the message is built and the state advances to
 * DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B.  In either state the result of
 * ssl3_handshake_write() is returned.  Returns 0 when no cookie callback is
 * set or it fails, and -1 when building the message fails.
 */
int
ssl3_send_dtls_hello_verify_request(SSL *s)
{
	CBB cbb, verify, cookie;

	memset(&cbb, 0, sizeof(cbb));

	/* DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: message already built. */
	if (s->s3->hs.state != DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
		return (ssl3_handshake_write(s));

	/* The cookie itself always comes from the application. */
	if (s->ctx->internal->app_gen_cookie_cb == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		return 0;
	}
	if (s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie,
	    &(s->d1->cookie_len)) == 0) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		return 0;
	}

	/*
	 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should
	 * always contain DTLSv1.0 regardless of the version that is
	 * going to be negotiated.
	 */
	if (!ssl3_handshake_msg_start(s, &cbb, &verify,
	    DTLS1_MT_HELLO_VERIFY_REQUEST) ||
	    !CBB_add_u16(&verify, DTLS1_VERSION) ||
	    !CBB_add_u8_length_prefixed(&verify, &cookie) ||
	    !CBB_add_bytes(&cookie, s->d1->cookie, s->d1->cookie_len) ||
	    !ssl3_handshake_msg_finish(s, &cbb)) {
		CBB_cleanup(&cbb);
		return (-1);
	}

	s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;

	return (ssl3_handshake_write(s));
}
1213*de0e0e4dSAntonio Huete Jimenez
/*
 * Send the ServerHello.
 *
 * In state SSL3_ST_SW_SRVR_HELLO_A the message is built from s->version,
 * the server random, the session id (possibly emptied, see below), the
 * negotiated cipher, the null compression method and the server
 * extensions.  In either state the result of ssl3_handshake_write() is
 * returned; -1 on any build failure.
 */
int
ssl3_send_server_hello(SSL *s)
{
	CBB cbb, server_hello, session_id;
	size_t sl;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_SRVR_HELLO_B: message already built, only write it. */
	if (s->s3->hs.state != SSL3_ST_SW_SRVR_HELLO_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &server_hello,
	    SSL3_MT_SERVER_HELLO))
		goto err;

	if (!CBB_add_u16(&server_hello, s->version) ||
	    !CBB_add_bytes(&server_hello, s->s3->server_random,
	    sizeof(s->s3->server_random)))
		goto err;

	/*
	 * There are several cases for the session ID to send
	 * back in the server hello:
	 *
	 * - For session reuse from the session cache,
	 *   we send back the old session ID.
	 * - If stateless session reuse (using a session ticket)
	 *   is successful, we send back the client's "session ID"
	 *   (which doesn't actually identify the session).
	 * - If it is a new session, we send back the new
	 *   session ID.
	 * - However, if we want the new session to be single-use,
	 *   we send back a 0-length session ID.
	 *
	 * s->internal->hit is non-zero in either case of session reuse,
	 * so the following won't overwrite an ID that we're supposed
	 * to send back.
	 */
	if (!s->internal->hit &&
	    !(s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER))
		s->session->session_id_length = 0;

	sl = s->session->session_id_length;
	if (sl > sizeof(s->session->session_id)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}
	if (!CBB_add_u8_length_prefixed(&server_hello, &session_id) ||
	    !CBB_add_bytes(&session_id, s->session->session_id, sl))
		goto err;

	/* Cipher suite, then the (null) compression method. */
	if (!CBB_add_u16(&server_hello,
	    ssl3_cipher_get_value(s->s3->hs.cipher)) ||
	    !CBB_add_u8(&server_hello, 0))
		goto err;

	/* TLS extensions */
	if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		goto err;
	}

	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}
129272c33676SMaxim Ag
/*
 * Send the ServerHelloDone handshake message (it has an empty body).
 *
 * The message is built only while the handshake is in
 * SSL3_ST_SW_SRVR_DONE_A; that call advances the state to
 * SSL3_ST_SW_SRVR_DONE_B. Any later call simply (re)tries to flush the
 * already-built message.
 *
 * Returns the result of ssl3_handshake_write(), or -1 if the message
 * could not be built.
 */
int
ssl3_send_server_done(SSL *s)
{
	CBB handshake, body;

	memset(&handshake, 0, sizeof(handshake));

	/* Already built on an earlier pass: only the write is left. */
	if (s->s3->hs.state != SSL3_ST_SW_SRVR_DONE_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &handshake, &body,
	    SSL3_MT_SERVER_DONE))
		goto err;
	if (!ssl3_handshake_msg_finish(s, &handshake))
		goto err;

	s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;

	/* SSL3_ST_SW_SRVR_DONE_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&handshake);

	return (-1);
}
131872c33676SMaxim Ag
/*
 * Append the DHE ServerKeyExchange parameters (ServerDHParams: dh_p, dh_g
 * and our ephemeral public value dh_Ys) to cbb. The generated key share is
 * left in s->s3->hs.key_share for ssl3_get_client_kex_dhe() to use.
 *
 * Parameter selection:
 *  - with s->cert->dhe_params_auto set, the group size is chosen by
 *    ssl_dhe_params_auto_key_bits() and handed to the key share;
 *  - otherwise s->cert->dhe_params is used, falling back to the
 *    dhe_params_cb callback when that is NULL.
 *
 * Returns 1 on success, 0 on failure. A fatal alert is sent when the auto
 * sizing fails (internal_error), when no parameters are available
 * (handshake_failure) and when the group fails the security level check
 * (handshake_failure, SSL_R_DH_KEY_TOO_SMALL); other failures return 0
 * without an alert and are left to the caller.
 */
static int
ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
{
	int nid = NID_dhKeyAgreement;

	/* Discard any key share left over from an earlier attempt. */
	tls_key_share_free(s->s3->hs.key_share);
	if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
		goto err;

	if (s->cert->dhe_params_auto != 0) {
		size_t key_bits;

		/* A result of 0 means no usable size could be determined. */
		if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_INTERNAL_ERROR);
			goto err;
		}
		tls_key_share_set_key_bits(s->s3->hs.key_share,
		    key_bits);
	} else {
		DH *dh_params = s->cert->dhe_params;

		/*
		 * Application callback (SSL_CTX_set_tmp_dh_callback() style):
		 * the 0 is the legacy is_export flag, the last argument the
		 * cipher's key length hint.
		 */
		if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
			dh_params = s->cert->dhe_params_cb(s, 0,
			    SSL_C_PKEYLENGTH(s->s3->hs.cipher));

		if (dh_params == NULL) {
			SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
			ssl3_send_alert(s, SSL3_AL_FATAL,
			    SSL_AD_HANDSHAKE_FAILURE);
			goto err;
		}

		if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))
			goto err;
	}

	/* Generate our ephemeral key pair in the selected group. */
	if (!tls_key_share_generate(s->s3->hs.key_share))
		goto err;

	/* ServerDHParams: dh_p, dh_g, then dh_Ys. */
	if (!tls_key_share_params(s->s3->hs.key_share, cbb))
		goto err;
	if (!tls_key_share_public(s->s3->hs.key_share, cbb))
		goto err;

	/*
	 * Enforce the security level on the group we are offering. This
	 * runs after the parameters were written to cbb; the caller drops
	 * cbb on failure, so a rejected group is never sent.
	 */
	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	return 1;

 err:
	return 0;
}
137672c33676SMaxim Ag
/*
 * Append the ECDHE ServerKeyExchange parameters (RFC 8422, section 5.4)
 * to cbb: the ECCurveType (named_curve), the NamedCurve identifier and
 * the length-prefixed ephemeral public point. A fresh key share is
 * generated and kept in s->s3->hs.key_share for the ClientKeyExchange.
 *
 * Returns 1 on success, 0 on failure. A fatal handshake_failure alert is
 * sent only when no mutually supported group exists; every other failure
 * returns 0 and is reported by the caller.
 */
static int
ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
{
	CBB point;
	int group_nid;

	/* Select a curve offered by the client that we also accept. */
	if (!tls1_get_supported_group(s, &group_nid)) {
		SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return 0;
	}

	/* Replace any key share left over from an earlier attempt. */
	tls_key_share_free(s->s3->hs.key_share);
	s->s3->hs.key_share = tls_key_share_new_nid(group_nid);
	if (s->s3->hs.key_share == NULL)
		return 0;

	if (!tls_key_share_generate(s->s3->hs.key_share))
		return 0;

	/* ServerECDHParams: curve_type, named_curve, point<1..2^8-1>. */
	if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
		return 0;
	if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
		return 0;
	if (!CBB_add_u8_length_prefixed(cbb, &point))
		return 0;
	if (!tls_key_share_public(s->s3->hs.key_share, &point))
		return 0;

	return CBB_flush(cbb) ? 1 : 0;
}
141572c33676SMaxim Ag
/*
 * Send the ServerKeyExchange message.
 *
 * The body is the key exchange parameters for the negotiated cipher's
 * kex method (DHE or ECDHE, produced by the helpers above) followed,
 * unless the suite is anonymous (SSL_aNULL), by a signature over
 * client_random || server_random || params made with the certificate key
 * that ssl_get_sign_pkey() selects. With SSL_USE_SIGALGS(s) the signature
 * is preceded by the sigalg's 16-bit code. The selected sigalg is stored
 * in s->s3->hs.our_sigalg for later use.
 *
 * Only state SSL3_ST_SW_KEY_EXCH_A builds the message; it then moves to
 * SSL3_ST_SW_KEY_EXCH_B and later calls only flush the pending write.
 *
 * Returns the result of ssl3_handshake_write(), or -1 on failure. The
 * fatal_err path sends the alert held in `al`; the err path sends none.
 */
int
ssl3_send_server_key_exchange(SSL *s)
{
	CBB cbb, cbb_params, cbb_signature, server_kex;
	const struct ssl_sigalg *sigalg = NULL;
	unsigned char *signature = NULL;
	size_t signature_len = 0;
	unsigned char *params = NULL;
	size_t params_len;
	const EVP_MD *md = NULL;
	unsigned long type;
	EVP_MD_CTX *md_ctx = NULL;
	EVP_PKEY_CTX *pctx;
	EVP_PKEY *pkey;
	int al;

	memset(&cbb, 0, sizeof(cbb));
	memset(&cbb_params, 0, sizeof(cbb_params));

	/* Allocated regardless of state; both exit paths free it. */
	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {

		if (!ssl3_handshake_msg_start(s, &cbb, &server_kex,
		    SSL3_MT_SERVER_KEY_EXCHANGE))
			goto err;

		/* The params get their own buffer so they can be signed. */
		if (!CBB_init(&cbb_params, 0))
			goto err;

		type = s->s3->hs.cipher->algorithm_mkey;
		if (type & SSL_kDHE) {
			if (!ssl3_send_server_kex_dhe(s, &cbb_params))
				goto err;
		} else if (type & SSL_kECDHE) {
			if (!ssl3_send_server_kex_ecdhe(s, &cbb_params))
				goto err;
		} else {
			al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerror(s, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
			goto fatal_err;
		}

		/*
		 * Detach the params buffer: exactly these bytes are both
		 * appended to the message and fed into the signature.
		 */
		if (!CBB_finish(&cbb_params, &params, &params_len))
			goto err;

		if (!CBB_add_bytes(&server_kex, params, params_len))
			goto err;

		/* Add signature unless anonymous. */
		if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {
			if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,
			    &md, &sigalg)) == NULL) {
				al = SSL_AD_DECODE_ERROR;
				goto fatal_err;
			}
			s->s3->hs.our_sigalg = sigalg;

			/* Send signature algorithm (TLS 1.2 style prefix). */
			if (SSL_USE_SIGALGS(s)) {
				if (!CBB_add_u16(&server_kex, sigalg->value)) {
					al = SSL_AD_INTERNAL_ERROR;
					SSLerror(s, ERR_R_INTERNAL_ERROR);
					goto fatal_err;
				}
			}

			if (!EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/*
			 * rsa_pss_* sigalgs: PSS padding with a salt as long
			 * as the digest (-1 = RSA_PSS_SALTLEN_DIGEST).
			 */
			if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
			    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
			    RSA_PKCS1_PSS_PADDING) ||
			    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/*
			 * Signed input (RFC 5246, section 7.4.3):
			 * client_random || server_random || ServerParams.
			 */
			if (!EVP_DigestSignUpdate(md_ctx, s->s3->client_random,
			    SSL3_RANDOM_SIZE)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if (!EVP_DigestSignUpdate(md_ctx, s->s3->server_random,
			    SSL3_RANDOM_SIZE)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if (!EVP_DigestSignUpdate(md_ctx, params, params_len)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			/* First call only reports the required buffer size. */
			if (!EVP_DigestSignFinal(md_ctx, NULL, &signature_len) ||
			    !signature_len) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}
			if ((signature = calloc(1, signature_len)) == NULL) {
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto err;
			}
			if (!EVP_DigestSignFinal(md_ctx, signature, &signature_len)) {
				SSLerror(s, ERR_R_EVP_LIB);
				goto err;
			}

			/* digitally-signed: opaque signature<0..2^16-1>. */
			if (!CBB_add_u16_length_prefixed(&server_kex,
			    &cbb_signature))
				goto err;
			if (!CBB_add_bytes(&cbb_signature, signature,
			    signature_len))
				goto err;
		}

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;
	}

	EVP_MD_CTX_free(md_ctx);
	free(params);
	free(signature);

	return (ssl3_handshake_write(s));

 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	CBB_cleanup(&cbb_params);
	CBB_cleanup(&cbb);
	EVP_MD_CTX_free(md_ctx);
	free(params);
	free(signature);

	return (-1);
}
155472c33676SMaxim Ag
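/*
 * Send a CertificateRequest (RFC 5246, section 7.4.4): the accepted
 * client certificate types, the supported signature algorithms (only
 * when SSL_USE_SIGALGS(s)) and the DER-encoded distinguished names of
 * the acceptable CAs from SSL_get_client_CA_list().
 *
 * On the first call (SSL3_ST_SW_CERT_REQ_A) the message is built and the
 * state advances to SSL3_ST_SW_CERT_REQ_B; later calls only flush it.
 *
 * Returns the result of ssl3_handshake_write(), or -1 on failure.
 */
int
ssl3_send_certificate_request(SSL *s)
{
	CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
	STACK_OF(X509_NAME) *sk = NULL;
	X509_NAME *name;
	int i;

	memset(&cbb, 0, sizeof(cbb));

	if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {
		if (!ssl3_handshake_msg_start(s, &cbb, &cert_request,
		    SSL3_MT_CERTIFICATE_REQUEST))
			goto err;

		/* certificate_types<1..2^8-1> */
		if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
			goto err;
		if (!ssl3_get_req_cert_types(s, &cert_types))
			goto err;

		/*
		 * supported_signature_algorithms<2..2^16-2>, built from the
		 * negotiated version and our security level.
		 */
		if (SSL_USE_SIGALGS(s)) {
			if (!CBB_add_u16_length_prefixed(&cert_request,
			    &sigalgs))
				goto err;
			if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version,
			    &sigalgs, SSL_get_security_level(s)))
				goto err;
		}

		/* certificate_authorities<0..2^16-1>, one DN per entry. */
		if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
			goto err;

		/*
		 * The list may be NULL; this relies on sk_X509_NAME_num()
		 * returning a value <= 0 for that so the loop is skipped.
		 */
		sk = SSL_get_client_CA_list(s);
		for (i = 0; i < sk_X509_NAME_num(sk); i++) {
			unsigned char *name_data;
			int name_len;

			name = sk_X509_NAME_value(sk, i);

			/*
			 * i2d_X509_NAME() reports an encoding failure with a
			 * negative value. Reject it explicitly instead of
			 * letting it become a huge size for CBB_add_space().
			 */
			if ((name_len = i2d_X509_NAME(name, NULL)) <= 0)
				goto err;

			if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
				goto err;
			if (!CBB_add_space(&dn, &name_data, name_len))
				goto err;
			/* The second pass must produce exactly what was sized. */
			if (i2d_X509_NAME(name, &name_data) != name_len)
				goto err;
		}

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;
	}

	/* SSL3_ST_SW_CERT_REQ_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}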
162172c33676SMaxim Ag
/*
 * Process an RSA ClientKeyExchange: decrypt the EncryptedPreMasterSecret
 * with our RSA certificate key and derive the master secret from it.
 *
 * Bleichenbacher / Klima-Pokorny-Rosa countermeasure (RFC 5246, section
 * 7.4.7.1): a padding failure, a wrong plaintext length or a wrong
 * embedded client version never produces an alert or a distinct error.
 * The random `fakekey` (carrying the client's legacy version in its first
 * two bytes, like a genuine premaster secret) is used instead and the
 * handshake continues, so every bad ciphertext fails identically later at
 * Finished. In those cases `al` is only a local "use the fake key" marker;
 * an alert is actually sent only for a missing RSA key (handshake_failure)
 * or a malformed length prefix (decode_error).
 *
 * Returns 1 on success (including the fake-key case), 0 on failure.
 */
static int
ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
{
	unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
	unsigned char *pms = NULL;
	unsigned char *p;
	size_t pms_len = 0;
	EVP_PKEY *pkey = NULL;
	RSA *rsa = NULL;
	CBS enc_pms;
	int decrypt_len;
	int al = -1;

	/* Always generate the fallback premaster secret, used or not. */
	arc4random_buf(fakekey, sizeof(fakekey));

	/* Same layout as a real PMS: client_version then random bytes. */
	fakekey[0] = s->s3->hs.peer_legacy_version >> 8;
	fakekey[1] = s->s3->hs.peer_legacy_version & 0xff;

	pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
	if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerror(s, SSL_R_MISSING_RSA_CERTIFICATE);
		goto fatal_err;
	}

	/* The output buffer is one RSA block and must fit a full PMS. */
	pms_len = RSA_size(rsa);
	if (pms_len < SSL_MAX_MASTER_KEY_LENGTH)
		goto err;
	if ((pms = malloc(pms_len)) == NULL)
		goto err;
	p = pms;

	/*
	 * The encrypted PMS must be u16 length-prefixed (the older
	 * unprefixed encoding is not accepted), exactly one RSA block long,
	 * with nothing after it. These are checks on public lengths, so
	 * failing them loudly does not act as a padding oracle.
	 */
	if (!CBS_get_u16_length_prefixed(cbs, &enc_pms))
		goto decode_err;
	if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) {
		SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
		goto err;
	}

	decrypt_len = RSA_private_decrypt(CBS_len(&enc_pms), CBS_data(&enc_pms),
	    pms, rsa, RSA_PKCS1_PADDING);

	/* Do not leave padding errors on the error queue for anyone to see. */
	ERR_clear_error();

	/* Padding failure (-1) or a plaintext that is not 48 bytes long. */
	if (decrypt_len != SSL_MAX_MASTER_KEY_LENGTH) {
		al = SSL_AD_DECODE_ERROR;
		/* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
	}

	/*
	 * NOTE(review): this is an ordinary data-dependent branch, not a
	 * constant-time comparison. Both outcomes run the same derivation
	 * below, but timing leakage is not addressed by this code alone.
	 */
	if ((al == -1) && !((pms[0] == (s->s3->hs.peer_legacy_version >> 8)) &&
	    (pms[1] == (s->s3->hs.peer_legacy_version & 0xff)))) {
		/*
		 * The premaster secret must contain the same version number
		 * as the ClientHello to detect version rollback attacks
		 * (strangely, the protocol does not offer such protection for
		 * DH ciphersuites).
		 *
		 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
		 * (http://eprint.iacr.org/2003/052/) exploits the version
		 * number check as a "bad version oracle" -- an alert would
		 * reveal that the plaintext corresponding to some ciphertext
		 * made up by the adversary is properly formatted except that
		 * the version number is wrong. To avoid such attacks, we should
		 * treat this just like any other decryption error.
		 */
		al = SSL_AD_DECODE_ERROR;
		/* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
	}

	if (al != -1) {
		/*
		 * Some decryption failure -- use random value instead
		 * as countermeasure against Bleichenbacher's attack
		 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
		 * section 7.4.7.1). No alert is sent for this case.
		 */
		p = fakekey;
	}

	/* Real or fake, the PMS is consumed the same way from here on. */
	if (!tls12_derive_master_secret(s, p, SSL_MAX_MASTER_KEY_LENGTH))
		goto err;

	freezero(pms, pms_len);

	return 1;

 decode_err:
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	freezero(pms, pms_len);

	return 0;
}
171872c33676SMaxim Ag
/*
 * Process a DHE ClientKeyExchange body: parse the client's public value
 * from cbs, derive the shared secret with the key share created by
 * ssl3_send_server_kex_dhe() and turn it into the master secret.
 *
 * Returns 1 on success, 0 on failure. Fatal alerts are sent for a missing
 * key share (handshake_failure), an unparseable public value
 * (decode_error) and a public value the group check rejects
 * (illegal_parameter); derivation failures return 0 without an alert.
 * Trailing bytes in cbs are left for the caller to reject.
 */
static int
ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
{
	uint8_t *shared = NULL;
	size_t shared_len = 0;
	int decode_error, invalid_key;
	int ok = 0;

	if (s->s3->hs.key_share == NULL) {
		SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		goto done;
	}

	if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
	    &decode_error, &invalid_key)) {
		/* Only a parse failure is the peer's fault; alert for it. */
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		goto done;
	}
	if (invalid_key) {
		SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
		goto done;
	}

	if (tls_key_share_derive(s->s3->hs.key_share, &shared, &shared_len) &&
	    tls12_derive_master_secret(s, shared, shared_len))
		ok = 1;

 done:
	/* The shared secret must not outlive this function. */
	freezero(shared, shared_len);

	return ok;
}
176072c33676SMaxim Ag
/*
 * Process an ECDHE ClientKeyExchange body: read the length-prefixed
 * client public point (ClientECDiffieHellmanPublic) from cbs, derive the
 * shared secret with the key share created by ssl3_send_server_kex_ecdhe()
 * and turn it into the master secret.
 *
 * Returns 1 on success, 0 on failure. Fatal alerts are sent for a missing
 * key share (handshake_failure) and an unparseable point (decode_error);
 * derivation failures return 0 without an alert. Trailing bytes in cbs
 * are left for the caller to reject.
 */
static int
ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
{
	CBS point;
	uint8_t *shared = NULL;
	size_t shared_len = 0;
	int decode_error;
	int ok = 0;

	if (s->s3->hs.key_share == NULL) {
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
		goto done;
	}

	/* ECPoint ecdh_Yc<1..2^8-1> */
	if (!CBS_get_u8_length_prefixed(cbs, &point)) {
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		goto done;
	}
	if (!tls_key_share_peer_public(s->s3->hs.key_share, &point,
	    &decode_error, NULL)) {
		if (decode_error) {
			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		}
		goto done;
	}

	if (tls_key_share_derive(s->s3->hs.key_share, &shared, &shared_len) &&
	    tls12_derive_master_secret(s, shared, shared_len))
		ok = 1;

 done:
	/* The shared secret must not outlive this function. */
	freezero(shared, shared_len);

	return ok;
}
180372c33676SMaxim Ag
/*
 * Process a GOST ClientKeyExchange: the body is a single ASN.1 SEQUENCE
 * holding the encrypted 32-byte premaster secret, which is decrypted with
 * our SSL_PKEY_GOST01 private key and fed into the master secret.
 *
 * If the client presented a certificate, its public key is offered to the
 * decrypt context as the peer key. Afterwards the EVP_PKEY_CTRL_PEER_KEY
 * ctrl is used to ask whether that key was actually used; if so,
 * CertificateVerify is skipped via TLS1_FLAGS_SKIP_CERT_VERIFY --
 * presumably because a successful decrypt already demonstrates possession
 * of that key (confirm against the GOST engine).
 *
 * Returns 1 on success, 0 on failure. Only a malformed body sends an
 * alert (decode_error); other failures return 0 silently after wiping
 * the premaster secret.
 */
static int
ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
{
	unsigned char premaster_secret[32];
	EVP_PKEY_CTX *pkey_ctx = NULL;
	EVP_PKEY *client_pubkey;
	EVP_PKEY *pkey = NULL;
	size_t outlen;
	CBS gostblob;

	/* Get our certificate private key*/
	if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
		pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;

	/*
	 * pkey stays NULL for a non-GOST01 suite or a missing key; creating
	 * a context from NULL is expected to fail and land in err.
	 */
	if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
		goto err;
	if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
		goto err;

	/*
	 * If client certificate is present and is of the same type,
	 * maybe use it for key exchange.
	 * Don't mind errors from EVP_PKEY_derive_set_peer, because
	 * it is completely valid to use a client certificate for
	 * authorization only.
	 *
	 * peer_cert may be NULL when no client certificate was sent; this
	 * relies on X509_get0_pubkey() returning NULL for that.
	 */
	if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
		if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
			ERR_clear_error();
	}

	/* Decrypt session key: exactly one SEQUENCE, nothing trailing. */
	if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
		goto decode_err;
	if (CBS_len(cbs) != 0)
		goto decode_err;
	/* outlen caps the decrypted output to our 32-byte buffer. */
	outlen = sizeof(premaster_secret);
	if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
	    CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
		SSLerror(s, SSL_R_DECRYPTION_FAILED);
		goto err;
	}

	if (!tls12_derive_master_secret(s, premaster_secret,
	    sizeof(premaster_secret)))
		goto err;

	/* Check if pubkey from client certificate was used */
	if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
	    2, NULL) > 0)
		s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;

	/* Wipe the secret on every path, even if it was never filled. */
	explicit_bzero(premaster_secret, sizeof(premaster_secret));
	EVP_PKEY_CTX_free(pkey_ctx);

	return 1;

 decode_err:
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 err:
	explicit_bzero(premaster_secret, sizeof(premaster_secret));
	EVP_PKEY_CTX_free(pkey_ctx);

	return 0;
}
187072c33676SMaxim Ag
/*
 * Read the ClientKeyExchange message and dispatch on the cipher's key
 * exchange method (RSA, DHE, ECDHE or GOST) to the matching helper, which
 * consumes the body and derives the master secret.
 *
 * Returns the ssl3_get_message() result (<= 0) while the message is still
 * being read, 1 on success, -1 on failure. A handshake_failure alert is
 * sent for an unknown kex method and a decode_error alert when the body
 * has bytes the helper did not consume; the helpers send their own alerts
 * for errors they detect.
 */
int
ssl3_get_client_key_exchange(SSL *s)
{
	int (*kex_handler)(SSL *, CBS *) = NULL;
	unsigned long alg_k;
	CBS cbs;
	int ret;

	/* 2048 maxlen is a guess. How long a key does that permit? */
	if ((ret = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
	    SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048)) <= 0)
		return ret;

	if (s->internal->init_num < 0)
		return (-1);

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	alg_k = s->s3->hs.cipher->algorithm_mkey;
	if (alg_k & SSL_kRSA)
		kex_handler = ssl3_get_client_kex_rsa;
	else if (alg_k & SSL_kDHE)
		kex_handler = ssl3_get_client_kex_dhe;
	else if (alg_k & SSL_kECDHE)
		kex_handler = ssl3_get_client_kex_ecdhe;
	else if (alg_k & SSL_kGOST)
		kex_handler = ssl3_get_client_kex_gost;

	if (kex_handler == NULL) {
		SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
		return (-1);
	}

	if (!kex_handler(s, &cbs))
		return (-1);

	/* Every byte of the body must have been consumed. */
	if (CBS_len(&cbs) != 0) {
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
		return (-1);
	}

	return (1);
}
192172c33676SMaxim Ag
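/*
 * Process the client's CertificateVerify message (TLS 1.2 and earlier).
 *
 * Checks that the client holds the private key matching the certificate it
 * sent earlier.  With signature algorithms in use (TLS 1.2) the signature
 * covers the handshake transcript under the negotiated sigalg; otherwise it
 * covers the MD5 || SHA-1 (RSA) or SHA-1 (ECDSA) hashes accumulated in
 * s->s3->hs.tls12.cert_verify, or a transcript digest for GOST keys.
 *
 * If the message received is not a CertificateVerify it is left for the next
 * handshake state (reuse_message); that is only acceptable when the client
 * did not present a certificate.
 *
 * Returns 1 on success, 0 on failure (a fatal alert is sent for protocol
 * level errors), or the <= 0 result of ssl3_get_message() while the message
 * is not yet available.
 */
int
ssl3_get_cert_verify(SSL *s)
{
	CBS cbs, signature;
	const struct ssl_sigalg *sigalg = NULL;
	uint16_t sigalg_value = SIGALG_NONE;
	EVP_PKEY *pkey;
	X509 *peer_cert = NULL;
	EVP_MD_CTX *mctx = NULL;
	int al, verify;
	const unsigned char *hdata;
	size_t hdatalen;
	int type = 0;
	int ret;

	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
	    SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0)
		return ret;

	/* From here on every failure path returns 0. */
	ret = 0;

	if (s->internal->init_num < 0)
		goto err;

	if ((mctx = EVP_MD_CTX_new()) == NULL)
		goto err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	peer_cert = s->session->peer_cert;
	pkey = X509_get0_pubkey(peer_cert);
	type = X509_certificate_type(peer_cert, pkey);

	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
		/* Not ours - hand the message on to the next state. */
		s->s3->hs.tls12.reuse_message = 1;
		/* A client that sent a certificate must also prove possession. */
		if (peer_cert != NULL) {
			al = SSL_AD_UNEXPECTED_MESSAGE;
			SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
			goto fatal_err;
		}
		ret = 1;
		goto end;
	}

	if (peer_cert == NULL) {
		SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED);
		al = SSL_AD_UNEXPECTED_MESSAGE;
		goto fatal_err;
	}

	if (!(type & EVP_PKT_SIGN)) {
		SSLerror(s, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
		al = SSL_AD_ILLEGAL_PARAMETER;
		goto fatal_err;
	}

	/* CertificateVerify must precede ChangeCipherSpec. */
	if (s->s3->change_cipher_spec) {
		SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
		al = SSL_AD_UNEXPECTED_MESSAGE;
		goto fatal_err;
	}

	if (SSL_USE_SIGALGS(s)) {
		if (!CBS_get_u16(&cbs, &sigalg_value))
			goto decode_err;
	}
	/*
	 * A truncated signature length prefix is a framing error like the
	 * other decode failures in this function, so report it with the same
	 * fatal decode_error alert instead of silently dropping the handshake.
	 */
	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
		goto decode_err;
	if (CBS_len(&cbs) != 0) {
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
		goto fatal_err;
	}

	/* Bound the signature by the key size before doing any crypto. */
	if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
		SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE);
		al = SSL_AD_DECODE_ERROR;
		goto fatal_err;
	}

	/*
	 * Resolve the signature algorithm the peer used against the key type
	 * (sigalg_value stays SIGALG_NONE when sigalgs are not in use).
	 */
	if ((sigalg = ssl_sigalg_for_peer(s, pkey,
	    sigalg_value)) == NULL) {
		al = SSL_AD_DECODE_ERROR;
		goto fatal_err;
	}
	s->s3->hs.peer_sigalg = sigalg;

	if (SSL_USE_SIGALGS(s)) {
		EVP_PKEY_CTX *pctx;

		/* TLS 1.2: the signature covers the handshake transcript. */
		if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_DigestVerifyInit(mctx, &pctx, sigalg->md(),
		    NULL, pkey)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		/* RSA-PSS: a salt length of -1 selects the digest length. */
		if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
		    (!EVP_PKEY_CTX_set_rsa_padding(pctx,
		    RSA_PKCS1_PSS_PADDING) ||
		    !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
		    EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
		    EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
		    NULL) <= 0) {
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_DigestVerifyUpdate(mctx, hdata, hdatalen)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (EVP_DigestVerifyFinal(mctx, CBS_data(&signature),
		    CBS_len(&signature)) <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_SIGNATURE);
			goto fatal_err;
		}
	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
		RSA *rsa;

		if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
			al = SSL_AD_INTERNAL_ERROR;
			SSLerror(s, ERR_R_EVP_LIB);
			goto fatal_err;
		}
		/* Pre-TLS 1.2 RSA: signature over the MD5 || SHA-1 hashes. */
		verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,
		    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
		    CBS_len(&signature), rsa);
		if (verify < 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_RSA_DECRYPT);
			goto fatal_err;
		}
		if (verify == 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_RSA_SIGNATURE);
			goto fatal_err;
		}
	} else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
		EC_KEY *eckey;

		if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
			al = SSL_AD_INTERNAL_ERROR;
			SSLerror(s, ERR_R_EVP_LIB);
			goto fatal_err;
		}
		/* Pre-TLS 1.2 ECDSA: only the SHA-1 half of cert_verify is signed. */
		verify = ECDSA_verify(0,
		    &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
		    SHA_DIGEST_LENGTH, CBS_data(&signature),
		    CBS_len(&signature), eckey);
		if (verify <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
			goto fatal_err;
		}
#ifndef OPENSSL_NO_GOST
	} else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
	    EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
		/* sigbuf receives the transcript digest the signature is checked against. */
		unsigned char sigbuf[128];
		unsigned int siglen = sizeof(sigbuf);
		EVP_PKEY_CTX *pctx;
		const EVP_MD *md;
		int nid;

		/* GOST: digest the transcript with the key's default digest. */
		if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
			SSLerror(s, ERR_R_INTERNAL_ERROR);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
		    !(md = EVP_get_digestbynid(nid))) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			goto fatal_err;
		}
		/* pctx is owned here; free it on every exit from this branch. */
		if (!EVP_DigestInit_ex(mctx, md, NULL) ||
		    !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
		    !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
		    (EVP_PKEY_verify_init(pctx) <= 0) ||
		    (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
		    (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
		    EVP_PKEY_CTRL_GOST_SIG_FORMAT,
		    GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
			SSLerror(s, ERR_R_EVP_LIB);
			al = SSL_AD_INTERNAL_ERROR;
			EVP_PKEY_CTX_free(pctx);
			goto fatal_err;
		}
		if (EVP_PKEY_verify(pctx, CBS_data(&signature),
		    CBS_len(&signature), sigbuf, siglen) <= 0) {
			al = SSL_AD_DECRYPT_ERROR;
			SSLerror(s, SSL_R_BAD_SIGNATURE);
			EVP_PKEY_CTX_free(pctx);
			goto fatal_err;
		}

		EVP_PKEY_CTX_free(pctx);
#endif
	} else {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		al = SSL_AD_UNSUPPORTED_CERTIFICATE;
		goto fatal_err;
	}

	ret = 1;
	if (0) {
 decode_err:
		al = SSL_AD_DECODE_ERROR;
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);
	}
 end:
	/* The transcript is no longer needed once the client is authenticated. */
	tls1_transcript_free(s);
 err:
	EVP_MD_CTX_free(mctx);

	return (ret);
}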
215572c33676SMaxim Ag
/*
 * Read the client's Certificate message (TLS 1.2 and earlier).
 *
 * Accepts either an empty certificate list, or a ClientKeyExchange in place
 * of the Certificate message when we did not ask for one, subject to the
 * SSL_VERIFY_PEER / SSL_VERIFY_FAIL_IF_NO_PEER_CERT settings.  A non-empty
 * list is DER-decoded, verified with ssl_verify_cert_chain() and recorded
 * via tls_process_peer_certs().
 *
 * Returns 1 on success, -1 on failure (sending a fatal alert for protocol
 * level errors), or the <= 0 result of ssl3_get_message() while the message
 * is not yet available.
 */
int
ssl3_get_client_certificate(SSL *s)
{
	CBS cbs, cert_list, cert_bytes;
	STACK_OF(X509) *chain = NULL;
	X509 *x = NULL;
	const uint8_t *der;
	int cert_required;
	int al, ret;

	if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
	    -1, s->internal->max_cert_list)) <= 0)
		return ret;

	ret = -1;

	/* Whether the configured verify mode insists on a client certificate. */
	cert_required = (s->verify_mode & SSL_VERIFY_PEER) &&
	    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

	if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
		/* The client skipped the Certificate message altogether. */
		if (cert_required) {
			SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al = SSL_AD_HANDSHAKE_FAILURE;
			goto fatal_err;
		}

		/*
		 * Having been asked for a certificate, a client without one
		 * still has to answer with an empty certificate list.
		 */
		if (s->s3->hs.tls12.cert_request != 0) {
			SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
			al = SSL_AD_UNEXPECTED_MESSAGE;
			goto fatal_err;
		}
		/* Leave the ClientKeyExchange for the next state to consume. */
		s->s3->hs.tls12.reuse_message = 1;
		goto done;
	}

	if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
		goto fatal_err;
	}

	if (s->internal->init_num < 0)
		goto decode_err;

	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);

	/* The message body is exactly one u24 length-prefixed list. */
	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
		goto decode_err;
	if (CBS_len(&cbs) != 0)
		goto decode_err;

	/*
	 * RFC 5246 section 7.4.6: a client with no suitable certificate sends
	 * an empty certificate list rather than omitting the message.
	 */
	if (CBS_len(&cert_list) == 0) {
		if (cert_required) {
			SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al = SSL_AD_HANDSHAKE_FAILURE;
			goto fatal_err;
		}
		/* Nothing to verify later, so the transcript can go. */
		tls1_transcript_free(s);
		goto done;
	}

	if ((chain = sk_X509_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	/* Each entry is a u24 length-prefixed DER certificate. */
	while (CBS_len(&cert_list) > 0) {
		if (!CBS_get_u24_length_prefixed(&cert_list, &cert_bytes))
			goto decode_err;
		der = CBS_data(&cert_bytes);
		if ((x = d2i_X509(NULL, &der, CBS_len(&cert_bytes))) == NULL) {
			SSLerror(s, ERR_R_ASN1_LIB);
			goto err;
		}
		/* The decoder must have consumed the entry exactly. */
		if (der != CBS_data(&cert_bytes) + CBS_len(&cert_bytes))
			goto decode_err;
		if (!sk_X509_push(chain, x)) {
			SSLerror(s, ERR_R_MALLOC_FAILURE);
			goto err;
		}
		/* Ownership moved into the stack. */
		x = NULL;
	}

	if (ssl_verify_cert_chain(s, chain) <= 0) {
		al = ssl_verify_alarm_type(s->verify_result);
		SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED);
		goto fatal_err;
	}
	s->session->verify_result = s->verify_result;
	ERR_clear_error();

	if (!tls_process_peer_certs(s, chain))
		goto err;

 done:
	ret = 1;
	goto err;

 decode_err:
	al = SSL_AD_DECODE_ERROR;
	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
 fatal_err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
	/* Both are NULL-safe; x is only non-NULL if a push failed. */
	sk_X509_pop_free(chain, X509_free);
	X509_free(x);

	return (ret);
}
227372c33676SMaxim Ag
/*
 * Send the server Certificate message - RFC 5246, section 7.4.2.
 *
 * In state SSL3_ST_SW_CERT_A the message is built from the server's
 * sending certificate chain and the state advances to SSL3_ST_SW_CERT_B;
 * in either state the pending handshake data is then written out.
 *
 * Returns the result of ssl3_handshake_write(), or 0 on failure.
 */
int
ssl3_send_server_certificate(SSL *s)
{
	CBB cbb, server_cert;
	SSL_CERT_PKEY *send_pkey;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_CERT_B: the message is already built, just flush it. */
	if (s->s3->hs.state != SSL3_ST_SW_CERT_A)
		return (ssl3_handshake_write(s));

	if ((send_pkey = ssl_get_server_send_pkey(s)) == NULL) {
		SSLerror(s, ERR_R_INTERNAL_ERROR);
		return (0);
	}

	if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,
	    SSL3_MT_CERTIFICATE))
		goto err;
	if (!ssl3_output_cert_chain(s, &server_cert, send_pkey))
		goto err;
	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	s->s3->hs.state = SSL3_ST_SW_CERT_B;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (0);
}
231172c33676SMaxim Ag
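/*
 * Send a NewSessionTicket message (not necessarily for a new session) -
 * RFC 5077, section 3.3.
 *
 * The ticket is the serialised session state encrypted under the ticket
 * key, framed as key_name || iv || ciphertext || hmac, where the HMAC covers
 * the first three fields.  If the application installed a ticket key
 * callback on the initial SSL_CTX it supplies key_name, iv and initialised
 * cipher/HMAC contexts; otherwise the keys held in that context are used
 * with AES-128-CBC and HMAC-SHA256.
 *
 * Returns the result of ssl3_handshake_write(), or -1 on failure.
 */
int
ssl3_send_newsession_ticket(SSL *s)
{
	CBB cbb, session_ticket, ticket;
	SSL_CTX *tctx = s->initial_ctx;
	size_t enc_session_len, enc_session_max_len, hmac_len;
	size_t session_len = 0;
	unsigned char *enc_session = NULL, *session = NULL;
	unsigned char iv[EVP_MAX_IV_LENGTH];
	unsigned char key_name[16];
	unsigned char *hmac;
	unsigned int hlen;
	EVP_CIPHER_CTX *ctx = NULL;
	HMAC_CTX *hctx = NULL;
	int hmac_size;
	int len;

	memset(&cbb, 0, sizeof(cbb));

	if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
		goto err;
	if ((hctx = HMAC_CTX_new()) == NULL)
		goto err;

	if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {
		if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket,
		    SSL3_MT_NEWSESSION_TICKET))
			goto err;

		if (!SSL_SESSION_ticket(s->session, &session, &session_len))
			goto err;
		/* The ticket travels in a u16 length-prefixed field. */
		if (session_len > 0xffff)
			goto err;

		/*
		 * Initialize HMAC and cipher contexts. If callback is present
		 * it does all the work, otherwise use generated values from
		 * parent context.
		 */
		if (tctx->internal->tlsext_ticket_key_cb != NULL) {
			if (tctx->internal->tlsext_ticket_key_cb(s,
			    key_name, iv, ctx, hctx, 1) < 0)
				goto err;
		} else {
			/* AES-128-CBC uses a 16 byte IV. */
			arc4random_buf(iv, 16);
			/*
			 * Both initialisations report failure; do not carry
			 * on with a context that was never set up.
			 */
			if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
			    tctx->internal->tlsext_tick_aes_key, iv))
				goto err;
			if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key,
			    16, EVP_sha256(), NULL))
				goto err;
			memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16);
		}

		/* Encrypt the session state. */
		enc_session_max_len = session_len + EVP_MAX_BLOCK_LENGTH;
		if ((enc_session = calloc(1, enc_session_max_len)) == NULL)
			goto err;
		enc_session_len = 0;
		if (!EVP_EncryptUpdate(ctx, enc_session, &len, session,
		    session_len))
			goto err;
		enc_session_len += len;
		if (!EVP_EncryptFinal_ex(ctx, enc_session + enc_session_len,
		    &len))
			goto err;
		enc_session_len += len;

		/* Sanity check against the padding allowance above. */
		if (enc_session_len > enc_session_max_len)
			goto err;

		/* Generate the HMAC over key_name || iv || ciphertext. */
		if (!HMAC_Update(hctx, key_name, sizeof(key_name)))
			goto err;
		if (!HMAC_Update(hctx, iv, EVP_CIPHER_CTX_iv_length(ctx)))
			goto err;
		if (!HMAC_Update(hctx, enc_session, enc_session_len))
			goto err;

		/*
		 * HMAC_size() returns an int; keep it as one for the check so
		 * a negative (error) value is rejected rather than being
		 * converted into a huge size_t.
		 */
		if ((hmac_size = HMAC_size(hctx)) <= 0)
			goto err;
		hmac_len = hmac_size;

		/*
		 * Ticket lifetime hint (advisory only):
		 * We leave this unspecified for resumed session
		 * (for simplicity), and guess that tickets for new
		 * sessions will live as long as their sessions.
		 */
		if (!CBB_add_u32(&session_ticket,
		    s->internal->hit ? 0 : s->session->timeout))
			goto err;

		if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket))
			goto err;
		if (!CBB_add_bytes(&ticket, key_name, sizeof(key_name)))
			goto err;
		if (!CBB_add_bytes(&ticket, iv, EVP_CIPHER_CTX_iv_length(ctx)))
			goto err;
		if (!CBB_add_bytes(&ticket, enc_session, enc_session_len))
			goto err;
		/* Reserve the HMAC slot and write the tag straight into it. */
		if (!CBB_add_space(&ticket, &hmac, hmac_len))
			goto err;

		if (!HMAC_Final(hctx, hmac, &hlen))
			goto err;
		/* The produced tag must fill exactly the space reserved. */
		if (hlen != hmac_len)
			goto err;

		if (!ssl3_handshake_msg_finish(s, &cbb))
			goto err;

		s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;
	}

	EVP_CIPHER_CTX_free(ctx);
	HMAC_CTX_free(hctx);
	/* The plaintext session state is sensitive; wipe before freeing. */
	freezero(session, session_len);
	free(enc_session);

	/* SSL3_ST_SW_SESSION_TICKET_B */
	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);
	EVP_CIPHER_CTX_free(ctx);
	HMAC_CTX_free(hctx);
	freezero(session, session_len);
	free(enc_session);

	return (-1);
}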
244572c33676SMaxim Ag
/*
 * Send the CertificateStatus message carrying the stapled OCSP response.
 *
 * In state SSL3_ST_SW_CERT_STATUS_A the message is built from
 * s->tlsext_status_type and s->internal->tlsext_ocsp_resp and the state
 * advances to SSL3_ST_SW_CERT_STATUS_B; in either state the pending
 * handshake data is then written out.
 *
 * Returns the result of ssl3_handshake_write(), or -1 on failure.
 */
int
ssl3_send_cert_status(SSL *s)
{
	CBB cbb, status_msg, ocsp_body;

	memset(&cbb, 0, sizeof(cbb));

	/* SSL3_ST_SW_CERT_STATUS_B: message already built, just flush it. */
	if (s->s3->hs.state != SSL3_ST_SW_CERT_STATUS_A)
		return (ssl3_handshake_write(s));

	if (!ssl3_handshake_msg_start(s, &cbb, &status_msg,
	    SSL3_MT_CERTIFICATE_STATUS))
		goto err;
	if (!CBB_add_u8(&status_msg, s->tlsext_status_type))
		goto err;
	/* The response itself is a u24 length-prefixed opaque blob. */
	if (!CBB_add_u24_length_prefixed(&status_msg, &ocsp_body))
		goto err;
	if (!CBB_add_bytes(&ocsp_body, s->internal->tlsext_ocsp_resp,
	    s->internal->tlsext_ocsp_resp_len))
		goto err;
	if (!ssl3_handshake_msg_finish(s, &cbb))
		goto err;

	s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;

	return (ssl3_handshake_write(s));

 err:
	CBB_cleanup(&cbb);

	return (-1);
}
2478