s3_srvr.c 121.3 KB
Newer Older
1
/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 4 5 6 7
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9 10 11 12 13 14
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16 17 18 19 20 21
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
22
 *
23 24 25 26 27 28 29 30 31 32 33 34 35 36
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38 39
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41 42 43 44 45 46 47 48 49 50 51
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
52
 *
53 54 55 56 57
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
58
/* ====================================================================
59
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 61 62 63 64 65
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
66
 *    notice, this list of conditions and the following disclaimer.
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
B
Bodo Möller 已提交
111 112 113
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
114
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
115 116 117 118 119 120 121 122 123
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
150

151

152
#include <stdio.h>
153
#include "ssl_locl.h"
154
#include "internal/constant_time_locl.h"
155 156 157 158
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
159
#include <openssl/hmac.h>
160
#include <openssl/x509.h>
N
make  
Nils Larsch 已提交
161
#ifndef OPENSSL_NO_DH
162
# include <openssl/dh.h>
N
make  
Nils Larsch 已提交
163
#endif
164
#include <openssl/bn.h>
165
#include <openssl/md5.h>
166

167 168 169 170
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
                                                      STACK_OF(SSL_CIPHER) **skp,
                                                      int sslv2format, int *al);
M
Matt Caswell 已提交
171

172

B
Ben Laurie 已提交
173
#ifndef OPENSSL_NO_SRP
174
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
195 196
#endif

U
Ulf Möller 已提交
197
int ssl3_accept(SSL *s)
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215
{
    BUF_MEM *buf;
    unsigned long alg_k, Time = (unsigned long)time(NULL);
    void (*cb) (const SSL *ssl, int type, int val) = NULL;
    int ret = -1;
    int new_state, state, skip = 0;

    RAND_add(&Time, sizeof(Time), 0);
    ERR_clear_error();
    clear_sys_error();

    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    /* init things to blank */
    s->in_handshake++;
M
Matt Caswell 已提交
216
    if (!SSL_in_init(s) || SSL_in_before(s)) {
V
Viktor Dukhovni 已提交
217
        if (!SSL_clear(s))
M
Matt Caswell 已提交
218 219
            return -1;
    }
220

D
Dr. Stephen Henson 已提交
221
#ifndef OPENSSL_NO_HEARTBEATS
222 223 224 225 226 227 228 229 230
    /*
     * If we're awaiting a HeartbeatResponse, pretend we already got and
     * don't await it anymore, because Heartbeats don't make sense during
     * handshakes anyway.
     */
    if (s->tlsext_hb_pending) {
        s->tlsext_hb_pending = 0;
        s->tlsext_hb_seq++;
    }
D
Dr. Stephen Henson 已提交
231 232
#endif

233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249
    for (;;) {
        state = s->state;

        switch (s->state) {
        case SSL_ST_RENEGOTIATE:
            s->renegotiate = 1;
            /* s->state=SSL_ST_ACCEPT; */

        case SSL_ST_BEFORE:
        case SSL_ST_ACCEPT:
        case SSL_ST_BEFORE | SSL_ST_ACCEPT:
        case SSL_ST_OK | SSL_ST_ACCEPT:

            s->server = 1;
            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_START, 1);

250
            if ((s->version >> 8 != 3) && s->version != TLS_ANY_VERSION) {
251
                SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
252
                s->state = SSL_ST_ERR;
253 254 255 256 257 258 259 260 261 262 263 264 265
                return -1;
            }

            if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
                SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_VERSION_TOO_LOW);
                return -1;
            }

            s->type = SSL_ST_ACCEPT;

            if (s->init_buf == NULL) {
                if ((buf = BUF_MEM_new()) == NULL) {
                    ret = -1;
M
Matt Caswell 已提交
266
                    s->state = SSL_ST_ERR;
267 268 269 270 271
                    goto end;
                }
                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
                    BUF_MEM_free(buf);
                    ret = -1;
M
Matt Caswell 已提交
272
                    s->state = SSL_ST_ERR;
273 274 275 276 277 278 279
                    goto end;
                }
                s->init_buf = buf;
            }

            if (!ssl3_setup_buffers(s)) {
                ret = -1;
M
Matt Caswell 已提交
280
                s->state = SSL_ST_ERR;
281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297
                goto end;
            }

            s->init_num = 0;
            s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
            /*
             * Should have been reset by ssl3_get_finished, too.
             */
            s->s3->change_cipher_spec = 0;

            if (s->state != SSL_ST_RENEGOTIATE) {
                /*
                 * Ok, we now need to push on a buffering BIO so that the
                 * output is sent in a way that TCP likes :-)
                 */
                if (!ssl_init_wbio_buffer(s, 1)) {
                    ret = -1;
M
Matt Caswell 已提交
298
                    s->state = SSL_ST_ERR;
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315
                    goto end;
                }

                ssl3_init_finished_mac(s);
                s->state = SSL3_ST_SR_CLNT_HELLO_A;
                s->ctx->stats.sess_accept++;
            } else if (!s->s3->send_connection_binding &&
                       !(s->options &
                         SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
                /*
                 * Server attempting to renegotiate with client that doesn't
                 * support secure renegotiation.
                 */
                SSLerr(SSL_F_SSL3_ACCEPT,
                       SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                ret = -1;
M
Matt Caswell 已提交
316
                s->state = SSL_ST_ERR;
317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352
                goto end;
            } else {
                /*
                 * s->state == SSL_ST_RENEGOTIATE, we will just send a
                 * HelloRequest
                 */
                s->ctx->stats.sess_accept_renegotiate++;
                s->state = SSL3_ST_SW_HELLO_REQ_A;
            }
            break;

        case SSL3_ST_SW_HELLO_REQ_A:
        case SSL3_ST_SW_HELLO_REQ_B:

            s->shutdown = 0;
            ret = ssl3_send_hello_request(s);
            if (ret <= 0)
                goto end;
            s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
            s->state = SSL3_ST_SW_FLUSH;
            s->init_num = 0;

            ssl3_init_finished_mac(s);
            break;

        case SSL3_ST_SW_HELLO_REQ_C:
            s->state = SSL_ST_OK;
            break;

        case SSL3_ST_SR_CLNT_HELLO_A:
        case SSL3_ST_SR_CLNT_HELLO_B:
        case SSL3_ST_SR_CLNT_HELLO_C:

            ret = ssl3_get_client_hello(s);
            if (ret <= 0)
                goto end;
B
Ben Laurie 已提交
353
#ifndef OPENSSL_NO_SRP
354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373
            s->state = SSL3_ST_SR_CLNT_HELLO_D;
        case SSL3_ST_SR_CLNT_HELLO_D:
            {
                int al;
                if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
                    /*
                     * callback indicates firther work to be done
                     */
                    s->rwstate = SSL_X509_LOOKUP;
                    goto end;
                }
                if (ret != SSL_ERROR_NONE) {
                    ssl3_send_alert(s, SSL3_AL_FATAL, al);
                    /*
                     * This is not really an error but the only means to for
                     * a client to detect whether srp is supported.
                     */
                    if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                        SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
                    ret = -1;
M
Matt Caswell 已提交
374
                    s->state = SSL_ST_ERR;
375 376 377 378 379 380 381 382 383 384 385 386 387 388 389
                    goto end;
                }
            }
#endif

            s->renegotiate = 2;
            s->state = SSL3_ST_SW_SRVR_HELLO_A;
            s->init_num = 0;
            break;

        case SSL3_ST_SW_SRVR_HELLO_A:
        case SSL3_ST_SW_SRVR_HELLO_B:
            ret = ssl3_send_server_hello(s);
            if (ret <= 0)
                goto end;
390

391 392 393 394 395
            if (s->hit) {
                if (s->tlsext_ticket_expected)
                    s->state = SSL3_ST_SW_SESSION_TICKET_A;
                else
                    s->state = SSL3_ST_SW_CHANGE_A;
396
            } else {
397
                s->state = SSL3_ST_SW_CERT_A;
398
            }
399 400 401 402 403 404
            s->init_num = 0;
            break;

        case SSL3_ST_SW_CERT_A:
        case SSL3_ST_SW_CERT_B:
            /* Check if it is anon DH or anon ECDH, */
405
            /* normal PSK or SRP */
406 407
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
                 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
408 409 410
                ret = ssl3_send_server_certificate(s);
                if (ret <= 0)
                    goto end;
411

412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_SW_CERT_STATUS_A;
                else
                    s->state = SSL3_ST_SW_KEY_EXCH_A;
            } else {
                skip = 1;
                s->state = SSL3_ST_SW_KEY_EXCH_A;
            }
            s->init_num = 0;
            break;

        case SSL3_ST_SW_KEY_EXCH_A:
        case SSL3_ST_SW_KEY_EXCH_B:
            alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

            /*
             * clear this, it may get reset by
             * send_server_key_exchange
             */
            s->s3->tmp.use_rsa_tmp = 0;

            /*
             * only send if a DH key exchange, fortezza or RSA but we have a
             * sign only certificate PSK: may send PSK identity hints For
             * ECC ciphersuites, we send a serverKeyExchange message only if
             * the cipher suite is either ECDH-anon or ECDHE. In other cases,
             * the server certificate contains the server's public key for
             * key exchange.
             */
            if (0
                /*
                 * PSK: send ServerKeyExchange if PSK identity hint if
                 * provided
                 */
446
#ifndef OPENSSL_NO_PSK
447
                /* Only send SKE if we have identity hint for plain PSK */
448
                || ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) && s->cert->psk_identity_hint)
449 450
                /* For other PSK always send SKE */
                || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
B
Ben Laurie 已提交
451 452
#endif
#ifndef OPENSSL_NO_SRP
453 454
                /* SRP: send ServerKeyExchange */
                || (alg_k & SSL_kSRP)
455
#endif
456 457 458 459 460
                || (alg_k & SSL_kDHE)
                || (alg_k & SSL_kECDHE)
                || ((alg_k & SSL_kRSA)
                    && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
                        || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
461
                            && EVP_PKEY_size(s->cert->pkeys
462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494
                                             [SSL_PKEY_RSA_ENC].privatekey) *
                            8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
                        )
                    )
                )
                ) {
                ret = ssl3_send_server_key_exchange(s);
                if (ret <= 0)
                    goto end;
            } else
                skip = 1;

            s->state = SSL3_ST_SW_CERT_REQ_A;
            s->init_num = 0;
            break;

        case SSL3_ST_SW_CERT_REQ_A:
        case SSL3_ST_SW_CERT_REQ_B:
            if (                /* don't request cert unless asked for it: */
                   !(s->verify_mode & SSL_VERIFY_PEER) ||
                   /*
                    * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
                    * during re-negotiation:
                    */
                   ((s->session->peer != NULL) &&
                    (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
                   /*
                    * never request cert in anonymous ciphersuites (see
                    * section "Certificate request" in SSL 3 drafts and in
                    * RFC 2246):
                    */
                   ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
                   /*
495 496 497
                    * ... except when the application insists on
                    * verification (against the specs, but s3_clnt.c accepts
                    * this for SSL 3)
498
                    */
499
                   !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
500 501 502 503 504 505
                   /* don't request certificate for SRP auth */
                   (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
                   /*
                    * With normal PSK Certificates and Certificate Requests
                    * are omitted
                    */
506
                   || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
507 508 509 510
                /* no cert request */
                skip = 1;
                s->s3->tmp.cert_request = 0;
                s->state = SSL3_ST_SW_SRVR_DONE_A;
511 512 513
                if (!ssl3_digest_cached_records(s, 0)) {
                    s->state = SSL_ST_ERR;
                    return -1;
M
Matt Caswell 已提交
514
                }
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578
            } else {
                s->s3->tmp.cert_request = 1;
                ret = ssl3_send_certificate_request(s);
                if (ret <= 0)
                    goto end;
                s->state = SSL3_ST_SW_SRVR_DONE_A;
                s->init_num = 0;
            }
            break;

        case SSL3_ST_SW_SRVR_DONE_A:
        case SSL3_ST_SW_SRVR_DONE_B:
            ret = ssl3_send_server_done(s);
            if (ret <= 0)
                goto end;
            s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
            s->state = SSL3_ST_SW_FLUSH;
            s->init_num = 0;
            break;

        case SSL3_ST_SW_FLUSH:

