1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * 113 * Portions of the attached software ("Contribution") are developed by 114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * 116 * The Contribution is licensed pursuant to the OpenSSL open source 117 * license provided above. 118 * 119 * ECC cipher suite support in OpenSSL originally written by 120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 121 * 122 */ 123 /* ==================================================================== 124 * Copyright 2005 Nokia. All rights reserved. 125 * 126 * The portions of the attached software ("Contribution") is developed by 127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 128 * license. 129 * 130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 132 * support (see RFC 4279) to OpenSSL. 133 * 134 * No patent licenses or other rights except those expressly stated in 135 * the OpenSSL open source license shall be deemed granted or received 136 * expressly, by implication, estoppel, or otherwise. 137 * 138 * No assurances are provided by Nokia that the Contribution does not 139 * infringe the patent or other intellectual property rights of any third 140 * party or that the license provides you with all the necessary rights 141 * to make use of the Contribution. 142 * 143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 147 * OTHERWISE. */ 148 149 #include <openssl/ssl.h> 150 151 #include <assert.h> 152 #include <string.h> 153 154 #include <openssl/bn.h> 155 #include <openssl/buf.h> 156 #include <openssl/bytestring.h> 157 #include <openssl/cipher.h> 158 #include <openssl/ec.h> 159 #include <openssl/ecdsa.h> 160 #include <openssl/err.h> 161 #include <openssl/evp.h> 162 #include <openssl/hmac.h> 163 #include <openssl/md5.h> 164 #include <openssl/mem.h> 165 #include <openssl/nid.h> 166 #include <openssl/rand.h> 167 #include <openssl/x509.h> 168 169 #include "internal.h" 170 #include "../crypto/internal.h" 171 172 173 static int ssl3_process_client_hello(SSL_HANDSHAKE *hs); 174 static int ssl3_select_certificate(SSL_HANDSHAKE *hs); 175 static int ssl3_select_parameters(SSL_HANDSHAKE *hs); 176 static int ssl3_send_server_hello(SSL_HANDSHAKE *hs); 177 static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs); 178 static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs); 179 static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs); 180 static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs); 181 static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs); 182 static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs); 183 static int ssl3_get_next_proto(SSL_HANDSHAKE *hs); 184 static int ssl3_get_channel_id(SSL_HANDSHAKE *hs); 185 static int ssl3_send_server_finished(SSL_HANDSHAKE *hs); 186 187 int ssl3_accept(SSL_HANDSHAKE *hs) { 188 SSL *const ssl = hs->ssl; 189 int ret = -1; 190 191 assert(ssl->handshake_func == ssl3_accept); 192 assert(ssl->server); 193 194 for (;;) { 195 int state = hs->state; 196 197 switch (hs->state) { 198 case SSL_ST_INIT: 199 ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1); 200 hs->state = SSL3_ST_SR_CLNT_HELLO_A; 201 break; 202 203 case SSL3_ST_SR_CLNT_HELLO_A: 204 ret = ssl->method->ssl_get_message(ssl); 205 if (ret <= 0) { 206 goto end; 207 } 208 hs->state = SSL3_ST_SR_CLNT_HELLO_B; 209 break; 210 211 case SSL3_ST_SR_CLNT_HELLO_B: 212 ret = ssl3_process_client_hello(hs); 213 if (ret <= 0) { 214 goto end; 215 } 216 hs->state = SSL3_ST_SR_CLNT_HELLO_C; 217 break; 218 219 case SSL3_ST_SR_CLNT_HELLO_C: 220 ret = ssl3_select_certificate(hs); 221 if (ret <= 0) { 222 goto end; 223 } 224 if (hs->state != SSL_ST_TLS13) { 225 hs->state = SSL3_ST_SR_CLNT_HELLO_D; 226 } 227 break; 228 229 case SSL3_ST_SR_CLNT_HELLO_D: 230 ret = ssl3_select_parameters(hs); 231 if (ret <= 0) { 232 goto end; 233 } 234 ssl->method->received_flight(ssl); 235 hs->state = SSL3_ST_SW_SRVR_HELLO_A; 236 break; 237 238 case SSL3_ST_SW_SRVR_HELLO_A: 239 ret = ssl3_send_server_hello(hs); 240 if (ret <= 0) { 241 goto end; 242 } 243 if (ssl->session != NULL) { 244 hs->state = SSL3_ST_SW_FINISHED_A; 245 } else { 246 hs->state = SSL3_ST_SW_CERT_A; 247 } 248 break; 249 250 case SSL3_ST_SW_CERT_A: 251 ret = ssl3_send_server_certificate(hs); 252 if (ret <= 0) { 253 goto end; 254 } 255 hs->state = SSL3_ST_SW_KEY_EXCH_A; 256 break; 257 258 case SSL3_ST_SW_KEY_EXCH_A: 259 if (hs->server_params_len > 0) { 260 ret = ssl3_send_server_key_exchange(hs); 261 if (ret <= 0) { 262 goto end; 263 } 264 } 265 266 hs->state = SSL3_ST_SW_SRVR_DONE_A; 267 break; 268 269 case SSL3_ST_SW_SRVR_DONE_A: 270 ret = ssl3_send_server_hello_done(hs); 271 if (ret <= 0) { 272 goto end; 273 } 274 hs->next_state = SSL3_ST_SR_CERT_A; 275 hs->state = SSL3_ST_SW_FLUSH; 276 break; 277 278 case SSL3_ST_SR_CERT_A: 279 if (hs->cert_request) { 280 ret = ssl3_get_client_certificate(hs); 281 if (ret <= 0) { 282 goto end; 283 } 284 } 285 hs->state = SSL3_ST_SR_KEY_EXCH_A; 286 break; 287 288 case SSL3_ST_SR_KEY_EXCH_A: 289 case SSL3_ST_SR_KEY_EXCH_B: 290 ret = ssl3_get_client_key_exchange(hs); 291 if (ret <= 0) { 292 goto end; 293 } 294 hs->state = SSL3_ST_SR_CERT_VRFY_A; 295 break; 296 297 case SSL3_ST_SR_CERT_VRFY_A: 298 ret = ssl3_get_cert_verify(hs); 299 if (ret <= 0) { 300 goto end; 301 } 302 303 hs->state = SSL3_ST_SR_CHANGE; 304 break; 305 306 case SSL3_ST_SR_CHANGE: 307 ret = ssl->method->read_change_cipher_spec(ssl); 308 if (ret <= 0) { 309 goto end; 310 } 311 312 if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_READ)) { 313 ret = -1; 314 goto end; 315 } 316 317 hs->state = SSL3_ST_SR_NEXT_PROTO_A; 318 break; 319 320 case SSL3_ST_SR_NEXT_PROTO_A: 321 if (hs->next_proto_neg_seen) { 322 ret = ssl3_get_next_proto(hs); 323 if (ret <= 0) { 324 goto end; 325 } 326 } 327 hs->state = SSL3_ST_SR_CHANNEL_ID_A; 328 break; 329 330 case SSL3_ST_SR_CHANNEL_ID_A: 331 if (ssl->s3->tlsext_channel_id_valid) { 332 ret = ssl3_get_channel_id(hs); 333 if (ret <= 0) { 334 goto end; 335 } 336 } 337 hs->state = SSL3_ST_SR_FINISHED_A; 338 break; 339 340 case SSL3_ST_SR_FINISHED_A: 341 ret = ssl3_get_finished(hs); 342 if (ret <= 0) { 343 goto end; 344 } 345 346 ssl->method->received_flight(ssl); 347 if (ssl->session != NULL) { 348 hs->state = SSL_ST_OK; 349 } else { 350 hs->state = SSL3_ST_SW_FINISHED_A; 351 } 352 353 /* If this