1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124 /* ====================================================================
125  * Copyright 2005 Nokia. All rights reserved.
126  *
127  * The portions of the attached software ("Contribution") is developed by
128  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129  * license.
130  *
131  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133  * support (see RFC 4279) to OpenSSL.
134  *
135  * No patent licenses or other rights except those expressly stated in
136  * the OpenSSL open source license shall be deemed granted or received
137  * expressly, by implication, estoppel, or otherwise.
138  *
139  * No assurances are provided by Nokia that the Contribution does not
140  * infringe the patent or other intellectual property rights of any third
141  * party or that the license provides you with all the necessary rights
142  * to make use of the Contribution.
143  *
144  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148  * OTHERWISE.
149  */
150 
151 #include <assert.h>
152 #include <stdio.h>
153 #include <string.h>
154 
155 #include <openssl/buf.h>
156 #include <openssl/bytestring.h>
157 #include <openssl/rand.h>
158 #include <openssl/obj.h>
159 #include <openssl/err.h>
160 #include <openssl/evp.h>
161 #include <openssl/mem.h>
162 #include <openssl/md5.h>
163 #include <openssl/dh.h>
164 #include <openssl/bn.h>
165 #include <openssl/x509.h>
166 
167 #include "internal.h"
168 #include "../crypto/dh/internal.h"
169 
170 
ssl3_connect(SSL * s)171 int ssl3_connect(SSL *s) {
172   BUF_MEM *buf = NULL;
173   void (*cb)(const SSL *ssl, int type, int val) = NULL;
174   int ret = -1;
175   int new_state, state, skip = 0;
176 
177   assert(s->handshake_func == ssl3_connect);
178   assert(!s->server);
179   assert(!SSL_IS_DTLS(s));
180 
181   ERR_clear_error();
182   ERR_clear_system_error();
183 
184   if (s->info_callback != NULL) {
185     cb = s->info_callback;
186   } else if (s->ctx->info_callback != NULL) {
187     cb = s->ctx->info_callback;
188   }
189 
190   s->in_handshake++;
191 
192   for (;;) {
193     state = s->state;
194 
195     switch (s->state) {
196       case SSL_ST_CONNECT:
197         if (cb != NULL) {
198           cb(s, SSL_CB_HANDSHAKE_START, 1);
199         }
200 
201         if (s->init_buf == NULL) {
202           buf = BUF_MEM_new();
203           if (buf == NULL ||
204               !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
205             ret = -1;
206             goto end;
207           }
208 
209           s->init_buf = buf;
210           buf = NULL;
211         }
212 
213         if (!ssl_init_wbio_buffer(s, 0)) {
214           ret = -1;
215           goto end;
216         }
217 
218         /* don't push the buffering BIO quite yet */
219 
220         if (!ssl3_init_finished_mac(s)) {
221           OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
222           ret = -1;
223           goto end;
224         }
225 
226         s->state = SSL3_ST_CW_CLNT_HELLO_A;
227         s->init_num = 0;
228         break;
229 
230       case SSL3_ST_CW_CLNT_HELLO_A:
231       case SSL3_ST_CW_CLNT_HELLO_B:
232         s->shutdown = 0;
233         ret = ssl3_send_client_hello(s);
234         if (ret <= 0) {
235           goto end;
236         }
237         s->state = SSL3_ST_CR_SRVR_HELLO_A;
238         s->init_num = 0;
239 
240         /* turn on buffering for the next lot of output */
241         if (s->bbio != s->wbio) {
242           s->wbio = BIO_push(s->bbio, s->wbio);
243         }
244 
245         break;
246 
247       case SSL3_ST_CR_SRVR_HELLO_A:
248       case SSL3_ST_CR_SRVR_HELLO_B:
249         ret = ssl3_get_server_hello(s);
250         if (ret <= 0) {
251           goto end;
252         }
253 
254         if (s->hit) {
255           s->state = SSL3_ST_CR_CHANGE;
256           if (s->tlsext_ticket_expected) {
257             /* receive renewed session ticket */
258             s->state = SSL3_ST_CR_SESSION_TICKET_A;
259           }
260         } else {
261           s->state = SSL3_ST_CR_CERT_A;
262         }
263         s->init_num = 0;
264         break;
265 
266       case SSL3_ST_CR_CERT_A:
267       case SSL3_ST_CR_CERT_B:
268         if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
269           ret = ssl3_get_server_certificate(s);
270           if (ret <= 0) {
271             goto end;
272           }
273           if (s->s3->tmp.certificate_status_expected) {
274             s->state = SSL3_ST_CR_CERT_STATUS_A;
275           } else {
276             s->state = SSL3_ST_CR_KEY_EXCH_A;
277           }
278         } else {
279           skip = 1;
280           s->state = SSL3_ST_CR_KEY_EXCH_A;
281         }
282         s->init_num = 0;
283         break;
284 
285       case SSL3_ST_CR_KEY_EXCH_A:
286       case SSL3_ST_CR_KEY_EXCH_B:
287         ret = ssl3_get_server_key_exchange(s);
288         if (ret <= 0) {
289           goto end;
290         }
291         s->state = SSL3_ST_CR_CERT_REQ_A;
292         s->init_num = 0;
293 
294         /* at this point we check that we have the
295          * required stuff from the server */
296         if (!ssl3_check_cert_and_algorithm(s)) {
297           ret = -1;
298           goto end;
299         }
300         break;
301 
302       case SSL3_ST_CR_CERT_REQ_A:
303       case SSL3_ST_CR_CERT_REQ_B:
304         ret = ssl3_get_certificate_request(s);
305         if (ret <= 0) {
306           goto end;
307         }
308         s->state = SSL3_ST_CR_SRVR_DONE_A;
309         s->init_num = 0;
310         break;
311 
312       case SSL3_ST_CR_SRVR_DONE_A:
313       case SSL3_ST_CR_SRVR_DONE_B:
314         ret = ssl3_get_server_done(s);
315         if (ret <= 0) {
316           goto end;
317         }
318         if (s->s3->tmp.cert_req) {
319           s->state = SSL3_ST_CW_CERT_A;
320         } else {
321           s->state = SSL3_ST_CW_KEY_EXCH_A;
322         }
323         s->init_num = 0;
324 
325         break;
326 
327       case SSL3_ST_CW_CERT_A:
328       case SSL3_ST_CW_CERT_B:
329       case SSL3_ST_CW_CERT_C:
330       case SSL3_ST_CW_CERT_D:
331         ret = ssl3_send_client_certificate(s);
332         if (ret <= 0) {
333           goto end;
334         }
335         s->state = SSL3_ST_CW_KEY_EXCH_A;
336         s->init_num = 0;
337         break;
338 
339       case SSL3_ST_CW_KEY_EXCH_A:
340       case SSL3_ST_CW_KEY_EXCH_B:
341         ret = ssl3_send_client_key_exchange(s);
342         if (ret <= 0) {
343           goto end;
344         }
345         /* For TLS, cert_req is set to 2, so a cert chain
346          * of nothing is sent, but no verify packet is sent */
347         if (s->s3->tmp.cert_req == 1) {
348           s->state = SSL3_ST_CW_CERT_VRFY_A;
349         } else {
350           s->state = SSL3_ST_CW_CHANGE_A;
351           s->s3->change_cipher_spec = 0;
352         }
353 
354         s->init_num = 0;
355         break;
356 
357       case SSL3_ST_CW_CERT_VRFY_A:
358       case SSL3_ST_CW_CERT_VRFY_B:
359         ret = ssl3_send_cert_verify(s);
360         if (ret <= 0) {
361           goto end;
362         }
363         s->state = SSL3_ST_CW_CHANGE_A;
364         s->init_num = 0;
365         s->s3->change_cipher_spec = 0;
366         break;
367 
368       case SSL3_ST_CW_CHANGE_A:
369       case SSL3_ST_CW_CHANGE_B:
370         ret = ssl3_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A,
371                                            SSL3_ST_CW_CHANGE_B);
372         if (ret <= 0) {
373           goto end;
374         }
375 
376         s->state = SSL3_ST_CW_FINISHED_A;
377         if (s->s3->tlsext_channel_id_valid) {
378           s->state = SSL3_ST_CW_CHANNEL_ID_A;
379         }
380         if (s->s3->next_proto_neg_seen) {
381           s->state = SSL3_ST_CW_NEXT_PROTO_A;
382         }
383         s->init_num = 0;
384 
385         s->session->cipher = s->s3->tmp.new_cipher;
386         if (!s->enc_method->setup_key_block(s) ||
387             !s->enc_method->change_cipher_state(
388                 s, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
389           ret = -1;
390           goto end;
391         }
392 
393         break;
394 
395       case SSL3_ST_CW_NEXT_PROTO_A:
396       case SSL3_ST_CW_NEXT_PROTO_B:
397         ret = ssl3_send_next_proto(s);
398         if (ret <= 0) {
399           goto end;
400         }
401 
402         if (s->s3->tlsext_channel_id_valid) {
403           s->state = SSL3_ST_CW_CHANNEL_ID_A;
404         } else {
405           s->state = SSL3_ST_CW_FINISHED_A;
406         }
407         break;
408 
409       case SSL3_ST_CW_CHANNEL_ID_A:
410       case SSL3_ST_CW_CHANNEL_ID_B:
411         ret = ssl3_send_channel_id(s);
412         if (ret <= 0) {
413           goto end;
414         }
415         s->state = SSL3_ST_CW_FINISHED_A;
416         break;
417 
418       case SSL3_ST_CW_FINISHED_A:
419       case SSL3_ST_CW_FINISHED_B:
420         ret =
421             ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
422                                s->enc_method->client_finished_label,
423                                s->enc_method->client_finished_label_len);
424         if (ret <= 0) {
425           goto end;
426         }
427         s->state = SSL3_ST_CW_FLUSH;
428 
429         if (s->hit) {
430           s->s3->tmp.next_state = SSL_ST_OK;
431         } else {
432           /* This is a non-resumption handshake. If it involves ChannelID, then
433            * record the handshake hashes at this point in the session so that
434            * any resumption of this session with ChannelID can sign those
435            * hashes. */
436           if (s->s3->tlsext_channel_id_new) {
437             ret = tls1_record_handshake_hashes_for_channel_id(s);
438             if (ret <= 0) {
439               goto end;
440             }
441           }
442           if ((SSL_get_mode(s) & SSL_MODE_ENABLE_FALSE_START) &&
443               ssl3_can_false_start(s) &&
444               /* No False Start on renegotiation (would complicate the state
445                * machine). */
446               !s->s3->initial_handshake_complete) {
447             s->s3->tmp.next_state = SSL3_ST_FALSE_START;
448           } else {
449             /* Allow NewSessionTicket if ticket expected */
