1 /* $OpenBSD: ssl_clnt.c,v 1.168 2024/07/22 14:47:15 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151 #include <limits.h>
152 #include <stdint.h>
153 #include <stdio.h>
154
155 #include <openssl/bn.h>
156 #include <openssl/buffer.h>
157 #include <openssl/curve25519.h>
158 #include <openssl/dh.h>
159 #include <openssl/evp.h>
160 #include <openssl/md5.h>
161 #include <openssl/objects.h>
162 #include <openssl/opensslconf.h>
163
164 #include "bytestring.h"
165 #include "dtls_local.h"
166 #include "ssl_local.h"
167 #include "ssl_sigalgs.h"
168 #include "ssl_tlsext.h"
169
170 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
171
172 static int ssl3_send_client_hello(SSL *s);
173 static int ssl3_get_dtls_hello_verify(SSL *s);
174 static int ssl3_get_server_hello(SSL *s);
175 static int ssl3_get_certificate_request(SSL *s);
176 static int ssl3_get_new_session_ticket(SSL *s);
177 static int ssl3_get_cert_status(SSL *s);
178 static int ssl3_get_server_done(SSL *s);
179 static int ssl3_send_client_verify(SSL *s);
180 static int ssl3_send_client_certificate(SSL *s);
181 static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
182 static int ssl3_send_client_key_exchange(SSL *s);
183 static int ssl3_get_server_key_exchange(SSL *s);
184 static int ssl3_get_server_certificate(SSL *s);
185 static int ssl3_check_cert_and_algorithm(SSL *s);
186 static int ssl3_check_finished(SSL *s);
187 static int ssl3_send_client_change_cipher_spec(SSL *s);
188 static int ssl3_send_client_finished(SSL *s);
189 static int ssl3_get_server_finished(SSL *s);
190
191 int
ssl3_connect(SSL * s)192 ssl3_connect(SSL *s)
193 {
194 int new_state, state, skip = 0;
195 int ret = -1;
196
197 ERR_clear_error();
198 errno = 0;
199
200 s->in_handshake++;
201 if (!SSL_in_init(s) || SSL_in_before(s))
202 SSL_clear(s);
203
204 for (;;) {
205 state = s->s3->hs.state;
206
207 switch (s->s3->hs.state) {
208 case SSL_ST_RENEGOTIATE:
209 s->renegotiate = 1;
210 s->s3->hs.state = SSL_ST_CONNECT;
211 s->ctx->stats.sess_connect_renegotiate++;
212 /* break */
213 case SSL_ST_BEFORE:
214 case SSL_ST_CONNECT:
215 case SSL_ST_BEFORE|SSL_ST_CONNECT:
216 case SSL_ST_OK|SSL_ST_CONNECT:
217
218 s->server = 0;
219
220 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
221
222 if (!ssl_legacy_stack_version(s, s->version)) {
223 SSLerror(s, ERR_R_INTERNAL_ERROR);
224 ret = -1;
225 goto end;
226 }
227
228 if (!ssl_supported_tls_version_range(s,
229 &s->s3->hs.our_min_tls_version,
230 &s->s3->hs.our_max_tls_version)) {
231 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
232 ret = -1;
233 goto end;
234 }
235
236 if (!ssl_security_version(s,
237 s->s3->hs.our_min_tls_version)) {
238 SSLerror(s, SSL_R_VERSION_TOO_LOW);
239 ret = -1;
240 goto end;
241 }
242
243 if (!ssl3_setup_init_buffer(s)) {
244 ret = -1;
245 goto end;
246 }
247 if (!ssl3_setup_buffers(s)) {
248 ret = -1;
249 goto end;
250 }
251 if (!ssl_init_wbio_buffer(s, 0)) {
252 ret = -1;
253 goto end;
254 }
255
256 /* don't push the buffering BIO quite yet */
257
258 if (!tls1_transcript_init(s)) {
259 ret = -1;
260 goto end;
261 }
262
263 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
264 s->ctx->stats.sess_connect++;
265 s->init_num = 0;
266
267 if (SSL_is_dtls(s)) {
268 /* mark client_random uninitialized */
269 memset(s->s3->client_random, 0,
270 sizeof(s->s3->client_random));
271 s->d1->send_cookie = 0;
272 s->hit = 0;
273 }
274 break;
275
276 case SSL3_ST_CW_CLNT_HELLO_A:
277 case SSL3_ST_CW_CLNT_HELLO_B:
278 s->shutdown = 0;
279
280 if (SSL_is_dtls(s)) {
281 /* every DTLS ClientHello resets Finished MAC */
282 tls1_transcript_reset(s);
283
284 dtls1_start_timer(s);
285 }
286
287 ret = ssl3_send_client_hello(s);
288 if (ret <= 0)
289 goto end;
290
291 if (SSL_is_dtls(s) && s->d1->send_cookie) {
292 s->s3->hs.state = SSL3_ST_CW_FLUSH;
293 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
294 } else
295 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
296
297 s->init_num = 0;
298
299 /* turn on buffering for the next lot of output */
300 if (s->bbio != s->wbio)
301 s->wbio = BIO_push(s->bbio, s->wbio);
302
303 break;
304
305 case SSL3_ST_CR_SRVR_HELLO_A:
306 case SSL3_ST_CR_SRVR_HELLO_B:
307 ret = ssl3_get_server_hello(s);
308 if (ret <= 0)
309 goto end;
310
311 if (s->hit) {
312 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
313 if (!SSL_is_dtls(s)) {
314 if (s->tlsext_ticket_expected) {
315 /* receive renewed session ticket */
316 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
317 }
318
319 /* No client certificate verification. */
320 tls1_transcript_free(s);
321 }
322 } else if (SSL_is_dtls(s)) {
323 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
324 } else {
325 s->s3->hs.state = SSL3_ST_CR_CERT_A;
326 }
327 s->init_num = 0;
328 break;
329
330 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
331 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
332 ret = ssl3_get_dtls_hello_verify(s);
333 if (ret <= 0)
334 goto end;
335 dtls1_stop_timer(s);
336 if (s->d1->send_cookie) /* start again, with a cookie */
337 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
338 else
339 s->s3->hs.state = SSL3_ST_CR_CERT_A;
340 s->init_num = 0;
341 break;
342
343 case SSL3_ST_CR_CERT_A:
344 case SSL3_ST_CR_CERT_B:
345 ret = ssl3_check_finished(s);
346 if (ret <= 0)
347 goto end;
348 if (ret == 2) {
349 s->hit = 1;
350 if (s->tlsext_ticket_expected)
351 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
352 else
353 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
354 s->init_num = 0;
355 break;
356 }
357 /* Check if it is anon DH/ECDH. */
358 if (!(s->s3->hs.cipher->algorithm_auth &
359 SSL_aNULL)) {
360 ret = ssl3_get_server_certificate(s);
361 if (ret <= 0)
362 goto end;
363 if (s->tlsext_status_expected)
364 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
365 else
366 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
367 } else {
368 skip = 1;
369 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
370 }
371 s->init_num = 0;
372 break;
373
374 case SSL3_ST_CR_KEY_EXCH_A:
375 case SSL3_ST_CR_KEY_EXCH_B:
376 ret = ssl3_get_server_key_exchange(s);
377 if (ret <= 0)
378 goto end;
379 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
380 s->init_num = 0;
381
382 /*
383 * At this point we check that we have the
384 * required stuff from the server.
385 */
386 if (!ssl3_check_cert_and_algorithm(s)) {
387 ret = -1;
388 goto end;
389 }
390 break;
391
392 case SSL3_ST_CR_CERT_REQ_A:
393 case SSL3_ST_CR_CERT_REQ_B:
394 ret = ssl3_get_certificate_request(s);
395 if (ret <= 0)
396 goto end;
397 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
398 s->init_num = 0;
399 break;
400
401 case SSL3_ST_CR_SRVR_DONE_A:
402 case SSL3_ST_CR_SRVR_DONE_B:
403 ret = ssl3_get_server_done(s);
404 if (ret <= 0)
405 goto end;
406 if (SSL_is_dtls(s))
407 dtls1_stop_timer(s);
408 if (s->s3->hs.tls12.cert_request)
409 s->s3->hs.state = SSL3_ST_CW_CERT_A;
410 else
411 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
412 s->init_num = 0;
413
414 break;
415
416 case SSL3_ST_CW_CERT_A:
417 case SSL3_ST_CW_CERT_B:
418 case SSL3_ST_CW_CERT_C:
419 case SSL3_ST_CW_CERT_D:
420 if (SSL_is_dtls(s))
421 dtls1_start_timer(s);
422 ret = ssl3_send_client_certificate(s);
423 if (ret <= 0)
424 goto end;
425 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
426 s->init_num = 0;
427 break;
428
429 case SSL3_ST_CW_KEY_EXCH_A:
430 case SSL3_ST_CW_KEY_EXCH_B:
431 if (SSL_is_dtls(s))
432 dtls1_start_timer(s);
433 ret = ssl3_send_client_key_exchange(s);
434 if (ret <= 0)
435 goto end;
436 /*
437 * EAY EAY EAY need to check for DH fix cert
438 * sent back
439 */
440 /*
441 * For TLS, cert_req is set to 2, so a cert chain
442 * of nothing is sent, but no verify packet is sent
443 */
444 /*
445 * XXX: For now, we do not support client
446 * authentication in ECDH cipher suites with
447 * ECDH (rather than ECDSA) certificates.
