s3_clnt.c revision 8a903428736d72d6272cb91d66fb8ed46aaaeb1f
1/* ssl/s3_clnt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125#include <stdio.h> 126#include "ssl_locl.h" 127#include "kssl_lcl.h" 128#include <openssl/buffer.h> 129#include <openssl/rand.h> 130#include <openssl/objects.h> 131#include <openssl/evp.h> 132#include <openssl/md5.h> 133#ifdef OPENSSL_FIPS 134#include <openssl/fips.h> 135#endif 136 137#ifndef OPENSSL_NO_DH 138#include <openssl/dh.h> 139#endif 140#include <openssl/bn.h> 141#ifndef OPENSSL_NO_ENGINE 142#include <openssl/engine.h> 143#endif 144 145static SSL_METHOD *ssl3_get_client_method(int ver); 146static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 147#ifndef OPENSSL_NO_TLSEXT 148static int ssl3_check_finished(SSL *s); 149#endif 150 151#ifndef OPENSSL_NO_ECDH 152static int curve_id2nid(int curve_id); 153int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); 154#endif 155 156static SSL_METHOD *ssl3_get_client_method(int ver) 157 { 158 if (ver == SSL3_VERSION) 159 return(SSLv3_client_method()); 160 else 161 return(NULL); 162 } 163 164IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 165 ssl_undefined_function, 166 ssl3_connect, 167 ssl3_get_client_method) 168 169int ssl3_connect(SSL *s) 170 { 171 BUF_MEM *buf=NULL; 172 unsigned long Time=(unsigned long)time(NULL),l; 173 long num1; 174 void (*cb)(const SSL *ssl,int type,int val)=NULL; 175 int ret= -1; 176 int new_state,state,skip=0; 177 178 RAND_add(&Time,sizeof(Time),0); 179 ERR_clear_error(); 180 clear_sys_error(); 181 182 if (s->info_callback != NULL) 183 cb=s->info_callback; 184 else if (s->ctx->info_callback != NULL) 185 cb=s->ctx->info_callback; 186 187 s->in_handshake++; 188 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 189 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 190 { 191 /* Reneotiation complicates the state machine */ 192 s->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; 193 /* Send app data along with CCS/Finished */ 194 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; 195 } 196 197 for (;;) 198 { 199 state=s->state; 200 201 switch(s->state) 202 { 203 case SSL_ST_RENEGOTIATE: 204 s->new_session=1; 205 s->state=SSL_ST_CONNECT; 206 s->ctx->stats.sess_connect_renegotiate++; 207 /* break */ 208 case SSL_ST_BEFORE: 209 case SSL_ST_CONNECT: 210 case SSL_ST_BEFORE|SSL_ST_CONNECT: 211 case SSL_ST_OK|SSL_ST_CONNECT: 212 213 s->server=0; 214 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 215 216 if ((s->version & 0xff00 ) != 0x0300) 217 { 218 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 219 ret = -1; 220 goto end; 221 } 222 223 /* s->version=SSL3_VERSION; */ 224 s->type=SSL_ST_CONNECT; 225 226 if (s->init_buf == NULL) 227 { 228 if ((buf=BUF_MEM_new()) == NULL) 229 { 230 ret= -1; 231 goto end; 232 } 233 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 234 { 235 ret= -1; 236 goto end; 237 } 238 s->init_buf=buf; 239 buf=NULL; 240 } 241 242 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 243 244 /* setup buffing BIO */ 245 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 246 247 /* don't push the buffering BIO quite yet */ 248 249 ssl3_init_finished_mac(s); 250 251 s->state=SSL3_ST_CW_CLNT_HELLO_A; 252 s->ctx->stats.sess_connect++; 253 s->init_num=0; 254 break; 255 256 case SSL3_ST_CW_CLNT_HELLO_A: 257 case SSL3_ST_CW_CLNT_HELLO_B: 258 259 s->shutdown=0; 260 ret=ssl3_client_hello(s); 261 if (ret <= 0) goto end; 262 s->state=SSL3_ST_CR_SRVR_HELLO_A; 263 s->init_num=0; 264 265 /* turn on buffering for the next lot of output */ 266 if (s->bbio != s->wbio) 267 s->wbio=BIO_push(s->bbio,s->wbio); 268 269 break; 270 271 case SSL3_ST_CR_SRVR_HELLO_A: 272 case SSL3_ST_CR_SRVR_HELLO_B: 273 ret=ssl3_get_server_hello(s); 274 if (ret <= 0) goto end; 275 if (s->hit) 276 s->state=SSL3_ST_CR_FINISHED_A; 277 else 278 s->state=SSL3_ST_CR_CERT_A; 279 s->init_num=0; 280 break; 281 282 case SSL3_ST_CR_CERT_A: 283 case SSL3_ST_CR_CERT_B: 284#ifndef OPENSSL_NO_TLSEXT 285 ret=ssl3_check_finished(s); 286 if (ret <= 0) goto end; 287 if (ret == 2) 288 { 289 s->hit = 1; 290 if (s->tlsext_ticket_expected) 291 s->state=SSL3_ST_CR_SESSION_TICKET_A; 292 else 293 s->state=SSL3_ST_CR_FINISHED_A; 294 s->init_num=0; 295 break; 296 } 297#endif 298 /* Check if it is anon DH/ECDH */ 299 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 300 { 301 ret=ssl3_get_server_certificate(s); 302 if (ret <= 0) goto end; 303#ifndef OPENSSL_NO_TLSEXT 304 if (s->tlsext_status_expected) 305 s->state=SSL3_ST_CR_CERT_STATUS_A; 306 else 307 s->state=SSL3_ST_CR_KEY_EXCH_A; 308 } 309 else 310 { 311 skip = 1; 312 s->state=SSL3_ST_CR_KEY_EXCH_A; 313 } 314#else 315 } 316 else 317 skip=1; 318 319 s->state=SSL3_ST_CR_KEY_EXCH_A; 320#endif 321 s->init_num=0; 322 break; 323 324 case SSL3_ST_CR_KEY_EXCH_A: 325 case SSL3_ST_CR_KEY_EXCH_B: 326 ret=ssl3_get_key_exchange(s); 327 if (ret <= 0) goto end; 328 s->state=SSL3_ST_CR_CERT_REQ_A; 329 s->init_num=0; 330 331 /* at this point we check that we have the 332 * required stuff from the server */ 333 if (!ssl3_check_cert_and_algorithm(s)) 334 { 335 ret= -1; 336 goto end; 337 } 338 break; 339 340 case SSL3_ST_CR_CERT_REQ_A: 341 case SSL3_ST_CR_CERT_REQ_B: 342 ret=ssl3_get_certificate_request(s); 343 if (ret <= 0) goto end; 344 s->state=SSL3_ST_CR_SRVR_DONE_A; 345 s->init_num=0; 346 break; 347 348 case SSL3_ST_CR_SRVR_DONE_A: 349 case SSL3_ST_CR_SRVR_DONE_B: 350 ret=ssl3_get_server_done(s); 351 if (ret <= 0) goto end; 352 if (s->s3->tmp.cert_req) 353 s->state=SSL3_ST_CW_CERT_A; 354 else 355 s->state=SSL3_ST_CW_KEY_EXCH_A; 356 s->init_num=0; 357 358 break; 359 360 case SSL3_ST_CW_CERT_A: 361 case SSL3_ST_CW_CERT_B: 362 case SSL3_ST_CW_CERT_C: 363 case SSL3_ST_CW_CERT_D: 364 ret=ssl3_send_client_certificate(s); 365 if (ret <= 0) goto end; 366 s->state=SSL3_ST_CW_KEY_EXCH_A; 367 s->init_num=0; 368 break; 369 370 case SSL3_ST_CW_KEY_EXCH_A: 371 case SSL3_ST_CW_KEY_EXCH_B: 372 ret=ssl3_send_client_key_exchange(s); 373 if (ret <= 0) goto end; 374 l=s->s3->tmp.new_cipher->algorithms; 375 /* EAY EAY EAY need to check for DH fix cert 376 * sent back */ 377 /* For TLS, cert_req is set to 2, so a cert chain 378 * of nothing is sent, but no verify packet is sent */ 379 /* XXX: For now, we do not support client 380 * authentication in ECDH cipher suites with 381 * ECDH (rather than ECDSA) certificates. 382 * We need to skip the certificate verify 383 * message when client's ECDH public key is sent 384 * inside the client certificate. 385 */ 386 if (s->s3->tmp.cert_req == 1) 387 { 388 s->state=SSL3_ST_CW_CERT_VRFY_A; 389 } 390 else 391 { 392 s->state=SSL3_ST_CW_CHANGE_A; 393 s->s3->change_cipher_spec=0; 394 } 395 396 s->init_num=0; 397 break; 398 399 case SSL3_ST_CW_CERT_VRFY_A: 400 case SSL3_ST_CW_CERT_VRFY_B: 401 ret=ssl3_send_client_verify(s); 402 if (ret <= 0) goto end; 403 s->state=SSL3_ST_CW_CHANGE_A; 404 s->init_num=0; 405 s->s3->change_cipher_spec=0; 406 break; 407 408 case SSL3_ST_CW_CHANGE_A: 409 case SSL3_ST_CW_CHANGE_B: 410 ret=ssl3_send_change_cipher_spec(s, 411 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 412 if (ret <= 0) goto end; 413 s->state=SSL3_ST_CW_FINISHED_A; 414 s->init_num=0; 415 416 s->session->cipher=s->s3->tmp.new_cipher; 417#ifdef OPENSSL_NO_COMP 418 s->session->compress_meth=0; 419#else 420 if (s->s3->tmp.new_compression == NULL) 421 s->session->compress_meth=0; 422 else 423 s->session->compress_meth= 424 s->s3->tmp.new_compression->id; 425#endif 426 if (!s->method->ssl3_enc->setup_key_block(s)) 427 { 428 ret= -1; 429 goto end; 430 } 431 432 if (!s->method->ssl3_enc->change_cipher_state(s, 433 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 434 { 435 ret= -1; 436 goto end; 437 } 438 439 break; 440 441 case SSL3_ST_CW_FINISHED_A: 442 case SSL3_ST_CW_FINISHED_B: 443 ret=ssl3_send_finished(s, 444 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 445 s->method->ssl3_enc->client_finished_label, 446 s->method->ssl3_enc->client_finished_label_len); 447 if (ret <= 0) goto end; 448 s->state=SSL3_ST_CW_FLUSH; 449 450 /* clear flags */ 451 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 452 if (s->hit) 453 { 454 s->s3->tmp.next_state=SSL_ST_OK; 