450             if (s->tlsext_ticket_expected) {
451               s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
452             } else {
453               s->s3->tmp.next_state = SSL3_ST_CR_CHANGE;
454             }
455           }
456         }
457         s->init_num = 0;
458         break;
459 
460       case SSL3_ST_CR_SESSION_TICKET_A:
461       case SSL3_ST_CR_SESSION_TICKET_B:
462         ret = ssl3_get_new_session_ticket(s);
463         if (ret <= 0) {
464           goto end;
465         }
466         s->state = SSL3_ST_CR_CHANGE;
467         s->init_num = 0;
468         break;
469 
470       case SSL3_ST_CR_CERT_STATUS_A:
471       case SSL3_ST_CR_CERT_STATUS_B:
472         ret = ssl3_get_cert_status(s);
473         if (ret <= 0) {
474           goto end;
475         }
476         s->state = SSL3_ST_CR_KEY_EXCH_A;
477         s->init_num = 0;
478         break;
479 
480       case SSL3_ST_CR_CHANGE:
481         /* At this point, the next message must be entirely behind a
482          * ChangeCipherSpec. */
483         if (!ssl3_expect_change_cipher_spec(s)) {
484           ret = -1;
485           goto end;
486         }
487         s->state = SSL3_ST_CR_FINISHED_A;
488         break;
489 
490       case SSL3_ST_CR_FINISHED_A:
491       case SSL3_ST_CR_FINISHED_B:
492         ret =
493             ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B);
494         if (ret <= 0) {
495           goto end;
496         }
497 
498         if (s->hit) {
499           s->state = SSL3_ST_CW_CHANGE_A;
500         } else {
501           s->state = SSL_ST_OK;
502         }
503         s->init_num = 0;
504         break;
505 
506       case SSL3_ST_CW_FLUSH:
507         s->rwstate = SSL_WRITING;
508         if (BIO_flush(s->wbio) <= 0) {
509           ret = -1;
510           goto end;
511         }
512         s->rwstate = SSL_NOTHING;
513         s->state = s->s3->tmp.next_state;
514         break;
515 
516       case SSL3_ST_FALSE_START:
517         /* Allow NewSessionTicket if ticket expected */
518         if (s->tlsext_ticket_expected) {
519           s->state = SSL3_ST_CR_SESSION_TICKET_A;
520         } else {
521           s->state = SSL3_ST_CR_CHANGE;
522         }
523         s->s3->tmp.in_false_start = 1;
524 
525         ssl_free_wbio_buffer(s);
526         ret = 1;
527         goto end;
528 
529       case SSL_ST_OK:
530         /* clean a few things up */
531         ssl3_cleanup_key_block(s);
532 
533         BUF_MEM_free(s->init_buf);
534         s->init_buf = NULL;
535 
536         /* Remove write buffering now. */
537         ssl_free_wbio_buffer(s);
538 
539         s->init_num = 0;
540         s->s3->tmp.in_false_start = 0;
541         s->s3->initial_handshake_complete = 1;
542 
543         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
544 
545         ret = 1;
546         /* s->server=0; */
547 
548         if (cb != NULL) {
549           cb(s, SSL_CB_HANDSHAKE_DONE, 1);
550         }
551 
552         goto end;
553 
554       default:
555         OPENSSL_PUT_ERROR(SSL, ssl3_connect, SSL_R_UNKNOWN_STATE);
556         ret = -1;
557         goto end;
558     }
559 
560     if (!s->s3->tmp.reuse_message && !skip) {
561       if (cb != NULL && s->state != state) {
562         new_state = s->state;
563         s->state = state;
564         cb(s, SSL_CB_CONNECT_LOOP, 1);
565         s->state = new_state;
566       }
567     }
568     skip = 0;
569   }
570 
571 end:
572   s->in_handshake--;
573   BUF_MEM_free(buf);
574   if (cb != NULL) {
575     cb(s, SSL_CB_CONNECT_EXIT, ret);
576   }
577   return ret;
578 }
579 
ssl3_send_client_hello(SSL * s)580 int ssl3_send_client_hello(SSL *s) {
581   uint8_t *buf, *p, *d;
582   int i;
583   unsigned long l;
584 
585   buf = (uint8_t *)s->init_buf->data;
586   if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
587     if (!s->s3->have_version) {
588       uint16_t max_version = ssl3_get_max_client_version(s);
589       /* Disabling all versions is silly: return an error. */
590       if (max_version == 0) {
591         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, SSL_R_WRONG_SSL_VERSION);
592         goto err;
593       }
594       s->version = max_version;
595       s->client_version = max_version;
596     }
597 
598     /* If the configured session was created at a version higher than our
599      * maximum version, drop it. */
600     if (s->session &&
601         (s->session->session_id_length == 0 || s->session->not_resumable ||
602          (!SSL_IS_DTLS(s) && s->session->ssl_version > s->version) ||
603          (SSL_IS_DTLS(s) && s->session->ssl_version < s->version))) {
604       SSL_set_session(s, NULL);
605     }
606 
607     /* else use the pre-loaded session */
608     p = s->s3->client_random;
609 
610     /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
611      * renegerate the client_random. The random must be reused. */
612     if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) &&
613         !ssl_fill_hello_random(p, sizeof(s->s3->client_random),
614                                0 /* client */)) {
615       goto err;
616     }
617 
618     /* Do the message type and length last. Note: the final argument to
619      * ssl_add_clienthello_tlsext below depends on the size of this prefix. */
620     d = p = ssl_handshake_start(s);
621 
622     /* version indicates the negotiated version: for example from an SSLv2/v3
623      * compatible client hello). The client_version field is the maximum
624      * version we permit and it is also used in RSA encrypted premaster
625      * secrets. Some servers can choke if we initially report a higher version
626      * then renegotiate to a lower one in the premaster secret. This didn't
627      * happen with TLS 1.0 as most servers supported it but it can with TLS 1.1
628      * or later if the server only supports 1.0.
629      *
630      * Possible scenario with previous logic:
631      *   1. Client hello indicates TLS 1.2
632      *   2. Server hello says TLS 1.0
633      *   3. RSA encrypted premaster secret uses 1.2.
634      *   4. Handhaked proceeds using TLS 1.0.
635      *   5. Server sends hello request to renegotiate.
636      *   6. Client hello indicates TLS v1.0 as we now
637      *      know that is maximum server supports.
638      *   7. Server chokes on RSA encrypted premaster secret
639      *      containing version 1.0.
640      *
641      * For interoperability it should be OK to always use the maximum version
642      * we support in client hello and then rely on the checking of version to
643      * ensure the servers isn't being inconsistent: for example initially
644      * negotiating with TLS 1.0 and renegotiating with TLS 1.2. We do this by
645      * using client_version in client hello and not resetting it to the
646      * negotiated version. */
647     *(p++) = s->client_version >> 8;
648     *(p++) = s->client_version & 0xff;
649 
650     /* Random stuff */
651     memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
652     p += SSL3_RANDOM_SIZE;
653 
654     /* Session ID */
655     if (s->s3->initial_handshake_complete || s->session == NULL) {
656       /* Renegotiations do not participate in session resumption. */
657       i = 0;
658     } else {
659       i = s->session->session_id_length;
660     }
661     *(p++) = i;
662     if (i != 0) {
663       if (i > (int)sizeof(s->session->session_id)) {
664         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
665         goto err;
666       }
667       memcpy(p, s->session->session_id, i);
668       p += i;
669     }
670 
671     /* cookie stuff for DTLS */
672     if (SSL_IS_DTLS(s)) {
673       if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
674         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
675         goto err;
676       }
677       *(p++) = s->d1->cookie_len;
678       memcpy(p, s->d1->cookie, s->d1->cookie_len);
679       p += s->d1->cookie_len;
680     }
681 
682     /* Ciphers supported */
683     i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
684     if (i == 0) {
685       OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello,
686                         SSL_R_NO_CIPHERS_AVAILABLE);
687       goto err;
688     }
689     s2n(i, p);
690     p += i;
691 
692     /* COMPRESSION */
693     *(p++) = 1;
694     *(p++) = 0; /* Add the NULL method */
695 
696     /* TLS extensions*/
697     if (ssl_prepare_clienthello_tlsext(s) <= 0) {
698       OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
699       goto err;
700     }
701 
702     p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
703                                    p - buf);
704     if (p == NULL) {
705       OPENSSL_PUT_ERROR(SSL, ssl3_send_client_hello, ERR_R_INTERNAL_ERROR);
706       goto err;
707     }
708 
709     l = p - d;
710     if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
711       goto err;
712     }
713     s->state = SSL3_ST_CW_CLNT_HELLO_B;
714   }
715 
716   /* SSL3_ST_CW_CLNT_HELLO_B */
717   return ssl_do_write(s);
718 
719 err:
720   return -1;
721 }
722 
ssl3_get_server_hello(SSL * s)723 int ssl3_get_server_hello(SSL *s) {
724   STACK_OF(SSL_CIPHER) *sk;
725   const SSL_CIPHER *c;
726   CERT *ct = s->cert;
727   int al = SSL_AD_INTERNAL_ERROR, ok;
728   long n;
729   CBS server_hello, server_random, session_id;
730   uint16_t server_version, cipher_suite;
731   uint8_t compression_method;
732   uint32_t mask_ssl;
733 
734   n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
735                                  SSL3_ST_CR_SRVR_HELLO_B, SSL3_MT_SERVER_HELLO,
736                                  20000, /* ?? */
737                                  ssl_hash_message, &ok);
738 
739   if (!ok) {
740     uint32_t err = ERR_peek_error();
741     if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
742         ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
743       /* Add a dedicated error code to the queue for a handshake_failure alert
744        * in response to ClientHello. This matches NSS's client behavior and
745        * gives a better error on a (probable) failure to negotiate initial
746        * parameters. Note: this error code comes after the original one.