            /*
             * This code originally checked to see if any data was pending
             * using BIO_CTRL_INFO and then flushed. This caused problems as
             * documented in PR#1939. The proposed fix doesn't completely
             * resolve this issue as buggy implementations of
             * BIO_CTRL_PENDING still exist. So instead we just flush
             * unconditionally.
             */

            s->rwstate = SSL_WRITING;
            if (BIO_flush(s->wbio) <= 0) {
                ret = -1;
                goto end;
            }
            s->rwstate = SSL_NOTHING;

            s->state = s->s3->tmp.next_state;
            break;

        case SSL3_ST_SR_CERT_A:
        case SSL3_ST_SR_CERT_B:
            if (s->s3->tmp.cert_request) {
                ret = ssl3_get_client_certificate(s);
                if (ret <= 0)
                    goto end;
            }
            s->init_num = 0;
            s->state = SSL3_ST_SR_KEY_EXCH_A;
            break;

        case SSL3_ST_SR_KEY_EXCH_A:
        case SSL3_ST_SR_KEY_EXCH_B:
            ret = ssl3_get_client_key_exchange(s);
            if (ret <= 0)
                goto end;
            if (ret == 2) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
579
                s->state = SSL3_ST_SR_CHANGE_A;
580 581 582 583 584 585 586 587
                s->init_num = 0;
            } else if (SSL_USE_SIGALGS(s)) {
                s->state = SSL3_ST_SR_CERT_VRFY_A;
                s->init_num = 0;
                if (!s->session->peer)
                    break;
                if (!s->s3->handshake_buffer) {
                    SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
588
                    s->state = SSL_ST_ERR;
589 590
                    return -1;
                }
591 592
                /*
                 * For sigalgs freeze the handshake buffer. If we support
593
                 * extms we've done this already so this is a no-op
594
                 */
595 596 597
                if (!ssl3_digest_cached_records(s, 1)) {
                    s->state = SSL_ST_ERR;
                    return -1;
598
                }
599 600 601 602 603 604 605 606 607 608 609 610 611
            } else {
                int offset = 0;
                int dgst_num;

                s->state = SSL3_ST_SR_CERT_VRFY_A;
                s->init_num = 0;

                /*
                 * We need to get hashes here so if there is a client cert,
                 * it can be verified FIXME - digest processing for
                 * CertificateVerify should be generalized. But it is next
                 * step
                 */
612 613 614
                if (!ssl3_digest_cached_records(s, 0)) {
                    s->state = SSL_ST_ERR;
                    return -1;
M
Matt Caswell 已提交
615
                }
616 617 618 619 620 621 622 623 624 625 626 627 628 629 630
                for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
                    if (s->s3->handshake_dgst[dgst_num]) {
                        int dgst_size;

                        s->method->ssl3_enc->cert_verify_mac(s,
                                                             EVP_MD_CTX_type
                                                             (s->
                                                              s3->handshake_dgst
                                                              [dgst_num]),
                                                             &(s->s3->
                                                               tmp.cert_verify_md
                                                               [offset]));
                        dgst_size =
                            EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
                        if (dgst_size < 0) {
M
Matt Caswell 已提交
631
                            s->state = SSL_ST_ERR;
632 633 634 635 636 637 638 639 640 641 642 643 644
                            ret = -1;
                            goto end;
                        }
                        offset += dgst_size;
                    }
            }
            break;

        case SSL3_ST_SR_CERT_VRFY_A:
        case SSL3_ST_SR_CERT_VRFY_B:
            ret = ssl3_get_cert_verify(s);
            if (ret <= 0)
                goto end;
645

646
            s->state = SSL3_ST_SR_CHANGE_A;
647 648
            s->init_num = 0;
            break;
649

650
#if !defined(OPENSSL_NO_NEXTPROTONEG)
651 652 653 654 655 656 657 658
        case SSL3_ST_SR_NEXT_PROTO_A:
        case SSL3_ST_SR_NEXT_PROTO_B:
            ret = ssl3_get_next_proto(s);
            if (ret <= 0)
                goto end;
            s->init_num = 0;
            s->state = SSL3_ST_SR_FINISHED_A;
            break;
B
Ben Laurie 已提交
659 660
#endif

661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679

        case SSL3_ST_SR_CHANGE_A:
        case SSL3_ST_SR_CHANGE_B:
            ret = ssl3_get_change_cipher_spec(s, SSL3_ST_SR_CHANGE_A,
                                              SSL3_ST_SR_CHANGE_B);
            if (ret <= 0)
                goto end;

#if defined(OPENSSL_NO_NEXTPROTONEG)
            s->state = SSL3_ST_SR_FINISHED_A;
#else
            if (s->s3->next_proto_neg_seen)
                s->state = SSL3_ST_SR_NEXT_PROTO_A;
            else
                s->state = SSL3_ST_SR_FINISHED_A;
#endif
            s->init_num = 0;
            break;

680 681 682 683 684 685 686 687 688 689 690 691 692 693
        case SSL3_ST_SR_FINISHED_A:
        case SSL3_ST_SR_FINISHED_B:
            ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
                                    SSL3_ST_SR_FINISHED_B);
            if (ret <= 0)
                goto end;
            if (s->hit)
                s->state = SSL_ST_OK;
            else if (s->tlsext_ticket_expected)
                s->state = SSL3_ST_SW_SESSION_TICKET_A;
            else
                s->state = SSL3_ST_SW_CHANGE_A;
            s->init_num = 0;
            break;
694

695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711
        case SSL3_ST_SW_SESSION_TICKET_A:
        case SSL3_ST_SW_SESSION_TICKET_B:
            ret = ssl3_send_newsession_ticket(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_SW_CHANGE_A;
            s->init_num = 0;
            break;

        case SSL3_ST_SW_CERT_STATUS_A:
        case SSL3_ST_SW_CERT_STATUS_B:
            ret = ssl3_send_cert_status(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_SW_KEY_EXCH_A;
            s->init_num = 0;
            break;
712

713 714 715 716 717 718
        case SSL3_ST_SW_CHANGE_A:
        case SSL3_ST_SW_CHANGE_B:

            s->session->cipher = s->s3->tmp.new_cipher;
            if (!s->method->ssl3_enc->setup_key_block(s)) {
                ret = -1;
M
Matt Caswell 已提交
719
                s->state = SSL_ST_ERR;
720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735
                goto end;
            }

            ret = ssl3_send_change_cipher_spec(s,
                                               SSL3_ST_SW_CHANGE_A,
                                               SSL3_ST_SW_CHANGE_B);

            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_SW_FINISHED_A;
            s->init_num = 0;

            if (!s->method->ssl3_enc->change_cipher_state(s,
                                                          SSL3_CHANGE_CIPHER_SERVER_WRITE))
            {
                ret = -1;
M
Matt Caswell 已提交
736
                s->state = SSL_ST_ERR;
737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754
                goto end;
            }

            break;

        case SSL3_ST_SW_FINISHED_A:
        case SSL3_ST_SW_FINISHED_B:
            ret = ssl3_send_finished(s,
                                     SSL3_ST_SW_FINISHED_A,
                                     SSL3_ST_SW_FINISHED_B,
                                     s->method->
                                     ssl3_enc->server_finished_label,
                                     s->method->
                                     ssl3_enc->server_finished_label_len);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_SW_FLUSH;
            if (s->hit) {
755
                s->s3->tmp.next_state = SSL3_ST_SR_CHANGE_A;
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791
            } else
                s->s3->tmp.next_state = SSL_ST_OK;
            s->init_num = 0;
            break;

        case SSL_ST_OK:
            /* clean a few things up */
            ssl3_cleanup_key_block(s);

            BUF_MEM_free(s->init_buf);
            s->init_buf = NULL;

            /* remove buffering on output */
            ssl_free_wbio_buffer(s);

            s->init_num = 0;

            if (s->renegotiate == 2) { /* skipped if we just sent a
                                        * HelloRequest */
                s->renegotiate = 0;
                s->new_session = 0;

                ssl_update_cache(s, SSL_SESS_CACHE_SERVER);

                s->ctx->stats.sess_accept_good++;
                /* s->server=1; */
                s->handshake_func = ssl3_accept;

                if (cb != NULL)
                    cb(s, SSL_CB_HANDSHAKE_DONE, 1);
            }

            ret = 1;
            goto end;
            /* break; */

M
Matt Caswell 已提交
792
        case SSL_ST_ERR:
793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822
        default:
            SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
            ret = -1;
            goto end;
            /* break; */
        }

        if (!s->s3->tmp.reuse_message && !skip) {
            if (s->debug) {
                if ((ret = BIO_flush(s->wbio)) <= 0)
                    goto end;
            }

            if ((cb != NULL) && (s->state != state)) {
                new_state = s->state;
                s->state = state;
                cb(s, SSL_CB_ACCEPT_LOOP, 1);
                s->state = new_state;
            }
        }
        skip = 0;
    }
 end:
    /* BIO_flush(s->wbio); */

    s->in_handshake--;
    if (cb != NULL)
        cb(s, SSL_CB_ACCEPT_EXIT, ret);
    return (ret);
}
823

B
Ben Laurie 已提交
824
int ssl3_send_hello_request(SSL *s)
825
{
826

827
    if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
V
Viktor Dukhovni 已提交
828
        if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
M
Matt Caswell 已提交
829 830 831
            SSLerr(SSL_F_SSL3_SEND_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
            return -1;
        }
832 833
        s->state = SSL3_ST_SW_HELLO_REQ_B;
    }
834

835 836 837
    /* SSL3_ST_SW_HELLO_REQ_B */
    return ssl_do_write(s);
}
838

B
Ben Laurie 已提交
839
int ssl3_get_client_hello(SSL *s)
840
{
M
Matt Caswell 已提交
841
    int i, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
842
    unsigned int j, complen = 0;
843 844 845
    long n;
    unsigned long id;
    SSL_CIPHER *c;
846
#ifndef OPENSSL_NO_COMP
847
    SSL_COMP *comp = NULL;
848
#endif
849
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
850
    int protverr = 1;
851 852 853
    /* |cookie| will only be initialized for DTLS. */
    PACKET pkt, session_id, cipher_suites, compression, extensions, cookie;
    int is_v2_record;
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876

    if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
        goto retry_cert;

    /*
     * We do this so that we will respond with our native type. If we are
     * TLSv1 and we get SSLv3, we will respond with TLSv1, This down
     * switching should be handled by a different method. If we are SSLv3, we
     * will respond with SSLv3, even if prompted with TLSv1.
     */
    if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
        s->state = SSL3_ST_SR_CLNT_HELLO_B;
    }
    s->first_packet = 1;
    n = s->method->ssl_get_message(s,
                                   SSL3_ST_SR_CLNT_HELLO_B,
                                   SSL3_ST_SR_CLNT_HELLO_C,
                                   SSL3_MT_CLIENT_HELLO,
                                   SSL3_RT_MAX_PLAIN_LENGTH, &ok);

    if (!ok)
        return ((int)n);
    s->first_packet = 0;
877 878 879 880 881
    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
882

883 884
    is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);

E
Emilia Kasper 已提交
885
    PACKET_null_init(&cookie);
886
    /* First lets get s->client_version set correctly */
887
    if (is_v2_record) {
M
Matt Caswell 已提交
888 889
        unsigned int version;
        unsigned int mt;
890 891 892 893 894 895 896 897 898 899 900 901 902 903 904
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

