1 /* $OpenBSD: ssl_clnt.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <limits.h> 152 #include <stdint.h> 153 #include <stdio.h> 154 155 #include <openssl/bn.h> 156 #include <openssl/buffer.h> 157 #include <openssl/curve25519.h> 158 #include <openssl/dh.h> 159 #include <openssl/evp.h> 160 #include <openssl/md5.h> 161 #include <openssl/objects.h> 162 #include <openssl/opensslconf.h> 163 164 #ifndef OPENSSL_NO_ENGINE 165 #include <openssl/engine.h> 166 #endif 167 #ifndef OPENSSL_NO_GOST 168 #include <openssl/gost.h> 169 #endif 170 171 #include "bytestring.h" 172 #include "dtls_locl.h" 173 #include "ssl_locl.h" 174 #include "ssl_sigalgs.h" 175 #include "ssl_tlsext.h" 176 177 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); 178 179 int 180 ssl3_connect(SSL *s) 181 { 182 int new_state, state, skip = 0; 183 int ret = -1; 184 185 ERR_clear_error(); 186 errno = 0; 187 188 s->internal->in_handshake++; 189 if (!SSL_in_init(s) || SSL_in_before(s)) 190 SSL_clear(s); 191 192 for (;;) { 193 state = s->s3->hs.state; 194 195 switch (s->s3->hs.state) { 196 case SSL_ST_RENEGOTIATE: 197 s->internal->renegotiate = 1; 198 s->s3->hs.state = SSL_ST_CONNECT; 199 s->ctx->internal->stats.sess_connect_renegotiate++; 200 /* break */ 201 case SSL_ST_BEFORE: 202 case SSL_ST_CONNECT: 203 case SSL_ST_BEFORE|SSL_ST_CONNECT: 204 case SSL_ST_OK|SSL_ST_CONNECT: 205 206 s->server = 0; 207 208 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1); 209 210 if (!ssl_legacy_stack_version(s, s->version)) { 211 SSLerror(s, ERR_R_INTERNAL_ERROR); 212 ret = -1; 213 goto end; 214 } 215 216 if (!ssl_supported_tls_version_range(s, 217 &s->s3->hs.our_min_tls_version, 218 &s->s3->hs.our_max_tls_version)) { 219 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 220 ret = -1; 221 goto end; 222 } 223 224 if (!ssl3_setup_init_buffer(s)) { 225 ret = -1; 226 goto end; 227 } 228 if (!ssl3_setup_buffers(s)) { 229 ret = -1; 230 goto end; 231 } 232 if (!ssl_init_wbio_buffer(s, 0)) { 233 ret = -1; 234 goto end; 235 } 236 237 /* don't push the buffering BIO quite yet */ 238 239 if (!tls1_transcript_init(s)) { 240 ret = -1; 241 goto end; 242 } 243 244 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; 245 s->ctx->internal->stats.sess_connect++; 246 s->internal->init_num = 0; 247 248 if (SSL_is_dtls(s)) { 249 /* mark client_random uninitialized */ 250 memset(s->s3->client_random, 0, 251 sizeof(s->s3->client_random)); 252 s->d1->send_cookie = 0; 253 s->internal->hit = 0; 254 } 255 break; 256 257 case SSL3_ST_CW_CLNT_HELLO_A: 258 case SSL3_ST_CW_CLNT_HELLO_B: 259 s->internal->shutdown = 0; 260 261 if (SSL_is_dtls(s)) { 262 /* every DTLS ClientHello resets Finished MAC */ 263 tls1_transcript_reset(s); 264 265 dtls1_start_timer(s); 266 } 267 268 ret = ssl3_send_client_hello(s); 269 if (ret <= 0) 270 goto end; 271 272 if (SSL_is_dtls(s) && s->d1->send_cookie) { 273 s->s3->hs.state = SSL3_ST_CW_FLUSH; 274 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A; 275 } else 276 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 277 278 s->internal->init_num = 0; 279 280 /* turn on buffering for the next lot of output */ 281 if (s->bbio != s->wbio) 282 s->wbio = BIO_push(s->bbio, s->wbio); 283 284 break; 285 286 case SSL3_ST_CR_SRVR_HELLO_A: 287 case SSL3_ST_CR_SRVR_HELLO_B: 288 ret = ssl3_get_server_hello(s); 289 if (ret <= 0) 290 goto end; 291 292 if (s->internal->hit) { 293 s->s3->hs.state = SSL3_ST_CR_FINISHED_A; 294 if (!SSL_is_dtls(s)) { 295 if (s->internal->tlsext_ticket_expected) { 296 /* receive renewed session ticket */ 297 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; 298 } 299 300 /* No client certificate verification. */ 301 tls1_transcript_free(s); 302 } 303 } else if (SSL_is_dtls(s)) { 304 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 305 } else { 306 s->s3->hs.state = SSL3_ST_CR_CERT_A; 307 } 308 s->internal->init_num = 0; 309 break; 310 311 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 312 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 313 ret = ssl3_get_dtls_hello_verify(s); 314 if (ret <= 0) 315 goto end; 316 dtls1_stop_timer(s); 317 if (s->d1->send_cookie) /* start again, with a cookie */ 318 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; 319 else 320 s->s3->hs.state = SSL3_ST_CR_CERT_A; 321 s->internal->init_num = 0; 322 break; 323 324 case SSL3_ST_CR_CERT_A: 325 case SSL3_ST_CR_CERT_B: 326 ret = ssl3_check_finished(s); 327 if (ret <= 0) 328 goto end; 329 if (ret == 2) { 330 s->internal->hit = 1; 331 if (s->internal->tlsext_ticket_expected) 332 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; 333 else 334 s->s3->hs.state = SSL3_ST_CR_FINISHED_A; 335 s->internal->init_num = 0; 336 break; 337 } 338 /* Check if it is anon DH/ECDH. */ 339 if (!(s->s3->hs.cipher->algorithm_auth & 340 SSL_aNULL)) { 341 ret = ssl3_get_server_certificate(s); 342 if (ret <= 0) 343 goto end; 344 if (s->internal->tlsext_status_expected) 345 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A; 346 else 347 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; 348 } else { 349 skip = 1; 350 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; 351 } 352 s->internal->init_num = 0; 353 break; 354 355 case SSL3_ST_CR_KEY_EXCH_A: 356 case SSL3_ST_CR_KEY_EXCH_B: 357 ret = ssl3_get_server_key_exchange(s); 358 if (ret <= 0) 359 goto end; 360 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A; 361 s->internal->init_num = 0; 362 363 /* 364 * At this point we check that we have the 365 * required stuff from the server. 366 */ 367 if (!ssl3_check_cert_and_algorithm(s)) { 368 ret = -1; 369 goto end; 370 } 371 break; 372 373 case SSL3_ST_CR_CERT_REQ_A: 374 case SSL3_ST_CR_CERT_REQ_B: 375 ret = ssl3_get_certificate_request(s); 376 if (ret <= 0) 377 goto end; 378 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A; 379 s->internal->init_num = 0; 380 break; 381 382 case SSL3_ST_CR_SRVR_DONE_A: 383 case SSL3_ST_CR_SRVR_DONE_B: 384 ret = ssl3_get_server_done(s); 385 if (ret <= 0) 386 goto end; 387 if (SSL_is_dtls(s)) 388 dtls1_stop_timer(s); 389 if (s->s3->hs.tls12.cert_request) 390 s->s3->hs.state = SSL3_ST_CW_CERT_A; 391 else 392 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; 393 s->internal->init_num = 0; 394 395 break; 396 397 case SSL3_ST_CW_CERT_A: 398 case SSL3_ST_CW_CERT_B: 399 case SSL3_ST_CW_CERT_C: 400 case SSL3_ST_CW_CERT_D: 401 if (SSL_is_dtls(s)) 402 dtls1_start_timer(s); 403 ret = ssl3_send_client_certificate(s); 404 if (ret <= 0) 405 goto end; 406 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; 407 s->internal->init_num = 0; 408 break; 409 410 case SSL3_ST_CW_KEY_EXCH_A: 411 case SSL3_ST_CW_KEY_EXCH_B: 412 if (SSL_is_dtls(s)) 413 dtls1_start_timer(s); 414 ret = ssl3_send_client_key_exchange(s); 415 if (ret <= 0) 416 goto end; 417 /* 418 * EAY EAY EAY need to check for DH fix cert 419 * sent back 420 */ 421 /* 422 * For TLS, cert_req is set to 2, so a cert chain 423 * of nothing is sent, but no verify packet is sent 424 */ 425 /* 426 * XXX: For now, we do not support client 427 * authentication in ECDH cipher suites with 428 * ECDH (rather than ECDSA) certificates. 429 * We need to skip the certificate verify 430 * message when client's ECDH public key is sent 431 * inside the client certificate. 