747        *
748        * See https://crbug.com/446505. */
749       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
750                         SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
751     }
752     return n;
753   }
754 
755   CBS_init(&server_hello, s->init_msg, n);
756 
757   if (!CBS_get_u16(&server_hello, &server_version) ||
758       !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
759       !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
760       CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
761       !CBS_get_u16(&server_hello, &cipher_suite) ||
762       !CBS_get_u8(&server_hello, &compression_method)) {
763     al = SSL_AD_DECODE_ERROR;
764     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_DECODE_ERROR);
765     goto f_err;
766   }
767 
768   assert(s->s3->have_version == s->s3->initial_handshake_complete);
769   if (!s->s3->have_version) {
770     if (!ssl3_is_version_enabled(s, server_version)) {
771       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNSUPPORTED_PROTOCOL);
772       s->version = server_version;
773       /* Mark the version as fixed so the record-layer version is not clamped
774        * to TLS 1.0. */
775       s->s3->have_version = 1;
776       al = SSL_AD_PROTOCOL_VERSION;
777       goto f_err;
778     }
779     s->version = server_version;
780     s->enc_method = ssl3_get_enc_method(server_version);
781     assert(s->enc_method != NULL);
782     /* At this point, the connection's version is known and s->version is
783      * fixed. Begin enforcing the record-layer version. */
784     s->s3->have_version = 1;
785   } else if (server_version != s->version) {
786     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
787     al = SSL_AD_PROTOCOL_VERSION;
788     goto f_err;
789   }
790 
791   /* Copy over the server random. */
792   memcpy(s->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
793 
794   assert(s->session == NULL || s->session->session_id_length > 0);
795   if (!s->s3->initial_handshake_complete && s->session != NULL &&
796       CBS_mem_equal(&session_id, s->session->session_id,
797                     s->session->session_id_length)) {
798     if (s->sid_ctx_length != s->session->sid_ctx_length ||
799         memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
800       /* actually a client application bug */
801       al = SSL_AD_ILLEGAL_PARAMETER;
802       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
803                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
804       goto f_err;
805     }
806     s->hit = 1;
807   } else {
808     /* The session wasn't resumed. Create a fresh SSL_SESSION to
809      * fill out. */
810     s->hit = 0;
811     if (!ssl_get_new_session(s, 0)) {
812       goto f_err;
813     }
814     /* Note: session_id could be empty. */
815     s->session->session_id_length = CBS_len(&session_id);
816     memcpy(s->session->session_id, CBS_data(&session_id), CBS_len(&session_id));
817   }
818 
819   c = SSL_get_cipher_by_value(cipher_suite);
820   if (c == NULL) {
821     /* unknown cipher */
822     al = SSL_AD_ILLEGAL_PARAMETER;
823     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
824                       SSL_R_UNKNOWN_CIPHER_RETURNED);
825     goto f_err;
826   }
827   /* ct->mask_ssl was computed from client capabilities. Now
828    * that the final version is known, compute a new mask_ssl. */
829   if (!SSL_USE_TLS1_2_CIPHERS(s)) {
830     mask_ssl = SSL_TLSV1_2;
831   } else {
832     mask_ssl = 0;
833   }
834   /* If the cipher is disabled then we didn't sent it in the ClientHello, so if
835    * the server selected it, it's an error. */
836   if ((c->algorithm_ssl & mask_ssl) ||
837       (c->algorithm_mkey & ct->mask_k) ||
838       (c->algorithm_auth & ct->mask_a)) {
839     al = SSL_AD_ILLEGAL_PARAMETER;
840     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
841     goto f_err;
842   }
843 
844   sk = ssl_get_ciphers_by_id(s);
845   if (!sk_SSL_CIPHER_find(sk, NULL, c)) {
846     /* we did not say we would use this cipher */
847     al = SSL_AD_ILLEGAL_PARAMETER;
848     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
849     goto f_err;
850   }
851 
852   if (s->hit) {
853     if (s->session->cipher != c) {
854       al = SSL_AD_ILLEGAL_PARAMETER;
855       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
856                         SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
857       goto f_err;
858     }
859     if (s->session->ssl_version != s->version) {
860       al = SSL_AD_ILLEGAL_PARAMETER;
861       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
862                         SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
863       goto f_err;
864     }
865   }
866   s->s3->tmp.new_cipher = c;
867 
868   /* If doing a full handshake with TLS 1.2, the server may request a client
869    * certificate which requires hashing the handshake transcript under a
870    * different hash. Otherwise, release the handshake buffer. */
871   if ((!SSL_USE_SIGALGS(s) || s->hit) &&
872       !ssl3_digest_cached_records(s, free_handshake_buffer)) {
873     goto f_err;
874   }
875 
876   /* Only the NULL compression algorithm is supported. */
877   if (compression_method != 0) {
878     al = SSL_AD_ILLEGAL_PARAMETER;
879     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
880                       SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
881     goto f_err;
882   }
883 
884   /* TLS extensions */
885   if (!ssl_parse_serverhello_tlsext(s, &server_hello)) {
886     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_PARSE_TLSEXT);
887     goto err;
888   }
889 
890   /* There should be nothing left over in the record. */
891   if (CBS_len(&server_hello) != 0) {
892     /* wrong packet length */
893     al = SSL_AD_DECODE_ERROR;
894     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_PACKET_LENGTH);
895     goto f_err;
896   }
897 
898   if (s->hit &&
899       s->s3->tmp.extended_master_secret != s->session->extended_master_secret) {
900     al = SSL_AD_HANDSHAKE_FAILURE;
901     if (s->session->extended_master_secret) {
902       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
903                         SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
904     } else {
905       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
906                         SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION);
907     }
908     goto f_err;
909   }
910 
911   return 1;
912 
913 f_err:
914   ssl3_send_alert(s, SSL3_AL_FATAL, al);
915 err:
916   return -1;
917 }
918 
ssl3_get_server_certificate(SSL * s)919 int ssl3_get_server_certificate(SSL *s) {
920   int al, i, ok, ret = -1;
921   unsigned long n;
922   X509 *x = NULL;
923   STACK_OF(X509) *sk = NULL;
924   SESS_CERT *sc;
925   EVP_PKEY *pkey = NULL;
926   CBS cbs, certificate_list;
927   const uint8_t *data;
928 
929   n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B,
930                                  SSL3_MT_CERTIFICATE, (long)s->max_cert_list,
931                                  ssl_hash_message, &ok);
932 
933   if (!ok) {
934     return n;
935   }
936 
937   CBS_init(&cbs, s->init_msg, n);
938 
939   sk = sk_X509_new_null();
940   if (sk == NULL) {
941     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
942     goto err;
943   }
944 
945   if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
946       CBS_len(&cbs) != 0) {
947     al = SSL_AD_DECODE_ERROR;
948     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
949     goto f_err;
950   }
951 
952   while (CBS_len(&certificate_list) > 0) {
953     CBS certificate;
954     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate)) {
955       al = SSL_AD_DECODE_ERROR;
956       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
957                         SSL_R_CERT_LENGTH_MISMATCH);
958       goto f_err;
959     }
960     data = CBS_data(&certificate);
961     x = d2i_X509(NULL, &data, CBS_len(&certificate));
962     if (x == NULL) {
963       al = SSL_AD_BAD_CERTIFICATE;
964       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_ASN1_LIB);
965       goto f_err;
966     }
967     if (data != CBS_data(&certificate) + CBS_len(&certificate)) {
968       al = SSL_AD_DECODE_ERROR;
969       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
970                         SSL_R_CERT_LENGTH_MISMATCH);
971       goto f_err;
972     }
973     if (!sk_X509_push(sk, x)) {
974       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
975       goto err;
976     }
977     x = NULL;
978   }
979 
980   i = ssl_verify_cert_chain(s, sk);
981   if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
982     al = ssl_verify_alarm_type(s->verify_result);
983     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
984                       SSL_R_CERTIFICATE_VERIFY_FAILED);
985     goto f_err;
986   }
987   ERR_clear_error(); /* but we keep s->verify_result */
988 
989   sc = ssl_sess_cert_new();
990   if (sc == NULL) {
991     goto err;
992   }
993 
994   ssl_sess_cert_free(s->session->sess_cert);
995   s->session->sess_cert = sc;
996 
997   sc->cert_chain = sk;
998   /* Inconsistency alert: cert_chain does include the peer's certificate, which
999    * we don't include in s3_srvr.c */
1000   x = sk_X509_value(sk, 0);
1001   sk = NULL;
1002   /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1003 
1004   pkey = X509_get_pubkey(x);
1005 
1006   if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
1007     x = NULL;
1008     al = SSL3_AL_FATAL;
1009     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
1010                       SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1011     goto f_err;