448 * We need to skip the certificate verify
449 * message when client's ECDH public key is sent
450 * inside the client certificate.
451 */
452 if (s->s3->hs.tls12.cert_request == 1) {
453 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
454 } else {
455 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
456 s->s3->change_cipher_spec = 0;
457 }
458
459 s->init_num = 0;
460 break;
461
462 case SSL3_ST_CW_CERT_VRFY_A:
463 case SSL3_ST_CW_CERT_VRFY_B:
464 if (SSL_is_dtls(s))
465 dtls1_start_timer(s);
466 ret = ssl3_send_client_verify(s);
467 if (ret <= 0)
468 goto end;
469 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
470 s->init_num = 0;
471 s->s3->change_cipher_spec = 0;
472 break;
473
474 case SSL3_ST_CW_CHANGE_A:
475 case SSL3_ST_CW_CHANGE_B:
476 if (SSL_is_dtls(s) && !s->hit)
477 dtls1_start_timer(s);
478 ret = ssl3_send_client_change_cipher_spec(s);
479 if (ret <= 0)
480 goto end;
481
482 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
483 s->init_num = 0;
484 s->session->cipher_value = s->s3->hs.cipher->value;
485
486 if (!tls1_setup_key_block(s)) {
487 ret = -1;
488 goto end;
489 }
490 if (!tls1_change_write_cipher_state(s)) {
491 ret = -1;
492 goto end;
493 }
494 break;
495
496 case SSL3_ST_CW_FINISHED_A:
497 case SSL3_ST_CW_FINISHED_B:
498 if (SSL_is_dtls(s) && !s->hit)
499 dtls1_start_timer(s);
500 ret = ssl3_send_client_finished(s);
501 if (ret <= 0)
502 goto end;
503 if (!SSL_is_dtls(s))
504 s->s3->flags |= SSL3_FLAGS_CCS_OK;
505 s->s3->hs.state = SSL3_ST_CW_FLUSH;
506
507 /* clear flags */
508 if (s->hit) {
509 s->s3->hs.tls12.next_state = SSL_ST_OK;
510 } else {
511 /* Allow NewSessionTicket if ticket expected */
512 if (s->tlsext_ticket_expected)
513 s->s3->hs.tls12.next_state =
514 SSL3_ST_CR_SESSION_TICKET_A;
515 else
516 s->s3->hs.tls12.next_state =
517 SSL3_ST_CR_FINISHED_A;
518 }
519 s->init_num = 0;
520 break;
521
522 case SSL3_ST_CR_SESSION_TICKET_A:
523 case SSL3_ST_CR_SESSION_TICKET_B:
524 ret = ssl3_get_new_session_ticket(s);
525 if (ret <= 0)
526 goto end;
527 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
528 s->init_num = 0;
529 break;
530
531 case SSL3_ST_CR_CERT_STATUS_A:
532 case SSL3_ST_CR_CERT_STATUS_B:
533 ret = ssl3_get_cert_status(s);
534 if (ret <= 0)
535 goto end;
536 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
537 s->init_num = 0;
538 break;
539
540 case SSL3_ST_CR_FINISHED_A:
541 case SSL3_ST_CR_FINISHED_B:
542 if (SSL_is_dtls(s))
543 s->d1->change_cipher_spec_ok = 1;
544 else
545 s->s3->flags |= SSL3_FLAGS_CCS_OK;
546 ret = ssl3_get_server_finished(s);
547 if (ret <= 0)
548 goto end;
549 if (SSL_is_dtls(s))
550 dtls1_stop_timer(s);
551
552 if (s->hit)
553 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
554 else
555 s->s3->hs.state = SSL_ST_OK;
556 s->init_num = 0;
557 break;
558
559 case SSL3_ST_CW_FLUSH:
560 s->rwstate = SSL_WRITING;
561 if (BIO_flush(s->wbio) <= 0) {
562 if (SSL_is_dtls(s)) {
563 /* If the write error was fatal, stop trying */
564 if (!BIO_should_retry(s->wbio)) {
565 s->rwstate = SSL_NOTHING;
566 s->s3->hs.state = s->s3->hs.tls12.next_state;
567 }
568 }
569 ret = -1;
570 goto end;
571 }
572 s->rwstate = SSL_NOTHING;
573 s->s3->hs.state = s->s3->hs.tls12.next_state;
574 break;
575
576 case SSL_ST_OK:
577 /* clean a few things up */
578 tls1_cleanup_key_block(s);
579
580 if (s->s3->handshake_transcript != NULL) {
581 SSLerror(s, ERR_R_INTERNAL_ERROR);
582 ret = -1;
583 goto end;
584 }
585
586 if (!SSL_is_dtls(s))
587 ssl3_release_init_buffer(s);
588
589 ssl_free_wbio_buffer(s);
590
591 s->init_num = 0;
592 s->renegotiate = 0;
593 s->new_session = 0;
594
595 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
596 if (s->hit)
597 s->ctx->stats.sess_hit++;
598
599 ret = 1;
600 /* s->server=0; */
601 s->handshake_func = ssl3_connect;
602 s->ctx->stats.sess_connect_good++;
603
604 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
605
606 if (SSL_is_dtls(s)) {
607 /* done with handshaking */
608 s->d1->handshake_read_seq = 0;
609 s->d1->next_handshake_write_seq = 0;
610 }
611
612 goto end;
613 /* break; */
614
615 default:
616 SSLerror(s, SSL_R_UNKNOWN_STATE);
617 ret = -1;
618 goto end;
619 /* break; */
620 }
621
622 /* did we do anything */
623 if (!s->s3->hs.tls12.reuse_message && !skip) {
624 if (s->s3->hs.state != state) {
625 new_state = s->s3->hs.state;
626 s->s3->hs.state = state;
627 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
628 s->s3->hs.state = new_state;
629 }
630 }
631 skip = 0;
632 }
633
634 end:
635 s->in_handshake--;
636 ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret);
637
638 return (ret);
639 }
640
641 static int
ssl3_send_client_hello(SSL * s)642 ssl3_send_client_hello(SSL *s)
643 {
644 CBB cbb, client_hello, session_id, cookie, cipher_suites;
645 CBB compression_methods;
646 uint16_t max_version;
647 size_t sl;
648
649 memset(&cbb, 0, sizeof(cbb));
650
651 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
652 SSL_SESSION *sess = s->session;
653
654 if (!ssl_max_supported_version(s, &max_version)) {
655 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
656 return (-1);
657 }
658 s->version = max_version;
659
660 if (sess == NULL || sess->ssl_version != s->version ||
661 (sess->session_id_length == 0 && sess->tlsext_tick == NULL) ||
662 sess->not_resumable) {
663 if (!ssl_get_new_session(s, 0))
664 goto err;
665 }
666 /* else use the pre-loaded session */
667
668 /*
669 * If a DTLS ClientHello message is being resent after a
670 * HelloVerifyRequest, we must retain the original client
671 * random value.