455 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 456 { 457 s->state=SSL_ST_OK; 458 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 459 s->s3->delay_buf_pop_ret=0; 460 } 461 } 462 else 463 { 464 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128) 465 { 466 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 467 { 468 s->state=SSL3_ST_CUTTHROUGH_COMPLETE; 469 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 470 s->s3->delay_buf_pop_ret=0; 471 } 472 else 473 { 474 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE; 475 } 476 } 477 else 478 { 479#ifndef OPENSSL_NO_TLSEXT 480 /* Allow NewSessionTicket if ticket expected */ 481 if (s->tlsext_ticket_expected) 482 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 483 else 484#endif 485 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 486 } 487 } 488 s->init_num=0; 489 break; 490 491#ifndef OPENSSL_NO_TLSEXT 492 case SSL3_ST_CR_SESSION_TICKET_A: 493 case SSL3_ST_CR_SESSION_TICKET_B: 494 ret=ssl3_get_new_session_ticket(s); 495 if (ret <= 0) goto end; 496 s->state=SSL3_ST_CR_FINISHED_A; 497 s->init_num=0; 498 break; 499 500 case SSL3_ST_CR_CERT_STATUS_A: 501 case SSL3_ST_CR_CERT_STATUS_B: 502 ret=ssl3_get_cert_status(s); 503 if (ret <= 0) goto end; 504 s->state=SSL3_ST_CR_KEY_EXCH_A; 505 s->init_num=0; 506 break; 507#endif 508 509 case SSL3_ST_CR_FINISHED_A: 510 case SSL3_ST_CR_FINISHED_B: 511 512 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 513 SSL3_ST_CR_FINISHED_B); 514 if (ret <= 0) goto end; 515 516 if (s->hit) 517 s->state=SSL3_ST_CW_CHANGE_A; 518 else 519 s->state=SSL_ST_OK; 520 s->init_num=0; 521 break; 522 523 case SSL3_ST_CW_FLUSH: 524 /* number of bytes to be flushed */ 525 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 526 if (num1 > 0) 527 { 528 s->rwstate=SSL_WRITING; 529 num1=BIO_flush(s->wbio); 530 if (num1 <= 0) { ret= -1; goto end; } 531 s->rwstate=SSL_NOTHING; 532 } 533 534 s->state=s->s3->tmp.next_state; 535 break; 536 537 case SSL3_ST_CUTTHROUGH_COMPLETE: 538#ifndef OPENSSL_NO_TLSEXT 539 /* Allow NewSessionTicket if ticket expected */ 540 if (s->tlsext_ticket_expected) 541 s->state=SSL3_ST_CR_SESSION_TICKET_A; 542 else 543#endif 544 s->state=SSL3_ST_CR_FINISHED_A; 545 546 /* SSL_write() will take care of flushing buffered data if 547 * DELAY_CLIENT_FINISHED is set. 548 */ 549 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) 550 ssl_free_wbio_buffer(s); 551 ret = 1; 552 goto end; 553 /* break; */ 554 555 case SSL_ST_OK: 556 /* clean a few things up */ 557 ssl3_cleanup_key_block(s); 558 559 if (s->init_buf != NULL) 560 { 561 BUF_MEM_free(s->init_buf); 562 s->init_buf=NULL; 563 } 564 565 /* If we are not 'joining' the last two packets, 566 * remove the buffering now */ 567 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 568 ssl_free_wbio_buffer(s); 569 /* else do it later in ssl3_write */ 570 571 s->init_num=0; 572 s->new_session=0; 573 574 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 575 if (s->hit) s->ctx->stats.sess_hit++; 576 577 ret=1; 578 /* s->server=0; */ 579 s->handshake_func=ssl3_connect; 580 s->ctx->stats.sess_connect_good++; 581 582 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 583 584 goto end; 585 /* break; */ 586 587 default: 588 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 589 ret= -1; 590 goto end; 591 /* break; */ 592 } 593 594 /* did we do anything */ 595 if (!s->s3->tmp.reuse_message && !skip) 596 { 597 if (s->debug) 598 { 599 if ((ret=BIO_flush(s->wbio)) <= 0) 600 goto end; 601 } 602 603 if ((cb != NULL) && (s->state != state)) 604 { 605 new_state=s->state; 606 s->state=state; 607 cb(s,SSL_CB_CONNECT_LOOP,1); 608 s->state=new_state; 609 } 610 } 611 skip=0; 612 } 613end: 614 s->in_handshake--; 615 if (buf != NULL) 616 BUF_MEM_free(buf); 617 if (cb != NULL) 618 cb(s,SSL_CB_CONNECT_EXIT,ret); 619 return(ret); 620 } 621 622 623int ssl3_client_hello(SSL *s) 624 { 625 unsigned char *buf; 626 unsigned char *p,*d; 627 int i; 628 unsigned long Time,l; 629#ifndef OPENSSL_NO_COMP 630 int j; 631 SSL_COMP *comp; 632#endif 633 634 buf=(unsigned char *)s->init_buf->data; 635 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 636 { 637 if ((s->session == NULL) || 638 (s->session->ssl_version != s->version) || 639 (s->session->not_resumable)) 640 { 641 if (!ssl_get_new_session(s,0)) 642 goto err; 643 } 644 /* else use the pre-loaded session */ 645 646 p=s->s3->client_random; 647 Time=(unsigned long)time(NULL); /* Time */ 648 l2n(Time,p); 649 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 650 goto err; 651 652 /* Do the message type and length last */ 653 d=p= &(buf[4]); 654 655 *(p++)=s->version>>8; 656 *(p++)=s->version&0xff; 657 s->client_version=s->version; 658 659 /* Random stuff */ 660 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 661 p+=SSL3_RANDOM_SIZE; 662 663 /* Session ID */ 664 if (s->new_session) 665 i=0; 666 else 667 i=s->session->session_id_length; 668 *(p++)=i; 669 if (i != 0) 670 { 671 if (i > (int)sizeof(s->session->session_id)) 672 { 673 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 674 goto err; 675 } 676 memcpy(p,s->session->session_id,i); 677 p+=i; 678 } 679 680 /* Ciphers supported */ 681 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 682 if (i == 0) 683 { 684 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 685 goto err; 686 } 687 s2n(i,p); 688 p+=i; 689 690 /* COMPRESSION */ 691#ifdef OPENSSL_NO_COMP 692 *(p++)=1; 693#else 694 if (s->ctx->comp_methods == NULL) 695 j=0; 696 else 697 j=sk_SSL_COMP_num(s->ctx->comp_methods); 698 *(p++)=1+j; 699 for (i=0; i<j; i++) 700 { 701 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 702 *(p++)=comp->id; 703 } 704#endif 705 *(p++)=0; /* Add the NULL method */ 706#ifndef OPENSSL_NO_TLSEXT 707 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 708 { 709 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 710 goto err; 711 } 712#endif 713 l=(p-d); 714 d=buf; 715 *(d++)=SSL3_MT_CLIENT_HELLO; 716 l2n3(l,d); 717 718 s->state=SSL3_ST_CW_CLNT_HELLO_B; 719 /* number of bytes to write */ 720 s->init_num=p-buf; 721 s->init_off=0; 722 } 723 724 /* SSL3_ST_CW_CLNT_HELLO_B */ 725 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 726err: 727 return(-1); 728 } 729 730int ssl3_get_server_hello(SSL *s) 731 { 732 STACK_OF(SSL_CIPHER) *sk; 733 SSL_CIPHER *c; 734 unsigned char *p,*d; 735 int i,al,ok; 736 unsigned int j; 737 long n; 738#ifndef OPENSSL_NO_COMP 739 SSL_COMP *comp; 740#endif 741 742 n=s->method->ssl_get_message(s, 743 SSL3_ST_CR_SRVR_HELLO_A, 744 SSL3_ST_CR_SRVR_HELLO_B, 745 -1, 746 20000, /* ?? */ 747 &ok); 748 749 if (!ok) return((int)n); 750 751 if ( SSL_version(s) == DTLS1_VERSION) 752 { 753 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 754 { 755 if ( s->d1->send_cookie == 0) 756 { 757 s->s3->tmp.reuse_message = 1; 758 return 1; 759 } 760 else /* already sent a cookie */ 761 { 762 al=SSL_AD_UNEXPECTED_MESSAGE; 763 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 764 goto f_err; 765 } 766 } 767 } 768 769 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 770 { 771 al=SSL_AD_UNEXPECTED_MESSAGE; 772 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 773 goto f_err; 774 } 775 776 d=p=(unsigned char *)s->init_msg; 777 778 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 779 { 780 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 781 s->version=(s->version&0xff00)|p[1]; 782 al=SSL_AD_PROTOCOL_VERSION; 783 goto f_err; 784 } 785 p+=2; 786 787 /* load the server hello data */ 788 /* load the server random */ 789 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 790 p+=SSL3_RANDOM_SIZE; 791 792 /* get the session-id */ 793 j= *(p++); 794 795 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 796 { 797 al=SSL_AD_ILLEGAL_PARAMETER; 798 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 799 goto f_err; 800 } 801 802 if (j != 0 && j == s->session->session_id_length 803 && memcmp(p,s->session->session_id,j) == 0) 804 { 805 if(s->sid_ctx_length != s->session->sid_ctx_length 806 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 807 { 808 /* actually a client application bug */ 809 al=SSL_AD_ILLEGAL_PARAMETER; 810 