M
Matt Caswell 已提交
905 906
        if (!PACKET_get_1(&pkt, &mt)
                || mt != SSL2_MT_CLIENT_HELLO) {
907 908 909 910 911 912
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
913
            goto err;
914 915
        }

M
Matt Caswell 已提交
916 917 918 919 920 921
        if (!PACKET_get_net_2(&pkt, &version)) {
            /* No protocol version supplied! */
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
        }
        if (version == 0x0002) {
922 923 924
            /* This is real SSLv2. We don't support it. */
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
M
Matt Caswell 已提交
925
        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
926
            /* SSLv3/TLS */
M
Matt Caswell 已提交
927
            s->client_version = version;
928 929 930 931 932 933 934
        } else {
            /* No idea what protocol this is */
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
        }
    } else {
        /*
M
Matt Caswell 已提交
935 936
         * use version from inside client hello, not from record header (may
         * differ: see RFC 2246, Appendix E, second paragraph)
937
         */
M
Matt Caswell 已提交
938
        if(!PACKET_get_net_2(&pkt, (unsigned int *)&s->client_version)) {
939 940 941 942
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
            goto f_err;
        }
943 944
    }

945 946 947
    /* Do SSL/TLS version negotiation if applicable */
    if (!SSL_IS_DTLS(s)) {
        if (s->version != TLS_ANY_VERSION) {
948
            if (s->client_version >= s->version) {
949 950
                protverr = 0;
            }
951
        } else if (s->client_version >= SSL3_VERSION) {
952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978
            switch(s->client_version) {
            default:
            case TLS1_2_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1_2)) {
                    s->version = TLS1_2_VERSION;
                    s->method = TLSv1_2_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case TLS1_1_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1_1)) {
                    s->version = TLS1_1_VERSION;
                    s->method = TLSv1_1_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case TLS1_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1)) {
                    s->version = TLS1_VERSION;
                    s->method = TLSv1_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case SSL3_VERSION:
979
#ifndef OPENSSL_NO_SSL3
980 981 982 983 984 985
                if(!(s->options & SSL_OP_NO_SSLv3)) {
                    s->version = SSL3_VERSION;
                    s->method = SSLv3_server_method();
                    protverr = 0;
                    break;
                }
986 987 988
#else
                break;
#endif
989 990
            }
        }
991 992
    } else if (s->client_version <= s->version
                || s->method->version == DTLS_ANY_VERSION) {
993 994 995 996 997 998 999 1000 1001 1002
        /*
         * For DTLS we just check versions are potentially compatible. Version
         * negotiation comes later.
         */
        protverr = 0;
    }

    if (protverr) {
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
        if ((!s->enc_write_ctx && !s->write_hash)) {
1003 1004 1005 1006 1007 1008 1009 1010 1011 1012
            /*
             * similar to ssl3_get_record, send alert using remote version
             * number
             */
            s->version = s->client_version;
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }

1013 1014
    /* Parse the message and load client random. */
    if (is_v2_record) {
1015 1016 1017 1018 1019
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected above.
         */
1020
        unsigned int cipher_len, session_id_len, challenge_len;
1021
        PACKET challenge;
1022

1023 1024 1025
        if (!PACKET_get_net_2(&pkt, &cipher_len)
                || !PACKET_get_net_2(&pkt, &session_id_len)
                || !PACKET_get_net_2(&pkt, &challenge_len)) {
1026
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
1027 1028
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1029
        }
1030

1031 1032 1033 1034 1035
        if (!PACKET_get_sub_packet(&pkt, &cipher_suites, cipher_len)
            || !PACKET_get_sub_packet(&pkt, &session_id, session_id_len)
            || !PACKET_get_sub_packet(&pkt, &challenge, challenge_len)
            /* No extensions. */
            || PACKET_remaining(&pkt) != 0) {
M
Matt Caswell 已提交
1036 1037 1038 1039 1040
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }

1041
        /* Load the client random */
1042 1043
        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
            challenge_len;
1044
        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
1045 1046 1047 1048 1049
        if (!PACKET_copy_bytes(&challenge,
                               s->s3->client_random + SSL3_RANDOM_SIZE -
                               challenge_len, challenge_len)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1050 1051
            goto f_err;
        }
1052 1053 1054

        PACKET_null_init(&compression);
        PACKET_null_init(&extensions);
1055
    } else {
1056
        /* Regular ClientHello. */
M
Matt Caswell 已提交
1057
        if (!PACKET_copy_bytes(&pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
1058
            || !PACKET_get_length_prefixed_1(&pkt, &session_id)) {
M
Matt Caswell 已提交
1059
            al = SSL_AD_DECODE_ERROR;
1060
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1061 1062
            goto f_err;
        }
1063

1064 1065
        if (SSL_IS_DTLS(s)) {
            if (!PACKET_get_length_prefixed_1(&pkt, &cookie)) {
1066
                al = SSL_AD_DECODE_ERROR;
1067
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1068 1069
                goto f_err;
            }
1070 1071 1072 1073 1074 1075 1076
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (PACKET_remaining(&cookie) == 0)
1077
                return 1;
1078
            }
1079
        }
1080

1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115
        if (!PACKET_get_length_prefixed_2(&pkt, &cipher_suites)
            || !PACKET_get_length_prefixed_1(&pkt, &compression)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
        /* Could be empty. */
        extensions = pkt;
    }

    s->hit = 0;

    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
    if (is_v2_record ||
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
        i = ssl_get_prev_session(s, &extensions, &session_id);
1116
        /*
1117 1118 1119 1120 1121 1122 1123
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1124
         */
1125 1126 1127 1128 1129
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1130
        } else {
1131 1132
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1133
                goto err;
1134
        }
1135
    }
1136

1137
    if (SSL_IS_DTLS(s)) {
E
Emilia Kasper 已提交
1138 1139
	/* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1140
            if (s->ctx->app_verify_cookie_cb != NULL) {
E
Emilia Kasper 已提交
1141 1142
                if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
                                                 PACKET_remaining(&cookie)) == 0) {
1143 1144
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1145
                           SSL_R_COOKIE_MISMATCH);
1146
                    goto f_err;
E
Emilia Kasper 已提交
1147
                    /* else cookie verification succeeded */
1148
                }
1149
            /* default verification */
E
Emilia Kasper 已提交
1150 1151
            } else if (!PACKET_equal(&cookie, s->d1->cookie,
                                     s->d1->cookie_len)) {
1152 1153 1154
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
1155
            }
1156 1157
            /* Set to -2 so if successful we return 2 */
            ret = -2;
1158
        }
1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182
        if (s->method->version == DTLS_ANY_VERSION) {
            /* Select version to use */
            if (s->client_version <= DTLS1_2_VERSION &&
                !(s->options & SSL_OP_NO_DTLSv1_2)) {
                s->version = DTLS1_2_VERSION;
                s->method = DTLSv1_2_server_method();
            } else if (tls1_suiteb(s)) {
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                       SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            } else if (s->client_version <= DTLS1_VERSION &&
                       !(s->options & SSL_OP_NO_DTLSv1)) {
                s->version = DTLS1_VERSION;
                s->method = DTLSv1_server_method();
            } else {
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                       SSL_R_WRONG_VERSION_NUMBER);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
            s->session->ssl_version = s->version;
1183
        }
1184
    }
1185

1186 1187
    if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
                                 is_v2_record, &al) == NULL) {
1188 1189
        goto f_err;
    }
1190

1191 1192 1193 1194
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1195

1196
#ifdef CIPHER_DEBUG
1197 1198
        fprintf(stderr, "client sent %d ciphers\n",
                sk_SSL_CIPHER_num(ciphers));
1199
#endif
1200 1201
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1202
#ifdef CIPHER_DEBUG
1203 1204
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1205
#endif
1206 1207 1208
            if (c->id == id) {
                j = 1;
                break;
1209
            }
1210
        }
1211
        if (j == 0) {
1212
            /*
1213 1214
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1215
             */
1216 1217 1218
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                   SSL_R_REQUIRED_CIPHER_MISSING);
1219 1220
            goto f_err;
        }
1221
    }
M
Matt Caswell 已提交
1222

1223 1224 1225 1226
    complen = PACKET_remaining(&compression);
    for (j = 0; j < complen; j++) {
        if (PACKET_data(&compression)[j] == 0)
            break;
1227
    }
1228

1229 1230 1231 1232 1233 1234 1235
    if (j >= complen) {
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
        goto f_err;
    }
    
1236 1237
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
1238
        if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
            goto err;
        }
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length, ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1286
            sk_SSL_CIPHER_free(s->cipher_list);
1287
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1288
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1289 1290 1291
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1292

1293 1294
    /*
     * Worst case, we will use the NULL compression, but if we have other
1295
     * options, we will now look for them.  We have complen-1 compression
1296 1297 1298
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1299
#ifndef OPENSSL_NO_COMP
1300 1301 1302
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1303
        unsigned int k;
1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
M
Matt Caswell 已提交
1325
        for (k = 0; k < complen; k++) {
1326
            if (PACKET_data(&compression)[k] == comp_id)
1327 1328
                break;
        }
M
Matt Caswell 已提交
1329
        if (k >= complen) {
1330 1331 1332 1333 1334 1335 1336 1337
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                   SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1338
        /* See if we have a match */
M
Matt Caswell 已提交
1339 1340
        int m, nn, v, done = 0;
        unsigned int o;
1341 1342 1343 1344 1345

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1346
            for (o = 0; o < complen; o++) {
1347
                if (v == PACKET_data(&compression)[o]) {
1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1360
#else
1361 1362 1363 1364 1365 1366 1367 1368
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
        goto f_err;
    }
1369
#endif
1370

1371 1372 1373
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1374

1375
    if (!s->hit) {
1376
#ifdef OPENSSL_NO_COMP
1377
        s->session->compress_meth = 0;
1378
#else
1379
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1380
#endif
R
Rich Salz 已提交
1381
        sk_SSL_CIPHER_free(s->session->ciphers);
1382 1383
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1384 1385
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
            goto err;
        }
        /* Let cert callback update server certificates if required */
 retry_cert:
        if (s->cert->cert_cb) {
            int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
            if (rv == 0) {
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
                goto f_err;
            }
            if (rv < 0) {
                s->rwstate = SSL_X509_LOOKUP;
                return -1;
            }
            s->rwstate = SSL_NOTHING;
        }
        c = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

        if (c == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
            goto f_err;
        }
        s->s3->tmp.new_cipher = c;
        /* check whether we should disable session resumption */
        if (s->not_resumable_session_cb != NULL)
            s->session->not_resumable = s->not_resumable_session_cb(s,
                                                                    ((c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE))
                                                                     != 0));
        if (s->session->not_resumable)
            /* do not send a session ticket */
            s->tlsext_ticket_expected = 0;
    } else {
        /* Session-id reuse */
1426
        s->s3->tmp.new_cipher = s->session->cipher;
1427 1428 1429
    }

    if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
1430
        if (!ssl3_digest_cached_records(s, 0))
1431 1432 1433
            goto f_err;
    }

1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444
    /*-
     * we now have the following setup.
     * client_random
     * cipher_list          - our prefered list of ciphers
     * ciphers              - the clients prefered list of ciphers
     * compression          - basically ignored right now
     * ssl version is set   - sslv3
     * s->session           - The ssl session has been setup.
     * s->hit               - session reuse flag
     * s->s3->tmp.new_cipher- the new cipher to use.
     */
1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459

    /* Handles TLS extensions that we couldn't check earlier */
    if (s->version >= SSL3_VERSION) {
        if (ssl_check_clienthello_tlsext_late(s) <= 0) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
            goto err;
        }
    }

    if (ret < 0)
        ret = -ret;
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1460 1461 1462
        s->state = SSL_ST_ERR;
    }