672 */
673 if (!SSL_is_dtls(s) || s->d1->send_cookie == 0)
674 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
675
676 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
677 SSL3_MT_CLIENT_HELLO))
678 goto err;
679
680 if (!CBB_add_u16(&client_hello, s->version))
681 goto err;
682
683 /* Random stuff */
684 if (!CBB_add_bytes(&client_hello, s->s3->client_random,
685 sizeof(s->s3->client_random)))
686 goto err;
687
688 /* Session ID */
689 if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
690 goto err;
691 if (!s->new_session &&
692 s->session->session_id_length > 0) {
693 sl = s->session->session_id_length;
694 if (sl > sizeof(s->session->session_id)) {
695 SSLerror(s, ERR_R_INTERNAL_ERROR);
696 goto err;
697 }
698 if (!CBB_add_bytes(&session_id,
699 s->session->session_id, sl))
700 goto err;
701 }
702
703 /* DTLS Cookie. */
704 if (SSL_is_dtls(s)) {
705 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
706 SSLerror(s, ERR_R_INTERNAL_ERROR);
707 goto err;
708 }
709 if (!CBB_add_u8_length_prefixed(&client_hello, &cookie))
710 goto err;
711 if (!CBB_add_bytes(&cookie, s->d1->cookie,
712 s->d1->cookie_len))
713 goto err;
714 }
715
716 /* Ciphers supported */
717 if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
718 return 0;
719 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
720 &cipher_suites)) {
721 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
722 goto err;
723 }
724
725 /* Add in compression methods (null) */
726 if (!CBB_add_u8_length_prefixed(&client_hello,
727 &compression_methods))
728 goto err;
729 if (!CBB_add_u8(&compression_methods, 0))
730 goto err;
731
732 /* TLS extensions */
733 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
734 SSLerror(s, ERR_R_INTERNAL_ERROR);
735 goto err;
736 }
737
738 if (!ssl3_handshake_msg_finish(s, &cbb))
739 goto err;
740
741 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
742 }
743
744 /* SSL3_ST_CW_CLNT_HELLO_B */
745 return (ssl3_handshake_write(s));
746
747 err:
748 CBB_cleanup(&cbb);
749
750 return (-1);
751 }
752
753 static int
ssl3_get_dtls_hello_verify(SSL * s)754 ssl3_get_dtls_hello_verify(SSL *s)
755 {
756 CBS hello_verify_request, cookie;
757 size_t cookie_len;
758 uint16_t ssl_version;
759 int al, ret;
760
761 if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
762 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0)
763 return ret;
764
765 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
766 s->d1->send_cookie = 0;
767 s->s3->hs.tls12.reuse_message = 1;
768 return (1);
769 }
770
771 if (s->init_num < 0)
772 goto decode_err;
773
774 CBS_init(&hello_verify_request, s->init_msg,
775 s->init_num);
776
777 if (!CBS_get_u16(&hello_verify_request, &ssl_version))
778 goto decode_err;
779 if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
780 goto decode_err;
781 if (CBS_len(&hello_verify_request) != 0)
782 goto decode_err;
783
784 /*
785 * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always
786 * contain DTLSv1.0 the version that is going to be negotiated.
787 * Tolerate DTLSv1.2 just in case.
788 */
789 if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) {
790 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
791 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
792 al = SSL_AD_PROTOCOL_VERSION;
793 goto fatal_err;
794 }
795
796 if (!CBS_write_bytes(&cookie, s->d1->cookie,
797 sizeof(s->d1->cookie), &cookie_len)) {
798 s->d1->cookie_len = 0;
799 al = SSL_AD_ILLEGAL_PARAMETER;
800 goto fatal_err;
801 }
802 s->d1->cookie_len = cookie_len;
803 s->d1->send_cookie = 1;
804
805 return 1;
806
807 decode_err:
808 al = SSL_AD_DECODE_ERROR;
809 fatal_err:
810 ssl3_send_alert(s, SSL3_AL_FATAL, al);
811 return -1;
812 }
813
814 static int
ssl3_get_server_hello(SSL * s)815 ssl3_get_server_hello(SSL *s)
816 {
817 CBS cbs, server_random, session_id;
818 uint16_t server_version, cipher_suite;
819 uint8_t compression_method;
820 const SSL_CIPHER *cipher;
821 const SSL_METHOD *method;
822 int al, ret;
823
824 s->first_packet = 1;
825 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
826 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0)
827 return ret;
828 s->first_packet = 0;
829
830 if (s->init_num < 0)
831 goto decode_err;
832
833 CBS_init(&cbs, s->init_msg, s->init_num);
834
835 if (SSL_is_dtls(s)) {
836 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
837 if (s->d1->send_cookie == 0) {
838 s->s3->hs.tls12.reuse_message = 1;
839 return (1);
840 } else {
841 /* Already sent a cookie. */
842 al = SSL_AD_UNEXPECTED_MESSAGE;
843 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
844 goto fatal_err;
845 }
846 }
847 }
848
849 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
850 al = SSL_AD_UNEXPECTED_MESSAGE;
851 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
852 goto fatal_err;
853 }
854
855 if (!CBS_get_u16(&cbs, &server_version))
856 goto decode_err;
857
858 if (!ssl_check_version_from_server(s, server_version)) {
859 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
860 s->version = (s->version & 0xff00) | (server_version & 0xff);
861 al = SSL_AD_PROTOCOL_VERSION;
862 goto fatal_err;
863 }
864 s->s3->hs.peer_legacy_version = server_version;
865 s->version = server_version;
866
867 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
868 if (s->s3->hs.negotiated_tls_version == 0) {
869 SSLerror(s, ERR_R_INTERNAL_ERROR);
870 goto err;
871 }
872
873 if ((method = ssl_get_method(server_version)) == NULL) {
874 SSLerror(s, ERR_R_INTERNAL_ERROR);
875 goto err;
876 }
877 s->method = method;
878
879 /* Server random. */
880 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
881 goto decode_err;
882 if (!CBS_write_bytes(&server_random, s->s3->server_random,
883 sizeof(s->s3->server_random), NULL))
884 goto err;
885
886 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
887 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
888 /*
889 * RFC 8446 section 4.1.3. We must not downgrade if the server
890 * random value contains the TLS 1.2 or TLS 1.1 magical value.
891 */
892 if (!CBS_skip(&server_random,
893 CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
894 goto err;
895 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
896 CBS_mem_equal(&server_random, tls13_downgrade_12,
897 sizeof(tls13_downgrade_12))) {
898 al = SSL_AD_ILLEGAL_PARAMETER;
899 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
900 goto fatal_err;
901 }
902 if (CBS_mem_equal(&server_random, tls13_downgrade_11,
903 sizeof(tls13_downgrade_11))) {
904 al = SSL_AD_ILLEGAL_PARAMETER;
905 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
906 goto fatal_err;
907 }
908 }
909
910 /* Session ID. */
911 if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
912 goto decode_err;
913
914 if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) {
915 al = SSL_AD_ILLEGAL_PARAMETER;
916 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
917 goto fatal_err;
918 }
919
920 /* Cipher suite. */
921 if (!CBS_get_u16(&cbs, &cipher_suite))
922 goto decode_err;
923
924 /*
925 * Check if we want to resume the session based on external
926 * pre-shared secret.
927 */
928 if (s->tls_session_secret_cb != NULL) {
929 SSL_CIPHER *pref_cipher = NULL;
930 int master_key_length = sizeof(s->session->master_key);
931
932 if (!s->tls_session_secret_cb(s,
933 s->session->master_key, &master_key_length, NULL,
934 &pref_cipher, s->tls_session_secret_cb_arg)) {
935 SSLerror(s, ERR_R_INTERNAL_ERROR);
936 goto err;
937 }
938 if (master_key_length <= 0) {
939 SSLerror(s, ERR_R_INTERNAL_ERROR);
940 goto err;
941 }
942 s->session->master_key_length = master_key_length;
943
944 /*
945 * XXX - this appears to be completely broken. The
946 * client cannot change the cipher at this stage,
947 * as the server has already made a selection.
948 */
949 if ((s->s3->hs.cipher = pref_cipher) == NULL)
950 s->s3->hs.cipher =
951 ssl3_get_cipher_by_value(cipher_suite);
952 s->s3->flags |= SSL3_FLAGS_CCS_OK;
953 }
954
955 if (s->session->session_id_length != 0 &&
956 CBS_mem_equal(&session_id, s->session->session_id,
957 s->session->session_id_length)) {
958 if (s->sid_ctx_length != s->session->sid_ctx_length ||
959 timingsafe_memcmp(s->session->sid_ctx,
960 s->sid_ctx, s->sid_ctx_length) != 0) {
961 /* actually a client application bug */
962 al = SSL_AD_ILLEGAL_PARAMETER;
963 SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
964 goto fatal_err;
965 }
966 s->s3->flags |= SSL3_FLAGS_CCS_OK;
967 s->hit = 1;
968 } else {
969 /* a miss or crap from the other end */
970
971 /* If we were trying for session-id reuse, make a new
972 * SSL_SESSION so we don't stuff up other people */
973 s->hit = 0;
974 if (s->session->session_id_length > 0) {
975 if (!ssl_get_new_session(s, 0)) {
976 al = SSL_AD_INTERNAL_ERROR;
977 goto fatal_err;
978 }
979 }
980
981 /*
982 * XXX - improve the handling for the case where there is a
983 * zero length session identifier.