is a full handshake with ChannelID then record the handshake 354 * hashes in |hs->new_session| in case we need them to verify a 355 * ChannelID signature on a resumption of this session in the future. */ 356 if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid) { 357 ret = tls1_record_handshake_hashes_for_channel_id(hs); 358 if (ret <= 0) { 359 goto end; 360 } 361 } 362 break; 363 364 case SSL3_ST_SW_FINISHED_A: 365 ret = ssl3_send_server_finished(hs); 366 if (ret <= 0) { 367 goto end; 368 } 369 hs->state = SSL3_ST_SW_FLUSH; 370 if (ssl->session != NULL) { 371 hs->next_state = SSL3_ST_SR_CHANGE; 372 } else { 373 hs->next_state = SSL_ST_OK; 374 } 375 break; 376 377 case SSL3_ST_SW_FLUSH: 378 ret = ssl->method->flush_flight(ssl); 379 if (ret <= 0) { 380 goto end; 381 } 382 383 hs->state = hs->next_state; 384 if (hs->state != SSL_ST_OK) { 385 ssl->method->expect_flight(ssl); 386 } 387 break; 388 389 case SSL_ST_TLS13: { 390 int early_return = 0; 391 ret = tls13_handshake(hs, &early_return); 392 if (ret <= 0) { 393 goto end; 394 } 395 396 if (early_return) { 397 ret = 1; 398 goto end; 399 } 400 401 hs->state = SSL_ST_OK; 402 break; 403 } 404 405 case SSL_ST_OK: 406 ssl->method->release_current_message(ssl, 1 /* free_buffer */); 407 408 /* If we aren't retaining peer certificates then we can discard it 409 * now. */ 410 if (hs->new_session != NULL && 411 ssl->retain_only_sha256_of_client_certs) { 412 sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); 413 hs->new_session->certs = NULL; 414 ssl->ctx->x509_method->session_clear(hs->new_session); 415 } 416 417 SSL_SESSION_free(ssl->s3->established_session); 418 if (ssl->session != NULL) { 419 SSL_SESSION_up_ref(ssl->session); 420 ssl->s3->established_session = ssl->session; 421 } else { 422 ssl->s3->established_session = hs->new_session; 423 ssl->s3->established_session->not_resumable = 0; 424 hs->new_session = NULL; 425 } 426 427 ssl->s3->initial_handshake_complete = 1; 428 ssl_update_cache(hs, SSL_SESS_CACHE_SERVER); 429 430 ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1); 431 ret = 1; 432 goto end; 433 434 default: 435 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE); 436 ret = -1; 437 goto end; 438 } 439 440 if (hs->state != state) { 441 ssl_do_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 1); 442 } 443 } 444 445 end: 446 ssl_do_info_callback(ssl, SSL_CB_ACCEPT_EXIT, ret); 447 return ret; 448 } 449 450 int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello, 451 uint16_t id) { 452 CBS cipher_suites; 453 CBS_init(&cipher_suites, client_hello->cipher_suites, 454 client_hello->cipher_suites_len); 455 456 while (CBS_len(&cipher_suites) > 0) { 457 uint16_t got_id; 458 if (!CBS_get_u16(&cipher_suites, &got_id)) { 459 return 0; 460 } 461 462 if (got_id == id) { 463 return 1; 464 } 465 } 466 467 return 0; 468 } 469 470 static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, 471 const SSL_CLIENT_HELLO *client_hello) { 472 SSL *const ssl = hs->ssl; 473 assert(!ssl->s3->have_version); 474 CBS supported_versions, versions; 475 if (ssl_client_hello_get_extension(client_hello, &supported_versions, 476 TLSEXT_TYPE_supported_versions)) { 477 if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || 478 CBS_len(&supported_versions) != 0 || 479 CBS_len(&versions) == 0) { 480 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 481 *out_alert = SSL_AD_DECODE_ERROR; 482 return 0; 483 } 484 } else { 485 /* Convert the ClientHello version to an equivalent supported_versions 486 * extension. */ 487 static const uint8_t kTLSVersions[] = { 488 0x03, 0x03, /* TLS 1.2 */ 489 0x03, 0x02, /* TLS 1.1 */ 490 0x03, 0x01, /* TLS 1 */ 491 0x03, 0x00, /* SSL 3 */ 492 }; 493 494 static const uint8_t kDTLSVersions[] = { 495 0xfe, 0xfd, /* DTLS 1.2 */ 496 0xfe, 0xff, /* DTLS 1.0 */ 497 }; 498 499 size_t versions_len = 0; 500 if (SSL_is_dtls(ssl)) { 501 if (client_hello->version <= DTLS1_2_VERSION) { 502 versions_len = 4; 503 } else if (client_hello->version <= DTLS1_VERSION) { 504 versions_len = 2; 505 } 506 CBS_init(&versions, kDTLSVersions + sizeof(kDTLSVersions) - versions_len, 507 versions_len); 508 } else { 509 if (client_hello->version >= TLS1_2_VERSION) { 510 versions_len = 8; 511 } else if (client_hello->version >= TLS1_1_VERSION) { 512 versions_len = 6; 513 } else if (client_hello->version >= TLS1_VERSION) { 514 versions_len = 4; 515 } else if (client_hello->version >= SSL3_VERSION) { 516 versions_len = 2; 517 } 518 CBS_init(&versions, kTLSVersions + sizeof(kTLSVersions) - versions_len, 519 versions_len); 520 } 521 } 522 523 if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) { 524 return 0; 525 } 526 527 /* At this point, the connection's version is known and |ssl->version| is 528 * fixed. Begin enforcing the record-layer version. */ 529 ssl->s3->have_version = 1; 530 531 /* Handle FALLBACK_SCSV. */ 532 if (ssl_client_cipher_list_contains_cipher(client_hello, 533 SSL3_CK_FALLBACK_SCSV & 0xffff) && 534 ssl3_protocol_version(ssl) < hs->max_version) { 535 OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK); 536 *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK; 537 return 0; 538 } 539 540 return 1; 541 } 542 543 static STACK_OF(SSL_CIPHER) * 544 ssl_parse_client_cipher_list(const SSL_CLIENT_HELLO *client_hello) { 545 CBS cipher_suites; 546 CBS_init(&cipher_suites, client_hello->cipher_suites, 547 client_hello->cipher_suites_len); 548 549 STACK_OF(SSL_CIPHER) *sk = sk_SSL_CIPHER_new_null(); 550 if (sk == NULL) { 551 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 552 goto err; 553 } 554 555 while (CBS_len(&cipher_suites) > 0) { 556 uint16_t cipher_suite; 557 558 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) { 559 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); 560 goto err; 561 } 562 563 const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite); 564 if (c != NULL && !sk_SSL_CIPHER_push(sk, c)) { 565 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 566 goto err; 567 } 568 } 569 570 return sk; 571 572 err: 573 sk_SSL_CIPHER_free(sk); 574 return NULL; 575 } 576 577 /* ssl_get_compatible_server_ciphers determines the key exchange and 578 * authentication cipher suite masks compatible with the server configuration 579 * and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key 580 * exchange