R
Rich Salz 已提交
1463
    sk_SSL_CIPHER_free(ciphers);
1464 1465
    return ret < 0 ? -1 : ret;
}
1466

B
Ben Laurie 已提交
1467
int ssl3_send_server_hello(SSL *s)
1468 1469 1470 1471 1472 1473 1474 1475 1476
{
    unsigned char *buf;
    unsigned char *p, *d;
    int i, sl;
    int al = 0;
    unsigned long l;

    if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
        buf = (unsigned char *)s->init_buf->data;
1477

1478 1479 1480 1481 1482 1483
        /* Do the message type and length last */
        d = p = ssl_handshake_start(s);

        *(p++) = s->version >> 8;
        *(p++) = s->version & 0xff;

1484 1485 1486 1487
        /*
         * Random stuff. Filling of the server_random takes place in
         * ssl3_get_client_hello()
         */
1488 1489 1490
        memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
        p += SSL3_RANDOM_SIZE;

1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506
        /*-
         * There are several cases for the session ID to send
         * back in the server hello:
         * - For session reuse from the session cache,
         *   we send back the old session ID.
         * - If stateless session reuse (using a session ticket)
         *   is successful, we send back the client's "session ID"
         *   (which doesn't actually identify the session).
         * - If it is a new session, we send back the new
         *   session ID.
         * - However, if we want the new session to be single-use,
         *   we send back a 0-length session ID.
         * s->hit is non-zero in either case of session reuse,
         * so the following won't overwrite an ID that we're supposed
         * to send back.
         */
1507 1508 1509 1510 1511 1512 1513 1514
        if (s->session->not_resumable ||
            (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
             && !s->hit))
            s->session->session_id_length = 0;

        sl = s->session->session_id_length;
        if (sl > (int)sizeof(s->session->session_id)) {
            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1515
            s->state = SSL_ST_ERR;
1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526
            return -1;
        }
        *(p++) = sl;
        memcpy(p, s->session->session_id, sl);
        p += sl;

        /* put the cipher */
        i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
        p += i;

        /* put the compression method */
1527
#ifdef OPENSSL_NO_COMP
1528
        *(p++) = 0;
1529
#else
1530 1531 1532 1533
        if (s->s3->tmp.new_compression == NULL)
            *(p++) = 0;
        else
            *(p++) = s->s3->tmp.new_compression->id;
1534
#endif
1535

1536 1537
        if (ssl_prepare_serverhello_tlsext(s) <= 0) {
            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
M
Matt Caswell 已提交
1538
            s->state = SSL_ST_ERR;
1539 1540 1541 1542 1543 1544 1545
            return -1;
        }
        if ((p =
             ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                        &al)) == NULL) {
            ssl3_send_alert(s, SSL3_AL_FATAL, al);
            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1546
            s->state = SSL_ST_ERR;
1547 1548
            return -1;
        }
1549

1550 1551
        /* do the header */
        l = (p - d);
V
Viktor Dukhovni 已提交
1552
        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
M
Matt Caswell 已提交
1553 1554 1555
            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
            return -1;
        }
1556 1557
        s->state = SSL3_ST_SW_SRVR_HELLO_B;
    }
1558

1559 1560 1561
    /* SSL3_ST_SW_SRVR_HELLO_B */
    return ssl_do_write(s);
}
1562

B
Ben Laurie 已提交
1563
int ssl3_send_server_done(SSL *s)
1564
{
1565

1566
    if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
V
Viktor Dukhovni 已提交
1567
        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
M
Matt Caswell 已提交
1568 1569 1570
            SSLerr(SSL_F_SSL3_SEND_SERVER_DONE, ERR_R_INTERNAL_ERROR);
            return -1;
        }
1571 1572
        s->state = SSL3_ST_SW_SRVR_DONE_B;
    }
1573

1574 1575 1576
    /* SSL3_ST_SW_SRVR_DONE_B */
    return ssl_do_write(s);
}
1577

B
Ben Laurie 已提交
1578
int ssl3_send_server_key_exchange(SSL *s)
1579
{
1580
#ifndef OPENSSL_NO_RSA
1581 1582 1583 1584 1585
    unsigned char *q;
    int j, num;
    RSA *rsa;
    unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
    unsigned int u;
1586
#endif
1587
#ifndef OPENSSL_NO_DH
1588
    DH *dh = NULL, *dhp;
B
Bodo Möller 已提交
1589
#endif
1590
#ifndef OPENSSL_NO_EC
1591 1592 1593 1594 1595
    EC_KEY *ecdh = NULL, *ecdhp;
    unsigned char *encodedPoint = NULL;
    int encodedlen = 0;
    int curve_id = 0;
    BN_CTX *bn_ctx = NULL;
1596
#endif
1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
    unsigned char *p, *d;
    int al, i;
    unsigned long type;
    int n;
    CERT *cert;
    BIGNUM *r[4];
    int nr[4], kn;
    BUF_MEM *buf;
    EVP_MD_CTX md_ctx;

    EVP_MD_CTX_init(&md_ctx);
    if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
        type = s->s3->tmp.new_cipher->algorithm_mkey;
        cert = s->cert;

        buf = s->init_buf;

        r[0] = r[1] = r[2] = r[3] = NULL;
        n = 0;
1618 1619 1620 1621 1622 1623
#ifndef OPENSSL_NO_PSK
        if (type & SSL_PSK) {
            /*
             * reserve size for record length and PSK identity hint
             */
            n += 2;
1624 1625
            if (s->cert->psk_identity_hint)
                n += strlen(s->cert->psk_identity_hint);
1626 1627 1628 1629 1630
        }
        /* Plain PSK or RSAPSK nothing to do */
        if (type & (SSL_kPSK | SSL_kRSAPSK)) {
        } else
#endif                          /* !OPENSSL_NO_PSK */
1631
#ifndef OPENSSL_NO_RSA
1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658
        if (type & SSL_kRSA) {
            rsa = cert->rsa_tmp;
            if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
                rsa = s->cert->rsa_tmp_cb(s,
                                          SSL_C_IS_EXPORT(s->s3->
                                                          tmp.new_cipher),
                                          SSL_C_EXPORT_PKEYLENGTH(s->s3->
                                                                  tmp.new_cipher));
                if (rsa == NULL) {
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                           SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
                    goto f_err;
                }
                RSA_up_ref(rsa);
                cert->rsa_tmp = rsa;
            }
            if (rsa == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_RSA_KEY);
                goto f_err;
            }
            r[0] = rsa->n;
            r[1] = rsa->e;
            s->s3->tmp.use_rsa_tmp = 1;
        } else
1659
#endif
1660
#ifndef OPENSSL_NO_DH
1661
        if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723
            if (s->cert->dh_tmp_auto) {
                dhp = ssl_get_auto_dh(s);
                if (dhp == NULL) {
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
                }
            } else
                dhp = cert->dh_tmp;
            if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
                dhp = s->cert->dh_tmp_cb(s,
                                         SSL_C_IS_EXPORT(s->s3->
                                                         tmp.new_cipher),
                                         SSL_C_EXPORT_PKEYLENGTH(s->s3->
                                                                 tmp.new_cipher));
            if (dhp == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_DH_KEY);
                goto f_err;
            }
            if (!ssl_security(s, SSL_SECOP_TMP_DH,
                              DH_security_bits(dhp), 0, dhp)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_DH_KEY_TOO_SMALL);
                goto f_err;
            }
            if (s->s3->tmp.dh != NULL) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto err;
            }

            if (s->cert->dh_tmp_auto)
                dh = dhp;
            else if ((dh = DHparams_dup(dhp)) == NULL) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
                goto err;
            }

            s->s3->tmp.dh = dh;
            if ((dhp->pub_key == NULL ||
                 dhp->priv_key == NULL ||
                 (s->options & SSL_OP_SINGLE_DH_USE))) {
                if (!DH_generate_key(dh)) {
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
                    goto err;
                }
            } else {
                dh->pub_key = BN_dup(dhp->pub_key);
                dh->priv_key = BN_dup(dhp->priv_key);
                if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
                    goto err;
                }
            }
            r[0] = dh->p;
            r[1] = dh->g;
            r[2] = dh->pub_key;
        } else
1724
#endif
1725
#ifndef OPENSSL_NO_EC
1726
        if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841
            const EC_GROUP *group;

            ecdhp = cert->ecdh_tmp;
            if (s->cert->ecdh_tmp_auto) {
                /* Get NID of appropriate shared curve */
                int nid = tls1_shared_curve(s, -2);
                if (nid != NID_undef)
                    ecdhp = EC_KEY_new_by_curve_name(nid);
            } else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb) {
                ecdhp = s->cert->ecdh_tmp_cb(s,
                                             SSL_C_IS_EXPORT(s->s3->
                                                             tmp.new_cipher),
                                             SSL_C_EXPORT_PKEYLENGTH(s->
                                                                     s3->tmp.new_cipher));
            }
            if (ecdhp == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_ECDH_KEY);
                goto f_err;
            }

            if (s->s3->tmp.ecdh != NULL) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto err;
            }

            /* Duplicate the ECDH structure. */
            if (ecdhp == NULL) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
                goto err;
            }
            if (s->cert->ecdh_tmp_auto)
                ecdh = ecdhp;
            else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
                goto err;
            }

            s->s3->tmp.ecdh = ecdh;
            if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
                (EC_KEY_get0_private_key(ecdh) == NULL) ||
                (s->options & SSL_OP_SINGLE_ECDH_USE)) {
                if (!EC_KEY_generate_key(ecdh)) {
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                           ERR_R_ECDH_LIB);
                    goto err;
                }
            }

            if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
                (EC_KEY_get0_public_key(ecdh) == NULL) ||
                (EC_KEY_get0_private_key(ecdh) == NULL)) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
                goto err;
            }

            if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
                (EC_GROUP_get_degree(group) > 163)) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
                goto err;
            }

            /*
             * XXX: For now, we only support ephemeral ECDH keys over named
             * (not generic) curves. For supported named curves, curve_id is
             * non-zero.
             */
            if ((curve_id =
                 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
                == 0) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                goto err;
            }

            /*
             * Encode the public key. First check the size of encoding and
             * allocate memory accordingly.
             */
            encodedlen = EC_POINT_point2oct(group,
                                            EC_KEY_get0_public_key(ecdh),
                                            POINT_CONVERSION_UNCOMPRESSED,
                                            NULL, 0, NULL);

            encodedPoint = (unsigned char *)
                OPENSSL_malloc(encodedlen * sizeof(unsigned char));
            bn_ctx = BN_CTX_new();
            if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       ERR_R_MALLOC_FAILURE);
                goto err;
            }

            encodedlen = EC_POINT_point2oct(group,
                                            EC_KEY_get0_public_key(ecdh),
                                            POINT_CONVERSION_UNCOMPRESSED,
                                            encodedPoint, encodedlen, bn_ctx);

            if (encodedlen == 0) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
                goto err;
            }

            BN_CTX_free(bn_ctx);
            bn_ctx = NULL;

            /*
             * XXX: For now, we only support named (not generic) curves in
             * ECDH ephemeral key exchanges. In this situation, we need four
             * additional bytes to encode the entire ServerECDHParams
             * structure.
             */
1842
            n += 4 + encodedlen;
1843 1844 1845 1846 1847 1848 1849 1850 1851 1852