984 */
985 if (!CBS_write_bytes(&session_id, s->session->session_id,
986 sizeof(s->session->session_id),
987 &s->session->session_id_length))
988 goto err;
989
990 s->session->ssl_version = s->version;
991 }
992
993 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
994 al = SSL_AD_ILLEGAL_PARAMETER;
995 SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED);
996 goto fatal_err;
997 }
998
999 /* TLS v1.2 only ciphersuites require v1.2 or later. */
1000 if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
1001 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
1002 al = SSL_AD_ILLEGAL_PARAMETER;
1003 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1004 goto fatal_err;
1005 }
1006
1007 if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
1008 /* we did not say we would use this cipher */
1009 al = SSL_AD_ILLEGAL_PARAMETER;
1010 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1011 goto fatal_err;
1012 }
1013
1014 /*
1015 * Depending on the session caching (internal/external), the cipher
1016 * and/or cipher_id values may not be set. Make sure that
1017 * cipher_id is set and use it for comparison.
1018 */
1019 if (s->hit && (s->session->cipher_value != cipher->value)) {
1020 al = SSL_AD_ILLEGAL_PARAMETER;
1021 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1022 goto fatal_err;
1023 }
1024 s->s3->hs.cipher = cipher;
1025 s->session->cipher_value = cipher->value;
1026
1027 if (!tls1_transcript_hash_init(s))
1028 goto err;
1029
1030 /*
1031 * Don't digest cached records if no sigalgs: we may need them for
1032 * client authentication.
1033 */
1034 if (!SSL_USE_SIGALGS(s))
1035 tls1_transcript_free(s);
1036
1037 if (!CBS_get_u8(&cbs, &compression_method))
1038 goto decode_err;
1039
1040 if (compression_method != 0) {
1041 al = SSL_AD_ILLEGAL_PARAMETER;
1042 SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1043 goto fatal_err;
1044 }
1045
1046 if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
1047 SSLerror(s, SSL_R_PARSE_TLSEXT);
1048 goto fatal_err;
1049 }
1050
1051 if (CBS_len(&cbs) != 0)
1052 goto decode_err;
1053
1054 /*
1055 * Determine if we need to see RI. Strictly speaking if we want to
1056 * avoid an attack we should *always* see RI even on initial server
1057 * hello because the client doesn't see any renegotiation during an
1058 * attack. However this would mean we could not connect to any server
1059 * which doesn't support RI so for the immediate future tolerate RI
1060 * absence on initial connect only.
1061 */
1062 if (!s->s3->renegotiate_seen &&
1063 !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1064 al = SSL_AD_HANDSHAKE_FAILURE;
1065 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1066 goto fatal_err;
1067 }
1068
1069 if (ssl_check_serverhello_tlsext(s) <= 0) {
1070 SSLerror(s, SSL_R_SERVERHELLO_TLSEXT);
1071 goto err;
1072 }
1073
1074 return (1);
1075
1076 decode_err:
1077 /* wrong packet length */
1078 al = SSL_AD_DECODE_ERROR;
1079 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1080 fatal_err:
1081 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1082 err:
1083 return (-1);
1084 }
1085
1086 static int
ssl3_get_server_certificate(SSL * s)1087 ssl3_get_server_certificate(SSL *s)
1088 {
1089 CBS cbs, cert_list, cert_data;
1090 STACK_OF(X509) *certs = NULL;
1091 X509 *cert = NULL;
1092 const uint8_t *p;
1093 int al, ret;
1094
1095 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
1096 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
1097 return ret;
1098
1099 ret = -1;
1100
1101 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1102 s->s3->hs.tls12.reuse_message = 1;
1103 return (1);
1104 }
1105
1106 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
1107 al = SSL_AD_UNEXPECTED_MESSAGE;
1108 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1109 goto fatal_err;
1110 }
1111
1112 if ((certs = sk_X509_new_null()) == NULL) {
1113 SSLerror(s, ERR_R_MALLOC_FAILURE);
1114 goto err;
1115 }
1116
1117 if (s->init_num < 0)
1118 goto decode_err;
1119
1120 CBS_init(&cbs, s->init_msg, s->init_num);
1121
1122 if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
1123 goto decode_err;
1124 if (CBS_len(&cbs) != 0)
1125 goto decode_err;
1126
1127 while (CBS_len(&cert_list) > 0) {
1128 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
1129 goto decode_err;
1130 p = CBS_data(&cert_data);
1131 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) {
1132 al = SSL_AD_BAD_CERTIFICATE;
1133 SSLerror(s, ERR_R_ASN1_LIB);
1134 goto fatal_err;
1135 }
1136 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
1137 goto decode_err;
1138 if (!sk_X509_push(certs, cert)) {
1139 SSLerror(s, ERR_R_MALLOC_FAILURE);
1140 goto err;
1141 }
1142 cert = NULL;
1143 }
1144
1145 /* A server must always provide a non-empty certificate list. */
1146 if (sk_X509_num(certs) < 1) {
1147 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1148 goto decode_err;
1149 }
1150
1151 if (ssl_verify_cert_chain(s, certs) <= 0 &&
1152 s->verify_mode != SSL_VERIFY_NONE) {
1153 al = ssl_verify_alarm_type(s->verify_result);
1154 SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
1155 goto fatal_err;
1156 }
1157 s->session->verify_result = s->verify_result;
1158 ERR_clear_error();
1159
1160 if (!tls_process_peer_certs(s, certs))
1161 goto err;
1162
1163 ret = 1;
1164
1165 if (0) {
1166 decode_err:
1167 /* wrong packet length */
1168 al = SSL_AD_DECODE_ERROR;
1169 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1170 fatal_err:
1171 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1172 }
1173 err:
1174 sk_X509_pop_free(certs, X509_free);
1175 X509_free(cert);
1176
1177 return (ret);
1178 }
1179
1180 static int
ssl3_get_server_kex_dhe(SSL * s,CBS * cbs)1181 ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1182 {
1183 int decode_error, invalid_params, invalid_key;
1184 int nid = NID_dhKeyAgreement;
1185
1186 tls_key_share_free(s->s3->hs.key_share);
1187 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1188 goto err;
1189
1190 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
1191 &decode_error, &invalid_params)) {
1192 if (decode_error) {
1193 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1194 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1195 }
1196 goto err;
1197 }
1198 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1199 &decode_error, &invalid_key)) {
1200 if (decode_error) {
1201 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1202 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1203 }
1204 goto err;
1205 }
1206
1207 if (invalid_params) {
1208 SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
1209 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1210 goto err;
1211 }
1212 if (invalid_key) {
1213 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1214 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1215 goto err;
1216 }
1217
1218 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1219 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1220 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1221 return 0;
1222 }
1223
1224 return 1;
1225
1226 err:
1227 return 0;
1228 }
1229
1230 static int
ssl3_get_server_kex_ecdhe(SSL * s,CBS * cbs)1231 ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1232 {
1233 uint8_t curve_type;
1234 uint16_t group_id;
1235 int decode_error;
1236 CBS public;
1237
1238 if (!CBS_get_u8(cbs, &curve_type))
1239 goto decode_err;
1240 if (!CBS_get_u16(cbs, &group_id))
1241 goto decode_err;
1242
1243 /* Only named curves are supported. */
1244 if (curve_type != NAMED_CURVE_TYPE) {
1245 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1246 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1247 goto err;
1248 }
1249
1250 if (!CBS_get_u8_length_prefixed(cbs, &public))
1251 goto decode_err;
1252
1253 /*
1254 * Check that the group is one of our preferences - if it is not,
1255 * the server has sent us an invalid group.
1256 */
1257 if (!tls1_check_group(s, group_id)) {
1258 SSLerror(s, SSL_R_WRONG_CURVE);
1259 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1260 goto err;
1261 }
1262
1263 tls_key_share_free(s->s3->hs.key_share);
1264 if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
1265 goto err;
1266
1267 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1268 &decode_error, NULL)) {
1269 if (decode_error)
1270 goto decode_err;
1271 goto err;
1272 }
1273
1274 return 1;
1275
1276 decode_err:
1277 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1278 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1279 err:
1280 return 0;
1281 }
1282
1283 static int
ssl3_get_server_key_exchange(SSL * s)1284 ssl3_get_server_key_exchange(SSL *s)
1285 {
1286 CBB cbb;
1287 CBS cbs, params, signature;
1288 EVP_MD_CTX *md_ctx;
1289 unsigned char *signed_params = NULL;
1290 size_t signed_params_len;
1291 size_t params_len;
1292 long alg_k, alg_a;
1293 int al, ret;
1294
1295 memset(&cbb, 0, sizeof(cbb));
1296
1297 alg_k = s->s3->hs.cipher->algorithm_mkey;
1298 alg_a = s->s3->hs.cipher->algorithm_auth;
1299
1300 /*
1301 * Use same message size as in ssl3_get_certificate_request()
1302 * as ServerKeyExchange message may be skipped.