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 811 goto f_err; 812 } 813 s->hit=1; 814 } 815 else /* a miss or crap from the other end */ 816 { 817 /* If we were trying for session-id reuse, make a new 818 * SSL_SESSION so we don't stuff up other people */ 819 s->hit=0; 820 if (s->session->session_id_length > 0) 821 { 822 if (!ssl_get_new_session(s,0)) 823 { 824 al=SSL_AD_INTERNAL_ERROR; 825 goto f_err; 826 } 827 } 828 s->session->session_id_length=j; 829 memcpy(s->session->session_id,p,j); /* j could be 0 */ 830 } 831 p+=j; 832 c=ssl_get_cipher_by_char(s,p); 833 if (c == NULL) 834 { 835 /* unknown cipher */ 836 al=SSL_AD_ILLEGAL_PARAMETER; 837 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 838 goto f_err; 839 } 840 p+=ssl_put_cipher_by_char(s,NULL,NULL); 841 842 sk=ssl_get_ciphers_by_id(s); 843 i=sk_SSL_CIPHER_find(sk,c); 844 if (i < 0) 845 { 846 /* we did not say we would use this cipher */ 847 al=SSL_AD_ILLEGAL_PARAMETER; 848 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 849 goto f_err; 850 } 851 852 /* Depending on the session caching (internal/external), the cipher 853 and/or cipher_id values may not be set. Make sure that 854 cipher_id is set and use it for comparison. */ 855 if (s->session->cipher) 856 s->session->cipher_id = s->session->cipher->id; 857 if (s->hit && (s->session->cipher_id != c->id)) 858 { 859 if (!(s->options & 860 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 861 { 862 al=SSL_AD_ILLEGAL_PARAMETER; 863 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 864 goto f_err; 865 } 866 } 867 s->s3->tmp.new_cipher=c; 868 869 /* lets get the compression algorithm */ 870 /* COMPRESSION */ 871#ifdef OPENSSL_NO_COMP 872 if (*(p++) != 0) 873 { 874 al=SSL_AD_ILLEGAL_PARAMETER; 875 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 876 goto f_err; 877 } 878#else 879 j= *(p++); 880 if (j == 0) 881 comp=NULL; 882 else 883 comp=ssl3_comp_find(s->ctx->comp_methods,j); 884 885 if ((j != 0) && (comp == NULL)) 886 { 887 al=SSL_AD_ILLEGAL_PARAMETER; 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 889 goto f_err; 890 } 891 else 892 { 893 s->s3->tmp.new_compression=comp; 894 } 895#endif 896#ifndef OPENSSL_NO_TLSEXT 897 /* TLS extensions*/ 898 if (s->version > SSL3_VERSION) 899 { 900 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 901 { 902 /* 'al' set by ssl_parse_serverhello_tlsext */ 903 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 904 goto f_err; 905 } 906 if (ssl_check_serverhello_tlsext(s) <= 0) 907 { 908 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 909 goto err; 910 } 911 } 912#endif 913 914 915 if (p != (d+n)) 916 { 917 /* wrong packet length */ 918 al=SSL_AD_DECODE_ERROR; 919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 920 goto err; 921 } 922 923 return(1); 924f_err: 925 ssl3_send_alert(s,SSL3_AL_FATAL,al); 926err: 927 return(-1); 928 } 929 930int ssl3_get_server_certificate(SSL *s) 931 { 932 int al,i,ok,ret= -1; 933 unsigned long n,nc,llen,l; 934 X509 *x=NULL; 935 const unsigned char *q,*p; 936 unsigned char *d; 937 STACK_OF(X509) *sk=NULL; 938 SESS_CERT *sc; 939 EVP_PKEY *pkey=NULL; 940 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 941 942 n=s->method->ssl_get_message(s, 943 SSL3_ST_CR_CERT_A, 944 SSL3_ST_CR_CERT_B, 945 -1, 946 s->max_cert_list, 947 &ok); 948 949 if (!ok) return((int)n); 950 951 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 952 ((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) && 953 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 954 { 955 s->s3->tmp.reuse_message=1; 956 return(1); 957 } 958 959 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 960 { 961 al=SSL_AD_UNEXPECTED_MESSAGE; 962 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 963 goto f_err; 964 } 965 p=d=(unsigned char *)s->init_msg; 966 967 if ((sk=sk_X509_new_null()) == NULL) 968 { 969 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 970 goto err; 971 } 972 973 n2l3(p,llen); 974 if (llen+3 != n) 975 { 976 al=SSL_AD_DECODE_ERROR; 977 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 978 goto f_err; 979 } 980 for (nc=0; nc<llen; ) 981 { 982 n2l3(p,l); 983 if ((l+nc+3) > llen) 984 { 985 al=SSL_AD_DECODE_ERROR; 986 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 987 goto f_err; 988 } 989 990 q=p; 991 x=d2i_X509(NULL,&q,l); 992 if (x == NULL) 993 { 994 al=SSL_AD_BAD_CERTIFICATE; 995 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 996 goto f_err; 997 } 998 if (q != (p+l)) 999 { 1000 al=SSL_AD_DECODE_ERROR; 1001 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1002 goto f_err; 1003 } 1004 if (!sk_X509_push(sk,x)) 1005 { 1006 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1007 goto err; 1008 } 1009 x=NULL; 1010 nc+=l+3; 1011 p=q; 1012 } 1013 1014 i=ssl_verify_cert_chain(s,sk); 1015 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1016#ifndef OPENSSL_NO_KRB5 1017 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 1018 != (SSL_aKRB5|SSL_kKRB5) 1019#endif /* OPENSSL_NO_KRB5 */ 1020 ) 1021 { 1022 al=ssl_verify_alarm_type(s->verify_result); 1023 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1024 goto f_err; 1025 } 1026 ERR_clear_error(); /* but we keep s->verify_result */ 1027 1028 sc=ssl_sess_cert_new(); 1029 if (sc == NULL) goto err; 1030 1031 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1032 s->session->sess_cert=sc; 1033 1034 sc->cert_chain=sk; 1035 /* Inconsistency alert: cert_chain does include the peer's 1036 * certificate, which we don't include in s3_srvr.c */ 1037 x=sk_X509_value(sk,0); 1038 sk=NULL; 1039 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1040 1041 pkey=X509_get_pubkey(x); 1042 1043 /* VRS: allow null cert if auth == KRB5 */ 1044 need_cert = ((s->s3->tmp.new_cipher->algorithms 1045 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 1046 == (SSL_aKRB5|SSL_kKRB5))? 0: 1; 1047 1048#ifdef KSSL_DEBUG 1049 printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x); 1050 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1051 printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, 1052 s->s3->tmp.new_cipher->algorithms, need_cert); 1053#endif /* KSSL_DEBUG */ 1054 1055 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1056 { 1057 x=NULL; 1058 al=SSL3_AL_FATAL; 1059 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1060 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1061 goto f_err; 1062 } 1063 1064 i=ssl_cert_type(x,pkey); 1065 if (need_cert && i < 0) 1066 { 1067 x=NULL; 1068 al=SSL3_AL_FATAL; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1070 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1071 goto f_err; 1072 } 1073 1074 if (need_cert) 1075 { 1076 sc->peer_cert_type=i; 1077 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1078 /* Why would the following ever happen? 1079 * We just created sc a couple of lines ago. */ 1080 if (sc->peer_pkeys[i].x509 != NULL) 1081 X509_free(sc->peer_pkeys[i].x509); 1082 sc->peer_pkeys[i].x509=x; 1083 sc->peer_key= &(sc->peer_pkeys[i]); 1084 1085 if (s->session->peer != NULL) 1086 X509_free(s->session->peer); 1087 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1088 s->session->peer=x; 1089 } 1090 else 1091 { 1092 sc->peer_cert_type=i; 1093 sc->peer_key= NULL; 1094 1095 if (s->session->peer != NULL) 1096 X509_free(s->session->peer); 1097 s->session->peer=NULL; 1098 } 1099 s->session->verify_result = s->verify_result; 1100 1101 x=NULL; 1102 ret=1; 1103 1104 if (0) 1105 { 1106f_err: 1107 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1108 } 1109err: 1110 EVP_PKEY_free(pkey); 1111 X509_free(x); 1112 sk_X509_pop_free(sk,X509_free); 1113 return(ret); 1114 } 1115 1116int ssl3_get_key_exchange(SSL *s) 1117 { 1118#ifndef OPENSSL_NO_RSA 1119 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1120#endif 1121 EVP_MD_CTX md_ctx; 1122 unsigned char *param,*p; 1123 int al,i,j,param_len,ok; 1124 long n,alg; 1125 EVP_PKEY *pkey=NULL; 1126#ifndef OPENSSL_NO_RSA 1127 RSA *rsa=NULL; 1128#endif 1129#ifndef OPENSSL_NO_DH 1130 DH *dh=NULL; 1131#endif 1132#ifndef OPENSSL_NO_ECDH 1133 EC_KEY *ecdh = NULL; 1134 BN_CTX *bn_ctx = NULL; 1135 EC_POINT *srvr_ecpoint = NULL; 1136 int curve_nid = 0; 