            /*
             * We'll generate the serverKeyExchange message explicitly so we
             * can set these to NULLs
             */
            r[0] = NULL;
            r[1] = NULL;
            r[2] = NULL;
            r[3] = NULL;
        } else
1853
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1854
#ifndef OPENSSL_NO_SRP
1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867
        if (type & SSL_kSRP) {
            if ((s->srp_ctx.N == NULL) ||
                (s->srp_ctx.g == NULL) ||
                (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_MISSING_SRP_PARAM);
                goto err;
            }
            r[0] = s->srp_ctx.N;
            r[1] = s->srp_ctx.g;
            r[2] = s->srp_ctx.s;
            r[3] = s->srp_ctx.B;
        } else
B
Ben Laurie 已提交
1868
#endif
1869 1870 1871 1872 1873 1874 1875 1876
        {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
            goto f_err;
        }
        for (i = 0; i < 4 && r[i] != NULL; i++) {
            nr[i] = BN_num_bytes(r[i]);
B
Ben Laurie 已提交
1877
#ifndef OPENSSL_NO_SRP
1878 1879 1880
            if ((i == 2) && (type & SSL_kSRP))
                n += 1 + nr[i];
            else
B
Ben Laurie 已提交
1881
#endif
1882 1883 1884
                n += 2 + nr[i];
        }

1885 1886
        if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
            && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903
            if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
                == NULL) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            kn = EVP_PKEY_size(pkey);
        } else {
            pkey = NULL;
            kn = 0;
        }

        if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
            SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
            goto err;
        }
        d = p = ssl_handshake_start(s);

1904 1905 1906
#ifndef OPENSSL_NO_PSK
        if (type & SSL_PSK) {
            /* copy PSK identity hint */
1907 1908 1909 1910 1911
            if (s->cert->psk_identity_hint) {
                s2n(strlen(s->cert->psk_identity_hint), p);
                strncpy((char *)p, s->cert->psk_identity_hint,
                        strlen(s->cert->psk_identity_hint));
                p += strlen(s->cert->psk_identity_hint);
1912 1913 1914 1915 1916 1917
            } else {
                s2n(0, p);
            }
        }
#endif

1918
        for (i = 0; i < 4 && r[i] != NULL; i++) {
B
Ben Laurie 已提交
1919
#ifndef OPENSSL_NO_SRP
1920 1921 1922 1923
            if ((i == 2) && (type & SSL_kSRP)) {
                *p = nr[i];
                p++;
            } else
B
Ben Laurie 已提交
1924
#endif
1925 1926 1927 1928
                s2n(nr[i], p);
            BN_bn2bin(r[i], p);
            p += nr[i];
        }
1929

1930
#ifndef OPENSSL_NO_EC
1931
        if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945
            /*
             * XXX: For now, we only support named (not generic) curves. In
             * this situation, the serverKeyExchange message has: [1 byte
             * CurveType], [2 byte CurveName] [1 byte length of encoded
             * point], followed by the actual encoded point itself
             */
            *p = NAMED_CURVE_TYPE;
            p += 1;
            *p = 0;
            p += 1;
            *p = curve_id;
            p += 1;
            *p = encodedlen;
            p += 1;
1946
            memcpy(p, encodedPoint, encodedlen);
1947 1948 1949 1950
            OPENSSL_free(encodedPoint);
            encodedPoint = NULL;
            p += encodedlen;
        }
B
Bodo Möller 已提交
1951 1952
#endif

1953 1954 1955 1956 1957 1958
        /* not anonymous */
        if (pkey != NULL) {
            /*
             * n is the length of the params, they start at &(d[4]) and p
             * points to the space at the end.
             */
1959
#ifndef OPENSSL_NO_RSA
1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984
            if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
                q = md_buf;
                j = 0;
                for (num = 2; num > 0; num--) {
                    EVP_MD_CTX_set_flags(&md_ctx,
                                         EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                    EVP_DigestInit_ex(&md_ctx, (num == 2)
                                      ? s->ctx->md5 : s->ctx->sha1, NULL);
                    EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
                                     SSL3_RANDOM_SIZE);
                    EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
                                     SSL3_RANDOM_SIZE);
                    EVP_DigestUpdate(&md_ctx, d, n);
                    EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
                    q += i;
                    j += i;
                }
                if (RSA_sign(NID_md5_sha1, md_buf, j,
                             &(p[2]), &u, pkey->pkey.rsa) <= 0) {
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
                    goto err;
                }
                s2n(u, p);
                n += u + 2;
            } else
1985
#endif
1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997
            if (md) {
                /* send signature algorithm */
                if (SSL_USE_SIGALGS(s)) {
                    if (!tls12_get_sigandhash(p, pkey, md)) {
                        /* Should never happen */
                        al = SSL_AD_INTERNAL_ERROR;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                               ERR_R_INTERNAL_ERROR);
                        goto f_err;
                    }
                    p += 2;
                }
1998
#ifdef SSL_DEBUG
1999
                fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
2000
#endif
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
                EVP_SignInit_ex(&md_ctx, md, NULL);
                EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
                               SSL3_RANDOM_SIZE);
                EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
                               SSL3_RANDOM_SIZE);
                EVP_SignUpdate(&md_ctx, d, n);
                if (!EVP_SignFinal(&md_ctx, &(p[2]),
                                   (unsigned int *)&i, pkey)) {
                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
                    goto err;
                }
                s2n(i, p);
                n += i + 2;
                if (SSL_USE_SIGALGS(s))
                    n += 2;
            } else {
                /* Is this error check actually needed? */
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
                       SSL_R_UNKNOWN_PKEY_TYPE);
                goto f_err;
            }
        }

V
Viktor Dukhovni 已提交
2025
        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
M
Matt Caswell 已提交
2026 2027 2028 2029
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2030 2031 2032 2033 2034 2035 2036 2037
    }

    s->state = SSL3_ST_SW_KEY_EXCH_B;
    EVP_MD_CTX_cleanup(&md_ctx);
    return ssl_do_write(s);
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2038
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2039
    OPENSSL_free(encodedPoint);
2040
    BN_CTX_free(bn_ctx);
B
Bodo Möller 已提交
2041
#endif
2042
    EVP_MD_CTX_cleanup(&md_ctx);
M
Matt Caswell 已提交
2043
    s->state = SSL_ST_ERR;
2044 2045
    return (-1);
}
2046

B
Ben Laurie 已提交
2047
int ssl3_send_certificate_request(SSL *s)
2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096
{
    unsigned char *p, *d;
    int i, j, nl, off, n;
    STACK_OF(X509_NAME) *sk = NULL;
    X509_NAME *name;
    BUF_MEM *buf;

    if (s->state == SSL3_ST_SW_CERT_REQ_A) {
        buf = s->init_buf;

        d = p = ssl_handshake_start(s);

        /* get the list of acceptable cert types */
        p++;
        n = ssl3_get_req_cert_type(s, p);
        d[0] = n;
        p += n;
        n++;

        if (SSL_USE_SIGALGS(s)) {
            const unsigned char *psigs;
            unsigned char *etmp = p;
            nl = tls12_get_psigalgs(s, &psigs);
            /* Skip over length for now */
            p += 2;
            nl = tls12_copy_sigalgs(s, p, psigs, nl);
            /* Now fill in length */
            s2n(nl, etmp);
            p += nl;
            n += nl + 2;
        }

        off = n;
        p += 2;
        n += 2;

        sk = SSL_get_client_CA_list(s);
        nl = 0;
        if (sk != NULL) {
            for (i = 0; i < sk_X509_NAME_num(sk); i++) {
                name = sk_X509_NAME_value(sk, i);
                j = i2d_X509_NAME(name, NULL);
                if (!BUF_MEM_grow_clean
                    (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
                    SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
                           ERR_R_BUF_LIB);
                    goto err;
                }
                p = ssl_handshake_start(s) + n;
2097 2098 2099 2100
                s2n(j, p);
                i2d_X509_NAME(name, &p);
                n += 2 + j;
                nl += 2 + j;
2101 2102 2103 2104 2105 2106
            }
        }
        /* else no CA names */
        p = ssl_handshake_start(s) + off;
        s2n(nl, p);

V
Viktor Dukhovni 已提交
2107
        if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
M
Matt Caswell 已提交
2108 2109 2110
            SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
            return -1;
        }
2111

2112 2113
        s->state = SSL3_ST_SW_CERT_REQ_B;
    }
2114

2115 2116 2117
    /* SSL3_ST_SW_CERT_REQ_B */
    return ssl_do_write(s);
 err:
M
Matt Caswell 已提交
2118
    s->state = SSL_ST_ERR;
2119 2120
    return (-1);
}
2121

B
Ben Laurie 已提交
2122
int ssl3_get_client_key_exchange(SSL *s)
2123
{
2124 2125
    unsigned int i;
    int al, ok;
2126 2127
    long n;
    unsigned long alg_k;
2128
#ifndef OPENSSL_NO_RSA
2129 2130
    RSA *rsa = NULL;
    EVP_PKEY *pkey = NULL;
2131
#endif
2132
#ifndef OPENSSL_NO_DH
2133 2134
    BIGNUM *pub = NULL;
    DH *dh_srvr, *dh_clnt = NULL;
2135
#endif
2136
#ifndef OPENSSL_NO_EC
2137 2138 2139 2140
    EC_KEY *srvr_ecdh = NULL;
    EVP_PKEY *clnt_pub_pkey = NULL;
    EC_POINT *clnt_ecpoint = NULL;
    BN_CTX *bn_ctx = NULL;
B
Bodo Möller 已提交
2141
#endif
2142 2143
    PACKET pkt, enc_premaster;
    unsigned char *data, *rsa_decrypt = NULL;
B
Bodo Möller 已提交
2144

2145 2146 2147 2148
    n = s->method->ssl_get_message(s,
                                   SSL3_ST_SR_KEY_EXCH_A,
                                   SSL3_ST_SR_KEY_EXCH_B,
                                   SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
2149

2150 2151
    if (!ok)
        return ((int)n);
2152 2153 2154 2155 2156
    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }
2157

2158
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2159

2160 2161 2162 2163 2164
#ifndef OPENSSL_NO_PSK
    /* For PSK parse and retrieve identity, obtain PSK key */
    if (alg_k & SSL_PSK) {
        unsigned char psk[PSK_MAX_PSK_LEN];
        size_t psklen;
2165
	PACKET psk_identity;
2166

2167
        if (!PACKET_get_length_prefixed_2(&pkt, &psk_identity)) {
2168 2169 2170 2171
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }
2172
        if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_DATA_LENGTH_TOO_LONG);
            goto f_err;
        }
        if (s->psk_server_callback == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_PSK_NO_SERVER_CB);
            goto f_err;
        }

2185
        if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
2186
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2187
            al = SSL_AD_INTERNAL_ERROR;
2188 2189
            goto f_err;
        }
2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221

        psklen = s->psk_server_callback(s, s->session->psk_identity,
                                         psk, sizeof(psk));

        if (psklen > PSK_MAX_PSK_LEN) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        } else if (psklen == 0) {
            /*
             * PSK related to the given identity not found
             */
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_PSK_IDENTITY_NOT_FOUND);
            al = SSL_AD_UNKNOWN_PSK_IDENTITY;
            goto f_err;
        }

        OPENSSL_free(s->s3->tmp.psk);
        s->s3->tmp.psk = BUF_memdup(psk, psklen);
        OPENSSL_cleanse(psk, psklen);

        if (s->s3->tmp.psk == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }

        s->s3->tmp.psklen = psklen;
    }
    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
2222
        if (PACKET_remaining(&pkt) != 0) {
2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
    } else
#endif
2235
#ifndef OPENSSL_NO_RSA
2236
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267
        unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
        int decrypt_len;
        unsigned char decrypt_good, version_good;
        size_t j;

        /* FIX THIS UP EAY EAY EAY EAY */
        if (s->s3->tmp.use_rsa_tmp) {
            if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
                rsa = s->cert->rsa_tmp;
            /*
             * Don't do a callback because rsa_tmp should be sent already
             */
            if (rsa == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_RSA_PKEY);
                goto f_err;

            }
        } else {
            pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
            if ((pkey == NULL) ||
                (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_MISSING_RSA_CERTIFICATE);
                goto f_err;
            }
            rsa = pkey->pkey.rsa;
        }