1303 */
1304 if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1305 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0)
1306 return ret;
1307
1308 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1309 goto err;
1310
1311 if (s->init_num < 0)
1312 goto err;
1313
1314 CBS_init(&cbs, s->init_msg, s->init_num);
1315
1316 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1317 /*
1318 * Do not skip server key exchange if this cipher suite uses
1319 * ephemeral keys.
1320 */
1321 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
1322 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1323 al = SSL_AD_UNEXPECTED_MESSAGE;
1324 goto fatal_err;
1325 }
1326
1327 s->s3->hs.tls12.reuse_message = 1;
1328 EVP_MD_CTX_free(md_ctx);
1329 return (1);
1330 }
1331
1332 if (!CBB_init(&cbb, 0))
1333 goto err;
1334 if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
1335 goto err;
1336 if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
1337 goto err;
1338
1339 CBS_dup(&cbs, ¶ms);
1340
1341 if (alg_k & SSL_kDHE) {
1342 if (!ssl3_get_server_kex_dhe(s, &cbs))
1343 goto err;
1344 } else if (alg_k & SSL_kECDHE) {
1345 if (!ssl3_get_server_kex_ecdhe(s, &cbs))
1346 goto err;
1347 } else if (alg_k != 0) {
1348 al = SSL_AD_UNEXPECTED_MESSAGE;
1349 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1350 goto fatal_err;
1351 }
1352
1353 if ((params_len = CBS_offset(&cbs)) > CBS_len(¶ms))
1354 goto err;
1355 if (!CBB_add_bytes(&cbb, CBS_data(¶ms), params_len))
1356 goto err;
1357 if (!CBB_finish(&cbb, &signed_params, &signed_params_len))
1358 goto err;
1359
1360 /* if it was signed, check the signature */
1361 if ((alg_a & SSL_aNULL) == 0) {
1362 uint16_t sigalg_value = SIGALG_NONE;
1363 const struct ssl_sigalg *sigalg;
1364 EVP_PKEY_CTX *pctx;
1365 EVP_PKEY *pkey = NULL;
1366
1367 if ((alg_a & SSL_aRSA) != 0 &&
1368 s->session->peer_cert_type == SSL_PKEY_RSA) {
1369 pkey = X509_get0_pubkey(s->session->peer_cert);
1370 } else if ((alg_a & SSL_aECDSA) != 0 &&
1371 s->session->peer_cert_type == SSL_PKEY_ECC) {
1372 pkey = X509_get0_pubkey(s->session->peer_cert);
1373 }
1374 if (pkey == NULL) {
1375 al = SSL_AD_ILLEGAL_PARAMETER;
1376 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1377 goto fatal_err;
1378 }
1379
1380 if (SSL_USE_SIGALGS(s)) {
1381 if (!CBS_get_u16(&cbs, &sigalg_value))
1382 goto decode_err;
1383 }
1384 if (!CBS_get_u16_length_prefixed(&cbs, &signature))
1385 goto decode_err;
1386 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) {
1387 al = SSL_AD_DECODE_ERROR;
1388 SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
1389 goto fatal_err;
1390 }
1391
1392 if ((sigalg = ssl_sigalg_for_peer(s, pkey,
1393 sigalg_value)) == NULL) {
1394 al = SSL_AD_DECODE_ERROR;
1395 goto fatal_err;
1396 }
1397 s->s3->hs.peer_sigalg = sigalg;
1398
1399 if (!EVP_DigestVerifyInit(md_ctx, &pctx, sigalg->md(),
1400 NULL, pkey))
1401 goto err;
1402 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
1403 (!EVP_PKEY_CTX_set_rsa_padding(pctx,
1404 RSA_PKCS1_PSS_PADDING) ||
1405 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)))
1406 goto err;
1407 if (EVP_DigestVerify(md_ctx, CBS_data(&signature),
1408 CBS_len(&signature), signed_params, signed_params_len) <= 0) {
1409 al = SSL_AD_DECRYPT_ERROR;
1410 SSLerror(s, SSL_R_BAD_SIGNATURE);
1411 goto fatal_err;
1412 }
1413 }
1414
1415 if (CBS_len(&cbs) != 0) {
1416 al = SSL_AD_DECODE_ERROR;
1417 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
1418 goto fatal_err;
1419 }
1420
1421 EVP_MD_CTX_free(md_ctx);
1422 free(signed_params);
1423
1424 return (1);
1425
1426 decode_err:
1427 al = SSL_AD_DECODE_ERROR;
1428 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1429
1430 fatal_err:
1431 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1432
1433 err:
1434 CBB_cleanup(&cbb);
1435 EVP_MD_CTX_free(md_ctx);
1436 free(signed_params);
1437
1438 return (-1);
1439 }
1440
1441 static int
ssl3_get_certificate_request(SSL * s)1442 ssl3_get_certificate_request(SSL *s)
1443 {
1444 CBS cert_request, cert_types, rdn_list;
1445 X509_NAME *xn = NULL;
1446 const unsigned char *q;
1447 STACK_OF(X509_NAME) *ca_sk = NULL;
1448 int ret;
1449
1450 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1451 SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0)
1452 return ret;
1453
1454 ret = 0;
1455
1456 s->s3->hs.tls12.cert_request = 0;
1457
1458 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
1459 s->s3->hs.tls12.reuse_message = 1;
1460 /*
1461 * If we get here we don't need any cached handshake records
1462 * as we wont be doing client auth.
1463 */
1464 tls1_transcript_free(s);
1465 return (1);
1466 }
1467
1468 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1469 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1470 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
1471 goto err;
1472 }
1473
1474 /* TLS does not like anon-DH with client cert */
1475 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
1476 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1477 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1478 goto err;
1479 }
1480
1481 if (s->init_num < 0)
1482 goto decode_err;
1483 CBS_init(&cert_request, s->init_msg, s->init_num);
1484
1485 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1486 SSLerror(s, ERR_R_MALLOC_FAILURE);
1487 goto err;
1488 }
1489
1490 if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
1491 goto decode_err;
1492
1493 if (SSL_USE_SIGALGS(s)) {
1494 CBS sigalgs;
1495
1496 if (CBS_len(&cert_request) < 2) {
1497 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1498 goto err;
1499 }
1500 if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
1501 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1502 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1503 goto err;
1504 }
1505 if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) {
1506 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1507 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1508 goto err;
1509 }
1510 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
1511 &s->s3->hs.sigalgs_len))
1512 goto err;
1513 }
1514
1515 /* get the CA RDNs */
1516 if (CBS_len(&cert_request) < 2) {
1517 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1518 goto err;
1519 }
1520
1521 if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
1522 CBS_len(&cert_request) != 0) {
1523 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1524 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1525 goto err;
1526 }
1527
1528 while (CBS_len(&rdn_list) > 0) {
1529 CBS rdn;
1530
1531 if (CBS_len(&rdn_list) < 2) {
1532 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1533 goto err;
1534 }
1535
1536 if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
1537 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1538 SSLerror(s, SSL_R_CA_DN_TOO_LONG);
1539 goto err;
1540 }
1541
1542 q = CBS_data(&rdn);
1543 if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
1544 ssl3_send_alert(s, SSL3_AL_FATAL,
1545 SSL_AD_DECODE_ERROR);
1546 SSLerror(s, ERR_R_ASN1_LIB);
1547 goto err;
1548 }
1549
1550 if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
1551 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1552 SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH);
1553 goto err;
1554 }
1555 if (!sk_X509_NAME_push(ca_sk, xn)) {
1556 SSLerror(s, ERR_R_MALLOC_FAILURE);
1557 goto err;
1558 }
1559 xn = NULL; /* avoid free in err block */
1560 }
1561
1562 /* we should setup a certificate to return.... */
1563 s->s3->hs.tls12.cert_request = 1;
1564 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1565 s->s3->hs.tls12.ca_names = ca_sk;
1566 ca_sk = NULL;
1567
1568 ret = 1;
1569 if (0) {
1570 decode_err:
1571 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1572 }
1573 err:
1574 X509_NAME_free(xn);
1575 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1576 return (ret);
1577 }
1578
1579 static int
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)1580 ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1581 {
1582 return (X509_NAME_cmp(*a, *b));
1583 }
1584
1585 static int
ssl3_get_new_session_ticket(SSL * s)1586 ssl3_get_new_session_ticket(SSL *s)
1587 {
1588 uint32_t lifetime_hint;
1589 CBS cbs, session_ticket;
1590 unsigned int session_id_length = 0;
1591 int al, ret;
1592
1593 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1594 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384)) <= 0)
1595 return ret;
1596
1597 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
1598 s->s3->hs.tls12.reuse_message = 1;
1599 return (1);
1600 }
1601 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
1602 al = SSL_AD_UNEXPECTED_MESSAGE;
1603 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1604 goto fatal_err;
1605 }
1606
1607 if (s->init_num < 0) {
1608 al = SSL_AD_DECODE_ERROR;
1609 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1610 goto fatal_err;
1611 }
1612
1613 CBS_init(&cbs, s->init_msg, s->init_num);
1614 if (!CBS_get_u32(&cbs, &lifetime_hint) ||
1615 !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
1616 CBS_len(&cbs) != 0) {
1617 al = SSL_AD_DECODE_ERROR;
1618 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1619 goto fatal_err;
1620 }
1621 s->session->tlsext_tick_lifetime_hint = lifetime_hint;
1622
1623 if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
1624 &s->session->tlsext_ticklen)) {
1625 SSLerror(s, ERR_R_MALLOC_FAILURE);
1626 goto err;
1627 }
1628
1629 /*
1630 * There are two ways to detect a resumed ticket session.