1012   }
1013 
1014   i = ssl_cert_type(pkey);
1015   if (i < 0) {
1016     x = NULL;
1017     al = SSL3_AL_FATAL;
1018     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
1019                       SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1020     goto f_err;
1021   }
1022 
1023   int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1024   if (exp_idx >= 0 && i != exp_idx) {
1025     x = NULL;
1026     al = SSL_AD_ILLEGAL_PARAMETER;
1027     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate,
1028                       SSL_R_WRONG_CERTIFICATE_TYPE);
1029     goto f_err;
1030   }
1031   sc->peer_cert_type = i;
1032   X509_free(sc->peer_pkeys[i].x509);
1033   sc->peer_pkeys[i].x509 = X509_up_ref(x);
1034   sc->peer_key = &(sc->peer_pkeys[i]);
1035 
1036   X509_free(s->session->peer);
1037   s->session->peer = X509_up_ref(x);
1038 
1039   s->session->verify_result = s->verify_result;
1040 
1041   x = NULL;
1042   ret = 1;
1043 
1044   if (0) {
1045   f_err:
1046     ssl3_send_alert(s, SSL3_AL_FATAL, al);
1047   }
1048 
1049 err:
1050   EVP_PKEY_free(pkey);
1051   X509_free(x);
1052   sk_X509_pop_free(sk, X509_free);
1053   return ret;
1054 }
1055 
ssl3_get_server_key_exchange(SSL * s)1056 int ssl3_get_server_key_exchange(SSL *s) {
1057   EVP_MD_CTX md_ctx;
1058   int al, ok;
1059   long n, alg_k, alg_a;
1060   EVP_PKEY *pkey = NULL;
1061   const EVP_MD *md = NULL;
1062   RSA *rsa = NULL;
1063   DH *dh = NULL;
1064   EC_KEY *ecdh = NULL;
1065   BN_CTX *bn_ctx = NULL;
1066   EC_POINT *srvr_ecpoint = NULL;
1067   CBS server_key_exchange, server_key_exchange_orig, parameter;
1068 
1069   /* use same message size as in ssl3_get_certificate_request() as
1070    * ServerKeyExchange message may be skipped */
1071   n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1072                                  SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
1073                                  ssl_hash_message, &ok);
1074   if (!ok) {
1075     return n;
1076   }
1077 
1078   if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1079     if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher)) {
1080       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1081                         SSL_R_UNEXPECTED_MESSAGE);
1082       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1083       return -1;
1084     }
1085 
1086     /* In plain PSK ciphersuite, ServerKeyExchange can be
1087        omitted if no identity hint is sent. Set session->sess_cert anyway to
1088        avoid problems later.*/
1089     if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) {
1090       /* PSK ciphersuites that also send a Certificate would have already
1091        * initialized |sess_cert|. */
1092       if (s->session->sess_cert == NULL) {
1093         s->session->sess_cert = ssl_sess_cert_new();
1094         if (s->session->sess_cert == NULL) {
1095           return -1;
1096         }
1097       }
1098 
1099       /* TODO(davidben): This should be reset in one place with the rest of the
1100        * handshake state. */
1101       OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
1102       s->s3->tmp.peer_psk_identity_hint = NULL;
1103     }
1104     s->s3->tmp.reuse_message = 1;
1105     return 1;
1106   }
1107 
1108   /* Retain a copy of the original CBS to compute the signature over. */
1109   CBS_init(&server_key_exchange, s->init_msg, n);
1110   server_key_exchange_orig = server_key_exchange;
1111 
1112   if (s->session->sess_cert != NULL) {
1113     DH_free(s->session->sess_cert->peer_dh_tmp);
1114     s->session->sess_cert->peer_dh_tmp = NULL;
1115     EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1116     s->session->sess_cert->peer_ecdh_tmp = NULL;
1117   } else {
1118     s->session->sess_cert = ssl_sess_cert_new();
1119     if (s->session->sess_cert == NULL) {
1120       return -1;
1121     }
1122   }
1123 
1124   alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1125   alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1126   EVP_MD_CTX_init(&md_ctx);
1127 
1128   if (alg_a & SSL_aPSK) {
1129     CBS psk_identity_hint;
1130 
1131     /* Each of the PSK key exchanges begins with a psk_identity_hint. */
1132     if (!CBS_get_u16_length_prefixed(&server_key_exchange,
1133                                      &psk_identity_hint)) {
1134       al = SSL_AD_DECODE_ERROR;
1135       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
1136       goto f_err;
1137     }
1138 
1139     /* Store PSK identity hint for later use, hint is used in
1140      * ssl3_send_client_key_exchange.  Assume that the maximum length of a PSK
1141      * identity hint can be as long as the maximum length of a PSK identity.
1142      * Also do not allow NULL characters; identities are saved as C strings.
1143      *
1144      * TODO(davidben): Should invalid hints be ignored? It's a hint rather than
1145      * a specific identity. */
1146     if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
1147         CBS_contains_zero_byte(&psk_identity_hint)) {
1148       al = SSL_AD_HANDSHAKE_FAILURE;
1149       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1150                         SSL_R_DATA_LENGTH_TOO_LONG);
1151       goto f_err;
1152     }
1153 
1154     /* Save the identity hint as a C string. */
1155     if (!CBS_strdup(&psk_identity_hint, &s->s3->tmp.peer_psk_identity_hint)) {
1156       al = SSL_AD_INTERNAL_ERROR;
1157       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1158                         ERR_R_MALLOC_FAILURE);
1159       goto f_err;
1160     }
1161   }
1162 
1163   if (alg_k & SSL_kDHE) {
1164     CBS dh_p, dh_g, dh_Ys;
1165 
1166     if (!CBS_get_u16_length_prefixed(&server_key_exchange, &dh_p) ||
1167         CBS_len(&dh_p) == 0 ||
1168         !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_g) ||
1169         CBS_len(&dh_g) == 0 ||
1170         !CBS_get_u16_length_prefixed(&server_key_exchange, &dh_Ys) ||
1171         CBS_len(&dh_Ys) == 0) {
1172       al = SSL_AD_DECODE_ERROR;
1173       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
1174       goto f_err;
1175     }
1176 
1177     dh = DH_new();
1178     if (dh == NULL) {
1179       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_DH_LIB);
1180       goto err;
1181     }
1182 
1183     if ((dh->p = BN_bin2bn(CBS_data(&dh_p), CBS_len(&dh_p), NULL)) == NULL ||
1184         (dh->g = BN_bin2bn(CBS_data(&dh_g), CBS_len(&dh_g), NULL)) == NULL ||
1185         (dh->pub_key = BN_bin2bn(CBS_data(&dh_Ys), CBS_len(&dh_Ys), NULL)) ==
1186             NULL) {
1187       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
1188       goto err;
1189     }
1190 
1191     if (DH_num_bits(dh) < 1024) {
1192       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1193                         SSL_R_BAD_DH_P_LENGTH);
1194       goto err;
1195     }
1196 
1197     if (alg_a & SSL_aRSA) {
1198       pkey = X509_get_pubkey(
1199           s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1200     }
1201     /* else anonymous DH, so no certificate or pkey. */
1202 
1203     s->session->sess_cert->peer_dh_tmp = dh;
1204     dh = NULL;
1205   } else if (alg_k & SSL_kECDHE) {
1206     uint16_t curve_id;
1207     int curve_nid = 0;
1208     const EC_GROUP *group;
1209     CBS point;
1210 
1211     /* Extract elliptic curve parameters and the server's ephemeral ECDH public
1212      * key.  Check curve is one of our preferences, if not server has sent an
1213      * invalid curve. */
1214     if (!tls1_check_curve(s, &server_key_exchange, &curve_id)) {
1215       al = SSL_AD_DECODE_ERROR;
1216       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_WRONG_CURVE);
1217       goto f_err;
1218     }
1219 
1220     curve_nid = tls1_ec_curve_id2nid(curve_id);
1221     if (curve_nid == 0) {
1222       al = SSL_AD_INTERNAL_ERROR;
1223       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1224                         SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1225       goto f_err;
1226     }
1227 
1228     ecdh = EC_KEY_new_by_curve_name(curve_nid);
1229     if (ecdh == NULL) {
1230       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1231                         ERR_R_EC_LIB);
1232       goto err;
1233     }
1234 
1235     group = EC_KEY_get0_group(ecdh);
1236 
1237     /* Next, get the encoded ECPoint */
1238     if (!CBS_get_u8_length_prefixed(&server_key_exchange, &point)) {
1239       al = SSL_AD_DECODE_ERROR;
1240       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
1241       goto f_err;
1242     }
1243 
1244     if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1245         ((bn_ctx = BN_CTX_new()) == NULL)) {
1246       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1247                         ERR_R_MALLOC_FAILURE);
1248       goto err;
1249     }
1250 
1251     if (!EC_POINT_oct2point(group, srvr_ecpoint, CBS_data(&point),
1252                             CBS_len(&point), bn_ctx)) {
1253       al = SSL_AD_DECODE_ERROR;
1254       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_ECPOINT);
1255       goto f_err;
1256     }
1257 
1258     /* The ECC/TLS specification does not mention the use of DSA to sign
1259      * ECParameters in the server key exchange message. We do support RSA and
1260      * ECDSA. */
1261     if (alg_a & SSL_aRSA) {
1262       pkey = X509_get_pubkey(
1263           s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1264     } else if (alg_a & SSL_aECDSA) {
1265       pkey =
1266           X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1267     }
1268     /* else anonymous ECDH, so no certificate or pkey. */