mask and |*out_mask_a| to the authentication mask. */ 581 static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, 582 uint32_t *out_mask_k, 583 uint32_t *out_mask_a) { 584 SSL *const ssl = hs->ssl; 585 uint32_t mask_k = 0; 586 uint32_t mask_a = 0; 587 588 if (ssl_has_certificate(ssl)) { 589 mask_a |= ssl_cipher_auth_mask_for_key(hs->local_pubkey); 590 if (EVP_PKEY_id(hs->local_pubkey) == EVP_PKEY_RSA) { 591 mask_k |= SSL_kRSA; 592 } 593 } 594 595 /* Check for a shared group to consider ECDHE ciphers. */ 596 uint16_t unused; 597 if (tls1_get_shared_group(hs, &unused)) { 598 mask_k |= SSL_kECDHE; 599 } 600 601 /* PSK requires a server callback. */ 602 if (ssl->psk_server_callback != NULL) { 603 mask_k |= SSL_kPSK; 604 mask_a |= SSL_aPSK; 605 } 606 607 *out_mask_k = mask_k; 608 *out_mask_a = mask_a; 609 } 610 611 static const SSL_CIPHER *ssl3_choose_cipher( 612 SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello, 613 const struct ssl_cipher_preference_list_st *server_pref) { 614 SSL *const ssl = hs->ssl; 615 STACK_OF(SSL_CIPHER) *prio, *allow; 616 /* in_group_flags will either be NULL, or will point to an array of bytes 617 * which indicate equal-preference groups in the |prio| stack. See the 618 * comment about |in_group_flags| in the |ssl_cipher_preference_list_st| 619 * struct. */ 620 const uint8_t *in_group_flags; 621 /* group_min contains the minimal index so far found in a group, or -1 if no 622 * such value exists yet. */ 623 int group_min = -1; 624 625 STACK_OF(SSL_CIPHER) *client_pref = 626 ssl_parse_client_cipher_list(client_hello); 627 if (client_pref == NULL) { 628 return NULL; 629 } 630 631 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { 632 prio = server_pref->ciphers; 633 in_group_flags = server_pref->in_group_flags; 634 allow = client_pref; 635 } else { 636 prio = client_pref; 637 in_group_flags = NULL; 638 allow = server_pref->ciphers; 639 } 640 641 uint32_t mask_k, mask_a; 642 ssl_get_compatible_server_ciphers(hs, &mask_k, &mask_a); 643 644 const SSL_CIPHER *ret = NULL; 645 for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) { 646 const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); 647 648 size_t cipher_index; 649 if (/* Check if the cipher is supported for the current version. */ 650 SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) && 651 ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && 652 /* Check the cipher is supported for the server configuration. */ 653 (c->algorithm_mkey & mask_k) && 654 (c->algorithm_auth & mask_a) && 655 /* Check the cipher is in the |allow| list. */ 656 sk_SSL_CIPHER_find(allow, &cipher_index, c)) { 657 if (in_group_flags != NULL && in_group_flags[i] == 1) { 658 /* This element of |prio| is in a group. Update the minimum index found 659 * so far and continue looking. */ 660 if (group_min == -1 || (size_t)group_min > cipher_index) { 661 group_min = cipher_index; 662 } 663 } else { 664 if (group_min != -1 && (size_t)group_min < cipher_index) { 665 cipher_index = group_min; 666 } 667 ret = sk_SSL_CIPHER_value(allow, cipher_index); 668 break; 669 } 670 } 671 672 if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) { 673 /* We are about to leave a group, but we found a match in it, so that's 674 * our answer. */ 675 ret = sk_SSL_CIPHER_value(allow, group_min); 676 break; 677 } 678 } 679 680 sk_SSL_CIPHER_free(client_pref); 681 return ret; 682 } 683 684 static int ssl3_process_client_hello(SSL_HANDSHAKE *hs) { 685 SSL *const ssl = hs->ssl; 686 if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) { 687 return -1; 688 } 689 690 SSL_CLIENT_HELLO client_hello; 691 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg, 692 ssl->init_num)) { 693 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 694 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 695 return -1; 696 } 697 698 /* Run the early callback. */ 699 if (ssl->ctx->select_certificate_cb != NULL) { 700 switch (ssl->ctx->select_certificate_cb(&client_hello)) { 701 case ssl_select_cert_retry: 702 ssl->rwstate = SSL_CERTIFICATE_SELECTION_PENDING; 703 return -1; 704 705 case ssl_select_cert_error: 706 /* Connection rejected. */ 707 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); 708 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 709 return -1; 710 711 default: 712 /* fallthrough */; 713 } 714 } 715 716 /* Freeze the version range after the early callback. */ 717 if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) { 718 return -1; 719 } 720 721 uint8_t alert = SSL_AD_DECODE_ERROR; 722 if (!negotiate_version(hs, &alert, &client_hello)) { 723 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 724 return -1; 725 } 726 727 hs->client_version = client_hello.version; 728 if (client_hello.random_len != SSL3_RANDOM_SIZE) { 729 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 730 return -1; 731 } 732 OPENSSL_memcpy(ssl->s3->client_random, client_hello.random, 733 client_hello.random_len); 734 735 /* Only null compression is supported. TLS 1.3 further requires the peer 736 * advertise no other compression. */ 737 if (OPENSSL_memchr(client_hello.compression_methods, 0, 738 client_hello.compression_methods_len) == NULL || 739 (ssl3_protocol_version(ssl) >= TLS1_3_VERSION && 740 client_hello.compression_methods_len != 1)) { 741 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST); 742 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 743 return -1; 744 } 745 746 /* TLS extensions. */ 747 if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) { 748 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 749 return -1; 750 } 751 752 return 1; 753 } 754 755 static int ssl3_select_certificate(SSL_HANDSHAKE *hs) { 756 SSL *const ssl = hs->ssl; 757 /* Call |cert_cb| to update server certificates if required. */ 758 if (ssl->cert->cert_cb != NULL) { 759 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); 760 if (rv == 0) { 761 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); 762 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 763 return -1; 764 } 765 if (rv < 0) { 766 ssl->rwstate = SSL_X509_LOOKUP; 767 return -1; 768 } 769 } 770 771 if (!ssl_on_certificate_selected(hs)) { 772 return -1; 773 } 774 775 if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { 776 /* Jump to the TLS 1.3 state machine. */ 777 hs->state = SSL_ST_TLS13; 778 hs->do_tls13_handshake = tls13_server_handshake; 779 return 1; 780 } 781 782 SSL_CLIENT_HELLO client_hello; 783 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg, 784 ssl->init_num)) { 785 return -1; 786 } 787 788 /* Negotiate the cipher suite. This must be done after |cert_cb| so the 789 * certificate is finalized. */ 790 hs->new_cipher = 791 ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl)); 792 if (hs->new_cipher == NULL) { 793 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); 794 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 795 return -1; 796 } 797 798 return 1; 799 } 800 801 static int ssl3_select_parameters(SSL_HANDSHAKE *hs) { 802 SSL *const ssl = hs->ssl; 803 SSL_CLIENT_HELLO client_hello; 804 if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg, 805 ssl->init_num)) { 806 return -1; 807 } 808 809 /* Determine whether we are doing session resumption. */ 810 int tickets_supported = 0, renew_ticket = 0; 811 /* TODO(davidben): Switch |ssl_get_prev_session| to take a |bssl::UniquePtr| 812 * output and simplify this. */ 813 SSL_SESSION *session_raw = nullptr; 814 auto session_ret = ssl_get_prev_session(ssl, &session_raw, &tickets_supported, 815 &renew_ticket, &client_hello); 816 bssl::UniquePtr<SSL_SESSION> session(session_raw); 817 switch (session_ret) { 818 case ssl_session_success: 819 break; 820 case ssl_session_error: 821 return -1; 822 case ssl_session_retry: 823 ssl->rwstate = SSL_PENDING_SESSION; 824 return -1; 825 case ssl_session_ticket_retry: 826 ssl->rwstate = SSL_PENDING_TICKET; 827 return -1; 828 } 829 830 if (session) { 831 if (session->extended_master_secret && !hs->extended_master_secret) { 832 /* A ClientHello without EMS that attempts to resume a session with EMS 833 * is fatal to the connection. */ 834 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION); 835 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 836 return -1; 837 } 838 839 if (!ssl_session_is_resumable(hs, session.get()) || 840 /* If the client offers the EMS extension, but the previous session 841 * didn't use it, then negotiate a new session. */ 842 hs->extended_master_secret != session->extended_master_secret) { 843 session.reset(); 844 } 845 } 846 847 if (session) { 848 /* Use the old session. */ 849 hs->ticket_expected = renew_ticket; 850 ssl->session = session.release(); 851 ssl->s3->session_reused = 1; 852 } else { 853 hs->ticket_expected = tickets_supported; 854 ssl_set_session(ssl, NULL); 855 if (!ssl_get_new_session(hs, 1 /* server */)) { 856 return -1; 857 } 858 859 /* Clear the session ID if we want the session to be single-use. */ 860 if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { 861 hs->new_session->session_id_length = 0; 862 } 863 } 864 865 if (ssl->ctx->dos_protection_cb != NULL && 866 ssl->ctx->dos_protection_cb(&client_hello) == 0) { 867 /* Connection rejected for DOS reasons. */ 868 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); 869 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 870 return -1; 871 } 872 873 if (ssl->session == NULL) { 874 hs->new_session->cipher = hs->new_cipher; 875 876 /* On new sessions, stash the SNI value in the session. */ 877 if (hs->hostname != NULL) { 878 OPENSSL_free(hs->new_session->tlsext_hostname); 879 hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname); 880 if (hs->new_session->tlsext_hostname == NULL) { 881 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 882 return -1; 883 } 884 } 885 886 /* Determine whether to request a client certificate. */ 887 hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); 888 /* Only request a certificate if Channel ID isn't negotiated. */ 889 if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && 890 ssl->s3->tlsext_channel_id_valid) { 891 hs->cert_request = 0; 892 } 893 /* CertificateRequest may only be sent in certificate-based ciphers. */ 894 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) { 895 hs->cert_request = 0; 896 } 897 898 if (!hs->cert_request) { 899 /* OpenSSL returns X509_V_OK when no certificates are requested. This is 900 * classed by them as a bug, but it's assumed by at least NGINX. */ 901 hs->new_session->verify_result = X509_V_OK; 902 } 903 } 904 905 /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was 906 * deferred. Complete it now. */ 907 uint8_t alert = SSL_AD_DECODE_ERROR; 908 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { 909 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 910 return -1; 911 } 912 913 /* Now that all parameters are known, initialize the handshake hash and hash 914 * the ClientHello. */ 915 if (!SSL_TRANSCRIPT_init_hash(&hs->transcript, ssl3_protocol_version(ssl), 916 hs->new_cipher->algorithm_prf) || 917 !ssl_hash_current_message(hs)) { 918 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 919 return -1; 920 } 921 922 /* Release the handshake buffer if client authentication isn't required. */ 923 if (!hs->cert_request) { 924 SSL_TRANSCRIPT_free_buffer(&hs->transcript); 925 } 926 927 return 1; 928 } 929 930 static int ssl3_send_server_hello(SSL_HANDSHAKE *hs) { 931 SSL *const ssl = hs->ssl; 932 933 /* We only accept ChannelIDs on connections with ECDHE in order to avoid a 934 * known attack while we fix ChannelID itself. */ 935 if (ssl->s3->tlsext_channel_id_valid && 936 (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { 937 ssl->s3->tlsext_channel_id_valid = 0; 938 } 939 940 /* If this is a resumption and the original handshake didn't support 941 * ChannelID then we didn't record the original handshake hashes in the 942 * session and so cannot resume with ChannelIDs. */ 943 if (ssl->session != NULL && 944 ssl->session->original_handshake_hash_len == 0) { 945 ssl->s3->tlsext_channel_id_valid = 0; 946 } 947 948 struct OPENSSL_timeval now; 949 ssl_get_current_time(ssl, &now); 950 ssl->s3->server_random[0] = now.tv_sec >> 24; 951 ssl->s3->server_random[1] = now.tv_sec >> 16; 952 ssl->s3->server_random[2] = now.tv_sec >> 8; 953 ssl->s3->server_random[3] = now.tv_sec; 954 if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) { 955 return -1; 956 } 957 958 /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS 959 * 1.3 is finalized and we are not implementing a draft version. */ 960 961 const SSL_SESSION *session = hs->new_session; 962 if (ssl->session != NULL) { 963 session = ssl->session; 964 } 965 966 CBB cbb, body, session_id; 967 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) || 968 !CBB_add_u16(&body, ssl->version) || 969 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || 970 !CBB_add_u8_length_prefixed(&body, &session_id) || 971 !CBB_add_bytes(&session_id, session->session_id, 972 session->session_id_length) || 973 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) || 974 !CBB_add_u8(&body, 0 /* no compression */) || 975 !ssl_add_serverhello_tlsext(hs, &body) || 976 !ssl_add_message_cbb(ssl, &cbb)) { 977 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 978 CBB_cleanup(&cbb); 979 return -1; 980 } 981 982 return 1; 983 } 984 985 static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs) { 986 SSL *const ssl = hs->ssl; 987 bssl::ScopedCBB cbb; 988 989 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { 990 if (!ssl_has_certificate(ssl)) { 991 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); 992 return -1; 993 } 994 995 if (!ssl3_output_cert_chain(ssl)) { 996 return -1; 997 } 998 999 if (hs->certificate_status_expected) { 1000 CBB body, ocsp_response; 1001 if (!ssl->method->init_message(ssl, cbb.get(), &body, 1002 SSL3_MT_CERTIFICATE_STATUS) || 1003 !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) || 1004 !CBB_add_u24_length_prefixed(&body, &ocsp_response) || 1005 !CBB_add_bytes(&ocsp_response, 1006 CRYPTO_BUFFER_data(ssl->cert->ocsp_response), 1007 CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) || 1008 !ssl_add_message_cbb(ssl, cbb.get())) { 1009 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1010 return -1; 1011 } 1012 } 1013 } 1014 1015 /* Assemble ServerKeyExchange parameters if needed. */ 1016 uint32_t alg_k = hs->new_cipher->algorithm_mkey; 1017 uint32_t alg_a = hs->new_cipher->algorithm_auth; 1018 if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) || 1019 ((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) { 1020 1021 /* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend 1022 * the client and server randoms for the signing transcript. */ 1023 CBB child; 1024 if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) || 1025 !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || 1026 !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) { 1027 return -1; 1028 } 1029 1030 /* PSK ciphers begin with an identity hint. */ 1031 if (alg_a & SSL_aPSK) { 1032 size_t len = 1033 (ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint); 1034 if (!CBB_add_u16_length_prefixed(cbb.get(), &child) || 1035 !CBB_add_bytes(&child, (const uint8_t *)ssl->psk_identity_hint, 1036 len)) { 1037 return -1; 1038 } 1039 } 1040 1041 if (alg_k & SSL_kECDHE) { 1042 /* Determine the group to use. */ 1043 uint16_t group_id; 1044 if (!tls1_get_shared_group(hs, &group_id)) { 1045 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1046 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1047 return -1; 1048 } 1049 hs->new_session->group_id = group_id; 1050 1051 /* Set up ECDH, generate a key, and emit the public half. */ 1052 if (!SSL_ECDH_CTX_init(&hs->ecdh_ctx, group_id) || 1053 !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || 1054 !CBB_add_u16(cbb.get(), group_id) || 1055 !CBB_add_u8_length_prefixed(cbb.get(), &child) || 1056 !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) { 1057 return -1; 1058 } 1059 } else { 1060 assert(alg_k & SSL_kPSK); 1061 } 1062 1063 if (!CBB_finish(cbb.get(), &hs->server_params, &hs->server_params_len)) { 1064 return -1; 1065 } 1066 } 1067 1068 return 1; 1069 } 1070 1071 static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs) { 1072 SSL *const ssl = hs->ssl; 1073 CBB cbb, body, child; 1074 if (!ssl->method->init_message(ssl, &cbb, &body, 1075 SSL3_MT_SERVER_KEY_EXCHANGE) || 1076 /* |hs->server_params| contains a prefix for signing. */ 1077 hs->server_params_len < 2 * SSL3_RANDOM_SIZE || 1078 !CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE, 1079 hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) { 1080 goto err; 1081 } 1082 1083 /* Add a signature. */ 1084 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { 1085 if (!ssl_has_private_key(ssl)) { 1086 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1087 goto err; 1088 } 1089 1090 /* Determine the signature algorithm. */ 1091 uint16_t signature_algorithm; 1092 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { 1093 goto err; 1094 } 1095 if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { 1096 if (!CBB_add_u16(&body, signature_algorithm)) { 1097 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1098 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1099 goto err; 1100 } 1101 } 1102 1103 /* Add space for the signature. */ 1104 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey); 1105 uint8_t *ptr; 1106 if (!CBB_add_u16_length_prefixed(&body, &child) || 1107 !CBB_reserve(&child, &ptr, max_sig_len)) { 1108 goto err; 1109 } 1110 1111 size_t sig_len; 1112 switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len, 1113 signature_algorithm, hs->server_params, 1114 hs->server_params_len)) { 1115 case ssl_private_key_success: 1116 if (!CBB_did_write(&child, sig_len)) { 1117 goto err; 1118 } 1119 break; 1120 case ssl_private_key_failure: 1121 goto err; 1122 case ssl_private_key_retry: 1123 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION; 1124 goto err; 1125 } 1126 } 1127 1128 if (!ssl_add_message_cbb(ssl, &cbb)) { 1129 goto err; 1130 } 1131 1132 OPENSSL_free(hs->server_params); 1133 hs->server_params = NULL; 1134 hs->server_params_len = 0; 1135 1136 return 1; 1137 1138 err: 1139 CBB_cleanup(&cbb); 1140 return -1; 1141 } 1142 1143 static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs) { 1144 SSL *const ssl = hs->ssl; 1145 CBB cbb, body; 1146 1147 if (hs->cert_request) { 1148 CBB cert_types, sigalgs_cbb; 1149 if (!ssl->method->init_message(ssl, &cbb, &body, 1150 SSL3_MT_CERTIFICATE_REQUEST) || 1151 !CBB_add_u8_length_prefixed(&body, &cert_types) || 1152 !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) || 1153 (ssl3_protocol_version(ssl) >= TLS1_VERSION && 1154 !