432 */ 433 if (s->s3->hs.tls12.cert_request == 1) { 434 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A; 435 } else { 436 s->s3->hs.state = SSL3_ST_CW_CHANGE_A; 437 s->s3->change_cipher_spec = 0; 438 } 439 if (!SSL_is_dtls(s)) { 440 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 441 s->s3->hs.state = SSL3_ST_CW_CHANGE_A; 442 s->s3->change_cipher_spec = 0; 443 } 444 } 445 446 s->internal->init_num = 0; 447 break; 448 449 case SSL3_ST_CW_CERT_VRFY_A: 450 case SSL3_ST_CW_CERT_VRFY_B: 451 if (SSL_is_dtls(s)) 452 dtls1_start_timer(s); 453 ret = ssl3_send_client_verify(s); 454 if (ret <= 0) 455 goto end; 456 s->s3->hs.state = SSL3_ST_CW_CHANGE_A; 457 s->internal->init_num = 0; 458 s->s3->change_cipher_spec = 0; 459 break; 460 461 case SSL3_ST_CW_CHANGE_A: 462 case SSL3_ST_CW_CHANGE_B: 463 if (SSL_is_dtls(s) && !s->internal->hit) 464 dtls1_start_timer(s); 465 ret = ssl3_send_change_cipher_spec(s, 466 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); 467 if (ret <= 0) 468 goto end; 469 470 s->s3->hs.state = SSL3_ST_CW_FINISHED_A; 471 s->internal->init_num = 0; 472 s->session->cipher = s->s3->hs.cipher; 473 474 if (!tls1_setup_key_block(s)) { 475 ret = -1; 476 goto end; 477 } 478 if (!tls1_change_write_cipher_state(s)) { 479 ret = -1; 480 goto end; 481 } 482 break; 483 484 case SSL3_ST_CW_FINISHED_A: 485 case SSL3_ST_CW_FINISHED_B: 486 if (SSL_is_dtls(s) && !s->internal->hit) 487 dtls1_start_timer(s); 488 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, 489 SSL3_ST_CW_FINISHED_B); 490 if (ret <= 0) 491 goto end; 492 if (!SSL_is_dtls(s)) 493 s->s3->flags |= SSL3_FLAGS_CCS_OK; 494 s->s3->hs.state = SSL3_ST_CW_FLUSH; 495 496 /* clear flags */ 497 if (s->internal->hit) { 498 s->s3->hs.tls12.next_state = SSL_ST_OK; 499 } else { 500 /* Allow NewSessionTicket if ticket expected */ 501 if (s->internal->tlsext_ticket_expected) 502 s->s3->hs.tls12.next_state = 503 SSL3_ST_CR_SESSION_TICKET_A; 504 else 505 s->s3->hs.tls12.next_state = 506 SSL3_ST_CR_FINISHED_A; 507 } 508 s->internal->init_num = 0; 509 break; 510 511 case SSL3_ST_CR_SESSION_TICKET_A: 512 case SSL3_ST_CR_SESSION_TICKET_B: 513 ret = ssl3_get_new_session_ticket(s); 514 if (ret <= 0) 515 goto end; 516 s->s3->hs.state = SSL3_ST_CR_FINISHED_A; 517 s->internal->init_num = 0; 518 break; 519 520 case SSL3_ST_CR_CERT_STATUS_A: 521 case SSL3_ST_CR_CERT_STATUS_B: 522 ret = ssl3_get_cert_status(s); 523 if (ret <= 0) 524 goto end; 525 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; 526 s->internal->init_num = 0; 527 break; 528 529 case SSL3_ST_CR_FINISHED_A: 530 case SSL3_ST_CR_FINISHED_B: 531 if (SSL_is_dtls(s)) 532 s->d1->change_cipher_spec_ok = 1; 533 else 534 s->s3->flags |= SSL3_FLAGS_CCS_OK; 535 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, 536 SSL3_ST_CR_FINISHED_B); 537 if (ret <= 0) 538 goto end; 539 if (SSL_is_dtls(s)) 540 dtls1_stop_timer(s); 541 542 if (s->internal->hit) 543 s->s3->hs.state = SSL3_ST_CW_CHANGE_A; 544 else 545 s->s3->hs.state = SSL_ST_OK; 546 s->internal->init_num = 0; 547 break; 548 549 case SSL3_ST_CW_FLUSH: 550 s->internal->rwstate = SSL_WRITING; 551 if (BIO_flush(s->wbio) <= 0) { 552 if (SSL_is_dtls(s)) { 553 /* If the write error was fatal, stop trying */ 554 if (!BIO_should_retry(s->wbio)) { 555 s->internal->rwstate = SSL_NOTHING; 556 s->s3->hs.state = s->s3->hs.tls12.next_state; 557 } 558 } 559 ret = -1; 560 goto end; 561 } 562 s->internal->rwstate = SSL_NOTHING; 563 s->s3->hs.state = s->s3->hs.tls12.next_state; 564 break; 565 566 case SSL_ST_OK: 567 /* clean a few things up */ 568 tls1_cleanup_key_block(s); 569 570 if (s->s3->handshake_transcript != NULL) { 571 SSLerror(s, ERR_R_INTERNAL_ERROR); 572 ret = -1; 573 goto end; 574 } 575 576 if (!SSL_is_dtls(s)) 577 ssl3_release_init_buffer(s); 578 579 ssl_free_wbio_buffer(s); 580 581 s->internal->init_num = 0; 582 s->internal->renegotiate = 0; 583 s->internal->new_session = 0; 584 585 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 586 if (s->internal->hit) 587 s->ctx->internal->stats.sess_hit++; 588 589 ret = 1; 590 /* s->server=0; */ 591 s->internal->handshake_func = ssl3_connect; 592 s->ctx->internal->stats.sess_connect_good++; 593 594 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); 595 596 if (SSL_is_dtls(s)) { 597 /* done with handshaking */ 598 s->d1->handshake_read_seq = 0; 599 s->d1->next_handshake_write_seq = 0; 600 } 601 602 goto end; 603 /* break; */ 604 605 default: 606 SSLerror(s, SSL_R_UNKNOWN_STATE); 607 ret = -1; 608 goto end; 609 /* break; */ 610 } 611 612 /* did we do anything */ 613 if (!s->s3->hs.tls12.reuse_message && !skip) { 614 if (s->internal->debug) { 615 if ((ret = BIO_flush(s->wbio)) <= 0) 616 goto end; 617 } 618 619 if (s->s3->hs.state != state) { 620 new_state = s->s3->hs.state; 621 s->s3->hs.state = state; 622 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1); 623 s->s3->hs.state = new_state; 624 } 625 } 626 skip = 0; 627 } 628 629 end: 630 s->internal->in_handshake--; 631 ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret); 632 633 return (ret); 634 } 635 636 int 637 ssl3_send_client_hello(SSL *s) 638 { 639 CBB cbb, client_hello, session_id, cookie, cipher_suites; 640 CBB compression_methods; 641 uint16_t max_version; 642 size_t sl; 643 644 memset(&cbb, 0, sizeof(cbb)); 645 646 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) { 647 SSL_SESSION *sess = s->session; 648 649 if (!ssl_max_supported_version(s, &max_version)) { 650 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 651 return (-1); 652 } 653 s->version = max_version; 654 655 if (sess == NULL || 656 sess->ssl_version != s->version || 657 (!sess->session_id_length && !sess->tlsext_tick) || 658 sess->not_resumable) { 659 if (!ssl_get_new_session(s, 0)) 660 goto err; 661 } 662 /* else use the pre-loaded session */ 663 664 /* 665 * If a DTLS ClientHello message is being resent after a 666 * HelloVerifyRequest, we must retain the original client 667 * random value. 668 */ 669 if (!SSL_is_dtls(s) || s->d1->send_cookie == 0) 670 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 671 672 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello, 673 SSL3_MT_CLIENT_HELLO)) 674 goto err; 675 676 if (!CBB_add_u16(&client_hello, s->version)) 677 goto err; 678 679 /* Random stuff */ 680 if (!CBB_add_bytes(&client_hello, s->s3->client_random, 681 sizeof(s->s3->client_random))) 682 goto err; 683 684 /* Session ID */ 685 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id)) 686 goto err; 687 if (!s->internal->new_session && 688 s->session->session_id_length > 0) { 689 sl = s->session->session_id_length; 690 if (sl > sizeof(s->session->session_id)) { 691 SSLerror(s, ERR_R_INTERNAL_ERROR); 692 goto err; 693 } 694 if (!CBB_add_bytes(&session_id, 695 s->session->session_id, sl)) 696 goto err; 697 } 698 699 /* DTLS Cookie. */ 700 if (SSL_is_dtls(s)) { 701 if (s->d1->cookie_len > sizeof(s->d1->cookie)) { 702 SSLerror(s, ERR_R_INTERNAL_ERROR); 703 goto err; 704 } 705 if (!CBB_add_u8_length_prefixed(&client_hello, &cookie)) 706 goto err; 707 if (!CBB_add_bytes(&cookie, s->d1->cookie, 708 s->d1->cookie_len)) 709 goto err; 710 } 711 712 /* Ciphers supported */ 713 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites)) 714 return 0; 715 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), 716 &cipher_suites)) { 717 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 718 goto err; 719 } 720 721 /* Add in compression methods (null) */ 722 if (!CBB_add_u8_length_prefixed(&client_hello, 723 &compression_methods)) 724 goto err; 725 if (!CBB_add_u8(&compression_methods, 0)) 726 goto err; 727 728 /* TLS extensions */ 729 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) { 730 SSLerror(s, ERR_R_INTERNAL_ERROR); 731 goto err; 732 } 733 734 if (!ssl3_handshake_msg_finish(s, &cbb)) 735 goto err; 736 737 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B; 738 } 739 740 /* SSL3_ST_CW_CLNT_HELLO_B */ 741 return (ssl3_handshake_write(s)); 742 743 err: 744 CBB_cleanup(&cbb); 745 746 return (-1); 747 } 748 749 int 750 ssl3_get_dtls_hello_verify(SSL *s) 751 { 752 CBS hello_verify_request, cookie; 753 size_t cookie_len; 754 uint16_t ssl_version; 755 int al, ret; 756 757 if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 758 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list)) <= 0) 759 return ret; 760 761 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { 762 s->d1->send_cookie = 0; 763 s->s3->hs.tls12.reuse_message = 1; 764 return (1); 765 } 766 767 if (s->internal->init_num < 0) 768 goto decode_err; 769 770 CBS_init(&hello_verify_request, s->internal->init_msg, 771 s->internal->init_num); 772 773 if (!CBS_get_u16(&hello_verify_request, &ssl_version)) 774 goto decode_err; 775 if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie)) 776 goto decode_err; 777 if (CBS_len(&hello_verify_request) != 0) 778 goto decode_err; 779 780 /* 781 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always 782 * contain DTLSv1.0 the version that is going to be negotiated. 