2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278
        /* SSLv3 and pre-standard DTLS omit the length bytes. */
        if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
            enc_premaster = pkt;
        } else {
            PACKET orig = pkt;
            if (!PACKET_get_length_prefixed_2(&pkt, &enc_premaster)
                || PACKET_remaining(&pkt) != 0) {
                /* Try SSLv3 behaviour for TLS. */
                if (s->options & SSL_OP_TLS_D5_BUG) {
                    enc_premaster = orig;
                } else {
2279
                    al = SSL_AD_DECODE_ERROR;
2280
                    SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2281
                    goto f_err;
2282 2283
                }
            }
2284 2285 2286
        }

        /*
2287 2288 2289 2290
         * We want to be sure that the plaintext buffer size makes it safe to
         * iterate over the entire size of a premaster secret
         * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
         * their ciphertext cannot accommodate a premaster secret anyway.
2291
         */
2292 2293
        if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
            al = SSL_AD_INTERNAL_ERROR;
2294
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2295
                   RSA_R_KEY_SIZE_TOO_SMALL);
2296 2297 2298
            goto f_err;
        }

2299 2300
        rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
        if (rsa_decrypt == NULL) {
2301
            al = SSL_AD_INTERNAL_ERROR;
2302
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2303 2304
            goto f_err;
        }
2305

2306 2307 2308 2309 2310 2311 2312 2313
        /*
         * We must not leak whether a decryption failure occurs because of
         * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
         * section 7.4.7.1). The code follows that advice of the TLS RFC and
         * generates a random premaster secret for the case that the decrypt
         * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
         */

M
Matt Caswell 已提交
2314
        if (RAND_bytes(rand_premaster_secret,
2315
                       sizeof(rand_premaster_secret)) <= 0) {
2316
            goto err;
2317 2318 2319 2320 2321
        }

        decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
                                          PACKET_data(&enc_premaster),
                                          rsa_decrypt, rsa, RSA_PKCS1_PADDING);
2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339
        ERR_clear_error();

        /*
         * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
         * be 0xff if so and zero otherwise.
         */
        decrypt_good =
            constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);

        /*
         * If the version in the decrypted pre-master secret is correct then
         * version_good will be 0xff, otherwise it'll be zero. The
         * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
         * (http://eprint.iacr.org/2003/052/) exploits the version number
         * check as a "bad version oracle". Thus version checks are done in
         * constant time and are treated like any other decryption error.
         */
        version_good =
2340 2341
            constant_time_eq_8(rsa_decrypt[0],
                               (unsigned)(s->client_version >> 8));
2342
        version_good &=
2343 2344
            constant_time_eq_8(rsa_decrypt[1],
                               (unsigned)(s->client_version & 0xff));
2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357

        /*
         * The premaster secret must contain the same version number as the
         * ClientHello to detect version rollback attacks (strangely, the
         * protocol does not offer such protection for DH ciphersuites).
         * However, buggy clients exist that send the negotiated protocol
         * version instead if the server does not support the requested
         * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
         * clients.
         */
        if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
            unsigned char workaround_good;
            workaround_good =
2358
                constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
2359
            workaround_good &=
2360 2361
                constant_time_eq_8(rsa_decrypt[1],
                                   (unsigned)(s->version & 0xff));
2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377
            version_good |= workaround_good;
        }

        /*
         * Both decryption and version must be good for decrypt_good to
         * remain non-zero (0xff).
         */
        decrypt_good &= version_good;

        /*
         * Now copy rand_premaster_secret over from p using
         * decrypt_good_mask. If decryption failed, then p does not
         * contain valid plaintext, however, a check above guarantees
         * it is still sufficiently large to read from.
         */
        for (j = 0; j < sizeof(rand_premaster_secret); j++) {
2378 2379 2380
            rsa_decrypt[j] =
                constant_time_select_8(decrypt_good, rsa_decrypt[j],
                                       rand_premaster_secret[j]);
2381 2382
        }

2383 2384
        if (!ssl_generate_master_secret(s, rsa_decrypt,
                                        sizeof(rand_premaster_secret), 0)) {
M
Matt Caswell 已提交
2385 2386 2387 2388
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2389 2390
        OPENSSL_free(rsa_decrypt);
        rsa_decrypt = NULL;
2391
    } else
U
Ulf Möller 已提交
2392
#endif
2393
#ifndef OPENSSL_NO_DH
2394
    if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd | SSL_kDHEPSK)) {
2395 2396
        int idx = -1;
        EVP_PKEY *skey = NULL;
2397
        PACKET bookmark = pkt;
2398 2399 2400
        unsigned char shared[(OPENSSL_DH_MAX_MODULUS_BITS + 7) / 8];

        if (!PACKET_get_net_2(&pkt, &i)) {
2401
            if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
M
Matt Caswell 已提交
2402 2403 2404 2405 2406
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto f_err;
            }
2407
            i = 0;
M
Matt Caswell 已提交
2408
        }
2409
        if (PACKET_remaining(&pkt) != i) {
2410 2411 2412 2413 2414
            if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto err;
            } else {
2415
                pkt = bookmark;
2416
                i = PACKET_remaining(&pkt);
2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455
            }
        }
        if (alg_k & SSL_kDHr)
            idx = SSL_PKEY_DH_RSA;
        else if (alg_k & SSL_kDHd)
            idx = SSL_PKEY_DH_DSA;
        if (idx >= 0) {
            skey = s->cert->pkeys[idx].privatekey;
            if ((skey == NULL) ||
                (skey->type != EVP_PKEY_DH) || (skey->pkey.dh == NULL)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_MISSING_RSA_CERTIFICATE);
                goto f_err;
            }
            dh_srvr = skey->pkey.dh;
        } else if (s->s3->tmp.dh == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        } else
            dh_srvr = s->s3->tmp.dh;

        if (n == 0L) {
            /* Get pubkey from cert */
            EVP_PKEY *clkey = X509_get_pubkey(s->session->peer);
            if (clkey) {
                if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
                    dh_clnt = EVP_PKEY_get1_DH(clkey);
            }
            if (dh_clnt == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_DH_KEY);
                goto f_err;
            }
            EVP_PKEY_free(clkey);
            pub = dh_clnt->pub_key;
2456 2457 2458 2459 2460 2461 2462 2463 2464 2465
        } else {
            if (!PACKET_get_bytes(&pkt, &data, i)) {
                /* We already checked we have enough data */
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pub = BN_bin2bn(data, i, NULL);
        }
2466 2467 2468 2469 2470
        if (pub == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
            goto err;
        }

2471
        i = DH_compute_key(shared, pub, dh_srvr);
2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485

        if (i <= 0) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
            BN_clear_free(pub);
            goto err;
        }

        DH_free(s->s3->tmp.dh);
        s->s3->tmp.dh = NULL;
        if (dh_clnt)
            DH_free(dh_clnt);
        else
            BN_clear_free(pub);
        pub = NULL;
2486
        if (!ssl_generate_master_secret(s, shared, i, 0)) {
M
Matt Caswell 已提交
2487 2488 2489 2490
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2491 2492 2493
        if (dh_clnt)
            return 2;
    } else
2494
#endif
B
Bodo Möller 已提交
2495

2496
#ifndef OPENSSL_NO_EC
2497
    if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
2498 2499 2500 2501 2502
        int ret = 1;
        int field_size = 0;
        const EC_KEY *tkey;
        const EC_GROUP *group;
        const BIGNUM *priv_key;
2503
        unsigned char *shared;
2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540

        /* initialize structures for server's ECDH key pair */
        if ((srvr_ecdh = EC_KEY_new()) == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
        }

        /* Let's get server private key and group information */
        if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
            /* use the certificate */
            tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
        } else {
            /*
             * use the ephermeral values we saved when generating the
             * ServerKeyExchange msg.
             */
            tkey = s->s3->tmp.ecdh;
        }

        group = EC_KEY_get0_group(tkey);
        priv_key = EC_KEY_get0_private_key(tkey);

        if (!EC_KEY_set_group(srvr_ecdh, group) ||
            !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
            goto err;
        }

        /* Let's get client's public key */
        if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
        }

        if (n == 0L) {
            /* Client Publickey was in Client Certificate */

2541
            if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_MISSING_TMP_ECDH_KEY);
                goto f_err;
            }
            if (((clnt_pub_pkey = X509_get_pubkey(s->session->peer))
                 == NULL) || (clnt_pub_pkey->type != EVP_PKEY_EC)) {
                /*
                 * XXX: For now, we do not support client authentication
                 * using ECDH certificates so this branch (n == 0L) of the
                 * code is never executed. When that support is added, we
                 * ought to ensure the key received in the certificate is
                 * authorized for key agreement. ECDH_compute_key implicitly
                 * checks that the two ECDH shares are for the same group.
                 */
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
                goto f_err;
            }

            if (EC_POINT_copy(clnt_ecpoint,
                              EC_KEY_get0_public_key(clnt_pub_pkey->
                                                     pkey.ec)) == 0) {
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                goto err;
            }
            ret = 2;            /* Skip certificate verify processing */
        } else {
            /*
             * Get client's public key from encoded point in the
             * ClientKeyExchange message.
             */
            if ((bn_ctx = BN_CTX_new()) == NULL) {
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       ERR_R_MALLOC_FAILURE);
                goto err;
            }

            /* Get encoded point length */
2582 2583 2584 2585 2586 2587 2588 2589
            if (!PACKET_get_1(&pkt, &i)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
            if (!PACKET_get_bytes(&pkt, &data, i)
                    || PACKET_remaining(&pkt) != 0) {
2590 2591 2592
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                goto err;
            }
2593
            if (EC_POINT_oct2point(group, clnt_ecpoint, data, i, bn_ctx) == 0) {
2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604
                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                goto err;
            }
        }

        /* Compute the shared pre-master secret */
        field_size = EC_GROUP_get_degree(group);
        if (field_size <= 0) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
            goto err;
        }
2605 2606 2607 2608 2609 2610 2611
        shared = OPENSSL_malloc((field_size + 7) / 8);
        if (shared == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        i = ECDH_compute_key(shared, (field_size + 7) / 8, clnt_ecpoint,
                             srvr_ecdh, NULL);
2612 2613
        if (i <= 0) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2614
            OPENSSL_free(shared);
2615 2616 2617 2618 2619 2620 2621 2622 2623 2624
            goto err;
        }

        EVP_PKEY_free(clnt_pub_pkey);
        EC_POINT_free(clnt_ecpoint);
        EC_KEY_free(srvr_ecdh);
        BN_CTX_free(bn_ctx);
        EC_KEY_free(s->s3->tmp.ecdh);
        s->s3->tmp.ecdh = NULL;

2625
        if (!ssl_generate_master_secret(s, shared, i, 1)) {
M
Matt Caswell 已提交
2626 2627 2628 2629
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2630 2631
        return (ret);
    } else
2632
#endif
B
Ben Laurie 已提交
2633
#ifndef OPENSSL_NO_SRP
2634
    if (alg_k & SSL_kSRP) {
2635 2636
        if (!PACKET_get_net_2(&pkt, &i)
                || !PACKET_get_bytes(&pkt, &data, i)) {
2637
            al = SSL_AD_DECODE_ERROR;
2638
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2639 2640
            goto f_err;
        }
2641
        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
2642 2643 2644 2645 2646 2647 2648 2649 2650 2651
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
            goto err;
        }
        if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
            || BN_is_zero(s->srp_ctx.A)) {
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_BAD_SRP_PARAMETERS);
            goto f_err;
        }
R
Rich Salz 已提交
2652
        OPENSSL_free(s->session->srp_username);
2653 2654 2655 2656 2657 2658
        s->session->srp_username = BUF_strdup(s->srp_ctx.login);
        if (s->session->srp_username == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
        }