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN)) || 1155 (ssl3_protocol_version(ssl) >= TLS1_2_VERSION && 1156 (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) || 1157 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb))) || 1158 !ssl_add_client_CA_list(ssl, &body) || 1159 !ssl_add_message_cbb(ssl, &cbb)) { 1160 goto err; 1161 } 1162 } 1163 1164 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO_DONE) || 1165 !ssl_add_message_cbb(ssl, &cbb)) { 1166 goto err; 1167 } 1168 1169 return 1; 1170 1171 err: 1172 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1173 CBB_cleanup(&cbb); 1174 return -1; 1175 } 1176 1177 static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) { 1178 SSL *const ssl = hs->ssl; 1179 assert(hs->cert_request); 1180 1181 int msg_ret = ssl->method->ssl_get_message(ssl); 1182 if (msg_ret <= 0) { 1183 return msg_ret; 1184 } 1185 1186 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { 1187 if (ssl->version == SSL3_VERSION && 1188 ssl->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 1189 /* In SSL 3.0, the Certificate message is omitted to signal no 1190 * certificate. */ 1191 if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { 1192 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 1193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1194 return -1; 1195 } 1196 1197 /* OpenSSL returns X509_V_OK when no certificates are received. This is 1198 * classed by them as a bug, but it's assumed by at least NGINX. */ 1199 hs->new_session->verify_result = X509_V_OK; 1200 ssl->s3->tmp.reuse_message = 1; 1201 return 1; 1202 } 1203 1204 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 1205 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1206 return -1; 1207 } 1208 1209 if (!ssl_hash_current_message(hs)) { 1210 return -1; 1211 } 1212 1213 CBS certificate_msg; 1214 CBS_init(&certificate_msg, ssl->init_msg, ssl->init_num); 1215 1216 sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); 1217 EVP_PKEY_free(hs->peer_pubkey); 1218 hs->peer_pubkey = NULL; 1219 uint8_t alert = SSL_AD_DECODE_ERROR; 1220 hs->new_session->certs = ssl_parse_cert_chain( 1221 &alert, &hs->peer_pubkey, 1222 ssl->retain_only_sha256_of_client_certs ? hs->new_session->peer_sha256 1223 : NULL, 1224 &certificate_msg, ssl->ctx->pool); 1225 if (hs->new_session->certs == NULL) { 1226 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 1227 return -1; 1228 } 1229 1230 if (CBS_len(&certificate_msg) != 0 || 1231 !ssl->ctx->x509_method->session_cache_objects(hs->new_session)) { 1232 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1233 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1234 return -1; 1235 } 1236 1237 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { 1238 /* No client certificate so the handshake buffer may be discarded. */ 1239 SSL_TRANSCRIPT_free_buffer(&hs->transcript); 1240 1241 /* In SSL 3.0, sending no certificate is signaled by omitting the 1242 * Certificate message. */ 1243 if (ssl->version == SSL3_VERSION) { 1244 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED); 1245 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1246 return -1; 1247 } 1248 1249 if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { 1250 /* Fail for TLS only if we required a certificate */ 1251 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 1252 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1253 return -1; 1254 } 1255 1256 /* OpenSSL returns X509_V_OK when no certificates are received. This is 1257 * classed by them as a bug, but it's assumed by at least NGINX. */ 1258 hs->new_session->verify_result = X509_V_OK; 1259 return 1; 1260 } 1261 1262 /* The hash will have been filled in. */ 1263 if (ssl->retain_only_sha256_of_client_certs) { 1264 hs->new_session->peer_sha256_valid = 1; 1265 } 1266 1267 if (!ssl->ctx->x509_method->session_verify_cert_chain(hs->new_session, ssl)) { 1268 return -1; 1269 } 1270 1271 return 1; 1272 } 1273 1274 static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs) { 1275 SSL *const ssl = hs->ssl; 1276 CBS client_key_exchange; 1277 uint8_t *premaster_secret = NULL; 1278 size_t premaster_secret_len = 0; 1279 uint8_t *decrypt_buf = NULL; 1280 1281 if (hs->state == SSL3_ST_SR_KEY_EXCH_A) { 1282 int ret = ssl->method->ssl_get_message(ssl); 1283 if (ret <= 0) { 1284 return ret; 1285 } 1286 } 1287 1288 if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE)) { 1289 return -1; 1290 } 1291 1292 CBS_init(&client_key_exchange, ssl->init_msg, ssl->init_num); 1293 uint32_t alg_k = hs->new_cipher->algorithm_mkey; 1294 uint32_t alg_a = hs->new_cipher->algorithm_auth; 1295 1296 /* If using a PSK key exchange, parse the PSK identity. */ 1297 if (alg_a & SSL_aPSK) { 1298 CBS psk_identity; 1299 1300 /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, 1301 * then this is the only field in the message. */ 1302 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) || 1303 ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) { 1304 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1305 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1306 goto err; 1307 } 1308 1309 if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN || 1310 CBS_contains_zero_byte(&psk_identity)) { 1311 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); 1312 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 1313 goto err; 1314 } 1315 1316 if (!CBS_strdup(&psk_identity, &hs->new_session->psk_identity)) { 1317 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1318 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1319 goto err; 1320 } 1321 } 1322 1323 /* Depending on the key exchange method, compute |premaster_secret| and 1324 * |premaster_secret_len|. */ 1325 if (alg_k & SSL_kRSA) { 1326 CBS encrypted_premaster_secret; 1327 if (ssl->version > SSL3_VERSION) { 1328 if (!CBS_get_u16_length_prefixed(&client_key_exchange, 1329 &encrypted_premaster_secret) || 1330 CBS_len(&client_key_exchange) != 0) { 1331 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1332 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1333 goto err; 1334 } 1335 } else { 1336 encrypted_premaster_secret = client_key_exchange; 1337 } 1338 1339 /* Allocate a buffer large enough for an RSA decryption. */ 1340 const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey); 1341 decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size); 1342 if (decrypt_buf == NULL) { 1343 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1344 goto err; 1345 } 1346 