783 * Tolerate DTLSv1.2 just in case. 784 */ 785 if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) { 786 SSLerror(s, SSL_R_WRONG_SSL_VERSION); 787 s->version = (s->version & 0xff00) | (ssl_version & 0xff); 788 al = SSL_AD_PROTOCOL_VERSION; 789 goto fatal_err; 790 } 791 792 if (!CBS_write_bytes(&cookie, s->d1->cookie, 793 sizeof(s->d1->cookie), &cookie_len)) { 794 s->d1->cookie_len = 0; 795 al = SSL_AD_ILLEGAL_PARAMETER; 796 goto fatal_err; 797 } 798 s->d1->cookie_len = cookie_len; 799 s->d1->send_cookie = 1; 800 801 return 1; 802 803 decode_err: 804 al = SSL_AD_DECODE_ERROR; 805 fatal_err: 806 ssl3_send_alert(s, SSL3_AL_FATAL, al); 807 return -1; 808 } 809 810 int 811 ssl3_get_server_hello(SSL *s) 812 { 813 CBS cbs, server_random, session_id; 814 uint16_t server_version, cipher_suite; 815 uint8_t compression_method; 816 const SSL_CIPHER *cipher; 817 const SSL_METHOD *method; 818 unsigned long alg_k; 819 size_t outlen; 820 int al, ret; 821 822 s->internal->first_packet = 1; 823 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, 824 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0) 825 return ret; 826 s->internal->first_packet = 0; 827 828 if (s->internal->init_num < 0) 829 goto decode_err; 830 831 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 832 833 if (SSL_is_dtls(s)) { 834 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 835 if (s->d1->send_cookie == 0) { 836 s->s3->hs.tls12.reuse_message = 1; 837 return (1); 838 } else { 839 /* Already sent a cookie. */ 840 al = SSL_AD_UNEXPECTED_MESSAGE; 841 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 842 goto fatal_err; 843 } 844 } 845 } 846 847 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) { 848 al = SSL_AD_UNEXPECTED_MESSAGE; 849 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 850 goto fatal_err; 851 } 852 853 if (!CBS_get_u16(&cbs, &server_version)) 854 goto decode_err; 855 856 if (!ssl_check_version_from_server(s, server_version)) { 857 SSLerror(s, SSL_R_WRONG_SSL_VERSION); 858 s->version = (s->version & 0xff00) | (server_version & 0xff); 859 al = SSL_AD_PROTOCOL_VERSION; 860 goto fatal_err; 861 } 862 s->s3->hs.peer_legacy_version = server_version; 863 s->version = server_version; 864 865 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version); 866 if (s->s3->hs.negotiated_tls_version == 0) { 867 SSLerror(s, ERR_R_INTERNAL_ERROR); 868 goto err; 869 } 870 871 if ((method = ssl_get_method(server_version)) == NULL) { 872 SSLerror(s, ERR_R_INTERNAL_ERROR); 873 goto err; 874 } 875 s->method = method; 876 877 /* Server random. */ 878 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE)) 879 goto decode_err; 880 if (!CBS_write_bytes(&server_random, s->s3->server_random, 881 sizeof(s->s3->server_random), NULL)) 882 goto err; 883 884 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION && 885 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) { 886 /* 887 * RFC 8446 section 4.1.3. We must not downgrade if the server 888 * random value contains the TLS 1.2 or TLS 1.1 magical value. 889 */ 890 if (!CBS_skip(&server_random, 891 CBS_len(&server_random) - sizeof(tls13_downgrade_12))) 892 goto err; 893 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION && 894 CBS_mem_equal(&server_random, tls13_downgrade_12, 895 sizeof(tls13_downgrade_12))) { 896 al = SSL_AD_ILLEGAL_PARAMETER; 897 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); 898 goto fatal_err; 899 } 900 if (CBS_mem_equal(&server_random, tls13_downgrade_11, 901 sizeof(tls13_downgrade_11))) { 902 al = SSL_AD_ILLEGAL_PARAMETER; 903 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); 904 goto fatal_err; 905 } 906 } 907 908 /* Session ID. */ 909 if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) 910 goto decode_err; 911 912 if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { 913 al = SSL_AD_ILLEGAL_PARAMETER; 914 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); 915 goto fatal_err; 916 } 917 918 /* Cipher suite. */ 919 if (!CBS_get_u16(&cbs, &cipher_suite)) 920 goto decode_err; 921 922 /* 923 * Check if we want to resume the session based on external 924 * pre-shared secret. 925 */ 926 if (s->internal->tls_session_secret_cb) { 927 SSL_CIPHER *pref_cipher = NULL; 928 s->session->master_key_length = sizeof(s->session->master_key); 929 if (s->internal->tls_session_secret_cb(s, s->session->master_key, 930 &s->session->master_key_length, NULL, &pref_cipher, 931 s->internal->tls_session_secret_cb_arg)) { 932 s->session->cipher = pref_cipher ? pref_cipher : 933 ssl3_get_cipher_by_value(cipher_suite); 934 s->s3->flags |= SSL3_FLAGS_CCS_OK; 935 } 936 } 937 938 if (s->session->session_id_length != 0 && 939 CBS_mem_equal(&session_id, s->session->session_id, 940 s->session->session_id_length)) { 941 if (s->sid_ctx_length != s->session->sid_ctx_length || 942 timingsafe_memcmp(s->session->sid_ctx, 943 s->sid_ctx, s->sid_ctx_length) != 0) { 944 /* actually a client application bug */ 945 al = SSL_AD_ILLEGAL_PARAMETER; 946 SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 947 goto fatal_err; 948 } 949 s->s3->flags |= SSL3_FLAGS_CCS_OK; 950 s->internal->hit = 1; 951 } else { 952 /* a miss or crap from the other end */ 953 954 /* If we were trying for session-id reuse, make a new 955 * SSL_SESSION so we don't stuff up other people */ 956 s->internal->hit = 0; 957 if (s->session->session_id_length > 0) { 958 if (!ssl_get_new_session(s, 0)) { 959 al = SSL_AD_INTERNAL_ERROR; 960 goto fatal_err; 961 } 962 } 963 964 /* 965 * XXX - improve the handling for the case where there is a 966 * zero length session identifier. 967 */ 968 if (!CBS_write_bytes(&session_id, s->session->session_id, 969 sizeof(s->session->session_id), &outlen)) 970 goto err; 971 s->session->session_id_length = outlen; 972 973 s->session->ssl_version = s->version; 974 } 975 976 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { 977 al = SSL_AD_ILLEGAL_PARAMETER; 978 SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED); 979 goto fatal_err; 980 } 981 982 /* TLS v1.2 only ciphersuites require v1.2 or later. */ 983 if ((cipher->algorithm_ssl & SSL_TLSV1_2) && 984 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) { 985 al = SSL_AD_ILLEGAL_PARAMETER; 986 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); 987 goto fatal_err; 988 } 989 990 if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { 991 /* we did not say we would use this cipher */ 992 al = SSL_AD_ILLEGAL_PARAMETER; 993 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); 994 goto fatal_err; 995 } 996 997 /* 998 * Depending on the session caching (internal/external), the cipher 999 * and/or cipher_id values may not be set. Make sure that 1000 * cipher_id is set and use it for comparison. 1001 */ 1002 if (s->session->cipher) 1003 s->session->cipher_id = s->session->cipher->id; 1004 if (s->internal->hit && (s->session->cipher_id != cipher->id)) { 1005 al = SSL_AD_ILLEGAL_PARAMETER; 1006 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1007 goto fatal_err; 1008 } 1009 s->s3->hs.cipher = cipher; 1010 1011 if (!tls1_transcript_hash_init(s)) 1012 goto err; 1013 1014 /* 1015 * Don't digest cached records if no sigalgs: we may need them for 1016 * client authentication. 1017 */ 1018 alg_k = s->s3->hs.cipher->algorithm_mkey; 1019 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) 1020 tls1_transcript_free(s); 1021 1022 if (!CBS_get_u8(&cbs, &compression_method)) 1023 goto decode_err; 1024 1025 if (compression_method != 0) { 1026 al = SSL_AD_ILLEGAL_PARAMETER; 1027 SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1028 goto fatal_err; 1029 } 1030 1031 if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) { 1032 SSLerror(s, SSL_R_PARSE_TLSEXT); 1033 goto fatal_err; 1034 } 1035 1036 if (CBS_len(&cbs) != 0) 1037 goto decode_err; 1038 1039 /* 1040 * Determine if we need to see RI. Strictly speaking if we want to 1041 * avoid an attack we should *always* see RI even on initial server 1042 * hello because the client doesn't see any renegotiation during an 1043 * attack. However this would mean we could not connect to any server 1044 * which doesn't support RI so for the immediate future tolerate RI 1045 * absence on initial connect only. 1046 */ 1047 if (!s->s3->renegotiate_seen && 1048 !