1137 int encoded_pt_len = 0; 1138#endif 1139 1140 /* use same message size as in ssl3_get_certificate_request() 1141 * as ServerKeyExchange message may be skipped */ 1142 n=s->method->ssl_get_message(s, 1143 SSL3_ST_CR_KEY_EXCH_A, 1144 SSL3_ST_CR_KEY_EXCH_B, 1145 -1, 1146 s->max_cert_list, 1147 &ok); 1148 1149 if (!ok) return((int)n); 1150 1151 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 1152 { 1153 s->s3->tmp.reuse_message=1; 1154 return(1); 1155 } 1156 1157 param=p=(unsigned char *)s->init_msg; 1158 1159 if (s->session->sess_cert != NULL) 1160 { 1161#ifndef OPENSSL_NO_RSA 1162 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1163 { 1164 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1165 s->session->sess_cert->peer_rsa_tmp=NULL; 1166 } 1167#endif 1168#ifndef OPENSSL_NO_DH 1169 if (s->session->sess_cert->peer_dh_tmp) 1170 { 1171 DH_free(s->session->sess_cert->peer_dh_tmp); 1172 s->session->sess_cert->peer_dh_tmp=NULL; 1173 } 1174#endif 1175#ifndef OPENSSL_NO_ECDH 1176 if (s->session->sess_cert->peer_ecdh_tmp) 1177 { 1178 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1179 s->session->sess_cert->peer_ecdh_tmp=NULL; 1180 } 1181#endif 1182 } 1183 else 1184 { 1185 s->session->sess_cert=ssl_sess_cert_new(); 1186 } 1187 1188 param_len=0; 1189 alg=s->s3->tmp.new_cipher->algorithms; 1190 EVP_MD_CTX_init(&md_ctx); 1191 1192#ifndef OPENSSL_NO_RSA 1193 if (alg & SSL_kRSA) 1194 { 1195 if ((rsa=RSA_new()) == NULL) 1196 { 1197 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1198 goto err; 1199 } 1200 n2s(p,i); 1201 param_len=i+2; 1202 if (param_len > n) 1203 { 1204 al=SSL_AD_DECODE_ERROR; 1205 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 1206 goto f_err; 1207 } 1208 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1209 { 1210 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1211 goto err; 1212 } 1213 p+=i; 1214 1215 n2s(p,i); 1216 param_len+=i+2; 1217 if (param_len > n) 1218 { 1219 al=SSL_AD_DECODE_ERROR; 1220 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 1221 goto f_err; 1222 } 1223 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1224 { 1225 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1226 goto err; 1227 } 1228 p+=i; 1229 n-=param_len; 1230 1231 /* this should be because we are using an export cipher */ 1232 if (alg & SSL_aRSA) 1233 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1234 else 1235 { 1236 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1237 goto err; 1238 } 1239 s->session->sess_cert->peer_rsa_tmp=rsa; 1240 rsa=NULL; 1241 } 1242#else /* OPENSSL_NO_RSA */ 1243 if (0) 1244 ; 1245#endif 1246#ifndef OPENSSL_NO_DH 1247 else if (alg & SSL_kEDH) 1248 { 1249 if ((dh=DH_new()) == NULL) 1250 { 1251 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 1252 goto err; 1253 } 1254 n2s(p,i); 1255 param_len=i+2; 1256 if (param_len > n) 1257 { 1258 al=SSL_AD_DECODE_ERROR; 1259 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 1260 goto f_err; 1261 } 1262 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1263 { 1264 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1265 goto err; 1266 } 1267 p+=i; 1268 1269 n2s(p,i); 1270 param_len+=i+2; 1271 if (param_len > n) 1272 { 1273 al=SSL_AD_DECODE_ERROR; 1274 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 1275 goto f_err; 1276 } 1277 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1278 { 1279 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1280 goto err; 1281 } 1282 p+=i; 1283 1284 n2s(p,i); 1285 param_len+=i+2; 1286 if (param_len > n) 1287 { 1288 al=SSL_AD_DECODE_ERROR; 1289 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 1290 goto f_err; 1291 } 1292 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1293 { 1294 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1295 goto err; 1296 } 1297 p+=i; 1298 n-=param_len; 1299 1300#ifndef OPENSSL_NO_RSA 1301 if (alg & SSL_aRSA) 1302 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1303#else 1304 if (0) 1305 ; 1306#endif 1307#ifndef OPENSSL_NO_DSA 1308 else if (alg & SSL_aDSS) 1309 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1310#endif 1311 /* else anonymous DH, so no certificate or pkey. */ 1312 1313 s->session->sess_cert->peer_dh_tmp=dh; 1314 dh=NULL; 1315 } 1316 else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) 1317 { 1318 al=SSL_AD_ILLEGAL_PARAMETER; 1319 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1320 goto f_err; 1321 } 1322#endif /* !OPENSSL_NO_DH */ 1323 1324#ifndef OPENSSL_NO_ECDH 1325 else if (alg & SSL_kECDHE) 1326 { 1327 EC_GROUP *ngroup; 1328 const EC_GROUP *group; 1329 1330 if ((ecdh=EC_KEY_new()) == NULL) 1331 { 1332 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1333 goto err; 1334 } 1335 1336 /* Extract elliptic curve parameters and the 1337 * server's ephemeral ECDH public key. 1338 * Keep accumulating lengths of various components in 1339 * param_len and make sure it never exceeds n. 1340 */ 1341 1342 /* XXX: For now we only support named (not generic) curves 1343 * and the ECParameters in this case is just three bytes. 1344 */ 1345 param_len=3; 1346 if ((param_len > n) || 1347 (*p != NAMED_CURVE_TYPE) || 1348 ((curve_nid = curve_id2nid(*(p + 2))) == 0)) 1349 { 1350 al=SSL_AD_INTERNAL_ERROR; 1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1352 goto f_err; 1353 } 1354 1355 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1356 if (ngroup == NULL) 1357 { 1358 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1359 goto err; 1360 } 1361 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1362 { 1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1364 goto err; 1365 } 1366 EC_GROUP_free(ngroup); 1367 1368 group = EC_KEY_get0_group(ecdh); 1369 1370 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1371 (EC_GROUP_get_degree(group) > 163)) 1372 { 1373 al=SSL_AD_EXPORT_RESTRICTION; 1374 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1375 goto f_err; 1376 } 1377 1378 p+=3; 1379 1380 /* Next, get the encoded ECPoint */ 1381 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1382 ((bn_ctx = BN_CTX_new()) == NULL)) 1383 { 1384 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1385 goto err; 1386 } 1387 1388 encoded_pt_len = *p; /* length of encoded point */ 1389 p+=1; 1390 param_len += (1 + encoded_pt_len); 1391 if ((param_len > n) || 1392 (EC_POINT_oct2point(group, srvr_ecpoint, 1393 p, encoded_pt_len, bn_ctx) == 0)) 1394 { 1395 al=SSL_AD_DECODE_ERROR; 1396 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1397 goto f_err; 1398 } 1399 1400 n-=param_len; 1401 p+=encoded_pt_len; 1402 1403 /* The ECC/TLS specification does not mention 1404 * the use of DSA to sign ECParameters in the server 1405 * key exchange message. We do support RSA and ECDSA. 1406 */ 1407 if (0) ; 1408#ifndef OPENSSL_NO_RSA 1409 else if (alg & SSL_aRSA) 1410 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1411#endif 1412#ifndef OPENSSL_NO_ECDSA 1413 else if (alg & SSL_aECDSA) 1414 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1415#endif 1416 /* else anonymous ECDH, so no certificate or pkey. */ 1417 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1418 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1419 ecdh=NULL; 1420 BN_CTX_free(bn_ctx); 1421 EC_POINT_free(srvr_ecpoint); 1422 srvr_ecpoint = NULL; 1423 } 1424 else if (alg & SSL_kECDH) 1425 { 1426 al=SSL_AD_UNEXPECTED_MESSAGE; 1427 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1428 goto f_err; 1429 } 1430#endif /* !OPENSSL_NO_ECDH */ 1431 if (alg & SSL_aFZA) 1432 { 1433 al=SSL_AD_HANDSHAKE_FAILURE; 1434 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1435 goto f_err; 1436 } 1437 1438 1439 /* p points to the next byte, there are 'n' bytes left */ 1440 1441 /* if it was signed, check the signature */ 1442 if (pkey != NULL) 1443 { 1444 n2s(p,i); 1445 n-=2; 1446 j=EVP_PKEY_size(pkey); 1447 1448 if ((i != n) || (n > j) || (n <= 0)) 1449 { 1450 /* wrong packet length */ 1451 al=SSL_AD_DECODE_ERROR; 1452 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1453 goto f_err; 1454 } 1455 1456#ifndef OPENSSL_NO_RSA 1457 if (pkey->type == EVP_PKEY_RSA) 1458 { 1459 int num; 1460 1461 j=0; 1462 q=md_buf; 1463 for (num=2; num > 0; num--) 1464 { 1465 EVP_MD_CTX_set_flags(&md_ctx, 1466 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1467 EVP_DigestInit_ex(&md_ctx,(num == 2) 1468 ?s->ctx->md5:s->ctx->sha1, NULL); 1469 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1470 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1471 EVP_DigestUpdate(&md_ctx,param,param_len); 1472 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1473 q+=i; 1474 j+=i; 1475 } 1476 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1477 pkey->pkey.rsa); 1478 if (i < 0) 1479 { 1480 al=SSL_AD_DECRYPT_ERROR; 1481 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1482 goto f_err; 1483 } 1484 if (i == 0) 1485 { 1486 /* bad signature */ 1487 al=SSL_AD_DECRYPT_ERROR; 1488 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1489 goto f_err; 1490 } 1491 } 1492 else 1493#endif 1494#ifndef OPENSSL_NO_DSA 1495 if (pkey->type == EVP_PKEY_DSA) 1496 { 1497 /* lets do DSS */ 1498 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); 1499 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1500 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1501 EVP_VerifyUpdate(&md_ctx,param,param_len); 1502 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1503 { 1504 /* bad signature */ 1505 al=SSL_AD_DECRYPT_ERROR; 1506 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1507 goto f_err; 1508 } 1509 } 1510 else 1511#endif 1512#ifndef OPENSSL_NO_ECDSA 1513 if (pkey->type == EVP_PKEY_EC) 1514 { 1515 /* let's do ECDSA */ 1516 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1517 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1518 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1519 EVP_VerifyUpdate(&md_ctx,param,param_len); 1520 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1521 { 1522 /* bad signature */ 1523 al=SSL_AD_DECRYPT_ERROR; 1524 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1525 goto f_err; 1526 } 1527 } 1528 else 1529#endif 1530 { 1531 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1532 goto err; 1533 } 1534 } 1535 else 1536 { 1537 /* still data left over */ 1538 if (!(alg & SSL_aNULL)) 1539 { 1540 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1541 goto err; 1542 } 1543 if (n != 0) 1544 { 1545 al=SSL_AD_DECODE_ERROR; 1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 1547 goto f_err; 1548 } 1549 } 1550 EVP_PKEY_free(pkey); 1551 EVP_MD_CTX_cleanup(&md_ctx); 1552 return(1); 1553f_err: 1554 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1555err: 1556 EVP_PKEY_free(pkey); 1557#ifndef OPENSSL_NO_RSA 1558 if (rsa != NULL) 1559 RSA_free(rsa); 1560#endif 1561#ifndef OPENSSL_NO_DH 1562 if (dh != NULL) 1563 DH_free(dh); 1564#endif 1565#ifndef OPENSSL_NO_ECDH 1566 BN_CTX_free(bn_ctx); 1567 EC_POINT_free(srvr_ecpoint); 1568 if (ecdh != NULL) 1569 EC_KEY_free(ecdh); 1570#endif 1571 EVP_MD_CTX_cleanup(&md_ctx); 1572 return(-1); 1573 } 1574 1575int ssl3_get_certificate_request(SSL *s) 1576 { 1577 int ok,ret=0; 1578 unsigned long n,nc,l; 1579 unsigned int llen,ctype_num,i; 1580 X509_NAME *xn=NULL; 1581 const unsigned char *p,*q; 1582 unsigned char *d; 1583 STACK_OF(X509_NAME) *ca_sk=NULL; 1584 1585 n=s->method->ssl_get_message(s, 1586 SSL3_ST_CR_CERT_REQ_A, 1587 SSL3_ST_CR_CERT_REQ_B, 1588 -1, 1589 s->max_cert_list, 1590 &ok); 1591 1592 if (!ok) return((int)n); 1593 1594 s->s3->tmp.cert_req=0; 1595 1596 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1597 { 1598 s->s3->tmp.reuse_message=1; 1599 return(1); 1600 } 1601 1602 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1603 { 1604 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1605 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 1606 goto err; 1607 } 1608 1609 /* TLS does not like anon-DH with client cert */ 1610 if (s->version > SSL3_VERSION) 1611 { 1612 l=s->s3->tmp.new_cipher->algorithms; 1613 if (l & SSL_aNULL) 1614 { 1615 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1616 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1617 goto err; 1618 } 1619 } 1620 1621 p=d=(unsigned char *)s->init_msg; 1622 1623 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1624 { 1625 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1626 goto err; 1627 } 1628 1629 /* get the certificate types */ 1630 ctype_num= *(p++); 1631 if (ctype_num > SSL3_CT_NUMBER) 1632 ctype_num=SSL3_CT_NUMBER; 1633 for (i=0; i<ctype_num; i++) 1634 s->s3->tmp.ctype[i]= p[i]; 1635 p+=ctype_num; 1636 1637 /* get the CA RDNs */ 1638 n2s(p,llen); 1639#if 0 1640{ 1641FILE *out; 1642out=fopen("/tmp/vsign.der","w"); 1643fwrite(p,1,llen,out); 1644fclose(out); 1645} 1646#endif 1647 1648 if ((llen+ctype_num+2+1) != n) 1649 { 1650 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1651 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1652 goto err; 1653 } 1654 1655 for (nc=0; nc<llen; ) 1656 { 1657 n2s(p,l); 1658 if ((l+nc+2) > llen) 1659 { 1660 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1661 goto cont; /* netscape bugs */ 1662 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1663 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1664 goto err; 1665 } 1666 1667 q=p; 1668 1669 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1670 { 1671 /* If netscape tolerance is on, ignore errors */ 1672 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1673 goto cont; 1674 else 1675 { 1676 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1677 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 1678 goto err; 1679 } 1680 } 1681 1682 if (q != (p+l)) 1683 { 1684 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1685 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 1686 goto err; 1687 } 1688 if (!sk_X509_NAME_push(ca_sk,xn)) 1689 { 1690 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1691 goto err; 1692 } 1693 1694 p+=l; 1695 nc+=l+2; 1696 } 1697 1698 if (0) 1699 { 1700cont: 1701 ERR_clear_error(); 1702 } 1703 1704 /* we should setup a certificate to return.... */ 1705 s->s3->tmp.cert_req=1; 1706 s->s3->tmp.ctype_num=ctype_num; 1707 if (s->s3->tmp.ca_names != NULL) 1708 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1709 s->s3->tmp.ca_names=ca_sk; 1710 ca_sk=NULL; 1711 1712 ret=1; 1713err: 1714 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1715 return(ret); 1716 } 1717 1718static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 1719 { 1720 return(X509_NAME_cmp(*a,*b)); 1721 } 1722#ifndef OPENSSL_NO_TLSEXT 1723int ssl3_get_new_session_ticket(SSL *s) 1724 { 1725 int ok,al,ret=0, ticklen; 1726 long n; 1727 const unsigned char *p; 1728 unsigned char *d; 1729 1730 n=s->method->ssl_get_message(s, 1731 SSL3_ST_CR_SESSION_TICKET_A, 1732 SSL3_ST_CR_SESSION_TICKET_B, 1733 -1, 1734 16384, 1735 &ok); 1736 1737 if (!ok) 1738 return((int)n); 1739 1740 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1741 { 1742 s->s3->tmp.reuse_message=1; 1743 return(1); 1744 } 1745 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1746 { 1747 al=SSL_AD_UNEXPECTED_MESSAGE; 1748 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 1749 goto f_err; 1750 } 1751 if (n < 6) 1752 { 1753 /* need at least ticket_lifetime_hint + ticket length */ 1754 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1755 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1756 goto f_err; 1757 } 1758 p=d=(unsigned char *)s->init_msg; 1759 n2l(p, s->session->tlsext_tick_lifetime_hint); 1760 n2s(p, ticklen); 1761 /* ticket_lifetime_hint + ticket_length + ticket */ 1762 if (ticklen + 6 != n) 1763 { 1764 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1765 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1766 goto f_err; 1767 } 1768 if (s->session->tlsext_tick) 1769 { 1770 OPENSSL_free(s->session->tlsext_tick); 1771 s->session->tlsext_ticklen = 0; 1772 } 1773 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1774 if (!s->session->tlsext_tick) 1775 { 1776 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 1777 goto err; 1778 } 1779 memcpy(s->session->tlsext_tick, p, ticklen); 1780 s->session->tlsext_ticklen = ticklen; 1781 1782 ret=1; 1783 return(ret); 1784f_err: 1785 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1786err: 1787 return(-1); 1788 } 