1269     EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1270     s->session->sess_cert->peer_ecdh_tmp = ecdh;
1271     ecdh = NULL;
1272     BN_CTX_free(bn_ctx);
1273     bn_ctx = NULL;
1274     EC_POINT_free(srvr_ecpoint);
1275     srvr_ecpoint = NULL;
1276   } else if (!(alg_k & SSL_kPSK)) {
1277     al = SSL_AD_UNEXPECTED_MESSAGE;
1278     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1279                       SSL_R_UNEXPECTED_MESSAGE);
1280     goto f_err;
1281   }
1282 
1283   /* At this point, |server_key_exchange| contains the signature, if any, while
1284    * |server_key_exchange_orig| contains the entire message. From that, derive
1285    * a CBS containing just the parameter. */
1286   CBS_init(&parameter, CBS_data(&server_key_exchange_orig),
1287            CBS_len(&server_key_exchange_orig) - CBS_len(&server_key_exchange));
1288 
1289   /* if it was signed, check the signature */
1290   if (pkey != NULL) {
1291     CBS signature;
1292 
1293     if (SSL_USE_SIGALGS(s)) {
1294       if (!tls12_check_peer_sigalg(&md, &al, s, &server_key_exchange, pkey)) {
1295         goto f_err;
1296       }
1297     } else if (pkey->type == EVP_PKEY_RSA) {
1298       md = EVP_md5_sha1();
1299     } else {
1300       md = EVP_sha1();
1301     }
1302 
1303     /* The last field in |server_key_exchange| is the signature. */
1304     if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
1305         CBS_len(&server_key_exchange) != 0) {
1306       al = SSL_AD_DECODE_ERROR;
1307       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
1308       goto f_err;
1309     }
1310 
1311     if (!EVP_DigestVerifyInit(&md_ctx, NULL, md, NULL, pkey) ||
1312         !EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random,
1313                                 SSL3_RANDOM_SIZE) ||
1314         !EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random,
1315                                 SSL3_RANDOM_SIZE) ||
1316         !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&parameter),
1317                                 CBS_len(&parameter)) ||
1318         !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
1319                                CBS_len(&signature))) {
1320       /* bad signature */
1321       al = SSL_AD_DECRYPT_ERROR;
1322       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_BAD_SIGNATURE);
1323       goto f_err;
1324     }
1325   } else {
1326     if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
1327       /* Might be wrong key type, check it */
1328       if (ssl3_check_cert_and_algorithm(s)) {
1329         /* Otherwise this shouldn't happen */
1330         OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1331                           ERR_R_INTERNAL_ERROR);
1332       }
1333       goto err;
1334     }
1335     /* still data left over */
1336     if (CBS_len(&server_key_exchange) > 0) {
1337       al = SSL_AD_DECODE_ERROR;
1338       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
1339                         SSL_R_EXTRA_DATA_IN_MESSAGE);
1340       goto f_err;
1341     }
1342   }
1343   EVP_PKEY_free(pkey);
1344   EVP_MD_CTX_cleanup(&md_ctx);
1345   return 1;
1346 
1347 f_err:
1348   ssl3_send_alert(s, SSL3_AL_FATAL, al);
1349 err:
1350   EVP_PKEY_free(pkey);
1351   RSA_free(rsa);
1352   DH_free(dh);
1353   BN_CTX_free(bn_ctx);
1354   EC_POINT_free(srvr_ecpoint);
1355   EC_KEY_free(ecdh);
1356   EVP_MD_CTX_cleanup(&md_ctx);
1357   return -1;
1358 }
1359 
ca_dn_cmp(const X509_NAME ** a,const X509_NAME ** b)1360 static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b) {
1361   return X509_NAME_cmp(*a, *b);
1362 }
1363 
ssl3_get_certificate_request(SSL * s)1364 int ssl3_get_certificate_request(SSL *s) {
1365   int ok, ret = 0;
1366   unsigned long n;
1367   X509_NAME *xn = NULL;
1368   STACK_OF(X509_NAME) *ca_sk = NULL;
1369   CBS cbs;
1370   CBS certificate_types;
1371   CBS certificate_authorities;
1372   const uint8_t *data;
1373 
1374   n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1375                                  SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list,
1376                                  ssl_hash_message, &ok);
1377 
1378   if (!ok) {
1379     return n;
1380   }
1381 
1382   s->s3->tmp.cert_req = 0;
1383 
1384   if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1385     s->s3->tmp.reuse_message = 1;
1386     /* If we get here we don't need any cached handshake records as we wont be
1387      * doing client auth. */
1388     if (s->s3->handshake_buffer &&
1389         !ssl3_digest_cached_records(s, free_handshake_buffer)) {
1390       goto err;
1391     }
1392     return 1;
1393   }
1394 
1395   if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1396     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1397     OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
1398                       SSL_R_WRONG_MESSAGE_TYPE);
1399     goto err;
1400   }
1401 
1402   CBS_init(&cbs, s->init_msg, n);
1403 
1404   ca_sk = sk_X509_NAME_new(ca_dn_cmp);
1405   if (ca_sk == NULL) {
1406     OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1407     goto err;
1408   }
1409 
1410   /* get the certificate types */
1411   if (!CBS_get_u8_length_prefixed(&cbs, &certificate_types)) {
1412     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1413     OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
1414     goto err;
1415   }
1416 
1417   if (!CBS_stow(&certificate_types, &s->s3->tmp.certificate_types,
1418                 &s->s3->tmp.num_certificate_types)) {
1419     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1420     goto err;
1421   }
1422 
1423   if (SSL_USE_SIGALGS(s)) {
1424     CBS supported_signature_algorithms;
1425     if (!CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms)) {
1426       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1427       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DECODE_ERROR);
1428       goto err;
1429     }
1430 
1431     if (!tls1_process_sigalgs(s, &supported_signature_algorithms)) {
1432       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1433       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
1434                         SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1435       goto err;
1436     }
1437   }
1438 
1439   /* get the CA RDNs */
1440   if (!CBS_get_u16_length_prefixed(&cbs, &certificate_authorities)) {
1441     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1442     OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_LENGTH_MISMATCH);
1443     goto err;
1444   }
1445 
1446   while (CBS_len(&certificate_authorities) > 0) {
1447     CBS distinguished_name;
1448     if (!CBS_get_u16_length_prefixed(&certificate_authorities,
1449                                      &distinguished_name)) {
1450       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1451       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
1452                         SSL_R_CA_DN_TOO_LONG);
1453       goto err;
1454     }
1455 
1456     data = CBS_data(&distinguished_name);
1457 
1458     xn = d2i_X509_NAME(NULL, &data, CBS_len(&distinguished_name));
1459     if (xn == NULL) {
1460       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1461       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_ASN1_LIB);
1462       goto err;
1463     }
1464 
1465     if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name))) {
1466       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1467       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_INTERNAL_ERROR);
1468       goto err;
1469     }
1470 
1471     if (CBS_len(&distinguished_name) != 0) {
1472       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1473       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
1474                         SSL_R_CA_DN_LENGTH_MISMATCH);
1475       goto err;
1476     }
1477 
1478     if (!sk_X509_NAME_push(ca_sk, xn)) {
1479       OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
1480                         ERR_R_MALLOC_FAILURE);
1481       goto err;
1482     }
1483   }
1484 
1485   /* we should setup a certificate to return.... */
1486   s->s3->tmp.cert_req = 1;
1487   sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
1488   s->s3->tmp.ca_names = ca_sk;
1489   ca_sk = NULL;
1490 
1491   ret = 1;
1492 
1493 err:
1494   sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1495   return ret;
1496 }
1497 
ssl3_get_new_session_ticket(SSL * s)1498 int ssl3_get_new_session_ticket(SSL *s) {
1499   int ok, al;
1500   long n;
1501   CBS new_session_ticket, ticket;
1502 
1503   n = s->method->ssl_get_message(
1504       s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B,
1505       SSL3_MT_NEWSESSION_TICKET, 16384, ssl_hash_message, &ok);
1506 
1507   if (!ok) {
1508     return n;
1509   }
1510 
1511   CBS_init(&new_session_ticket, s->init_msg, n);
1512 
1513   if (!CBS_get_u32(&new_session_ticket,
1514                    &s->session->tlsext_tick_lifetime_hint) ||
1515       !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
1516       CBS_len(&new_session_ticket) != 0) {
1517     al = SSL_AD_DECODE_ERROR;
1518     OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_DECODE_ERROR);
1519     goto f_err;
1520   }
1521 
1522   if (!CBS_stow(&ticket, &s->session->tlsext_tick,
1523                 &s->session->tlsext_ticklen)) {
1524     OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
1525     goto err;
1526   }
1527 
1528   /* Generate a session ID for this session based on the session ticket. We use
1529    * the session ID mechanism for detecting ticket resumption. This also fits in
1530    * with assumptions elsewhere in OpenSSL.*/