2659
        if (!srp_generate_server_master_secret(s)) {
2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto err;
        }
    } else
#endif                          /* OPENSSL_NO_SRP */
    if (alg_k & SSL_kGOST) {
        int ret = 0;
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
        unsigned char premaster_secret[32], *start;
        size_t outlen = 32, inlen;
        unsigned long alg_a;
        int Ttag, Tclass;
        long Tlen;

        /* Get our certificate private key */
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
R
Rich Salz 已提交
2677
        if (alg_a & SSL_aGOST01)
2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;

        pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
        EVP_PKEY_decrypt_init(pkey_ctx);
        /*
         * If client certificate is present and is of the same type, maybe
         * use it for key exchange.  Don't mind errors from
         * EVP_PKEY_derive_set_peer, because it is completely valid to use a
         * client certificate for authorization only.
         */
        client_pub_pkey = X509_get_pubkey(s->session->peer);
        if (client_pub_pkey) {
            if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
                ERR_clear_error();
        }
        /* Decrypt session key */
2694 2695 2696 2697 2698
        if (!PACKET_get_bytes(&pkt, &data, n)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2699
        if (ASN1_get_object
2700
            ((const unsigned char **)&data, &Tlen, &Ttag, &Tclass,
2701 2702 2703 2704 2705 2706
             n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE
            || Tclass != V_ASN1_UNIVERSAL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
2707
        start = data;
2708 2709 2710 2711 2712 2713 2714 2715
        inlen = Tlen;
        if (EVP_PKEY_decrypt
            (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        /* Generate master secret */
2716 2717
        if (!ssl_generate_master_secret(s, premaster_secret,
                                        sizeof(premaster_secret), 0)) {
M
Matt Caswell 已提交
2718 2719 2720 2721
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl
            (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
            ret = 2;
        else
            ret = 1;
 gerr:
        EVP_PKEY_free(client_pub_pkey);
        EVP_PKEY_CTX_free(pkey_ctx);
        if (ret)
            return ret;
R
Rich Salz 已提交
2733
        goto err;
2734 2735 2736 2737 2738 2739 2740 2741 2742
    } else {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
        goto f_err;
    }

    return (1);
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2743
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
2744
 err:
B
Bodo Möller 已提交
2745
#endif
2746
#ifndef OPENSSL_NO_EC
2747 2748
    EVP_PKEY_free(clnt_pub_pkey);
    EC_POINT_free(clnt_ecpoint);
R
Rich Salz 已提交
2749
    EC_KEY_free(srvr_ecdh);
2750
    BN_CTX_free(bn_ctx);
2751
    OPENSSL_free(rsa_decrypt);
2752 2753 2754 2755
#endif
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2756
#endif
M
Matt Caswell 已提交
2757
    s->state = SSL_ST_ERR;
2758 2759
    return (-1);
}
2760

B
Ben Laurie 已提交
2761
int ssl3_get_cert_verify(SSL *s)
2762 2763
{
    EVP_PKEY *pkey = NULL;
2764
    unsigned char *sig, *data;
2765 2766 2767
    int al, ok, ret = 0;
    long n;
    int type = 0, i, j;
2768
    unsigned int len;
2769 2770 2771
    X509 *peer;
    const EVP_MD *md = NULL;
    EVP_MD_CTX mctx;
2772
    PACKET pkt;
2773 2774
    EVP_MD_CTX_init(&mctx);

2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787
    /*
     * We should only process a CertificateVerify message if we have received
     * a Certificate from the client. If so then |s->session->peer| will be non
     * NULL. In some instances a CertificateVerify message is not required even
     * if the peer has sent a Certificate (e.g. such as in the case of static
     * DH). In that case the ClientKeyExchange processing will skip the
     * CertificateVerify state so we should not arrive here.
     */
    if (s->session->peer == NULL) {
        ret = 1;
        goto end;
    }

2788 2789 2790
    n = s->method->ssl_get_message(s,
                                   SSL3_ST_SR_CERT_VRFY_A,
                                   SSL3_ST_SR_CERT_VRFY_B,
2791 2792
                                   SSL3_MT_CERTIFICATE_VERIFY,
                                   SSL3_RT_MAX_PLAIN_LENGTH, &ok);
2793 2794 2795 2796

    if (!ok)
        return ((int)n);

2797 2798 2799
    peer = s->session->peer;
    pkey = X509_get_pubkey(peer);
    type = X509_certificate_type(peer, pkey);
2800 2801 2802 2803 2804 2805 2806 2807 2808

    if (!(type & EVP_PKT_SIGN)) {
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* we now have a signature that we need to verify */
2809 2810 2811 2812 2813
    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
2814 2815 2816 2817 2818
    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
     * length field
     */
R
Rich Salz 已提交
2819
    if (n == 64 && pkey->type == NID_id_GostR3410_2001) {
2820
        len = 64;
2821 2822
    } else {
        if (SSL_USE_SIGALGS(s)) {
2823 2824 2825 2826 2827 2828 2829
            int rv;

            if (!PACKET_get_bytes(&pkt, &sig, 2)) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
2830 2831 2832 2833 2834 2835 2836
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
D
Dr. Stephen Henson 已提交
2837
#ifdef SSL_DEBUG
2838
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2839
#endif
2840
        }
2841
        if (!PACKET_get_net_2(&pkt, &len)) {
2842 2843 2844 2845 2846 2847
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    j = EVP_PKEY_size(pkey);
2848
    if (((int)len > j) || ((int)PACKET_remaining(&pkt) > j) || (n <= 0)) {
2849 2850 2851 2852
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2853 2854 2855 2856 2857
    if (!PACKET_get_bytes(&pkt, &data, len)) {
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2858 2859 2860 2861 2862 2863 2864 2865 2866 2867

    if (SSL_USE_SIGALGS(s)) {
        long hdatalen = 0;
        void *hdata;
        hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
        if (hdatalen <= 0) {
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
            al = SSL_AD_INTERNAL_ERROR;
            goto f_err;
        }
D
Dr. Stephen Henson 已提交
2868
#ifdef SSL_DEBUG
2869 2870
        fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
                EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2871
#endif
2872 2873 2874 2875 2876 2877 2878
        if (!EVP_VerifyInit_ex(&mctx, md, NULL)
            || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
            al = SSL_AD_INTERNAL_ERROR;
            goto f_err;
        }

2879
        if (EVP_VerifyFinal(&mctx, data, len, pkey) <= 0) {
2880 2881 2882 2883 2884 2885 2886 2887
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
            goto f_err;
        }
    } else
#ifndef OPENSSL_NO_RSA
    if (pkey->type == EVP_PKEY_RSA) {
        i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
2888
                       MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, data, len,
2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900
                       pkey->pkey.rsa);
        if (i < 0) {
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
            goto f_err;
        }
        if (i == 0) {
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
            goto f_err;
        }
    } else
2901
#endif
2902
#ifndef OPENSSL_NO_DSA
2903 2904 2905
    if (pkey->type == EVP_PKEY_DSA) {
        j = DSA_verify(pkey->save_type,
                       &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2906
                       SHA_DIGEST_LENGTH, data, len, pkey->pkey.dsa);
2907 2908 2909 2910 2911 2912 2913
        if (j <= 0) {
            /* bad signature */
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
            goto f_err;
        }
    } else
B
Bodo Möller 已提交
2914
#endif
2915
#ifndef OPENSSL_NO_EC
2916 2917 2918
    if (pkey->type == EVP_PKEY_EC) {
        j = ECDSA_verify(pkey->save_type,
                         &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2919
                         SHA_DIGEST_LENGTH, data, len, pkey->pkey.ec);
2920 2921 2922 2923 2924 2925 2926
        if (j <= 0) {
            /* bad signature */
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
            goto f_err;
        }
    } else
2927
#endif
R
Rich Salz 已提交
2928
    if (pkey->type == NID_id_GostR3410_2001) {
2929 2930 2931 2932
        unsigned char signature[64];
        int idx;
        EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
        EVP_PKEY_verify_init(pctx);
2933 2934
        if (len != 64) {
            fprintf(stderr, "GOST signature length is %d", len);
2935 2936
        }
        for (idx = 0; idx < 64; idx++) {
2937
            signature[63 - idx] = data[idx];
2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956
        }
        j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md,
                            32);
        EVP_PKEY_CTX_free(pctx);
        if (j <= 0) {
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
            goto f_err;
        }
    } else {
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_UNSUPPORTED_CERTIFICATE;
        goto f_err;
    }

    ret = 1;
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2957
        s->state = SSL_ST_ERR;
2958 2959
    }
 end:
R
Rich Salz 已提交
2960 2961
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
2962 2963 2964 2965
    EVP_MD_CTX_cleanup(&mctx);
    EVP_PKEY_free(pkey);
    return (ret);
}
2966

B
Ben Laurie 已提交
2967
int ssl3_get_client_certificate(SSL *s)
2968 2969 2970
{
    int i, ok, al, ret = -1;
    X509 *x = NULL;
2971 2972 2973
    unsigned long l, llen, n;
    const unsigned char *certstart;
    unsigned char *certbytes;
2974
    STACK_OF(X509) *sk = NULL;
2975
    PACKET pkt, spkt;
2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010

    n = s->method->ssl_get_message(s,
                                   SSL3_ST_SR_CERT_A,
                                   SSL3_ST_SR_CERT_B,
                                   -1, s->max_cert_list, &ok);

    if (!ok)
        return ((int)n);

    if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
        if ((s->verify_mode & SSL_VERIFY_PEER) &&
            (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /*
         * If tls asked for a client cert, the client must return a 0 list
         */
        if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
            al = SSL_AD_UNEXPECTED_MESSAGE;
            goto f_err;
        }
        s->s3->tmp.reuse_message = 1;
        return (1);
    }

    if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
        al = SSL_AD_UNEXPECTED_MESSAGE;
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
        goto f_err;
    }
3011 3012 3013 3014 3015 3016

    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }
3017 3018 3019

    if ((sk = sk_X509_new_null()) == NULL) {
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
R
Rich Salz 已提交
3020
        goto done;
3021 3022
    }

3023 3024 3025
    if (!PACKET_get_net_3(&pkt, &llen)
            || !PACKET_get_sub_packet(&pkt, &spkt, llen)
            || PACKET_remaining(&pkt) != 0) {
3026 3027 3028 3029
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }
3030 3031 3032 3033

    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3034 3035 3036 3037 3038 3039
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

3040 3041
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3042 3043
        if (x == NULL) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
R
Rich Salz 已提交
3044
            goto done;
3045
        }
3046
        if (certbytes != (certstart + l)) {
3047 3048 3049 3050 3051 3052 3053
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
R
Rich Salz 已提交
3054
            goto done;
3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
3076
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103
            al = SSL_AD_INTERNAL_ERROR;
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, i);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        pkey = X509_get_pubkey(sk_X509_value(sk, 0));
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
        EVP_PKEY_free(pkey);
    }

R
Rich Salz 已提交
3104
    X509_free(s->session->peer);
3105 3106 3107
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3108 3109
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3110 3111 3112 3113 3114 3115
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in s3_clnt.c
     */
    sk = NULL;
    ret = 1;
R
Rich Salz 已提交
3116 3117
    goto done;

3118
 f_err:
R
Rich Salz 已提交
3119 3120
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 done:
M
Matt Caswell 已提交
3121
    s->state = SSL_ST_ERR;
R
Rich Salz 已提交
3122 3123
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
3124 3125
    return (ret);
}
3126

U
Ulf Möller 已提交
3127
int ssl3_send_server_certificate(SSL *s)
3128 3129 3130 3131 3132 3133
{
    CERT_PKEY *cpk;

    if (s->state == SSL3_ST_SW_CERT_A) {
        cpk = ssl_get_server_send_pkey(s);
        if (cpk == NULL) {
3134 3135 3136
            SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
            s->state = SSL_ST_ERR;
            return (0);
3137 3138 3139 3140
        }

        if (!ssl3_output_cert_chain(s, cpk)) {
            SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3141
            s->state = SSL_ST_ERR;
3142 3143 3144 3145 3146 3147 3148 3149
            return (0);
        }
        s->state = SSL3_ST_SW_CERT_B;
    }