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { 1049 al = SSL_AD_HANDSHAKE_FAILURE; 1050 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1051 goto fatal_err; 1052 } 1053 1054 if (ssl_check_serverhello_tlsext(s) <= 0) { 1055 SSLerror(s, SSL_R_SERVERHELLO_TLSEXT); 1056 goto err; 1057 } 1058 1059 return (1); 1060 1061 decode_err: 1062 /* wrong packet length */ 1063 al = SSL_AD_DECODE_ERROR; 1064 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1065 fatal_err: 1066 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1067 err: 1068 return (-1); 1069 } 1070 1071 int 1072 ssl3_get_server_certificate(SSL *s) 1073 { 1074 CBS cbs, cert_list; 1075 X509 *x = NULL; 1076 const unsigned char *q; 1077 STACK_OF(X509) *sk = NULL; 1078 EVP_PKEY *pkey; 1079 int cert_type; 1080 int al, ret; 1081 1082 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, 1083 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) 1084 return ret; 1085 1086 ret = -1; 1087 1088 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { 1089 s->s3->hs.tls12.reuse_message = 1; 1090 return (1); 1091 } 1092 1093 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { 1094 al = SSL_AD_UNEXPECTED_MESSAGE; 1095 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1096 goto fatal_err; 1097 } 1098 1099 if ((sk = sk_X509_new_null()) == NULL) { 1100 SSLerror(s, ERR_R_MALLOC_FAILURE); 1101 goto err; 1102 } 1103 1104 if (s->internal->init_num < 0) 1105 goto decode_err; 1106 1107 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1108 if (CBS_len(&cbs) < 3) 1109 goto decode_err; 1110 1111 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || 1112 CBS_len(&cbs) != 0) { 1113 al = SSL_AD_DECODE_ERROR; 1114 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1115 goto fatal_err; 1116 } 1117 1118 while (CBS_len(&cert_list) > 0) { 1119 CBS cert; 1120 1121 if (CBS_len(&cert_list) < 3) 1122 goto decode_err; 1123 if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { 1124 al = SSL_AD_DECODE_ERROR; 1125 SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); 1126 goto fatal_err; 1127 } 1128 1129 q = CBS_data(&cert); 1130 x = d2i_X509(NULL, &q, CBS_len(&cert)); 1131 if (x == NULL) { 1132 al = SSL_AD_BAD_CERTIFICATE; 1133 SSLerror(s, ERR_R_ASN1_LIB); 1134 goto fatal_err; 1135 } 1136 if (q != CBS_data(&cert) + CBS_len(&cert)) { 1137 al = SSL_AD_DECODE_ERROR; 1138 SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); 1139 goto fatal_err; 1140 } 1141 if (!sk_X509_push(sk, x)) { 1142 SSLerror(s, ERR_R_MALLOC_FAILURE); 1143 goto err; 1144 } 1145 x = NULL; 1146 } 1147 1148 if (ssl_verify_cert_chain(s, sk) <= 0 && 1149 s->verify_mode != SSL_VERIFY_NONE) { 1150 al = ssl_verify_alarm_type(s->verify_result); 1151 SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); 1152 goto fatal_err; 1153 } 1154 ERR_clear_error(); /* but we keep s->verify_result */ 1155 1156 /* 1157 * Inconsistency alert: cert_chain does include the peer's 1158 * certificate, which we don't include in s3_srvr.c 1159 */ 1160 x = sk_X509_value(sk, 0); 1161 1162 if ((pkey = X509_get0_pubkey(x)) == NULL || 1163 EVP_PKEY_missing_parameters(pkey)) { 1164 x = NULL; 1165 al = SSL3_AL_FATAL; 1166 SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1167 goto fatal_err; 1168 } 1169 if ((cert_type = ssl_cert_type(pkey)) < 0) { 1170 x = NULL; 1171 al = SSL3_AL_FATAL; 1172 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1173 goto fatal_err; 1174 } 1175 1176 X509_up_ref(x); 1177 X509_free(s->session->peer_cert); 1178 s->session->peer_cert = x; 1179 s->session->peer_cert_type = cert_type; 1180 1181 s->session->verify_result = s->verify_result; 1182 1183 sk_X509_pop_free(s->session->cert_chain, X509_free); 1184 s->session->cert_chain = sk; 1185 sk = NULL; 1186 1187 x = NULL; 1188 ret = 1; 1189 1190 if (0) { 1191 decode_err: 1192 /* wrong packet length */ 1193 al = SSL_AD_DECODE_ERROR; 1194 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1195 fatal_err: 1196 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1197 } 1198 err: 1199 X509_free(x); 1200 sk_X509_pop_free(sk, X509_free); 1201 1202 return (ret); 1203 } 1204 1205 static int 1206 ssl3_get_server_kex_dhe(SSL *s, CBS *cbs) 1207 { 1208 int decode_error, invalid_params, invalid_key; 1209 int nid = NID_dhKeyAgreement; 1210 1211 tls_key_share_free(s->s3->hs.key_share); 1212 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1213 goto err; 1214 1215 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs, 1216 &decode_error, &invalid_params)) { 1217 if (decode_error) { 1218 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1219 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1220 } 1221 goto err; 1222 } 1223 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs, 1224 &decode_error, &invalid_key)) { 1225 if (decode_error) { 1226 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1227 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1228 } 1229 goto err; 1230 } 1231 1232 if (invalid_params) { 1233 SSLerror(s, SSL_R_BAD_DH_P_LENGTH); 1234 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 1235 goto err; 1236 } 1237 if (invalid_key) { 1238 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH); 1239 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 1240 goto err; 1241 } 1242 1243 return 1; 1244 1245 err: 1246 return 0; 1247 } 1248 1249 static int 1250 ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) 1251 { 1252 uint8_t curve_type; 1253 uint16_t curve_id; 1254 int decode_error; 1255 CBS public; 1256 1257 if (!CBS_get_u8(cbs, &curve_type)) 1258 goto decode_err; 1259 if (!CBS_get_u16(cbs, &curve_id)) 1260 goto decode_err; 1261 1262 /* Only named curves are supported. */ 1263 if (curve_type != NAMED_CURVE_TYPE) { 1264 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1265 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1266 goto err; 1267 } 1268 1269 if (!CBS_get_u8_length_prefixed(cbs, &public)) 1270 goto decode_err; 1271 1272 /* 1273 * Check that the curve is one of our preferences - if it is not, 1274 * the server has sent us an invalid curve. 1275 */ 1276 if (!tls1_check_curve(s, curve_id)) { 1277 SSLerror(s, SSL_R_WRONG_CURVE); 1278 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 1279 goto err; 1280 } 1281 1282 tls_key_share_free(s->s3->hs.key_share); 1283 if ((s->s3->hs.key_share = tls_key_share_new(curve_id)) == NULL) 1284 goto err; 1285 1286 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public, 1287 &decode_error, NULL)) { 1288 if (decode_error) 1289 goto decode_err; 1290 goto err; 1291 } 1292 1293 return 1; 1294 1295 decode_err: 1296 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1297 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1298 err: 1299 return 0; 1300 } 1301 1302 int 1303 ssl3_get_server_key_exchange(SSL *s) 1304 { 1305 CBS cbs, signature; 1306 EVP_MD_CTX *md_ctx; 1307 const unsigned char *param; 1308 size_t param_len; 1309 long alg_k, alg_a; 1310 int al, ret; 1311 1312 alg_k = s->s3->hs.cipher->algorithm_mkey; 1313 alg_a = s->s3->hs.cipher->algorithm_auth; 1314 1315 /* 1316 * Use same message size as in ssl3_get_certificate_request() 1317 * as ServerKeyExchange message may be skipped. 1318 */ 1319 if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, 1320 SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list)) <= 0) 1321 return ret; 1322 1323 if ((md_ctx = EVP_MD_CTX_new()) == NULL) 1324 goto err; 1325 1326 if (s->internal->init_num < 0) 1327 goto err; 1328 1329 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1330 1331 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { 1332 /* 1333 * Do not skip server key exchange if this cipher suite uses 1334 * ephemeral keys. 1335 */ 1336 if (alg_k & (SSL_kDHE|SSL_kECDHE)) { 1337 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); 1338 al = SSL_AD_UNEXPECTED_MESSAGE; 1339 goto fatal_err; 1340 } 1341 1342 s->s3->hs.tls12.reuse_message = 1; 1343 EVP_MD_CTX_free(md_ctx); 1344 return (1); 1345 } 1346 1347 param = CBS_data(&cbs); 1348 param_len = CBS_len(&cbs); 1349 1350 if (alg_k & SSL_kDHE) { 1351 if (!ssl3_get_server_kex_dhe(s, &cbs)) 1352 goto err; 1353 } else if (alg_k & SSL_kECDHE) { 1354 if (!ssl3_get_server_kex_ecdhe(s, &cbs)) 1355 goto err; 1356 } else if (alg_k != 0) { 1357 al = SSL_AD_UNEXPECTED_MESSAGE; 1358 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); 1359 goto fatal_err; 1360 } 1361 1362 param_len -= CBS_len(&cbs); 1363 1364 /* if it was signed, check