1531   if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), s->session->session_id,
1532                   &s->session->session_id_length, EVP_sha256(), NULL)) {
1533     goto err;
1534   }
1535 
1536   return 1;
1537 
1538 f_err:
1539   ssl3_send_alert(s, SSL3_AL_FATAL, al);
1540 err:
1541   return -1;
1542 }
1543 
ssl3_get_cert_status(SSL * s)1544 int ssl3_get_cert_status(SSL *s) {
1545   int ok, al;
1546   long n;
1547   CBS certificate_status, ocsp_response;
1548   uint8_t status_type;
1549 
1550   n = s->method->ssl_get_message(
1551       s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
1552       -1, 16384, ssl_hash_message, &ok);
1553 
1554   if (!ok) {
1555     return n;
1556   }
1557 
1558   if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1559     /* A server may send status_request in ServerHello and then change
1560      * its mind about sending CertificateStatus. */
1561     s->s3->tmp.reuse_message = 1;
1562     return 1;
1563   }
1564 
1565   CBS_init(&certificate_status, s->init_msg, n);
1566   if (!CBS_get_u8(&certificate_status, &status_type) ||
1567       status_type != TLSEXT_STATUSTYPE_ocsp ||
1568       !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
1569       CBS_len(&ocsp_response) == 0 ||
1570       CBS_len(&certificate_status) != 0) {
1571     al = SSL_AD_DECODE_ERROR;
1572     OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
1573     goto f_err;
1574   }
1575 
1576   if (!CBS_stow(&ocsp_response, &s->session->ocsp_response,
1577                 &s->session->ocsp_response_length)) {
1578     al = SSL_AD_INTERNAL_ERROR;
1579     OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
1580     goto f_err;
1581   }
1582   return 1;
1583 
1584 f_err:
1585   ssl3_send_alert(s, SSL3_AL_FATAL, al);
1586   return -1;
1587 }
1588 
ssl3_get_server_done(SSL * s)1589 int ssl3_get_server_done(SSL *s) {
1590   int ok;
1591   long n;
1592 
1593   n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1594                                  SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
1595                                  30, /* should be very small, like 0 :-) */
1596                                  ssl_hash_message, &ok);
1597 
1598   if (!ok) {
1599     return n;
1600   }
1601 
1602   if (n > 0) {
1603     /* should contain no data */
1604     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1605     OPENSSL_PUT_ERROR(SSL, ssl3_get_server_done, SSL_R_LENGTH_MISMATCH);
1606     return -1;
1607   }
1608 
1609   return 1;
1610 }
1611 
1612 
ssl3_send_client_key_exchange(SSL * s)1613 int ssl3_send_client_key_exchange(SSL *s) {
1614   uint8_t *p;
1615   int n = 0;
1616   uint32_t alg_k;
1617   uint32_t alg_a;
1618   uint8_t *q;
1619   EVP_PKEY *pkey = NULL;
1620   EC_KEY *clnt_ecdh = NULL;
1621   const EC_POINT *srvr_ecpoint = NULL;
1622   EVP_PKEY *srvr_pub_pkey = NULL;
1623   uint8_t *encodedPoint = NULL;
1624   int encoded_pt_len = 0;
1625   BN_CTX *bn_ctx = NULL;
1626   unsigned int psk_len = 0;
1627   uint8_t psk[PSK_MAX_PSK_LEN];
1628   uint8_t *pms = NULL;
1629   size_t pms_len = 0;
1630 
1631   if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
1632     p = ssl_handshake_start(s);
1633 
1634     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1635     alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1636 
1637     /* If using a PSK key exchange, prepare the pre-shared key. */
1638     if (alg_a & SSL_aPSK) {
1639       char identity[PSK_MAX_IDENTITY_LEN + 1];
1640       size_t identity_len;
1641 
1642       if (s->psk_client_callback == NULL) {
1643         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1644                           SSL_R_PSK_NO_CLIENT_CB);
1645         goto err;
1646       }
1647 
1648       memset(identity, 0, sizeof(identity));
1649       psk_len =
1650           s->psk_client_callback(s, s->s3->tmp.peer_psk_identity_hint, identity,
1651                                  sizeof(identity), psk, sizeof(psk));
1652       if (psk_len > PSK_MAX_PSK_LEN) {
1653         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1654                           ERR_R_INTERNAL_ERROR);
1655         goto err;
1656       } else if (psk_len == 0) {
1657         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1658                           SSL_R_PSK_IDENTITY_NOT_FOUND);
1659         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1660         goto err;
1661       }
1662 
1663       identity_len = OPENSSL_strnlen(identity, sizeof(identity));
1664       if (identity_len > PSK_MAX_IDENTITY_LEN) {
1665         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1666                           ERR_R_INTERNAL_ERROR);
1667         goto err;
1668       }
1669 
1670       OPENSSL_free(s->session->psk_identity);
1671       s->session->psk_identity = BUF_strdup(identity);
1672       if (s->session->psk_identity == NULL) {
1673         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1674                           ERR_R_MALLOC_FAILURE);
1675         goto err;
1676       }
1677 
1678       /* Write out psk_identity. */
1679       s2n(identity_len, p);
1680       memcpy(p, identity, identity_len);
1681       p += identity_len;
1682       n = 2 + identity_len;
1683     }
1684 
1685     /* Depending on the key exchange method, compute |pms| and |pms_len|. */
1686     if (alg_k & SSL_kRSA) {
1687       RSA *rsa;
1688       size_t enc_pms_len;
1689 
1690       pms_len = SSL_MAX_MASTER_KEY_LENGTH;
1691       pms = OPENSSL_malloc(pms_len);
1692       if (pms == NULL) {
1693         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1694                           ERR_R_MALLOC_FAILURE);
1695         goto err;
1696       }
1697 
1698       if (s->session->sess_cert == NULL) {
1699         /* We should always have a server certificate with SSL_kRSA. */
1700         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1701                           ERR_R_INTERNAL_ERROR);
1702         goto err;
1703       }
1704 
1705       pkey = X509_get_pubkey(
1706           s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1707       if (pkey == NULL ||
1708           pkey->type != EVP_PKEY_RSA ||
1709           pkey->pkey.rsa == NULL) {
1710         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1711                           ERR_R_INTERNAL_ERROR);
1712         EVP_PKEY_free(pkey);
1713         goto err;
1714       }
1715 
1716       rsa = pkey->pkey.rsa;
1717       EVP_PKEY_free(pkey);
1718 
1719       pms[0] = s->client_version >> 8;
1720       pms[1] = s->client_version & 0xff;
1721       if (!RAND_bytes(&pms[2], SSL_MAX_MASTER_KEY_LENGTH - 2)) {
1722         goto err;
1723       }
1724 
1725       s->session->master_key_length = SSL_MAX_MASTER_KEY_LENGTH;
1726 
1727       q = p;
1728       /* In TLS and beyond, reserve space for the length prefix. */
1729       if (s->version > SSL3_VERSION) {
1730         p += 2;
1731         n += 2;
1732       }
1733       if (!RSA_encrypt(rsa, &enc_pms_len, p, RSA_size(rsa), pms, pms_len,
1734                        RSA_PKCS1_PADDING)) {
1735         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1736                           SSL_R_BAD_RSA_ENCRYPT);
1737         goto err;
1738       }
1739       n += enc_pms_len;
1740 
1741       /* Log the premaster secret, if logging is enabled. */
1742       if (!ssl_ctx_log_rsa_client_key_exchange(s->ctx, p, enc_pms_len, pms,
1743                                                pms_len)) {
1744         goto err;
1745       }
1746 
1747       /* Fill in the length prefix. */
1748       if (s->version > SSL3_VERSION) {
1749         s2n(enc_pms_len, q);
1750       }
1751     } else if (alg_k & SSL_kDHE) {
1752       DH *dh_srvr, *dh_clnt;
1753       SESS_CERT *scert = s->session->sess_cert;
1754       int dh_len;
1755       size_t pub_len;
1756 
1757       if (scert == NULL) {
1758         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1759         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1760                           SSL_R_UNEXPECTED_MESSAGE);
1761         goto err;
1762       }
1763 
1764       if (scert->peer_dh_tmp == NULL) {
1765         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1766                           ERR_R_INTERNAL_ERROR);
1767         goto err;
1768       }
1769       dh_srvr = scert->peer_dh_tmp;
1770 
1771       /* generate a new random key */
1772       dh_clnt = DHparams_dup(dh_srvr);
1773       if (dh_clnt == NULL) {
1774         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
1775         goto err;
1776       }
1777       if (!DH_generate_key(dh_clnt)) {
1778         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
1779         DH_free(dh_clnt);
1780         goto err;
1781       }
1782 
1783       pms_len = DH_size(dh_clnt);
1784       pms = OPENSSL_malloc(pms_len);
1785       if (pms == NULL) {
1786         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1787                           ERR_R_MALLOC_FAILURE);
1788         DH_free(dh_clnt);
1789         goto err;
1790       }
1791 
1792       dh_len = DH_compute_key(pms, dh_srvr->pub_key, dh_clnt);
1793       if (dh_len <= 0) {
1794         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
1795         DH_free(dh_clnt);
1796         goto err;
1797       }
1798       pms_len = dh_len;
1799 
1800       /* send off the data */
1801       pub_len = BN_num_bytes(dh_clnt->pub_key);
1802       s2n(pub_len, p);
1803       BN_bn2bin(dh_clnt->pub_key, p);
1804       n += 2 + pub_len;
1805 
1806       DH_free(dh_clnt);
1807     } else if (alg_k & SSL_kECDHE) {
1808       const EC_GROUP *srvr_group = NULL;
1809       EC_KEY *tkey;
1810       int field_size = 0, ecdh_len;
1811 
1812       if (s->session->sess_cert == NULL) {