1789 1790int ssl3_get_cert_status(SSL *s) 1791 { 1792 int ok, al; 1793 unsigned long resplen; 1794 long n; 1795 const unsigned char *p; 1796 1797 n=s->method->ssl_get_message(s, 1798 SSL3_ST_CR_CERT_STATUS_A, 1799 SSL3_ST_CR_CERT_STATUS_B, 1800 SSL3_MT_CERTIFICATE_STATUS, 1801 16384, 1802 &ok); 1803 1804 if (!ok) return((int)n); 1805 if (n < 4) 1806 { 1807 /* need at least status type + length */ 1808 al = SSL_AD_DECODE_ERROR; 1809 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1810 goto f_err; 1811 } 1812 p = (unsigned char *)s->init_msg; 1813 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1814 { 1815 al = SSL_AD_DECODE_ERROR; 1816 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1817 goto f_err; 1818 } 1819 n2l3(p, resplen); 1820 if (resplen + 4 != (unsigned long)n) 1821 { 1822 al = SSL_AD_DECODE_ERROR; 1823 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1824 goto f_err; 1825 } 1826 if (s->tlsext_ocsp_resp) 1827 OPENSSL_free(s->tlsext_ocsp_resp); 1828 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 1829 if (!s->tlsext_ocsp_resp) 1830 { 1831 al = SSL_AD_INTERNAL_ERROR; 1832 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 1833 goto f_err; 1834 } 1835 s->tlsext_ocsp_resplen = resplen; 1836 if (s->ctx->tlsext_status_cb) 1837 { 1838 int ret; 1839 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1840 if (ret == 0) 1841 { 1842 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1843 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 1844 goto f_err; 1845 } 1846 if (ret < 0) 1847 { 1848 al = SSL_AD_INTERNAL_ERROR; 1849 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 1850 goto f_err; 1851 } 1852 } 1853 return 1; 1854f_err: 1855 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1856 return(-1); 1857 } 1858#endif 1859 1860int ssl3_get_server_done(SSL *s) 1861 { 1862 int ok,ret=0; 1863 long n; 1864 1865 n=s->method->ssl_get_message(s, 1866 SSL3_ST_CR_SRVR_DONE_A, 1867 SSL3_ST_CR_SRVR_DONE_B, 1868 SSL3_MT_SERVER_DONE, 1869 30, /* should be very small, like 0 :-) */ 1870 &ok); 1871 1872 if (!ok) return((int)n); 1873 if (n > 0) 1874 { 1875 /* should contain no data */ 1876 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1877 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 1878 return -1; 1879 } 1880 ret=1; 1881 return(ret); 1882 } 1883 1884 1885int ssl3_send_client_key_exchange(SSL *s) 1886 { 1887 unsigned char *p,*d; 1888 int n; 1889 unsigned long l; 1890#ifndef OPENSSL_NO_RSA 1891 unsigned char *q; 1892 EVP_PKEY *pkey=NULL; 1893#endif 1894#ifndef OPENSSL_NO_KRB5 1895 KSSL_ERR kssl_err; 1896#endif /* OPENSSL_NO_KRB5 */ 1897#ifndef OPENSSL_NO_ECDH 1898 EC_KEY *clnt_ecdh = NULL; 1899 const EC_POINT *srvr_ecpoint = NULL; 1900 EVP_PKEY *srvr_pub_pkey = NULL; 1901 unsigned char *encodedPoint = NULL; 1902 int encoded_pt_len = 0; 1903 BN_CTX * bn_ctx = NULL; 1904#endif 1905 1906 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 1907 { 1908 d=(unsigned char *)s->init_buf->data; 1909 p= &(d[4]); 1910 1911 l=s->s3->tmp.new_cipher->algorithms; 1912 1913 /* Fool emacs indentation */ 1914 if (0) {} 1915#ifndef OPENSSL_NO_RSA 1916 else if (l & SSL_kRSA) 1917 { 1918 RSA *rsa; 1919 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1920 1921 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1922 rsa=s->session->sess_cert->peer_rsa_tmp; 1923 else 1924 { 1925 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1926 if ((pkey == NULL) || 1927 (pkey->type != EVP_PKEY_RSA) || 1928 (pkey->pkey.rsa == NULL)) 1929 { 1930 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1931 goto err; 1932 } 1933 rsa=pkey->pkey.rsa; 1934 EVP_PKEY_free(pkey); 1935 } 1936 1937 tmp_buf[0]=s->client_version>>8; 1938 tmp_buf[1]=s->client_version&0xff; 1939 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 1940 goto err; 1941 1942 s->session->master_key_length=sizeof tmp_buf; 1943 1944 q=p; 1945 /* Fix buf for TLS and beyond */ 1946 if (s->version > SSL3_VERSION) 1947 p+=2; 1948 n=RSA_public_encrypt(sizeof tmp_buf, 1949 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 1950#ifdef PKCS1_CHECK 1951 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 1952 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 1953#endif 1954 if (n <= 0) 1955 { 1956 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 1957 goto err; 1958 } 1959 1960 /* Fix buf for TLS and beyond */ 1961 if (s->version > SSL3_VERSION) 1962 { 1963 s2n(n,q); 1964 n+=2; 1965 } 1966 1967 s->session->master_key_length= 1968 s->method->ssl3_enc->generate_master_secret(s, 1969 s->session->master_key, 1970 tmp_buf,sizeof tmp_buf); 1971 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 1972 } 1973#endif 1974#ifndef OPENSSL_NO_KRB5 1975 else if (l & SSL_kKRB5) 1976 { 1977 krb5_error_code krb5rc; 1978 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1979 /* krb5_data krb5_ap_req; */ 1980 krb5_data *enc_ticket; 1981 krb5_data authenticator, *authp = NULL; 1982 EVP_CIPHER_CTX ciph_ctx; 1983 EVP_CIPHER *enc = NULL; 1984 unsigned char iv[EVP_MAX_IV_LENGTH]; 1985 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1986 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 1987 + EVP_MAX_IV_LENGTH]; 1988 int padl, outl = sizeof(epms); 1989 1990 EVP_CIPHER_CTX_init(&ciph_ctx); 1991 1992#ifdef KSSL_DEBUG 1993 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 1994 l, SSL_kKRB5); 1995#endif /* KSSL_DEBUG */ 1996 1997 authp = NULL; 1998#ifdef KRB5SENDAUTH 1999 if (KRB5SENDAUTH) authp = &authenticator; 2000#endif /* KRB5SENDAUTH */ 2001 2002 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2003 &kssl_err); 2004 enc = kssl_map_enc(kssl_ctx->enctype); 2005 if (enc == NULL) 2006 goto err; 2007#ifdef KSSL_DEBUG 2008 { 2009 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2010 if (krb5rc && kssl_err.text) 2011 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2012 } 2013#endif /* KSSL_DEBUG */ 2014 2015 if (krb5rc) 2016 { 2017 ssl3_send_alert(s,SSL3_AL_FATAL, 2018 SSL_AD_HANDSHAKE_FAILURE); 2019 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2020 kssl_err.reason); 2021 goto err; 2022 } 2023 2024 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2025 ** in place of RFC 2712 KerberosWrapper, as in: 2026 ** 2027 ** Send ticket (copy to *p, set n = length) 2028 ** n = krb5_ap_req.length; 2029 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2030 ** if (krb5_ap_req.data) 2031 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2032 ** 2033 ** Now using real RFC 2712 KerberosWrapper 2034 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2035 ** Note: 2712 "opaque" types are here replaced 2036 ** with a 2-byte length followed by the value. 2037 ** Example: 2038 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2039 ** Where "xx xx" = length bytes. Shown here with 2040 ** optional authenticator omitted. 2041 */ 2042 2043 /* KerberosWrapper.Ticket */ 2044 s2n(enc_ticket->length,p); 2045 memcpy(p, enc_ticket->data, enc_ticket->length); 2046 p+= enc_ticket->length; 2047 n = enc_ticket->length + 2; 2048 2049 /* KerberosWrapper.Authenticator */ 2050 if (authp && authp->length) 2051 { 2052 s2n(authp->length,p); 2053 memcpy(p, authp->data, authp->length); 2054 p+= authp->length; 2055 n+= authp->length + 2; 2056 2057 free(authp->data); 2058 authp->data = NULL; 2059 authp->length = 0; 2060 } 2061 else 2062 { 2063 s2n(0,p);/* null authenticator length */ 2064 n+=2; 2065 } 2066 2067 tmp_buf[0]=s->client_version>>8; 2068 tmp_buf[1]=s->client_version&0xff; 2069 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2070 goto err; 2071 2072 /* 20010420 VRS. Tried it this way; failed. 