1631 * One is to set an appropriate session ID and then the server
1632 * must return a match in ServerHello. This allows the normal
1633 * client session ID matching to work and we know much
1634 * earlier that the ticket has been accepted.
1635 *
1636 * The other way is to set zero length session ID when the
1637 * ticket is presented and rely on the handshake to determine
1638 * session resumption.
1639 *
1640 * We choose the former approach because this fits in with
1641 * assumptions elsewhere in OpenSSL. The session ID is set
1642 * to the SHA256 hash of the ticket.
1643 */
1644 /* XXX - ensure this doesn't overflow session_id if hash is changed. */
1645 if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket),
1646 s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
1647 al = SSL_AD_INTERNAL_ERROR;
1648 SSLerror(s, ERR_R_EVP_LIB);
1649 goto fatal_err;
1650 }
1651 s->session->session_id_length = session_id_length;
1652
1653 return (1);
1654
1655 fatal_err:
1656 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1657 err:
1658 return (-1);
1659 }
1660
1661 static int
ssl3_get_cert_status(SSL * s)1662 ssl3_get_cert_status(SSL *s)
1663 {
1664 CBS cert_status, response;
1665 uint8_t status_type;
1666 int al, ret;
1667
1668 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1669 SSL3_ST_CR_CERT_STATUS_B, -1, 16384)) <= 0)
1670 return ret;
1671
1672 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1673 /*
1674 * Tell the callback the server did not send us an OSCP
1675 * response, and has decided to head directly to key exchange.
1676 */
1677 if (s->ctx->tlsext_status_cb) {
1678 free(s->tlsext_ocsp_resp);
1679 s->tlsext_ocsp_resp = NULL;
1680 s->tlsext_ocsp_resp_len = 0;
1681
1682 ret = s->ctx->tlsext_status_cb(s,
1683 s->ctx->tlsext_status_arg);
1684 if (ret == 0) {
1685 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1686 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1687 goto fatal_err;
1688 }
1689 if (ret < 0) {
1690 al = SSL_AD_INTERNAL_ERROR;
1691 SSLerror(s, ERR_R_MALLOC_FAILURE);
1692 goto fatal_err;
1693 }
1694 }
1695 s->s3->hs.tls12.reuse_message = 1;
1696 return (1);
1697 }
1698
1699 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
1700 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1701 al = SSL_AD_UNEXPECTED_MESSAGE;
1702 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1703 goto fatal_err;
1704 }
1705
1706 if (s->init_num < 0) {
1707 /* need at least status type + length */
1708 al = SSL_AD_DECODE_ERROR;
1709 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1710 goto fatal_err;
1711 }
1712
1713 CBS_init(&cert_status, s->init_msg, s->init_num);
1714 if (!CBS_get_u8(&cert_status, &status_type) ||
1715 CBS_len(&cert_status) < 3) {
1716 /* need at least status type + length */
1717 al = SSL_AD_DECODE_ERROR;
1718 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1719 goto fatal_err;
1720 }
1721
1722 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1723 al = SSL_AD_DECODE_ERROR;
1724 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1725 goto fatal_err;
1726 }
1727
1728 if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
1729 CBS_len(&cert_status) != 0) {
1730 al = SSL_AD_DECODE_ERROR;
1731 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1732 goto fatal_err;
1733 }
1734
1735 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1736 &s->tlsext_ocsp_resp_len)) {
1737 al = SSL_AD_INTERNAL_ERROR;
1738 SSLerror(s, ERR_R_MALLOC_FAILURE);
1739 goto fatal_err;
1740 }
1741
1742 if (s->ctx->tlsext_status_cb) {
1743 ret = s->ctx->tlsext_status_cb(s,
1744 s->ctx->tlsext_status_arg);
1745 if (ret == 0) {
1746 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1747 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1748 goto fatal_err;
1749 }
1750 if (ret < 0) {
1751 al = SSL_AD_INTERNAL_ERROR;
1752 SSLerror(s, ERR_R_MALLOC_FAILURE);
1753 goto fatal_err;
1754 }
1755 }
1756 return (1);
1757 fatal_err:
1758 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1759 return (-1);
1760 }
1761
1762 static int
ssl3_get_server_done(SSL * s)1763 ssl3_get_server_done(SSL *s)
1764 {
1765 int ret;
1766
1767 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1768 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
1769 30 /* should be very small, like 0 :-) */)) <= 0)
1770 return ret;
1771
1772 if (s->init_num != 0) {
1773 /* should contain no data */
1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1775 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1776 return -1;
1777 }
1778
1779 return 1;
1780 }
1781
1782 static int
ssl3_send_client_kex_rsa(SSL * s,CBB * cbb)1783 ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)
1784 {
1785 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
1786 unsigned char *enc_pms = NULL;
1787 uint16_t max_legacy_version;
1788 EVP_PKEY *pkey;
1789 RSA *rsa;
1790 int ret = 0;
1791 int enc_len;
1792 CBB epms;
1793
1794 /*
1795 * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.
1796 */
1797
1798 pkey = X509_get0_pubkey(s->session->peer_cert);
1799 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
1800 SSLerror(s, ERR_R_INTERNAL_ERROR);
1801 goto err;
1802 }
1803
1804 /*
1805 * Our maximum legacy protocol version - while RFC 5246 section 7.4.7.1
1806 * says "The latest (newest) version supported by the client", if we're
1807 * doing RSA key exchange then we have to presume that we're talking to
1808 * a server that does not understand the supported versions extension
1809 * and therefore our maximum version is that sent in the ClientHello.