the signature */ 1365 if ((alg_a & SSL_aNULL) == 0) { 1366 uint16_t sigalg_value = SIGALG_NONE; 1367 const struct ssl_sigalg *sigalg; 1368 EVP_PKEY_CTX *pctx; 1369 EVP_PKEY *pkey = NULL; 1370 1371 if ((alg_a & SSL_aRSA) != 0 && 1372 s->session->peer_cert_type == SSL_PKEY_RSA) { 1373 pkey = X509_get0_pubkey(s->session->peer_cert); 1374 } else if ((alg_a & SSL_aECDSA) != 0 && 1375 s->session->peer_cert_type == SSL_PKEY_ECC) { 1376 pkey = X509_get0_pubkey(s->session->peer_cert); 1377 } 1378 if (pkey == NULL) { 1379 al = SSL_AD_ILLEGAL_PARAMETER; 1380 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1381 goto fatal_err; 1382 } 1383 1384 if (SSL_USE_SIGALGS(s)) { 1385 if (!CBS_get_u16(&cbs, &sigalg_value)) 1386 goto decode_err; 1387 } 1388 if (!CBS_get_u16_length_prefixed(&cbs, &signature)) 1389 goto decode_err; 1390 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { 1391 al = SSL_AD_DECODE_ERROR; 1392 SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH); 1393 goto fatal_err; 1394 } 1395 1396 if ((sigalg = ssl_sigalg_for_peer(s, pkey, 1397 sigalg_value)) == NULL) { 1398 al = SSL_AD_DECODE_ERROR; 1399 goto fatal_err; 1400 } 1401 s->s3->hs.peer_sigalg = sigalg; 1402 1403 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(), 1404 NULL, pkey)) 1405 goto err; 1406 if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->client_random, 1407 SSL3_RANDOM_SIZE)) 1408 goto err; 1409 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && 1410 (!EVP_PKEY_CTX_set_rsa_padding(pctx, 1411 RSA_PKCS1_PSS_PADDING) || 1412 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) 1413 goto err; 1414 if (!EVP_DigestVerifyUpdate(md_ctx, s->s3->server_random, 1415 SSL3_RANDOM_SIZE)) 1416 goto err; 1417 if (!EVP_DigestVerifyUpdate(md_ctx, param, param_len)) 1418 goto err; 1419 if (EVP_DigestVerifyFinal(md_ctx, CBS_data(&signature), 1420 CBS_len(&signature)) <= 0) { 1421 al = SSL_AD_DECRYPT_ERROR; 1422 SSLerror(s, SSL_R_BAD_SIGNATURE); 1423 goto fatal_err; 1424 } 1425 } 1426 1427 if (CBS_len(&cbs) != 0) { 1428 al = SSL_AD_DECODE_ERROR; 1429 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); 1430 goto fatal_err; 1431 } 1432 1433 EVP_MD_CTX_free(md_ctx); 1434 1435 return (1); 1436 1437 decode_err: 1438 al = SSL_AD_DECODE_ERROR; 1439 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1440 1441 fatal_err: 1442 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1443 1444 err: 1445 EVP_MD_CTX_free(md_ctx); 1446 1447 return (-1); 1448 } 1449 1450 int 1451 ssl3_get_certificate_request(SSL *s) 1452 { 1453 CBS cert_request, cert_types, rdn_list; 1454 X509_NAME *xn = NULL; 1455 const unsigned char *q; 1456 STACK_OF(X509_NAME) *ca_sk = NULL; 1457 int ret; 1458 1459 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, 1460 SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list)) <= 0) 1461 return ret; 1462 1463 ret = 0; 1464 1465 s->s3->hs.tls12.cert_request = 0; 1466 1467 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) { 1468 s->s3->hs.tls12.reuse_message = 1; 1469 /* 1470 * If we get here we don't need any cached handshake records 1471 * as we wont be doing client auth. 1472 */ 1473 tls1_transcript_free(s); 1474 return (1); 1475 } 1476 1477 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) { 1478 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1479 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); 1480 goto err; 1481 } 1482 1483 /* TLS does not like anon-DH with client cert */ 1484 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) { 1485 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1486 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1487 goto err; 1488 } 1489 1490 if (s->internal->init_num < 0) 1491 goto decode_err; 1492 CBS_init(&cert_request, s->internal->init_msg, s->internal->init_num); 1493 1494 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { 1495 SSLerror(s, ERR_R_MALLOC_FAILURE); 1496 goto err; 1497 } 1498 1499 if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types)) 1500 goto decode_err; 1501 1502 if (SSL_USE_SIGALGS(s)) { 1503 CBS sigalgs; 1504 1505 if (CBS_len(&cert_request) < 2) { 1506 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1507 goto err; 1508 } 1509 if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) { 1510 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1511 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1512 goto err; 1513 } 1514 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) { 1515 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1516 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1517 goto err; 1518 } 1519 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs, 1520 &s->s3->hs.sigalgs_len)) 1521 goto err; 1522 } 1523 1524 /* get the CA RDNs */ 1525 if (CBS_len(&cert_request) < 2) { 1526 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1527 goto err; 1528 } 1529 1530 if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) || 1531 CBS_len(&cert_request) != 0) { 1532 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1533 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1534 goto err; 1535 } 1536 1537 while (CBS_len(&rdn_list) > 0) { 1538 CBS rdn; 1539 1540 if (CBS_len(&rdn_list) < 2) { 1541 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1542 goto err; 1543 } 1544 1545 if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) { 1546 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1547 SSLerror(s, SSL_R_CA_DN_TOO_LONG); 1548 goto err; 1549 } 1550 1551 q = CBS_data(&rdn); 1552 if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) { 1553 ssl3_send_alert(s, SSL3_AL_FATAL, 1554 SSL_AD_DECODE_ERROR); 1555 SSLerror(s, ERR_R_ASN1_LIB); 1556 goto err; 1557 } 1558 1559 if (q != CBS_data(&rdn) + CBS_len(&rdn)) { 1560 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1561 SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH); 1562 goto err; 1563 } 1564 if (!sk_X509_NAME_push(ca_sk, xn)) { 1565 SSLerror(s, ERR_R_MALLOC_FAILURE); 1566 goto err; 1567 } 1568 xn = NULL; /* avoid free in err block */ 1569 } 1570 1571 /* we should setup a certificate to return.... */ 1572 s->s3->hs.tls12.cert_request = 1; 1573 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); 1574 s->s3->hs.tls12.ca_names = ca_sk; 1575 ca_sk = NULL; 1576 1577 ret = 1; 1578 if (0) { 1579 decode_err: 1580 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1581 } 1582 err: 1583 X509_NAME_free(xn); 1584 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 1585 return (ret); 1586 } 1587 1588 static int 1589 ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 1590 { 1591 return (X509_NAME_cmp(*a, *b)); 1592 } 1593 1594 int 1595 ssl3_get_new_session_ticket(SSL *s) 1596 { 1597 uint32_t lifetime_hint; 1598 CBS cbs, session_ticket; 1599 int al, ret; 1600 1601 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, 1602 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0) 1603 return ret; 1604 1605 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) { 1606 s->s3->hs.tls12.reuse_message = 1; 1607 return (1); 1608 } 1609 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) { 1610 al = SSL_AD_UNEXPECTED_MESSAGE; 1611 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1612 goto fatal_err; 1613 } 1614 1615 if (s->internal->init_num < 0) { 1616 al = SSL_AD_DECODE_ERROR; 1617 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1618 goto fatal_err; 1619 } 1620 1621 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1622 if (!CBS_get_u32(&cbs, &lifetime_hint) || 1623 !CBS_get_u16_length_prefixed(&cbs, &session_ticket) || 1624 CBS_len(&cbs) != 0) { 1625 al = SSL_AD_DECODE_ERROR; 1626 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1627 goto fatal_err; 1628 } 1629 s->session->tlsext_tick_lifetime_hint = lifetime_hint; 1630 1631 if (!CBS_stow(&session_ticket, &s->session->tlsext_tick, 1632 &s->session->tlsext_ticklen)) { 1633 SSLerror(s, ERR_R_MALLOC_FAILURE); 1634 goto err; 1635 } 1636 1637 /* 1638 * There are two ways to detect a resumed ticket sesion. 1639 * One is to set an appropriate session ID and then the server 1640 * must return a match in ServerHello. This allows the normal 1641 * client session ID matching to work and we know much 1642 * earlier that the ticket has been accepted. 