1813         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1814         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1815                           SSL_R_UNEXPECTED_MESSAGE);
1816         goto err;
1817       }
1818 
1819       if (s->session->sess_cert->peer_ecdh_tmp == NULL) {
1820         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1821                           ERR_R_INTERNAL_ERROR);
1822         goto err;
1823       }
1824 
1825       tkey = s->session->sess_cert->peer_ecdh_tmp;
1826 
1827       srvr_group = EC_KEY_get0_group(tkey);
1828       srvr_ecpoint = EC_KEY_get0_public_key(tkey);
1829       if (srvr_group == NULL || srvr_ecpoint == NULL) {
1830         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1831                           ERR_R_INTERNAL_ERROR);
1832         goto err;
1833       }
1834 
1835       clnt_ecdh = EC_KEY_new();
1836       if (clnt_ecdh == NULL) {
1837         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1838                           ERR_R_MALLOC_FAILURE);
1839         goto err;
1840       }
1841 
1842       if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
1843         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
1844         goto err;
1845       }
1846 
1847       /* Generate a new ECDH key pair */
1848       if (!EC_KEY_generate_key(clnt_ecdh)) {
1849         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
1850         goto err;
1851       }
1852 
1853       field_size = EC_GROUP_get_degree(srvr_group);
1854       if (field_size <= 0) {
1855         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
1856         goto err;
1857       }
1858 
1859       pms_len = (field_size + 7) / 8;
1860       pms = OPENSSL_malloc(pms_len);
1861       if (pms == NULL) {
1862         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1863                           ERR_R_MALLOC_FAILURE);
1864         goto err;
1865       }
1866 
1867       ecdh_len = ECDH_compute_key(pms, pms_len, srvr_ecpoint, clnt_ecdh, NULL);
1868       if (ecdh_len <= 0) {
1869         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
1870         goto err;
1871       }
1872       pms_len = ecdh_len;
1873 
1874       /* First check the size of encoding and allocate memory accordingly. */
1875       encoded_pt_len =
1876           EC_POINT_point2oct(srvr_group, EC_KEY_get0_public_key(clnt_ecdh),
1877                              POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
1878 
1879       encodedPoint =
1880           (uint8_t *)OPENSSL_malloc(encoded_pt_len * sizeof(uint8_t));
1881       bn_ctx = BN_CTX_new();
1882       if (encodedPoint == NULL || bn_ctx == NULL) {
1883         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1884                           ERR_R_MALLOC_FAILURE);
1885         goto err;
1886       }
1887 
1888       /* Encode the public key */
1889       encoded_pt_len = EC_POINT_point2oct(
1890           srvr_group, EC_KEY_get0_public_key(clnt_ecdh),
1891           POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encoded_pt_len, bn_ctx);
1892 
1893       *p = encoded_pt_len; /* length of encoded point */
1894       /* Encoded point will be copied here */
1895       p += 1;
1896       n += 1;
1897       /* copy the point */
1898       memcpy(p, encodedPoint, encoded_pt_len);
1899       /* increment n to account for length field */
1900       n += encoded_pt_len;
1901 
1902       /* Free allocated memory */
1903       BN_CTX_free(bn_ctx);
1904       bn_ctx = NULL;
1905       OPENSSL_free(encodedPoint);
1906       encodedPoint = NULL;
1907       EC_KEY_free(clnt_ecdh);
1908       clnt_ecdh = NULL;
1909       EVP_PKEY_free(srvr_pub_pkey);
1910       srvr_pub_pkey = NULL;
1911     } else if (alg_k & SSL_kPSK) {
1912       /* For plain PSK, other_secret is a block of 0s with the same length as
1913        * the pre-shared key. */
1914       pms_len = psk_len;
1915       pms = OPENSSL_malloc(pms_len);
1916       if (pms == NULL) {
1917         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1918                           ERR_R_MALLOC_FAILURE);
1919         goto err;
1920       }
1921       memset(pms, 0, pms_len);
1922     } else {
1923       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1924       OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1925                         ERR_R_INTERNAL_ERROR);
1926       goto err;
1927     }
1928 
1929     /* For a PSK cipher suite, other_secret is combined with the pre-shared
1930      * key. */
1931     if (alg_a & SSL_aPSK) {
1932       CBB cbb, child;
1933       uint8_t *new_pms;
1934       size_t new_pms_len;
1935 
1936       if (!CBB_init(&cbb, 2 + psk_len + 2 + pms_len)) {
1937         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1938                           ERR_R_MALLOC_FAILURE);
1939         goto err;
1940       }
1941       if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
1942           !CBB_add_bytes(&child, pms, pms_len) ||
1943           !CBB_add_u16_length_prefixed(&cbb, &child) ||
1944           !CBB_add_bytes(&child, psk, psk_len) ||
1945           !CBB_finish(&cbb, &new_pms, &new_pms_len)) {
1946         CBB_cleanup(&cbb);
1947         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
1948                           ERR_R_INTERNAL_ERROR);
1949         goto err;
1950       }
1951       OPENSSL_cleanse(pms, pms_len);
1952       OPENSSL_free(pms);
1953       pms = new_pms;
1954       pms_len = new_pms_len;
1955     }
1956 
1957     /* The message must be added to the finished hash before calculating the
1958      * master secret. */
1959     if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
1960       goto err;
1961     }
1962     s->state = SSL3_ST_CW_KEY_EXCH_B;
1963 
1964     s->session->master_key_length = s->enc_method->generate_master_secret(
1965         s, s->session->master_key, pms, pms_len);
1966     if (s->session->master_key_length == 0) {
1967       goto err;
1968     }
1969     s->session->extended_master_secret = s->s3->tmp.extended_master_secret;
1970     OPENSSL_cleanse(pms, pms_len);
1971     OPENSSL_free(pms);
1972   }
1973 
1974   /* SSL3_ST_CW_KEY_EXCH_B */
1975   return s->method->do_write(s);
1976 
1977 err:
1978   BN_CTX_free(bn_ctx);
1979   OPENSSL_free(encodedPoint);
1980   EC_KEY_free(clnt_ecdh);
1981   EVP_PKEY_free(srvr_pub_pkey);
1982   if (pms) {
1983     OPENSSL_cleanse(pms, pms_len);
1984     OPENSSL_free(pms);
1985   }
1986   return -1;
1987 }
1988 
ssl3_send_cert_verify(SSL * s)1989 int ssl3_send_cert_verify(SSL *s) {
1990   uint8_t *buf, *p;
1991   const EVP_MD *md = NULL;
1992   uint8_t digest[EVP_MAX_MD_SIZE];
1993   size_t digest_length;
1994   EVP_PKEY *pkey;
1995   EVP_PKEY_CTX *pctx = NULL;
1996   size_t signature_length = 0;
1997   unsigned long n = 0;
1998 
1999   buf = (uint8_t *)s->init_buf->data;
2000 
2001   if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
2002     p = ssl_handshake_start(s);
2003     pkey = s->cert->key->privatekey;
2004 
2005     /* Write out the digest type if needbe. */
2006     if (SSL_USE_SIGALGS(s)) {
2007       md = tls1_choose_signing_digest(s, pkey);
2008       if (!tls12_get_sigandhash(p, pkey, md)) {
2009         OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_INTERNAL_ERROR);
2010         goto err;
2011       }
2012       p += 2;
2013       n += 2;
2014     }
2015 
2016     /* Compute the digest. */
2017     if (!ssl3_cert_verify_hash(s, digest, &digest_length, &md, pkey)) {
2018       goto err;
2019     }
2020 
2021     /* The handshake buffer is no longer necessary. */
2022     if (s->s3->handshake_buffer &&
2023         !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2024       goto err;
2025     }
2026 
2027     /* Sign the digest. */
2028     pctx = EVP_PKEY_CTX_new(pkey, NULL);
2029     if (pctx == NULL) {
2030       goto err;
2031     }
2032 
2033     /* Initialize the EVP_PKEY_CTX and determine the size of the signature. */
2034     if (!EVP_PKEY_sign_init(pctx) || !EVP_PKEY_CTX_set_signature_md(pctx, md) ||
2035         !EVP_PKEY_sign(pctx, NULL, &signature_length, digest, digest_length)) {
2036       OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_EVP_LIB);
2037       goto err;
2038     }
2039 
2040     if (p + 2 + signature_length > buf + SSL3_RT_MAX_PLAIN_LENGTH) {
2041       OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, SSL_R_DATA_LENGTH_TOO_LONG);
2042       goto err;
2043     }
2044 
2045     if (!EVP_PKEY_sign(pctx, &p[2], &signature_length, digest, digest_length)) {
2046       OPENSSL_PUT_ERROR(SSL, ssl3_send_cert_verify, ERR_R_EVP_LIB);
2047       goto err;
2048     }
2049 
2050     s2n(signature_length, p);
2051     n += signature_length + 2;
2052 
2053     if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
2054       goto err;
2055     }
2056     s->state = SSL3_ST_CW_CERT_VRFY_B;
2057   }
2058 
2059   EVP_PKEY_CTX_free(pctx);
2060   return ssl_do_write(s);
2061 
2062 err:
2063   EVP_PKEY_CTX_free(pctx);
2064   return -1;
2065 }
2066 
2067 /* ssl3_has_client_certificate returns true if a client certificate is
2068  * configured. */
ssl3_has_client_certificate(SSL * s)2069 static int ssl3_has_client_certificate(SSL *s) {
2070   return s->cert && s->cert->key->x509 && s->cert->key->privatekey;
2071 }
2072 
ssl3_send_client_certificate(SSL * s)2073 int ssl3_send_client_certificate(SSL *s) {
2074   X509 *x509 = NULL;
2075   EVP_PKEY *pkey = NULL;
2076   int i;
2077 
2078   if (s->state == SSL3_ST_CW_CERT_A) {
2079     /* Let cert callback update client certificates if required */
2080     if (s->cert->cert_cb) {
2081       i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2082       if (i < 0) {
2083         s->rwstate = SSL_X509_LOOKUP;