2073 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2074 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2075 ** kssl_ctx->length); 2076 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2077 */ 2078 2079 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2080 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2081 kssl_ctx->key,iv); 2082 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2083 sizeof tmp_buf); 2084 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2085 outl += padl; 2086 if (outl > sizeof epms) 2087 { 2088 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2089 goto err; 2090 } 2091 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2092 2093 /* KerberosWrapper.EncryptedPreMasterSecret */ 2094 s2n(outl,p); 2095 memcpy(p, epms, outl); 2096 p+=outl; 2097 n+=outl + 2; 2098 2099 s->session->master_key_length= 2100 s->method->ssl3_enc->generate_master_secret(s, 2101 s->session->master_key, 2102 tmp_buf, sizeof tmp_buf); 2103 2104 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2105 OPENSSL_cleanse(epms, outl); 2106 } 2107#endif 2108#ifndef OPENSSL_NO_DH 2109 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2110 { 2111 DH *dh_srvr,*dh_clnt; 2112 2113 if (s->session->sess_cert == NULL) 2114 { 2115 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2116 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2117 goto err; 2118 } 2119 2120 if (s->session->sess_cert->peer_dh_tmp != NULL) 2121 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2122 else 2123 { 2124 /* we get them from the cert */ 2125 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2126 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2127 goto err; 2128 } 2129 2130 /* generate a new random key */ 2131 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2132 { 2133 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2134 goto err; 2135 } 2136 if (!DH_generate_key(dh_clnt)) 2137 { 2138 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2139 goto err; 2140 } 2141 2142 /* use the 'p' output buffer for the DH key, but 2143 * make sure to clear it out afterwards */ 2144 2145 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2146 2147 if (n <= 0) 2148 { 2149 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2150 goto err; 2151 } 2152 2153 /* generate master key from the result */ 2154 s->session->master_key_length= 2155 s->method->ssl3_enc->generate_master_secret(s, 2156 s->session->master_key,p,n); 2157 /* clean up */ 2158 memset(p,0,n); 2159 2160 /* send off the data */ 2161 n=BN_num_bytes(dh_clnt->pub_key); 2162 s2n(n,p); 2163 BN_bn2bin(dh_clnt->pub_key,p); 2164 n+=2; 2165 2166 DH_free(dh_clnt); 2167 2168 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2169 } 2170#endif 2171 2172#ifndef OPENSSL_NO_ECDH 2173 else if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2174 { 2175 const EC_GROUP *srvr_group = NULL; 2176 EC_KEY *tkey; 2177 int ecdh_clnt_cert = 0; 2178 int field_size = 0; 2179 2180 /* Did we send out the client's 2181 * ECDH share for use in premaster 2182 * computation as part of client certificate? 2183 * If so, set ecdh_clnt_cert to 1. 2184 */ 2185 if ((l & SSL_kECDH) && (s->cert != NULL)) 2186 { 2187 /* XXX: For now, we do not support client 2188 * authentication using ECDH certificates. 2189 * To add such support, one needs to add 2190 * code that checks for appropriate 2191 * conditions and sets ecdh_clnt_cert to 1. 2192 * For example, the cert have an ECC 2193 * key on the same curve as the server's 2194 * and the key should be authorized for 2195 * key agreement. 2196 * 2197 * One also needs to add code in ssl3_connect 2198 * to skip sending the certificate verify 2199 * message. 2200 * 2201 * if ((s->cert->key->privatekey != NULL) && 2202 * (s->cert->key->privatekey->type == 2203 * EVP_PKEY_EC) && ...) 2204 * ecdh_clnt_cert = 1; 2205 */ 2206 } 2207 2208 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2209 { 2210 tkey = s->session->sess_cert->peer_ecdh_tmp; 2211 } 2212 else 2213 { 2214 /* Get the Server Public Key from Cert */ 2215 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2216 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2217 if ((srvr_pub_pkey == NULL) || 2218 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2219 (srvr_pub_pkey->pkey.ec == NULL)) 2220 { 2221 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2222 ERR_R_INTERNAL_ERROR); 2223 goto err; 2224 } 2225 2226 tkey = srvr_pub_pkey->pkey.ec; 2227 } 2228 2229 srvr_group = EC_KEY_get0_group(tkey); 2230 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2231 2232 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2233 { 2234 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2235 ERR_R_INTERNAL_ERROR); 2236 goto err; 2237 } 2238 2239 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2240 { 2241 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2242 goto err; 2243 } 2244 2245 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2246 { 2247 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2248 goto err; 2249 } 2250 if (ecdh_clnt_cert) 2251 { 2252 /* Reuse key info from our certificate 2253 * We only need our private key to perform 2254 * the ECDH computation. 2255 */ 2256 const BIGNUM *priv_key; 2257 tkey = s->cert->key->privatekey->pkey.ec; 2258 priv_key = EC_KEY_get0_private_key(tkey); 2259 if (priv_key == NULL) 2260 { 2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2262 goto err; 2263 } 2264 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2265 { 2266 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2267 goto err; 2268 } 2269 } 2270 else 2271 { 2272 /* Generate a new ECDH key pair */ 2273 if (!(EC_KEY_generate_key(clnt_ecdh))) 2274 { 2275 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2276 goto err; 2277 } 2278 } 2279 2280 /* use the 'p' output buffer for the ECDH key, but 2281 * make sure to clear it out afterwards 2282 */ 2283 2284 field_size = EC_GROUP_get_degree(srvr_group); 2285 if (field_size <= 0) 2286 { 2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2288 ERR_R_ECDH_LIB); 2289 goto err; 2290 } 2291 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2292 if (n <= 0) 2293 { 2294 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2295 ERR_R_ECDH_LIB); 2296 goto err; 2297 } 2298 2299 /* generate master key from the result */ 2300 s->session->master_key_length = s->method->ssl3_enc \ 2301 -> generate_master_secret(s, 2302 s->session->master_key, 2303 p, n); 2304 2305 memset(p, 0, n); /* clean up */ 2306 2307 if (ecdh_clnt_cert) 2308 { 2309 /* Send empty client key exch message */ 2310 n = 0; 2311 } 2312 else 2313 { 2314 /* First check the size of encoding and 2315 * allocate memory accordingly. 2316 */ 2317 encoded_pt_len = 2318 EC_POINT_point2oct(srvr_group, 2319 EC_KEY_get0_public_key(clnt_ecdh), 2320 POINT_CONVERSION_UNCOMPRESSED, 2321 NULL, 0, NULL); 2322 2323 encodedPoint = (unsigned char *) 2324 OPENSSL_malloc(encoded_pt_len * 2325 sizeof(unsigned char)); 2326 bn_ctx = BN_CTX_new(); 2327 if ((encodedPoint == NULL) || 2328 (bn_ctx == NULL)) 2329 { 2330 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2331 goto err; 2332 } 2333 2334 /* Encode the public key */ 2335 n = EC_POINT_point2oct(srvr_group, 2336 EC_KEY_get0_public_key(clnt_ecdh), 2337 POINT_CONVERSION_UNCOMPRESSED, 2338 encodedPoint, encoded_pt_len, bn_ctx); 2339 2340 *p = n; /* length of encoded point */ 2341 /* Encoded point will be copied here */ 2342 p += 1; 2343 /* copy the point */ 2344 memcpy((unsigned char *)p, encodedPoint, n); 2345 /* increment n to account for length field */ 2346 n += 1; 2347 } 2348 2349 /* Free allocated memory */ 2350 BN_CTX_free(bn_ctx); 2351 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2352 if (clnt_ecdh != NULL) 2353 EC_KEY_free(clnt_ecdh); 2354 EVP_PKEY_free(srvr_pub_pkey); 2355 } 2356#endif /* !OPENSSL_NO_ECDH */ 2357 else 2358 { 2359 ssl3_send_alert(s, SSL3_AL_FATAL, 2360 SSL_AD_HANDSHAKE_FAILURE); 2361 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2362 ERR_R_INTERNAL_ERROR); 2363 goto err; 2364 } 2365 2366 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 2367 l2n3(n,d); 2368 2369 s->state=SSL3_ST_CW_KEY_EXCH_B; 2370 /* number of bytes to write */ 2371 s->init_num=n+4; 2372 s->init_off=0; 2373 } 2374 2375 /* SSL3_ST_CW_KEY_EXCH_B */ 2376 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2377err: 2378#ifndef OPENSSL_NO_ECDH 2379 BN_CTX_free(bn_ctx); 2380 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2381 if (clnt_ecdh != NULL) 2382 EC_KEY_free(clnt_ecdh); 2383 EVP_PKEY_free(srvr_pub_pkey); 2384#endif 2385 return(-1); 2386 } 2387 2388int ssl3_send_client_verify(SSL *s) 2389 { 2390 unsigned char *p,*d; 2391 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2392 