1643 * 1644 * The other way is to set zero length session ID when the 1645 * ticket is presented and rely on the handshake to determine 1646 * session resumption. 1647 * 1648 * We choose the former approach because this fits in with 1649 * assumptions elsewhere in OpenSSL. The session ID is set 1650 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 1651 * ticket. 1652 */ 1653 EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket), 1654 s->session->session_id, &s->session->session_id_length, 1655 EVP_sha256(), NULL); 1656 1657 return (1); 1658 1659 fatal_err: 1660 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1661 err: 1662 return (-1); 1663 } 1664 1665 int 1666 ssl3_get_cert_status(SSL *s) 1667 { 1668 CBS cert_status, response; 1669 uint8_t status_type; 1670 int al, ret; 1671 1672 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A, 1673 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0) 1674 return ret; 1675 1676 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { 1677 /* 1678 * Tell the callback the server did not send us an OSCP 1679 * response, and has decided to head directly to key exchange. 1680 */ 1681 if (s->ctx->internal->tlsext_status_cb) { 1682 free(s->internal->tlsext_ocsp_resp); 1683 s->internal->tlsext_ocsp_resp = NULL; 1684 s->internal->tlsext_ocsp_resp_len = 0; 1685 1686 ret = s->ctx->internal->tlsext_status_cb(s, 1687 s->ctx->internal->tlsext_status_arg); 1688 if (ret == 0) { 1689 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1690 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); 1691 goto fatal_err; 1692 } 1693 if (ret < 0) { 1694 al = SSL_AD_INTERNAL_ERROR; 1695 SSLerror(s, ERR_R_MALLOC_FAILURE); 1696 goto fatal_err; 1697 } 1698 } 1699 s->s3->hs.tls12.reuse_message = 1; 1700 return (1); 1701 } 1702 1703 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE && 1704 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) { 1705 al = SSL_AD_UNEXPECTED_MESSAGE; 1706 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE); 1707 goto fatal_err; 1708 } 1709 1710 if (s->internal->init_num < 0) { 1711 /* need at least status type + length */ 1712 al = SSL_AD_DECODE_ERROR; 1713 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1714 goto fatal_err; 1715 } 1716 1717 CBS_init(&cert_status, s->internal->init_msg, s->internal->init_num); 1718 if (!CBS_get_u8(&cert_status, &status_type) || 1719 CBS_len(&cert_status) < 3) { 1720 /* need at least status type + length */ 1721 al = SSL_AD_DECODE_ERROR; 1722 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1723 goto fatal_err; 1724 } 1725 1726 if (status_type != TLSEXT_STATUSTYPE_ocsp) { 1727 al = SSL_AD_DECODE_ERROR; 1728 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); 1729 goto fatal_err; 1730 } 1731 1732 if (!CBS_get_u24_length_prefixed(&cert_status, &response) || 1733 CBS_len(&cert_status) != 0) { 1734 al = SSL_AD_DECODE_ERROR; 1735 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1736 goto fatal_err; 1737 } 1738 1739 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, 1740 &s->internal->tlsext_ocsp_resp_len)) { 1741 al = SSL_AD_INTERNAL_ERROR; 1742 SSLerror(s, ERR_R_MALLOC_FAILURE); 1743 goto fatal_err; 1744 } 1745 1746 if (s->ctx->internal->tlsext_status_cb) { 1747 int ret; 1748 ret = s->ctx->internal->tlsext_status_cb(s, 1749 s->ctx->internal->tlsext_status_arg); 1750 if (ret == 0) { 1751 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1752 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); 1753 goto fatal_err; 1754 } 1755 if (ret < 0) { 1756 al = SSL_AD_INTERNAL_ERROR; 1757 SSLerror(s, ERR_R_MALLOC_FAILURE); 1758 goto fatal_err; 1759 } 1760 } 1761 return (1); 1762 fatal_err: 1763 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1764 return (-1); 1765 } 1766 1767 int 1768 ssl3_get_server_done(SSL *s) 1769 { 1770 int ret; 1771 1772 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A, 1773 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 1774 30 /* should be very small, like 0 :-) */)) <= 0) 1775 return ret; 1776 1777 if (s->internal->init_num != 0) { 1778 /* should contain no data */ 1779 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1780 SSLerror(s, SSL_R_LENGTH_MISMATCH); 1781 return -1; 1782 } 1783 1784 return 1; 1785 } 1786 1787 static int 1788 ssl3_send_client_kex_rsa(SSL *s, CBB *cbb) 1789 { 1790 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH]; 1791 unsigned char *enc_pms = NULL; 1792 uint16_t max_legacy_version; 1793 EVP_PKEY *pkey; 1794 RSA *rsa; 1795 int ret = 0; 1796 int enc_len; 1797 CBB epms; 1798 1799 /* 1800 * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1. 1801 */ 1802 1803 pkey = X509_get0_pubkey(s->session->peer_cert); 1804 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { 1805 SSLerror(s, ERR_R_INTERNAL_ERROR); 1806 goto err; 1807 } 1808 1809 /* 1810 * Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1 1811 * says "The latest (newest) version supported by the client", if we're 1812 * doing RSA key exchange then we have to presume that we're talking to 1813 * a server that does not understand the supported versions extension 1814 * and therefore our maximum version is that sent in the ClientHello. 1815 */ 1816 if (!ssl_max_legacy_version(s, &max_legacy_version)) 1817 goto err; 1818 pms[0] = max_legacy_version >> 8; 1819 pms[1] = max_legacy_version & 0xff; 1820 arc4random_buf(&pms[2], sizeof(pms) - 2); 1821 1822 if ((enc_pms = malloc(RSA_size(rsa))) == NULL) { 1823 SSLerror(s, ERR_R_MALLOC_FAILURE); 1824 goto err; 1825 } 1826 1827 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa, 1828 RSA_PKCS1_PADDING); 1829 if (enc_len <= 0) { 1830 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT); 1831 goto err; 1832 } 1833 1834 if (!CBB_add_u16_length_prefixed(cbb, &epms)) 1835 goto err; 1836 if (!CBB_add_bytes(&epms, enc_pms, enc_len)) 1837 goto err; 1838 if (!CBB_flush(cbb)) 1839 goto err; 1840 1841 if (!tls12_derive_master_secret(s, pms, sizeof(pms))) 1842 goto err; 1843 1844 ret = 1; 1845 1846 err: 1847 explicit_bzero(pms, sizeof(pms)); 1848 free(enc_pms); 1849 1850 return ret; 1851 } 1852 1853 static int 1854 ssl3_send_client_kex_dhe(SSL *s, CBB *cbb) 1855 { 1856 uint8_t *key = NULL; 1857 size_t key_len = 0; 1858 int ret = 0; 1859 1860 /* Ensure that we have an ephemeral key from the server for DHE. */ 1861 if (s->s3->hs.key_share == NULL) { 1862 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1863 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1864 goto err; 1865 } 1866 1867 if (!tls_key_share_generate(s->s3->hs.key_share)) 1868 goto err; 1869 if (!tls_key_share_public(s->s3->hs.key_share, cbb)) 1870 goto err; 1871 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len)) 1872 goto err; 1873 1874 if (!tls12_derive_master_secret(s, key, key_len)) 1875 goto err; 1876 1877 ret = 1; 1878 1879 err: 1880 freezero(key, key_len); 1881 1882 return ret; 1883 } 1884 1885 static int 1886 ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb) 1887 { 1888 uint8_t *key = NULL; 1889 size_t key_len = 0; 1890 CBB public; 1891 int ret = 0; 1892 1893 /* Ensure that we have an ephemeral key for ECDHE. */ 1894 if (s->s3->hs.key_share == NULL) { 1895 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1896 SSLerror(s, ERR_R_INTERNAL_ERROR); 1897 goto err; 1898 } 1899 1900 if (!tls_key_share_generate(s->s3->hs.key_share)) 1901 goto err; 1902 1903 if (!CBB_add_u8_length_prefixed(cbb, &public)) 1904 return 0; 1905 if (!tls_key_share_public(s->s3->hs.key_share, &public)) 1906 goto err; 1907 if (!CBB_flush(cbb)) 1908 goto err; 1909 1910 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len)) 1911 goto err; 1912 1913 if (!tls12_derive_master_secret(s, key, key_len)) 1914 goto err; 1915 1916 ret = 1; 1917 1918 err: 1919 freezero(key, key_len); 1920 1921 return ret; 1922 } 1923 1924 static int 1925 ssl3_send_client_kex_gost(SSL *s, CBB *cbb) 1926 { 1927 unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; 1928 EVP_PKEY_CTX *pkey_ctx = NULL; 1929 EVP_MD_CTX *ukm_hash = NULL; 1930 EVP_PKEY *pkey; 1931 size_t msglen; 1932 unsigned int md_len; 1933 CBB gostblob; 1934 int nid; 1935 int ret = 0; 1936 1937 /* Get server sertificate PKEY and create ctx from it */ 1938 pkey = X509_get0_pubkey(s->session->peer_cert); 1939 if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) { 1940 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 1941 goto err; 1942 } 1943 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { 1944 SSLerror(s, ERR_R_MALLOC_FAILURE); 1945 goto err; 1946 } 1947 1948 /* 1949 * If we have send a certificate, and certificate key parameters match 1950 * those of server certificate, use certificate key for key exchange. 