1347 /* Decrypt with no padding. PKCS#1 padding will be removed as part of the 1348 * timing-sensitive code below. */ 1349 size_t decrypt_len; 1350 switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size, 1351 CBS_data(&encrypted_premaster_secret), 1352 CBS_len(&encrypted_premaster_secret))) { 1353 case ssl_private_key_success: 1354 break; 1355 case ssl_private_key_failure: 1356 goto err; 1357 case ssl_private_key_retry: 1358 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION; 1359 hs->state = SSL3_ST_SR_KEY_EXCH_B; 1360 goto err; 1361 } 1362 1363 if (decrypt_len != rsa_size) { 1364 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); 1365 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 1366 goto err; 1367 } 1368 1369 /* Prepare a random premaster, to be used on invalid padding. See RFC 5246, 1370 * section 7.4.7.1. */ 1371 premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH; 1372 premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); 1373 if (premaster_secret == NULL) { 1374 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1375 goto err; 1376 } 1377 if (!RAND_bytes(premaster_secret, premaster_secret_len)) { 1378 goto err; 1379 } 1380 1381 /* The smallest padded premaster is 11 bytes of overhead. Small keys are 1382 * publicly invalid. */ 1383 if (decrypt_len < 11 + premaster_secret_len) { 1384 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); 1385 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 1386 goto err; 1387 } 1388 1389 /* Check the padding. See RFC 3447, section 7.2.2. */ 1390 size_t padding_len = decrypt_len - premaster_secret_len; 1391 uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) & 1392 constant_time_eq_int_8(decrypt_buf[1], 2); 1393 for (size_t i = 2; i < padding_len - 1; i++) { 1394 good &= ~constant_time_is_zero_8(decrypt_buf[i]); 1395 } 1396 good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]); 1397 1398 /* The premaster secret must begin with |client_version|. This too must be 1399 * checked in constant time (http://eprint.iacr.org/2003/052/). */ 1400 good &= constant_time_eq_8(decrypt_buf[padding_len], 1401 (unsigned)(hs->client_version >> 8)); 1402 good &= constant_time_eq_8(decrypt_buf[padding_len + 1], 1403 (unsigned)(hs->client_version & 0xff)); 1404 1405 /* Select, in constant time, either the decrypted premaster or the random 1406 * premaster based on |good|. */ 1407 for (size_t i = 0; i < premaster_secret_len; i++) { 1408 premaster_secret[i] = constant_time_select_8( 1409 good, decrypt_buf[padding_len + i], premaster_secret[i]); 1410 } 1411 1412 OPENSSL_free(decrypt_buf); 1413 decrypt_buf = NULL; 1414 } else if (alg_k & SSL_kECDHE) { 1415 /* Parse the ClientKeyExchange. */ 1416 CBS peer_key; 1417 if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) || 1418 CBS_len(&client_key_exchange) != 0) { 1419 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1420 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1421 goto err; 1422 } 1423 1424 /* Compute the premaster. */ 1425 uint8_t alert = SSL_AD_DECODE_ERROR; 1426 if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, &premaster_secret, 1427 &premaster_secret_len, &alert, CBS_data(&peer_key), 1428 CBS_len(&peer_key))) { 1429 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 1430 goto err; 1431 } 1432 1433 /* The key exchange state may now be discarded. */ 1434 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 1435 } else if (!(alg_k & SSL_kPSK)) { 1436 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1437 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1438 goto err; 1439 } 1440 1441 /* For a PSK cipher suite, the actual pre-master secret is combined with the 1442 * pre-shared key. */ 1443 if (alg_a & SSL_aPSK) { 1444 if (ssl->psk_server_callback == NULL) { 1445 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1446 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1447 goto err; 1448 } 1449 1450 /* Look up the key for the identity. */ 1451 uint8_t psk[PSK_MAX_PSK_LEN]; 1452 unsigned psk_len = ssl->psk_server_callback( 1453 ssl, hs->new_session->psk_identity, psk, sizeof(psk)); 1454 if (psk_len > PSK_MAX_PSK_LEN) { 1455 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 1456 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1457 goto err; 1458 } else if (psk_len == 0) { 1459 /* PSK related to the given identity not found */ 1460 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); 1461 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY); 1462 goto err; 1463 } 1464 1465 if (alg_k & SSL_kPSK) { 1466 /* In plain PSK, other_secret is a block of 0s with the same length as the 1467 * pre-shared key. */ 1468 premaster_secret_len = psk_len; 1469 premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); 1470 if (premaster_secret == NULL) { 1471 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1472 goto err; 1473 } 1474 OPENSSL_memset(premaster_secret, 0, premaster_secret_len); 1475 } 1476 1477 CBB new_premaster, child; 1478 uint8_t *new_data; 1479 size_t new_len; 1480 CBB_zero(&new_premaster); 1481 if (!CBB_init(&new_premaster, 2 + psk_len + 2 + premaster_secret_len) || 1482 !CBB_add_u16_length_prefixed(&new_premaster, &child) || 1483 !CBB_add_bytes(&child, premaster_secret, premaster_secret_len) || 1484 !CBB_add_u16_length_prefixed(&new_premaster, &child) || 1485 !CBB_add_bytes(&child, psk, psk_len) || 1486 !CBB_finish(&new_premaster, &new_data, &new_len)) { 1487 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1488 CBB_cleanup(&new_premaster); 1489 goto err; 1490 } 1491 1492 OPENSSL_cleanse(premaster_secret, premaster_secret_len); 1493 OPENSSL_free(premaster_secret); 1494 premaster_secret = new_data; 1495 premaster_secret_len = new_len; 1496 } 1497 1498 if (!ssl_hash_current_message(hs)) { 1499 goto err; 1500 } 1501 1502 /* Compute the master secret */ 1503 hs->new_session->master_key_length = tls1_generate_master_secret( 1504 hs, hs->new_session->master_key, premaster_secret, premaster_secret_len); 1505 if (hs->new_session->master_key_length == 0) { 1506 goto err; 1507 } 1508 hs->new_session->extended_master_secret = hs->extended_master_secret; 1509 1510 OPENSSL_cleanse(premaster_secret, premaster_secret_len); 1511 OPENSSL_free(premaster_secret); 1512 return 1; 1513 1514 err: 1515 if (premaster_secret != NULL) { 1516 OPENSSL_cleanse(premaster_secret, premaster_secret_len); 1517 OPENSSL_free(premaster_secret); 1518 } 1519 OPENSSL_free(decrypt_buf); 1520 1521 return -1; 1522 } 1523 1524 static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs) { 1525 SSL *const ssl = hs->ssl; 1526 CBS certificate_verify, signature; 1527 1528 /* Only RSA and ECDSA client certificates are supported, so a 1529 * CertificateVerify is required if and only if there's a client certificate. 