1810 */
1811 if (!ssl_max_legacy_version(s, &max_legacy_version))
1812 goto err;
1813 pms[0] = max_legacy_version >> 8;
1814 pms[1] = max_legacy_version & 0xff;
1815 arc4random_buf(&pms[2], sizeof(pms) - 2);
1816
1817 if ((enc_pms = malloc(RSA_size(rsa))) == NULL) {
1818 SSLerror(s, ERR_R_MALLOC_FAILURE);
1819 goto err;
1820 }
1821
1822 enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, rsa,
1823 RSA_PKCS1_PADDING);
1824 if (enc_len <= 0) {
1825 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
1826 goto err;
1827 }
1828
1829 if (!CBB_add_u16_length_prefixed(cbb, &epms))
1830 goto err;
1831 if (!CBB_add_bytes(&epms, enc_pms, enc_len))
1832 goto err;
1833 if (!CBB_flush(cbb))
1834 goto err;
1835
1836 if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
1837 goto err;
1838
1839 ret = 1;
1840
1841 err:
1842 explicit_bzero(pms, sizeof(pms));
1843 free(enc_pms);
1844
1845 return ret;
1846 }
1847
1848 static int
ssl3_send_client_kex_dhe(SSL * s,CBB * cbb)1849 ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
1850 {
1851 uint8_t *key = NULL;
1852 size_t key_len = 0;
1853 int ret = 0;
1854
1855 /* Ensure that we have an ephemeral key from the server for DHE. */
1856 if (s->s3->hs.key_share == NULL) {
1857 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1858 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1859 goto err;
1860 }
1861
1862 if (!tls_key_share_generate(s->s3->hs.key_share))
1863 goto err;
1864 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1865 goto err;
1866 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1867 goto err;
1868
1869 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1870 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1871 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1872 return 0;
1873 }
1874
1875 if (!tls12_derive_master_secret(s, key, key_len))
1876 goto err;
1877
1878 ret = 1;
1879
1880 err:
1881 freezero(key, key_len);
1882
1883 return ret;
1884 }
1885
1886 static int
ssl3_send_client_kex_ecdhe(SSL * s,CBB * cbb)1887 ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1888 {
1889 uint8_t *key = NULL;
1890 size_t key_len = 0;
1891 CBB public;
1892 int ret = 0;
1893
1894 /* Ensure that we have an ephemeral key for ECDHE. */
1895 if (s->s3->hs.key_share == NULL) {
1896 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1897 SSLerror(s, ERR_R_INTERNAL_ERROR);
1898 goto err;
1899 }
1900
1901 if (!tls_key_share_generate(s->s3->hs.key_share))
1902 goto err;
1903
1904 if (!CBB_add_u8_length_prefixed(cbb, &public))
1905 return 0;
1906 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1907 goto err;
1908 if (!CBB_flush(cbb))
1909 goto err;
1910
1911 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1912 goto err;
1913
1914 if (!tls12_derive_master_secret(s, key, key_len))
1915 goto err;
1916
1917 ret = 1;
1918
1919 err:
1920 freezero(key, key_len);
1921
1922 return ret;
1923 }
1924
1925 static int
ssl3_send_client_key_exchange(SSL * s)1926 ssl3_send_client_key_exchange(SSL *s)
1927 {
1928 unsigned long alg_k;
1929 CBB cbb, kex;
1930
1931 memset(&cbb, 0, sizeof(cbb));
1932
1933 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
1934 alg_k = s->s3->hs.cipher->algorithm_mkey;
1935
1936 if (!ssl3_handshake_msg_start(s, &cbb, &kex,
1937 SSL3_MT_CLIENT_KEY_EXCHANGE))
1938 goto err;
1939
1940 if (alg_k & SSL_kRSA) {
1941 if (!ssl3_send_client_kex_rsa(s, &kex))
1942 goto err;
1943 } else if (alg_k & SSL_kDHE) {
1944 if (!ssl3_send_client_kex_dhe(s, &kex))
1945 goto err;
1946 } else if (alg_k & SSL_kECDHE) {
1947 if (!ssl3_send_client_kex_ecdhe(s, &kex))
1948 goto err;
1949 } else {
1950 ssl3_send_alert(s, SSL3_AL_FATAL,
1951 SSL_AD_HANDSHAKE_FAILURE);
1952 SSLerror(s, ERR_R_INTERNAL_ERROR);
1953 goto err;
1954 }
1955
1956 if (!ssl3_handshake_msg_finish(s, &cbb))
1957 goto err;
1958
1959 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
1960 }
1961
1962 /* SSL3_ST_CW_KEY_EXCH_B */
1963 return (ssl3_handshake_write(s));
1964
1965 err:
1966 CBB_cleanup(&cbb);
1967
1968 return (-1);
1969 }
1970
1971 static int
ssl3_send_client_verify_sigalgs(SSL * s,EVP_PKEY * pkey,const struct ssl_sigalg * sigalg,CBB * cert_verify)1972 ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
1973 const struct ssl_sigalg *sigalg, CBB *cert_verify)
1974 {
1975 CBB cbb_signature;
1976 EVP_PKEY_CTX *pctx = NULL;
1977 EVP_MD_CTX *mctx = NULL;
1978 const unsigned char *hdata;
1979 unsigned char *signature = NULL;
1980 size_t signature_len, hdata_len;
1981 int ret = 0;
1982
1983 if ((mctx = EVP_MD_CTX_new()) == NULL)
1984 goto err;
1985
1986 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
1987 SSLerror(s, ERR_R_INTERNAL_ERROR);
1988 goto err;
1989 }
1990 if (!EVP_DigestSignInit(mctx, &pctx, sigalg->md(), NULL, pkey)) {
1991 SSLerror(s, ERR_R_EVP_LIB);
1992 goto err;
1993 }
1994 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
1995 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
1996 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
1997 SSLerror(s, ERR_R_EVP_LIB);
1998 goto err;
1999 }
2000 if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
2001 SSLerror(s, ERR_R_EVP_LIB);
2002 goto err;
2003 }
2004 if ((signature = calloc(1, signature_len)) == NULL) {
2005 SSLerror(s, ERR_R_MALLOC_FAILURE);
2006 goto err;
2007 }
2008 if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
2009 SSLerror(s, ERR_R_EVP_LIB);
2010 goto err;
2011 }
2012
2013 if (!CBB_add_u16(cert_verify, sigalg->value))
2014 goto err;
2015 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2016 goto err;
2017 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2018 goto err;
2019 if (!CBB_flush(cert_verify))
2020 goto err;
2021
2022 ret = 1;
2023
2024 err:
2025 EVP_MD_CTX_free(mctx);
2026 free(signature);
2027 return ret;
2028 }
2029
2030 static int
ssl3_send_client_verify_rsa(SSL * s,EVP_PKEY * pkey,CBB * cert_verify)2031 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2032 {
2033 CBB cbb_signature;
2034 RSA *rsa;
2035 unsigned char data[EVP_MAX_MD_SIZE];
2036 unsigned char *signature = NULL;
2037 unsigned int signature_len;
2038 size_t data_len;
2039 int ret = 0;
2040
2041 if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
2042 goto err;
2043 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2044 goto err;
2045 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL)
2046 goto err;
2047 if (RSA_sign(NID_md5_sha1, data, data_len, signature, &signature_len,
2048 rsa) <= 0 ) {
2049 SSLerror(s, ERR_R_RSA_LIB);
2050 goto err;
2051 }
2052
2053 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2054 goto err;
2055 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2056 goto err;
2057 if (!CBB_flush(cert_verify))
2058 goto err;
2059
2060 ret = 1;
2061 err:
2062 free(signature);
2063 return ret;
2064 }
2065
2066 static int
ssl3_send_client_verify_ec(SSL * s,EVP_PKEY * pkey,CBB * cert_verify)2067 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2068 {
2069 CBB cbb_signature;
2070 EC_KEY *eckey;
2071 unsigned char data[EVP_MAX_MD_SIZE];
2072 unsigned char *signature = NULL;
2073 unsigned int signature_len;
2074 int ret = 0;
2075
2076 if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL))
2077 goto err;
2078 if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL)
2079 goto err;
2080 if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
2081 goto err;
2082 if (!ECDSA_sign(0, &data[MD5_DIGEST_LENGTH], SHA_DIGEST_LENGTH,
2083 signature, &signature_len, eckey)) {
2084 SSLerror(s, ERR_R_ECDSA_LIB);
2085 goto err;
2086 }
2087
2088 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2089 goto err;
2090 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2091 goto err;
2092 if (!CBB_flush(cert_verify))
2093 goto err;
2094
2095 ret = 1;
2096 err:
2097 free(signature);
2098 return ret;
2099 }
2100
2101 static int
ssl3_send_client_verify(SSL * s)2102 ssl3_send_client_verify(SSL *s)
2103 {
2104 const struct ssl_sigalg *sigalg;
2105 CBB cbb, cert_verify;
2106 EVP_PKEY *pkey;
2107
2108 memset(&cbb, 0, sizeof(cbb));
2109
2110 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2111 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2112 SSL3_MT_CERTIFICATE_VERIFY))
2113 goto err;
2114
2115 pkey = s->cert->key->privatekey;
2116 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
2117 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2118 goto err;
2119 }
2120 s->s3->hs.our_sigalg = sigalg;
2121
2122 /*
2123 * For TLS v1.2 send signature algorithm and signature using
2124 * agreed digest and cached handshake records.
2125 */
2126 if (SSL_USE_SIGALGS(s)) {
2127 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2128 &cert_verify))
2129 goto err;
2130 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
2131 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2132 goto err;
2133 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2134 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2135 goto err;
2136 } else {
2137 SSLerror(s, ERR_R_INTERNAL_ERROR);
2138 goto err;
2139 }
2140
2141 tls1_transcript_free(s);
2142
2143 if (!ssl3_handshake_msg_finish(s, &cbb))
2144 goto err;
2145
2146 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2147 }
2148
2149 return (ssl3_handshake_write(s));
2150
2151 err:
2152 CBB_cleanup(&cbb);
2153
2154 return (-1);
2155 }
2156
2157 static int
ssl3_send_client_certificate(SSL * s)2158 ssl3_send_client_certificate(SSL *s)
2159 {
2160 EVP_PKEY *pkey = NULL;
2161 X509 *x509 = NULL;
2162 CBB cbb, client_cert;
2163 int i;
2164
2165 memset(&cbb, 0, sizeof(cbb));
2166
2167 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
2168 if (s->cert->key->x509 == NULL ||
2169 s->cert->key->privatekey == NULL)
2170 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2171 else
2172 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2173 }
2174
2175 /* We need to get a client cert */
2176 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
2177 /*
2178 * If we get an error, we need to
2179 * ssl->rwstate = SSL_X509_LOOKUP; return(-1);
2180 * We then get retried later.