    /* SSL3_ST_SW_CERT_B */
    return ssl_do_write(s);
}
B
Bodo Möller 已提交
3150 3151

/* send a new session ticket (not necessarily for a new session) */
3152
int ssl3_send_newsession_ticket(SSL *s)
3153
{
M
Matt Caswell 已提交
3154 3155 3156 3157
    unsigned char *senc = NULL;
    EVP_CIPHER_CTX ctx;
    HMAC_CTX hctx;

3158
    if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
M
Matt Caswell 已提交
3159
        unsigned char *p, *macstart;
3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173
        const unsigned char *const_p;
        int len, slen_full, slen;
        SSL_SESSION *sess;
        unsigned int hlen;
        SSL_CTX *tctx = s->initial_ctx;
        unsigned char iv[EVP_MAX_IV_LENGTH];
        unsigned char key_name[16];

        /* get session encoding length */
        slen_full = i2d_SSL_SESSION(s->session, NULL);
        /*
         * Some length values are 16 bits, so forget it if session is too
         * long
         */
M
Matt Caswell 已提交
3174 3175
        if (slen_full == 0 || slen_full > 0xFF00) {
            s->state = SSL_ST_ERR;
3176
            return -1;
M
Matt Caswell 已提交
3177
        }
3178
        senc = OPENSSL_malloc(slen_full);
M
Matt Caswell 已提交
3179 3180
        if (!senc) {
            s->state = SSL_ST_ERR;
3181
            return -1;
M
Matt Caswell 已提交
3182
        }
M
Matt Caswell 已提交
3183 3184 3185 3186

        EVP_CIPHER_CTX_init(&ctx);
        HMAC_CTX_init(&hctx);

3187
        p = senc;
M
Matt Caswell 已提交
3188 3189
        if (!i2d_SSL_SESSION(s->session, &p))
            goto err;
3190 3191 3192 3193 3194 3195

        /*
         * create a fresh copy (not shared with other threads) to clean up
         */
        const_p = senc;
        sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
M
Matt Caswell 已提交
3196 3197
        if (sess == NULL)
            goto err;
3198 3199 3200
        sess->session_id_length = 0; /* ID is irrelevant for the ticket */

        slen = i2d_SSL_SESSION(sess, NULL);
M
Matt Caswell 已提交
3201 3202 3203
        if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
            SSL_SESSION_free(sess);
            goto err;
3204 3205
        }
        p = senc;
M
Matt Caswell 已提交
3206 3207 3208 3209
        if (!i2d_SSL_SESSION(sess, &p)) {
            SSL_SESSION_free(sess);
            goto err;
        }
3210 3211
        SSL_SESSION_free(sess);

3212 3213 3214 3215 3216 3217 3218 3219
        /*-
         * Grow buffer if need be: the length calculation is as
         * follows handshake_header_length +
         * 4 (ticket lifetime hint) + 2 (ticket length) +
         * 16 (key name) + max_iv_len (iv length) +
         * session_length + max_enc_block_size (max encrypted session
         * length) + max_md_size (HMAC).
         */
3220 3221 3222
        if (!BUF_MEM_grow(s->init_buf,
                          SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
                          EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
M
Matt Caswell 已提交
3223 3224
            goto err;

3225 3226 3227 3228 3229 3230 3231
        p = ssl_handshake_start(s);
        /*
         * Initialize HMAC and cipher contexts. If callback present it does
         * all the work otherwise use generated values from parent ctx.
         */
        if (tctx->tlsext_ticket_key_cb) {
            if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
M
Matt Caswell 已提交
3232 3233
                                           &hctx, 1) < 0)
                goto err;
3234
        } else {
M
Matt Caswell 已提交
3235 3236 3237 3238 3239 3240 3241 3242
            if (RAND_bytes(iv, 16) <= 0)
                goto err;
            if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
                                    tctx->tlsext_tick_aes_key, iv))
                goto err;
            if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
                              EVP_sha256(), NULL))
                goto err;
3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262
            memcpy(key_name, tctx->tlsext_tick_key_name, 16);
        }

        /*
         * Ticket lifetime hint (advisory only): We leave this unspecified
         * for resumed session (for simplicity), and guess that tickets for
         * new sessions will live as long as their sessions.
         */
        l2n(s->hit ? 0 : s->session->timeout, p);

        /* Skip ticket length for now */
        p += 2;
        /* Output key name */
        macstart = p;
        memcpy(p, key_name, 16);
        p += 16;
        /* output IV */
        memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
        p += EVP_CIPHER_CTX_iv_length(&ctx);
        /* Encrypt session data */
M
Matt Caswell 已提交
3263 3264
        if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
            goto err;
3265
        p += len;
M
Matt Caswell 已提交
3266 3267
        if (!EVP_EncryptFinal(&ctx, p, &len))
            goto err;
3268 3269
        p += len;

M
Matt Caswell 已提交
3270 3271 3272 3273 3274 3275
        if (!HMAC_Update(&hctx, macstart, p - macstart))
            goto err;
        if (!HMAC_Final(&hctx, p, &hlen))
            goto err;

        EVP_CIPHER_CTX_cleanup(&ctx);
3276 3277 3278 3279 3280 3281 3282 3283 3284
        HMAC_CTX_cleanup(&hctx);

        p += hlen;
        /* Now write out lengths: p points to end of data written */
        /* Total length */
        len = p - ssl_handshake_start(s);
        /* Skip ticket lifetime hint */
        p = ssl_handshake_start(s) + 4;
        s2n(len - 6, p);
V
Viktor Dukhovni 已提交
3285
        if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
3286
            goto err;
3287 3288 3289 3290 3291 3292
        s->state = SSL3_ST_SW_SESSION_TICKET_B;
        OPENSSL_free(senc);
    }

    /* SSL3_ST_SW_SESSION_TICKET_B */
    return ssl_do_write(s);
M
Matt Caswell 已提交
3293
 err:
R
Rich Salz 已提交
3294
    OPENSSL_free(senc);
M
Matt Caswell 已提交
3295 3296
    EVP_CIPHER_CTX_cleanup(&ctx);
    HMAC_CTX_cleanup(&hctx);
M
Matt Caswell 已提交
3297
    s->state = SSL_ST_ERR;
M
Matt Caswell 已提交
3298
    return -1;
3299
}
3300 3301

int ssl3_send_cert_status(SSL *s)
3302 3303 3304
{
    if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
        unsigned char *p;
3305 3306 3307 3308 3309 3310
        /*-
         * Grow buffer if need be: the length calculation is as
         * follows 1 (message type) + 3 (message length) +
         * 1 (ocsp response type) + 3 (ocsp response length)
         * + (ocsp response)
         */
M
Matt Caswell 已提交
3311 3312
        if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
            s->state = SSL_ST_ERR;
3313
            return -1;
M
Matt Caswell 已提交
3314
        }
3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336

        p = (unsigned char *)s->init_buf->data;

        /* do the header */
        *(p++) = SSL3_MT_CERTIFICATE_STATUS;
        /* message length */
        l2n3(s->tlsext_ocsp_resplen + 4, p);
        /* status type */
        *(p++) = s->tlsext_status_type;
        /* length of OCSP response */
        l2n3(s->tlsext_ocsp_resplen, p);
        /* actual response */
        memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
        /* number of bytes to write */
        s->init_num = 8 + s->tlsext_ocsp_resplen;
        s->state = SSL3_ST_SW_CERT_STATUS_B;
        s->init_off = 0;
    }

    /* SSL3_ST_SW_CERT_STATUS_B */
    return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
}
B
Ben Laurie 已提交
3337

3338
#ifndef OPENSSL_NO_NEXTPROTONEG
3339 3340 3341 3342
/*
 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
B
Ben Laurie 已提交
3343
int ssl3_get_next_proto(SSL *s)
3344 3345 3346
{
    int ok;
    long n;
3347 3348
    PACKET pkt, next_proto, padding;
    size_t next_proto_len;
3349 3350 3351 3352 3353 3354 3355 3356

    /*
     * Clients cannot send a NextProtocol message if we didn't see the
     * extension in their ClientHello
     */
    if (!s->s3->next_proto_neg_seen) {
        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
               SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
M
Matt Caswell 已提交
3357
        s->state = SSL_ST_ERR;
3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376
        return -1;
    }

    /* See the payload format below */
    n = s->method->ssl_get_message(s,
                                   SSL3_ST_SR_NEXT_PROTO_A,
                                   SSL3_ST_SR_NEXT_PROTO_B,
                                   SSL3_MT_NEXT_PROTO, 514, &ok);

    if (!ok)
        return ((int)n);

    /*
     * s->state doesn't reflect whether ChangeCipherSpec has been received in
     * this handshake, but s->s3->change_cipher_spec does (will be reset by
     * ssl3_get_finished).
     */
    if (!s->s3->change_cipher_spec) {
        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
M
Matt Caswell 已提交
3377
        s->state = SSL_ST_ERR;
3378 3379 3380
        return -1;
    }

M
Matt Caswell 已提交
3381
    if (n < 2) {
M
Matt Caswell 已提交
3382
        goto err;               /* The body must be > 1 bytes long */
M
Matt Caswell 已提交
3383
    }
3384

M
Matt Caswell 已提交
3385 3386 3387 3388
    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
3389

3390 3391 3392 3393 3394 3395 3396
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3397 3398 3399
    if (!PACKET_get_length_prefixed_1(&pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(&pkt, &padding)
        || PACKET_remaining(&pkt) > 0) {
M
Matt Caswell 已提交
3400 3401
        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
        goto err;
M
Matt Caswell 已提交
3402
    }
3403

3404 3405 3406
    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
                       &next_proto_len)) {
        s->next_proto_negotiated_len = 0;
M
Matt Caswell 已提交
3407 3408 3409
        goto err;
    }

3410
    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
3411 3412

    return 1;
M
Matt Caswell 已提交
3413 3414 3415
err:
    s->state = SSL_ST_ERR;
    return 0;
3416
}
3417
#endif
M
Matt Caswell 已提交
3418 3419 3420

#define SSLV2_CIPHER_LEN    3

3421 3422
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3423
                                               STACK_OF(SSL_CIPHER) **skp,
3424 3425
                                               int sslv2format, int *al
                                               )
M
Matt Caswell 已提交
3426 3427 3428
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3429 3430 3431
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3432

3433 3434 3435 3436 3437 3438 3439 3440
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3441
    }
3442 3443

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3444 3445
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3446 3447
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3448
    }
3449

M
Matt Caswell 已提交
3450 3451 3452 3453
    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
        if(sk == NULL) {
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3454
            *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3455 3456 3457 3458 3459 3460 3461
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

3462 3463 3464
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3465 3466 3467
        goto err;
    }

3468 3469
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3470 3471 3472
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3473 3474 3475 3476
         */
        if (sslv2format && cipher[0] != '\0')
                continue;

M
Matt Caswell 已提交
3477
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3478 3479
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3480 3481 3482 3483
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3484
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3485 3486 3487 3488 3489 3490 3491 3492 3493 3494
                goto err;
            }
            s->s3->send_connection_binding = 1;
#ifdef OPENSSL_RI_DEBUG
            fprintf(stderr, "SCSV received by server\n");
#endif
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3495 3496
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3497 3498 3499 3500 3501 3502 3503 3504
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
            if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3505
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3506 3507 3508 3509 3510
                goto err;
            }
            continue;
        }

3511 3512
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3513 3514 3515
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3516
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3517 3518 3519 3520
                goto err;
            }
        }
    }
3521 3522 3523 3524 3525
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3526 3527 3528 3529 3530 3531 3532

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
3533
    return NULL;
M
Matt Caswell 已提交
3534
}