1530 * */ 1531 if (hs->peer_pubkey == NULL) { 1532 SSL_TRANSCRIPT_free_buffer(&hs->transcript); 1533 return 1; 1534 } 1535 1536 int msg_ret = ssl->method->ssl_get_message(ssl); 1537 if (msg_ret <= 0) { 1538 return msg_ret; 1539 } 1540 1541 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY)) { 1542 return -1; 1543 } 1544 1545 CBS_init(&certificate_verify, ssl->init_msg, ssl->init_num); 1546 1547 /* Determine the digest type if needbe. */ 1548 uint16_t signature_algorithm = 0; 1549 if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { 1550 if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { 1551 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1552 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1553 return -1; 1554 } 1555 uint8_t alert = SSL_AD_DECODE_ERROR; 1556 if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) { 1557 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 1558 return -1; 1559 } 1560 hs->new_session->peer_signature_algorithm = signature_algorithm; 1561 } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm, 1562 hs->peer_pubkey)) { 1563 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE); 1564 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE); 1565 return -1; 1566 } 1567 1568 /* Parse and verify the signature. */ 1569 if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) || 1570 CBS_len(&certificate_verify) != 0) { 1571 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1572 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1573 return -1; 1574 } 1575 1576 int sig_ok; 1577 /* The SSL3 construction for CertificateVerify does not decompose into a 1578 * single final digest and signature, and must be special-cased. */ 1579 if (ssl3_protocol_version(ssl) == SSL3_VERSION) { 1580 uint8_t digest[EVP_MAX_MD_SIZE]; 1581 size_t digest_len; 1582 if (!SSL_TRANSCRIPT_ssl3_cert_verify_hash(&hs->transcript, digest, 1583 &digest_len, hs->new_session, 1584 signature_algorithm)) { 1585 return -1; 1586 } 1587 1588 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(hs->peer_pubkey, NULL); 1589 sig_ok = pctx != NULL && 1590 EVP_PKEY_verify_init(pctx) && 1591 EVP_PKEY_verify(pctx, CBS_data(&signature), CBS_len(&signature), 1592 digest, digest_len); 1593 EVP_PKEY_CTX_free(pctx); 1594 } else { 1595 sig_ok = ssl_public_key_verify( 1596 ssl, CBS_data(&signature), CBS_len(&signature), signature_algorithm, 1597 hs->peer_pubkey, (const uint8_t *)hs->transcript.buffer->data, 1598 hs->transcript.buffer->length); 1599 } 1600 1601 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 1602 sig_ok = 1; 1603 ERR_clear_error(); 1604 #endif 1605 if (!sig_ok) { 1606 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); 1607 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 1608 return -1; 1609 } 1610 1611 /* The handshake buffer is no longer necessary, and we may hash the current 1612 * message.*/ 1613 SSL_TRANSCRIPT_free_buffer(&hs->transcript); 1614 if (!ssl_hash_current_message(hs)) { 1615 return -1; 1616 } 1617 1618 return 1; 1619 } 1620 1621 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 1622 * sets the next_proto member in s if found */ 1623 static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) { 1624 SSL *const ssl = hs->ssl; 1625 int ret = ssl->method->ssl_get_message(ssl); 1626 if (ret <= 0) { 1627 return ret; 1628 } 1629 1630 if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) || 1631 !ssl_hash_current_message(hs)) { 1632 return -1; 1633 } 1634 1635 CBS next_protocol, selected_protocol, padding; 1636 CBS_init(&next_protocol, ssl->init_msg, ssl->init_num); 1637 if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) || 1638 !CBS_get_u8_length_prefixed(&next_protocol, &padding) || 1639 CBS_len(&next_protocol) != 0) { 1640 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 1641 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1642 return 0; 1643 } 1644 1645 if (!CBS_stow(&selected_protocol, &ssl->s3->next_proto_negotiated, 1646 &ssl->s3->next_proto_negotiated_len)) { 1647 return 0; 1648 } 1649 1650 return 1; 1651 } 1652 1653 /* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ 1654 static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) { 1655 SSL *const ssl = hs->ssl; 1656 int msg_ret = ssl->method->ssl_get_message(ssl); 1657 if (msg_ret <= 0) { 1658 return msg_ret; 1659 } 1660 1661 if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) || 1662 !tls1_verify_channel_id(hs) || 1663 !ssl_hash_current_message(hs)) { 1664 return -1; 1665 } 1666 return 1; 1667 } 1668 1669 static int ssl3_send_server_finished(SSL_HANDSHAKE *hs) { 1670 SSL *const ssl = hs->ssl; 1671 1672 if (hs->ticket_expected) { 1673 const SSL_SESSION *session; 1674 SSL_SESSION *session_copy = NULL; 1675 if (ssl->session == NULL) { 1676 /* Fix the timeout to measure from the ticket issuance time. */ 1677 ssl_session_rebase_time(ssl, hs->new_session); 1678 session = hs->new_session; 1679 } else { 1680 /* We are renewing an existing session. Duplicate the session to adjust 1681 * the timeout. */ 1682 session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); 1683 if (session_copy == NULL) { 1684 return -1; 1685 } 1686 1687 ssl_session_rebase_time(ssl, session_copy); 1688 session = session_copy; 1689 } 1690 1691 CBB cbb, body, ticket; 1692 int ok = ssl->method->init_message(ssl, &cbb, &body, 1693 SSL3_MT_NEW_SESSION_TICKET) && 1694 CBB_add_u32(&body, session->timeout) && 1695 CBB_add_u16_length_prefixed(&body, &ticket) && 1696 ssl_encrypt_ticket(ssl, &ticket, session) && 1697 ssl_add_message_cbb(ssl, &cbb); 1698 SSL_SESSION_free(session_copy); 1699 CBB_cleanup(&cbb); 1700 if (!ok) { 1701 return -1; 1702 } 1703 } 1704 1705 if (!ssl->method->add_change_cipher_spec(ssl) || 1706 !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { 1707 return -1; 1708 } 1709 1710 return ssl3_send_finished(hs); 1711 } 1712