2084         return -1;
2085       }
2086       if (i == 0) {
2087         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2088         return 0;
2089       }
2090       s->rwstate = SSL_NOTHING;
2091     }
2092 
2093     if (ssl3_has_client_certificate(s)) {
2094       s->state = SSL3_ST_CW_CERT_C;
2095     } else {
2096       s->state = SSL3_ST_CW_CERT_B;
2097     }
2098   }
2099 
2100   /* We need to get a client cert */
2101   if (s->state == SSL3_ST_CW_CERT_B) {
2102     /* If we get an error, we need to:
2103      *   ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2104      * We then get retried later */
2105     i = ssl_do_client_cert_cb(s, &x509, &pkey);
2106     if (i < 0) {
2107       s->rwstate = SSL_X509_LOOKUP;
2108       return -1;
2109     }
2110     s->rwstate = SSL_NOTHING;
2111     if (i == 1 && pkey != NULL && x509 != NULL) {
2112       s->state = SSL3_ST_CW_CERT_B;
2113       if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) {
2114         i = 0;
2115       }
2116     } else if (i == 1) {
2117       i = 0;
2118       OPENSSL_PUT_ERROR(SSL, ssl3_send_client_certificate,
2119                         SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2120     }
2121 
2122     X509_free(x509);
2123     EVP_PKEY_free(pkey);
2124     if (i && !ssl3_has_client_certificate(s)) {
2125       i = 0;
2126     }
2127     if (i == 0) {
2128       if (s->version == SSL3_VERSION) {
2129         s->s3->tmp.cert_req = 0;
2130         ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
2131         return 1;
2132       } else {
2133         s->s3->tmp.cert_req = 2;
2134         /* There is no client certificate, so the handshake buffer may be
2135          * released. */
2136         if (s->s3->handshake_buffer &&
2137             !ssl3_digest_cached_records(s, free_handshake_buffer)) {
2138           ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2139           return -1;
2140         }
2141       }
2142     }
2143 
2144     /* Ok, we have a cert */
2145     s->state = SSL3_ST_CW_CERT_C;
2146   }
2147 
2148   if (s->state == SSL3_ST_CW_CERT_C) {
2149     CERT_PKEY *cert_pkey = (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key;
2150     if (!ssl3_output_cert_chain(s, cert_pkey)) {
2151       return -1;
2152     }
2153   }
2154 
2155   /* SSL3_ST_CW_CERT_D */
2156   return ssl_do_write(s);
2157 }
2158 
2159 #define has_bits(i, m) (((i) & (m)) == (m))
2160 
ssl3_check_cert_and_algorithm(SSL * s)2161 int ssl3_check_cert_and_algorithm(SSL *s) {
2162   int i, idx;
2163   long alg_k, alg_a;
2164   EVP_PKEY *pkey = NULL;
2165   SESS_CERT *sc;
2166   DH *dh;
2167 
2168   /* we don't have a certificate */
2169   if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
2170     return 1;
2171   }
2172 
2173   alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2174   alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2175 
2176   sc = s->session->sess_cert;
2177   if (sc == NULL) {
2178     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, ERR_R_INTERNAL_ERROR);
2179     goto err;
2180   }
2181 
2182   dh = s->session->sess_cert->peer_dh_tmp;
2183 
2184   /* This is the passed certificate */
2185 
2186   idx = sc->peer_cert_type;
2187   if (idx == SSL_PKEY_ECC) {
2188     if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, s) == 0) {
2189       /* check failed */
2190       OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_BAD_ECC_CERT);
2191       goto f_err;
2192     } else {
2193       return 1;
2194     }
2195   } else if (alg_a & SSL_aECDSA) {
2196     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm,
2197                       SSL_R_MISSING_ECDSA_SIGNING_CERT);
2198     goto f_err;
2199   }
2200   pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
2201   i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
2202   EVP_PKEY_free(pkey);
2203 
2204   /* Check that we have a certificate if we require one */
2205   if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
2206     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm,
2207                       SSL_R_MISSING_RSA_SIGNING_CERT);
2208     goto f_err;
2209   }
2210 
2211   if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
2212     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm,
2213                       SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2214     goto f_err;
2215   }
2216 
2217   if ((alg_k & SSL_kDHE) &&
2218       !(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || dh != NULL)) {
2219     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY);
2220     goto f_err;
2221   }
2222 
2223   return 1;
2224 
2225 f_err:
2226   ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2227 err:
2228   return 0;
2229 }
2230 
ssl3_send_next_proto(SSL * s)2231 int ssl3_send_next_proto(SSL *s) {
2232   unsigned int len, padding_len;
2233   uint8_t *d, *p;
2234 
2235   if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
2236     len = s->next_proto_negotiated_len;
2237     padding_len = 32 - ((len + 2) % 32);
2238 
2239     d = p = ssl_handshake_start(s);
2240     *(p++) = len;
2241     memcpy(p, s->next_proto_negotiated, len);
2242     p += len;
2243     *(p++) = padding_len;
2244     memset(p, 0, padding_len);
2245     p += padding_len;
2246 
2247     if (!ssl_set_handshake_header(s, SSL3_MT_NEXT_PROTO, p - d)) {
2248       return -1;
2249     }
2250     s->state = SSL3_ST_CW_NEXT_PROTO_B;
2251   }
2252 
2253   return ssl_do_write(s);
2254 }
2255 
ssl3_send_channel_id(SSL * s)2256 int ssl3_send_channel_id(SSL *s) {
2257   uint8_t *d;
2258   int ret = -1, public_key_len;
2259   EVP_MD_CTX md_ctx;
2260   size_t sig_len;
2261   ECDSA_SIG *sig = NULL;
2262   uint8_t *public_key = NULL, *derp, *der_sig = NULL;
2263 
2264   if (s->state != SSL3_ST_CW_CHANNEL_ID_A) {
2265     return ssl_do_write(s);
2266   }
2267 
2268   if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) {
2269     EVP_PKEY *key = NULL;
2270     s->ctx->channel_id_cb(s, &key);
2271     if (key != NULL) {
2272       s->tlsext_channel_id_private = key;
2273     }
2274   }
2275 
2276   if (!s->tlsext_channel_id_private) {
2277     s->rwstate = SSL_CHANNEL_ID_LOOKUP;
2278     return -1;
2279   }
2280   s->rwstate = SSL_NOTHING;
2281 
2282   d = ssl_handshake_start(s);
2283   if (s->s3->tlsext_channel_id_new) {
2284     s2n(TLSEXT_TYPE_channel_id_new, d);
2285   } else {
2286     s2n(TLSEXT_TYPE_channel_id, d);
2287   }
2288   s2n(TLSEXT_CHANNEL_ID_SIZE, d);
2289 
2290   EVP_MD_CTX_init(&md_ctx);
2291 
2292   public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
2293   if (public_key_len <= 0) {
2294     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id,
2295                       SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
2296     goto err;
2297   }
2298 
2299   /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a
2300    * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
2301    * field elements as 32-byte, big-endian numbers. */
2302   if (public_key_len != 65) {
2303     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
2304     goto err;
2305   }
2306   public_key = OPENSSL_malloc(public_key_len);
2307   if (!public_key) {
2308     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2309     goto err;
2310   }
2311 
2312   derp = public_key;
2313   i2d_PublicKey(s->tlsext_channel_id_private, &derp);
2314 
2315   if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
2316                          s->tlsext_channel_id_private) != 1) {
2317     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id,
2318                       SSL_R_EVP_DIGESTSIGNINIT_FAILED);
2319     goto err;
2320   }
2321 
2322   if (!tls1_channel_id_hash(&md_ctx, s)) {
2323     goto err;
2324   }
2325 
2326   if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) {
2327     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id,
2328                       SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2329     goto err;
2330   }
2331 
2332   der_sig = OPENSSL_malloc(sig_len);
2333   if (!der_sig) {
2334     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_MALLOC_FAILURE);
2335     goto err;
2336   }
2337 
2338   if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len)) {
2339     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id,
2340                       SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
2341     goto err;
2342   }
2343 
2344   derp = der_sig;
2345   sig = d2i_ECDSA_SIG(NULL, (const uint8_t **)&derp, sig_len);
2346   if (sig == NULL) {
2347     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, SSL_R_D2I_ECDSA_SIG);
2348     goto err;
2349   }
2350 
2351   /* The first byte of public_key will be 0x4, denoting an uncompressed key. */
2352   memcpy(d, public_key + 1, 64);
2353   d += 64;
2354   if (!BN_bn2bin_padded(d, 32, sig->r) ||
2355       !BN_bn2bin_padded(d + 32, 32, sig->s)) {
2356     OPENSSL_PUT_ERROR(SSL, ssl3_send_channel_id, ERR_R_INTERNAL_ERROR);
2357     goto err;
2358   }
2359 
2360   if (!ssl_set_handshake_header(s, SSL3_MT_ENCRYPTED_EXTENSIONS,
2361                                 2 + 2 + TLSEXT_CHANNEL_ID_SIZE)) {
2362     goto err;
2363   }
2364   s->state = SSL3_ST_CW_CHANNEL_ID_B;
2365 
2366   ret = ssl_do_write(s);
2367 
2368 err:
2369   EVP_MD_CTX_cleanup(&md_ctx);
2370   OPENSSL_free(public_key);
2371   OPENSSL_free(der_sig);
2372   ECDSA_SIG_free(sig);
2373 
2374   return ret;
2375 }
2376 
ssl_do_client_cert_cb(SSL * s,X509 ** px509,EVP_PKEY ** ppkey)2377 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) {
2378   int i = 0;
2379   if (s->ctx->client_cert_cb) {
2380     i = s->ctx->client_cert_cb(s, px509, ppkey);
2381   }
2382   return i;
2383 }
2384