2181 */
2182 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2183 if (i < 0) {
2184 s->rwstate = SSL_X509_LOOKUP;
2185 return (-1);
2186 }
2187 s->rwstate = SSL_NOTHING;
2188 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
2189 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2190 if (!SSL_use_certificate(s, x509) ||
2191 !SSL_use_PrivateKey(s, pkey))
2192 i = 0;
2193 } else if (i == 1) {
2194 i = 0;
2195 SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2196 }
2197
2198 X509_free(x509);
2199 EVP_PKEY_free(pkey);
2200 if (i == 0) {
2201 s->s3->hs.tls12.cert_request = 2;
2202
2203 /* There is no client certificate to verify. */
2204 tls1_transcript_free(s);
2205 }
2206
2207 /* Ok, we have a cert */
2208 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2209 }
2210
2211 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
2212 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2213 SSL3_MT_CERTIFICATE))
2214 goto err;
2215 if (!ssl3_output_cert_chain(s, &client_cert,
2216 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
2217 goto err;
2218 if (!ssl3_handshake_msg_finish(s, &cbb))
2219 goto err;
2220
2221 s->s3->hs.state = SSL3_ST_CW_CERT_D;
2222 }
2223
2224 /* SSL3_ST_CW_CERT_D */
2225 return (ssl3_handshake_write(s));
2226
2227 err:
2228 CBB_cleanup(&cbb);
2229
2230 return (0);
2231 }
2232
2233 #define has_bits(i,m) (((i)&(m)) == (m))
2234
2235 static int
ssl3_check_cert_and_algorithm(SSL * s)2236 ssl3_check_cert_and_algorithm(SSL *s)
2237 {
2238 long alg_k, alg_a;
2239 int nid = NID_undef;
2240 int i;
2241
2242 alg_k = s->s3->hs.cipher->algorithm_mkey;
2243 alg_a = s->s3->hs.cipher->algorithm_auth;
2244
2245 /* We don't have a certificate. */
2246 if (alg_a & SSL_aNULL)
2247 return (1);
2248
2249 if (s->s3->hs.key_share != NULL)
2250 nid = tls_key_share_nid(s->s3->hs.key_share);
2251
2252 /* This is the passed certificate. */
2253
2254 if (s->session->peer_cert_type == SSL_PKEY_ECC) {
2255 if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
2256 SSLerror(s, SSL_R_BAD_ECC_CERT);
2257 goto fatal_err;
2258 }
2259 return (1);
2260 }
2261
2262 i = X509_certificate_type(s->session->peer_cert, NULL);
2263
2264 /* Check that we have a certificate if we require one. */
2265 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2266 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
2267 goto fatal_err;
2268 }
2269 if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2270 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2271 goto fatal_err;
2272 }
2273 if ((alg_k & SSL_kDHE) &&
2274 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (nid == NID_dhKeyAgreement))) {
2275 SSLerror(s, SSL_R_MISSING_DH_KEY);
2276 goto fatal_err;
2277 }
2278
2279 return (1);
2280
2281 fatal_err:
2282 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2283
2284 return (0);
2285 }
2286
2287 /*
2288 * Check to see if handshake is full or resumed. Usually this is just a
2289 * case of checking to see if a cache hit has occurred. In the case of
2290 * session tickets we have to check the next message to be sure.
2291 */
2292
2293 static int
ssl3_check_finished(SSL * s)2294 ssl3_check_finished(SSL *s)
2295 {
2296 int ret;
2297
2298 /* If we have no ticket it cannot be a resumed session. */
2299 if (!s->session->tlsext_tick)
2300 return (1);
2301 /* this function is called when we really expect a Certificate
2302 * message, so permit appropriate message length */
2303 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
2304 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
2305 return ret;
2306
2307 s->s3->hs.tls12.reuse_message = 1;
2308 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) ||
2309 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
2310 return (2);
2311
2312 return (1);
2313 }
2314
2315 static int
ssl_do_client_cert_cb(SSL * s,X509 ** px509,EVP_PKEY ** ppkey)2316 ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2317 {
2318 if (s->ctx->client_cert_cb == NULL)
2319 return 0;
2320
2321 return s->ctx->client_cert_cb(s, px509, ppkey);
2322 }
2323
2324 static int
ssl3_send_client_change_cipher_spec(SSL * s)2325 ssl3_send_client_change_cipher_spec(SSL *s)
2326 {
2327 size_t outlen;
2328 CBB cbb;
2329
2330 memset(&cbb, 0, sizeof(cbb));
2331
2332 if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
2333 if (!CBB_init_fixed(&cbb, s->init_buf->data,
2334 s->init_buf->length))
2335 goto err;
2336 if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
2337 goto err;
2338 if (!CBB_finish(&cbb, NULL, &outlen))
2339 goto err;
2340
2341 if (outlen > INT_MAX)
2342 goto err;
2343
2344 s->init_num = (int)outlen;
2345 s->init_off = 0;
2346
2347 if (SSL_is_dtls(s)) {
2348 s->d1->handshake_write_seq =
2349 s->d1->next_handshake_write_seq;
2350 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
2351 s->d1->handshake_write_seq, 0, 0);
2352 dtls1_buffer_message(s, 1);
2353 }
2354
2355 s->s3->hs.state = SSL3_ST_CW_CHANGE_B;
2356 }
2357
2358 /* SSL3_ST_CW_CHANGE_B */
2359 return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
2360
2361 err:
2362 CBB_cleanup(&cbb);
2363
2364 return -1;
2365 }
2366
2367 static int
ssl3_send_client_finished(SSL * s)2368 ssl3_send_client_finished(SSL *s)
2369 {
2370 CBB cbb, finished;
2371
2372 memset(&cbb, 0, sizeof(cbb));
2373
2374 if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) {
2375 if (!tls12_derive_finished(s))
2376 goto err;
2377
2378 /* Copy finished so we can use it for renegotiation checks. */
2379 memcpy(s->s3->previous_client_finished,
2380 s->s3->hs.finished, s->s3->hs.finished_len);
2381 s->s3->previous_client_finished_len =
2382 s->s3->hs.finished_len;
2383
2384 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
2385 SSL3_MT_FINISHED))
2386 goto err;
2387 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
2388 s->s3->hs.finished_len))
2389 goto err;
2390 if (!ssl3_handshake_msg_finish(s, &cbb))
2391 goto err;
2392
2393 s->s3->hs.state = SSL3_ST_CW_FINISHED_B;
2394 }
2395
2396 return (ssl3_handshake_write(s));
2397
2398 err:
2399 CBB_cleanup(&cbb);
2400
2401 return (-1);
2402 }
2403
2404 static int
ssl3_get_server_finished(SSL * s)2405 ssl3_get_server_finished(SSL *s)
2406 {
2407 int al, md_len, ret;
2408 CBS cbs;
2409
2410 /* should actually be 36+4 :-) */
2411 if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A,
2412 SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
2413 return ret;
2414
2415 /* If this occurs, we have missed a message */
2416 if (!s->s3->change_cipher_spec) {
2417 al = SSL_AD_UNEXPECTED_MESSAGE;
2418 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
2419 goto fatal_err;
2420 }
2421 s->s3->change_cipher_spec = 0;
2422
2423 md_len = TLS1_FINISH_MAC_LENGTH;
2424
2425 if (s->init_num < 0) {
2426 al = SSL_AD_DECODE_ERROR;
2427 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2428 goto fatal_err;
2429 }
2430
2431 CBS_init(&cbs, s->init_msg, s->init_num);
2432
2433 if (s->s3->hs.peer_finished_len != md_len ||
2434 CBS_len(&cbs) != md_len) {
2435 al = SSL_AD_DECODE_ERROR;
2436 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2437 goto fatal_err;
2438 }
2439
2440 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
2441 al = SSL_AD_DECRYPT_ERROR;
2442 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
2443 goto fatal_err;
2444 }
2445
2446 /* Copy finished so we can use it for renegotiation checks. */
2447 OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
2448 memcpy(s->s3->previous_server_finished,
2449 s->s3->hs.peer_finished, md_len);
2450 s->s3->previous_server_finished_len = md_len;
2451
2452 return (1);
2453 fatal_err:
2454 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2455 return (0);
2456 }
2457