1951 * Otherwise, generate ephemeral key pair. 1952 */ 1953 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) 1954 goto err; 1955 1956 /* Generate session key. */ 1957 arc4random_buf(premaster_secret, sizeof(premaster_secret)); 1958 1959 /* 1960 * If we have client certificate, use its secret as peer key. 1961 * XXX - this presumably lacks PFS. 1962 */ 1963 if (s->s3->hs.tls12.cert_request != 0 && 1964 s->cert->key->privatekey != NULL) { 1965 if (EVP_PKEY_derive_set_peer(pkey_ctx, 1966 s->cert->key->privatekey) <=0) { 1967 /* 1968 * If there was an error - just ignore it. 1969 * Ephemeral key would be used. 1970 */ 1971 ERR_clear_error(); 1972 } 1973 } 1974 1975 /* 1976 * Compute shared IV and store it in algorithm-specific context data. 1977 */ 1978 if ((ukm_hash = EVP_MD_CTX_new()) == NULL) { 1979 SSLerror(s, ERR_R_MALLOC_FAILURE); 1980 goto err; 1981 } 1982 1983 /* XXX check handshake hash instead. */ 1984 if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) 1985 nid = NID_id_GostR3411_94; 1986 else 1987 nid = NID_id_tc26_gost3411_2012_256; 1988 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid))) 1989 goto err; 1990 if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE)) 1991 goto err; 1992 if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE)) 1993 goto err; 1994 if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len)) 1995 goto err; 1996 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 1997 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { 1998 SSLerror(s, SSL_R_LIBRARY_BUG); 1999 goto err; 2000 } 2001 2002 /* 2003 * Make GOST keytransport blob message, encapsulate it into sequence. 2004 */ 2005 msglen = 255; 2006 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 2007 sizeof(premaster_secret)) < 0) { 2008 SSLerror(s, SSL_R_LIBRARY_BUG); 2009 goto err; 2010 } 2011 2012 if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE)) 2013 goto err; 2014 if (!CBB_add_bytes(&gostblob, tmp, msglen)) 2015 goto err; 2016 if (!CBB_flush(cbb)) 2017 goto err; 2018 2019 /* Check if pubkey from client certificate was used. */ 2020 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, 2021 NULL) > 0) 2022 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2023 2024 if (!tls12_derive_master_secret(s, premaster_secret, 32)) 2025 goto err; 2026 2027 ret = 1; 2028 2029 err: 2030 explicit_bzero(premaster_secret, sizeof(premaster_secret)); 2031 EVP_PKEY_CTX_free(pkey_ctx); 2032 EVP_MD_CTX_free(ukm_hash); 2033 2034 return ret; 2035 } 2036 2037 int 2038 ssl3_send_client_key_exchange(SSL *s) 2039 { 2040 unsigned long alg_k; 2041 CBB cbb, kex; 2042 2043 memset(&cbb, 0, sizeof(cbb)); 2044 2045 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) { 2046 alg_k = s->s3->hs.cipher->algorithm_mkey; 2047 2048 if (!ssl3_handshake_msg_start(s, &cbb, &kex, 2049 SSL3_MT_CLIENT_KEY_EXCHANGE)) 2050 goto err; 2051 2052 if (alg_k & SSL_kRSA) { 2053 if (!ssl3_send_client_kex_rsa(s, &kex)) 2054 goto err; 2055 } else if (alg_k & SSL_kDHE) { 2056 if (!ssl3_send_client_kex_dhe(s, &kex)) 2057 goto err; 2058 } else if (alg_k & SSL_kECDHE) { 2059 if (!ssl3_send_client_kex_ecdhe(s, &kex)) 2060 goto err; 2061 } else if (alg_k & SSL_kGOST) { 2062 if (!ssl3_send_client_kex_gost(s, &kex)) 2063 goto err; 2064 } else { 2065 ssl3_send_alert(s, SSL3_AL_FATAL, 2066 SSL_AD_HANDSHAKE_FAILURE); 2067 SSLerror(s, ERR_R_INTERNAL_ERROR); 2068 goto err; 2069 } 2070 2071 if (!ssl3_handshake_msg_finish(s, &cbb)) 2072 goto err; 2073 2074 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B; 2075 } 2076 2077 /* SSL3_ST_CW_KEY_EXCH_B */ 2078 return (ssl3_handshake_write(s)); 2079 2080 err: 2081 CBB_cleanup(&cbb); 2082 2083 return (-1); 2084 } 2085 2086 static int 2087 ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, 2088 const struct ssl_sigalg *sigalg, CBB *cert_verify) 2089 { 2090 CBB cbb_signature; 2091 EVP_PKEY_CTX *pctx = NULL; 2092 EVP_MD_CTX *mctx = NULL; 2093 const unsigned char *hdata; 2094 unsigned char *signature = NULL; 2095 size_t signature_len, hdata_len; 2096 int ret = 0; 2097 2098 if ((mctx = EVP_MD_CTX_new()) == NULL) 2099 goto err; 2100 2101 if (!tls1_transcript_data(s, &hdata, &hdata_len)) { 2102 SSLerror(s, ERR_R_INTERNAL_ERROR); 2103 goto err; 2104 } 2105 if (!EVP_DigestSignInit(mctx, &pctx, sigalg->md(), NULL, pkey)) { 2106 SSLerror(s, ERR_R_EVP_LIB); 2107 goto err; 2108 } 2109 if (sigalg->key_type == EVP_PKEY_GOSTR01 && 2110 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 2111 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { 2112 SSLerror(s, ERR_R_EVP_LIB); 2113 goto err; 2114 } 2115 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && 2116 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || 2117 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { 2118 SSLerror(s, ERR_R_EVP_LIB); 2119 goto err; 2120 } 2121 if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) { 2122 SSLerror(s, ERR_R_EVP_LIB); 2123 goto err; 2124 } 2125 if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) || 2126 signature_len == 0) { 2127 SSLerror(s, ERR_R_EVP_LIB); 2128 goto err; 2129 } 2130 if ((signature = calloc(1, signature_len)) == NULL) { 2131 SSLerror(s, ERR_R_MALLOC_FAILURE); 2132 goto err; 2133 } 2134 if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) { 2135 SSLerror(s, ERR_R_EVP_LIB); 2136 goto err; 2137 } 2138 2139 if (!CBB_add_u16(cert_verify, sigalg->value)) 2140 goto err; 2141 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) 2142 goto err; 2143 if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) 2144 goto err; 2145 if (!CBB_flush(cert_verify)) 2146 goto err; 2147 2148 ret = 1; 2149 2150 err: 2151 EVP_MD_CTX_free(mctx); 2152 free(signature); 2153 return ret; 2154 } 2155 2156 static int 2157 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) 2158 { 2159 CBB cbb_signature; 2160 RSA *rsa; 2161 unsigned char data[EVP_MAX_MD_SIZE]; 2162 unsigned char *signature = NULL; 2163 unsigned int signature_len; 2164 size_t data_len; 2165 int ret = 0; 2166 2167 if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len)) 2168 goto err; 2169 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) 2170 goto err; 2171 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) 2172 goto err; 2173 if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len, 2174 rsa) <= 0 ) { 2175 SSLerror(s, ERR_R_RSA_LIB); 2176 goto err; 2177 } 2178 2179 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) 2180 goto err; 2181 if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) 2182 goto err; 2183 if (!CBB_flush(cert_verify)) 2184 goto err; 2185 2186 ret = 1; 2187 err: 2188 free(signature); 2189 return ret; 2190 } 2191 2192 static int 2193 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) 2194 { 2195 CBB cbb_signature; 2196 EC_KEY *eckey; 2197 unsigned char data[EVP_MAX_MD_SIZE]; 2198 unsigned char *signature = NULL; 2199 unsigned int signature_len; 2200 int ret = 0; 2201 2202 if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL)) 2203 goto err; 2204 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) 2205 goto err; 2206 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) 2207 goto err; 2208 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH, 2209 signature, &signature_len, eckey)) { 2210 SSLerror(s, ERR_R_ECDSA_LIB); 2211 goto err; 2212 } 2213 2214 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) 2215 goto err; 2216 if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) 2217 goto err; 2218 if (!CBB_flush(cert_verify)) 2219 goto err; 2220 2221 ret = 1; 2222 err: 2223 free(signature); 2224 return ret; 2225 } 2226 2227 #ifndef OPENSSL_NO_GOST 2228 static int 2229 ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) 2230 { 2231 CBB cbb_signature; 2232 EVP_MD_CTX *mctx; 2233 EVP_PKEY_CTX *pctx; 2234 const EVP_MD *md; 2235 const unsigned char *hdata; 2236 unsigned char *signature = NULL; 2237 size_t signature_len; 2238 size_t hdata_len; 2239 int nid; 2240 int ret = 0; 2241 2242 if ((mctx = EVP_MD_CTX_new()) == NULL) 2243 goto err; 2244 2245 if (!tls1_transcript_data(s, &hdata, &hdata_len)) { 2246 SSLerror(s, ERR_R_INTERNAL_ERROR); 2247 goto err; 2248 } 2249 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || 2250 (md = EVP_get_digestbynid(nid)) == NULL) { 2251 SSLerror(s, ERR_R_EVP_LIB); 2252 goto err; 2253 } 2254 if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) { 2255 SSLerror(s, ERR_R_EVP_LIB); 2256 goto err; 2257 } 2258 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 2259 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { 2260 SSLerror(s, ERR_R_EVP_LIB); 2261 goto err; 2262 } 2263 if (!EVP_DigestSignUpdate(mctx, hdata, hdata_len)) { 2264 SSLerror(s, ERR_R_EVP_LIB); 2265 goto err; 2266 } 2267 if (!EVP_DigestSignFinal(mctx, NULL, &signature_len) || 2268 signature_len == 0) { 2269 SSLerror(s, ERR_R_EVP_LIB); 2270 goto err; 2271 } 2272 if ((signature = calloc(1, signature_len)) == NULL) { 2273 SSLerror(s, ERR_R_MALLOC_FAILURE); 2274 goto err; 2275 } 2276 if (!EVP_DigestSignFinal(mctx, signature, &signature_len)) { 2277 SSLerror(s, ERR_R_EVP_LIB); 2278 goto err; 2279 } 2280 2281 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) 2282 goto err; 2283 if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) 2284 goto err; 2285 if (!CBB_flush(cert_verify)) 2286 goto err; 2287 2288 ret = 1; 2289 err: 2290 EVP_MD_CTX_free(mctx); 2291 free(signature); 2292 return ret; 2293 } 2294 #endif 2295 2296 int 2297 ssl3_send_client_verify(SSL *s) 2298 { 2299 const struct ssl_sigalg *sigalg; 2300 CBB cbb, cert_verify; 2301 EVP_PKEY *pkey; 2302 2303 memset(&cbb, 0, sizeof(cbb)); 2304 2305 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) { 2306 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, 2307 SSL3_MT_CERTIFICATE_VERIFY)) 2308 goto err; 2309 2310 pkey = s->cert->key->privatekey; 2311 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 2312 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2313 goto err; 2314 } 2315 s->s3->hs.our_sigalg = sigalg; 2316 2317 /* 2318 * For TLS v1.2 send signature algorithm and signature using 2319 * agreed digest and cached handshake records. 2320 */ 2321 if (SSL_USE_SIGALGS(s)) { 2322 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg, 2323 &cert_verify)) 2324 goto err; 2325 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { 2326 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify)) 2327 goto err; 2328 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { 2329 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify)) 2330 goto err; 2331 #ifndef OPENSSL_NO_GOST 2332 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 || 2333 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { 2334 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify)) 2335 goto err; 2336 #endif 2337 } else { 2338 SSLerror(s, ERR_R_INTERNAL_ERROR); 2339 goto err; 2340 } 2341 2342 tls1_transcript_free(s); 2343 2344 if (!ssl3_handshake_msg_finish(s, &cbb)) 2345 goto err; 2346 2347 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B; 2348 } 2349 2350 return (ssl3_handshake_write(s)); 2351 2352 err: 2353 CBB_cleanup(&cbb); 2354 2355 return (-1); 2356 } 2357 2358 int 2359 ssl3_send_client_certificate(SSL *s) 2360 { 2361 EVP_PKEY *pkey = NULL; 2362 X509 *x509 = NULL; 2363 CBB cbb, client_cert; 2364 int i; 2365 2366 memset(&cbb, 0, sizeof(cbb)); 2367 2368 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) { 2369 if (s->cert->key->x509 == NULL || 2370 s->cert->key->privatekey == NULL) 2371 s->s3->hs.state = SSL3_ST_CW_CERT_B; 2372 else 2373 s->s3->hs.state = SSL3_ST_CW_CERT_C; 2374 } 2375 2376 /* We need to get a client cert */ 2377 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) { 2378 /* 2379 * If we get an error, we need to 2380 * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); 2381 * We then get retried later. 2382 */ 2383 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2384 if (i < 0) { 2385 s->internal->rwstate = SSL_X509_LOOKUP; 2386 return (-1); 2387 } 2388 s->internal->rwstate = SSL_NOTHING; 2389 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 2390 s->s3->hs.state = SSL3_ST_CW_CERT_B; 2391 if (!SSL_use_certificate(s, x509) || 2392 !SSL_use_PrivateKey(s, pkey)) 2393 i = 0; 2394 } else if (i == 1) { 2395 i = 0; 2396 SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2397 } 2398 2399 X509_free(x509); 2400 EVP_PKEY_free(pkey); 2401 if (i == 0) { 2402 s->s3->hs.tls12.cert_request = 2; 2403 2404 /* There is no client certificate to verify. */ 2405 tls1_transcript_free(s); 2406 } 2407 2408 /* Ok, we have a cert */ 2409 s->s3->hs.state = SSL3_ST_CW_CERT_C; 2410 } 2411 2412 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) { 2413 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert, 2414 SSL3_MT_CERTIFICATE)) 2415 goto err; 2416 if (!ssl3_output_cert_chain(s, &client_cert, 2417 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key)) 2418 goto err; 2419 if (!ssl3_handshake_msg_finish(s, &cbb)) 2420 goto err; 2421 2422 s->s3->hs.state = SSL3_ST_CW_CERT_D; 2423 } 2424 2425 /* SSL3_ST_CW_CERT_D */ 2426 return (ssl3_handshake_write(s)); 2427 2428 err: 2429 CBB_cleanup(&cbb); 2430 2431 return (0); 2432 } 2433 2434 #define has_bits(i,m) (((i)&(m)) == (m)) 2435 2436 int 2437 ssl3_check_cert_and_algorithm(SSL *s) 2438 { 2439 long alg_k, alg_a; 2440 int nid = NID_undef; 2441 int i; 2442 2443 alg_k = s->s3->hs.cipher->algorithm_mkey; 2444 alg_a = s->s3->hs.cipher->algorithm_auth; 2445 2446 /* We don't have a certificate. */ 2447 if (alg_a & SSL_aNULL) 2448 return (1); 2449 2450 if (s->s3->hs.key_share != NULL) 2451 nid = tls_key_share_nid(s->s3->hs.key_share); 2452 2453 /* This is the passed certificate. */ 2454 2455 if (s->session->peer_cert_type == SSL_PKEY_ECC) { 2456 if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) { 2457 SSLerror(s, SSL_R_BAD_ECC_CERT); 2458 goto fatal_err; 2459 } 2460 return (1); 2461 } 2462 2463 i = X509_certificate_type(s->session->peer_cert, NULL); 2464 2465 /* Check that we have a certificate if we require one. */ 2466 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { 2467 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); 2468 goto fatal_err; 2469 } 2470 if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { 2471 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2472 goto fatal_err; 2473 } 2474 if ((alg_k & SSL_kDHE) && 2475 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) { 2476 SSLerror(s, SSL_R_MISSING_DH_KEY); 2477 goto fatal_err; 2478 } 2479 2480 return (1); 2481 2482 fatal_err: 2483 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2484 2485 return (0); 2486 } 2487 2488 /* 2489 * Check to see if handshake is full or resumed. Usually this is just a 2490 * case of checking to see if a cache hit has occurred. In the case of 2491 * session tickets we have to check the next message to be sure. 2492 */ 2493 2494 int 2495 ssl3_check_finished(SSL *s) 2496 { 2497 int ret; 2498 2499 /* If we have no ticket it cannot be a resumed session. */ 2500 if (!s->session->tlsext_tick) 2501 return (1); 2502 /* this function is called when we really expect a Certificate 2503 * message, so permit appropriate message length */ 2504 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, 2505 SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) 2506 return ret; 2507 2508 s->s3->hs.tls12.reuse_message = 1; 2509 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) || 2510 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET)) 2511 return (2); 2512 2513 return (1); 2514 } 2515 2516 int 2517 ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 2518 { 2519 int i = 0; 2520 2521 #ifndef OPENSSL_NO_ENGINE 2522 if (s->ctx->internal->client_cert_engine) { 2523 i = ENGINE_load_ssl_client_cert( 2524 s->ctx->internal->client_cert_engine, s, 2525 SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL); 2526 if (i != 0) 2527 return (i); 2528 } 2529 #endif 2530 if (s->ctx->internal->client_cert_cb) 2531 i = s->ctx->internal->client_cert_cb(s, px509, ppkey); 2532 return (i); 2533 } 2534