EVP_PKEY *pkey; 2393#ifndef OPENSSL_NO_RSA 2394 unsigned u=0; 2395#endif 2396 unsigned long n; 2397#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) 2398 int j; 2399#endif 2400 2401 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2402 { 2403 d=(unsigned char *)s->init_buf->data; 2404 p= &(d[4]); 2405 pkey=s->cert->key->privatekey; 2406 2407 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2), 2408 &(data[MD5_DIGEST_LENGTH])); 2409 2410#ifndef OPENSSL_NO_RSA 2411 if (pkey->type == EVP_PKEY_RSA) 2412 { 2413 s->method->ssl3_enc->cert_verify_mac(s, 2414 &(s->s3->finish_dgst1),&(data[0])); 2415 if (RSA_sign(NID_md5_sha1, data, 2416 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2417 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2418 { 2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 2420 goto err; 2421 } 2422 s2n(u,p); 2423 n=u+2; 2424 } 2425 else 2426#endif 2427#ifndef OPENSSL_NO_DSA 2428 if (pkey->type == EVP_PKEY_DSA) 2429 { 2430 if (!DSA_sign(pkey->save_type, 2431 &(data[MD5_DIGEST_LENGTH]), 2432 SHA_DIGEST_LENGTH,&(p[2]), 2433 (unsigned int *)&j,pkey->pkey.dsa)) 2434 { 2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 2436 goto err; 2437 } 2438 s2n(j,p); 2439 n=j+2; 2440 } 2441 else 2442#endif 2443#ifndef OPENSSL_NO_ECDSA 2444 if (pkey->type == EVP_PKEY_EC) 2445 { 2446 if (!ECDSA_sign(pkey->save_type, 2447 &(data[MD5_DIGEST_LENGTH]), 2448 SHA_DIGEST_LENGTH,&(p[2]), 2449 (unsigned int *)&j,pkey->pkey.ec)) 2450 { 2451 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2452 ERR_R_ECDSA_LIB); 2453 goto err; 2454 } 2455 s2n(j,p); 2456 n=j+2; 2457 } 2458 else 2459#endif 2460 { 2461 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 2462 goto err; 2463 } 2464 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2465 l2n3(n,d); 2466 2467 s->state=SSL3_ST_CW_CERT_VRFY_B; 2468 s->init_num=(int)n+4; 2469 s->init_off=0; 2470 } 2471 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2472err: 2473 return(-1); 2474 } 2475 2476int ssl3_send_client_certificate(SSL *s) 2477 { 2478 X509 *x509=NULL; 2479 EVP_PKEY *pkey=NULL; 2480 int i; 2481 unsigned long l; 2482 2483 if (s->state == SSL3_ST_CW_CERT_A) 2484 { 2485 if ((s->cert == NULL) || 2486 (s->cert->key->x509 == NULL) || 2487 (s->cert->key->privatekey == NULL)) 2488 s->state=SSL3_ST_CW_CERT_B; 2489 else 2490 s->state=SSL3_ST_CW_CERT_C; 2491 } 2492 2493 /* We need to get a client cert */ 2494 if (s->state == SSL3_ST_CW_CERT_B) 2495 { 2496 /* If we get an error, we need to 2497 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2498 * We then get retied later */ 2499 i=0; 2500 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2501 if (i < 0) 2502 { 2503 s->rwstate=SSL_X509_LOOKUP; 2504 return(-1); 2505 } 2506 s->rwstate=SSL_NOTHING; 2507 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2508 { 2509 s->state=SSL3_ST_CW_CERT_B; 2510 if ( !SSL_use_certificate(s,x509) || 2511 !SSL_use_PrivateKey(s,pkey)) 2512 i=0; 2513 } 2514 else if (i == 1) 2515 { 2516 i=0; 2517 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2518 } 2519 2520 if (x509 != NULL) X509_free(x509); 2521 if (pkey != NULL) EVP_PKEY_free(pkey); 2522 if (i == 0) 2523 { 2524 if (s->version == SSL3_VERSION) 2525 { 2526 s->s3->tmp.cert_req=0; 2527 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 2528 return(1); 2529 } 2530 else 2531 { 2532 s->s3->tmp.cert_req=2; 2533 } 2534 } 2535 2536 /* Ok, we have a cert */ 2537 s->state=SSL3_ST_CW_CERT_C; 2538 } 2539 2540 if (s->state == SSL3_ST_CW_CERT_C) 2541 { 2542 s->state=SSL3_ST_CW_CERT_D; 2543 l=ssl3_output_cert_chain(s, 2544 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2545 s->init_num=(int)l; 2546 s->init_off=0; 2547 } 2548 /* SSL3_ST_CW_CERT_D */ 2549 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2550 } 2551 2552#define has_bits(i,m) (((i)&(m)) == (m)) 2553 2554int ssl3_check_cert_and_algorithm(SSL *s) 2555 { 2556 int i,idx; 2557 long algs; 2558 EVP_PKEY *pkey=NULL; 2559 SESS_CERT *sc; 2560#ifndef OPENSSL_NO_RSA 2561 RSA *rsa; 2562#endif 2563#ifndef OPENSSL_NO_DH 2564 DH *dh; 2565#endif 2566 2567 sc=s->session->sess_cert; 2568 2569 algs=s->s3->tmp.new_cipher->algorithms; 2570 2571 /* we don't have a certificate */ 2572 if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) 2573 return(1); 2574 2575 if (sc == NULL) 2576 { 2577 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 2578 goto err; 2579 } 2580 2581#ifndef OPENSSL_NO_RSA 2582 rsa=s->session->sess_cert->peer_rsa_tmp; 2583#endif 2584#ifndef OPENSSL_NO_DH 2585 dh=s->session->sess_cert->peer_dh_tmp; 2586#endif 2587 2588 /* This is the passed certificate */ 2589 2590 idx=sc->peer_cert_type; 2591#ifndef OPENSSL_NO_ECDH 2592 if (idx == SSL_PKEY_ECC) 2593 { 2594 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2595 s->s3->tmp.new_cipher) == 0) 2596 { /* check failed */ 2597 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2598 goto f_err; 2599 } 2600 else 2601 { 2602 return 1; 2603 } 2604 } 2605#endif 2606 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2607 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2608 EVP_PKEY_free(pkey); 2609 2610 2611 /* Check that we have a certificate if we require one */ 2612 if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2613 { 2614 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 2615 goto f_err; 2616 } 2617#ifndef OPENSSL_NO_DSA 2618 else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2619 { 2620 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 2621 goto f_err; 2622 } 2623#endif 2624#ifndef OPENSSL_NO_RSA 2625 if ((algs & SSL_kRSA) && 2626 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2627 { 2628 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2629 goto f_err; 2630 } 2631#endif 2632#ifndef OPENSSL_NO_DH 2633 if ((algs & SSL_kEDH) && 2634 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 2635 { 2636 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 2637 goto f_err; 2638 } 2639 else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 2640 { 2641 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 2642 goto f_err; 2643 } 2644#ifndef OPENSSL_NO_DSA 2645 else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 2646 { 2647 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 2648 goto f_err; 2649 } 2650#endif 2651#endif 2652 2653 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 2654 { 2655#ifndef OPENSSL_NO_RSA 2656 if (algs & SSL_kRSA) 2657 { 2658 if (rsa == NULL 2659 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 2660 { 2661 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 2662 goto f_err; 2663 } 2664 } 2665 else 2666#endif 2667#ifndef OPENSSL_NO_DH 2668 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2669 { 2670 if (dh == NULL 2671 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 2672 { 2673 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 2674 goto f_err; 2675 } 2676 } 2677 else 2678#endif 2679 { 2680 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 2681 goto f_err; 2682 } 2683 } 2684 return(1); 2685f_err: 2686 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2687err: 2688 return(0); 2689 } 2690 2691 2692#ifndef OPENSSL_NO_ECDH 2693/* This is the complement of nid2curve_id in s3_srvr.c. */ 2694static int curve_id2nid(int curve_id) 2695{ 2696 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) 2697 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ 2698 static int nid_list[26] = 2699 { 2700 0, 2701 NID_sect163k1, /* sect163k1 (1) */ 2702 NID_sect163r1, /* sect163r1 (2) */ 2703 NID_sect163r2, /* sect163r2 (3) */ 2704 NID_sect193r1, /* sect193r1 (4) */ 2705 NID_sect193r2, /* sect193r2 (5) */ 2706 NID_sect233k1, /* sect233k1 (6) */ 2707 NID_sect233r1, /* sect233r1 (7) */ 2708 NID_sect239k1, /* sect239k1 (8) */ 2709 NID_sect283k1, /* sect283k1 (9) */ 2710 NID_sect283r1, /* sect283r1 (10) */ 2711 NID_sect409k1, /* sect409k1 (11) */ 2712 NID_sect409r1, /* sect409r1 (12) */ 2713 NID_sect571k1, /* sect571k1 (13) */ 2714 NID_sect571r1, /* sect571r1 (14) */ 2715 NID_secp160k1, /* secp160k1 (15) */ 2716 NID_secp160r1, /* secp160r1 (16) */ 2717 NID_secp160r2, /* secp160r2 (17) */ 2718 NID_secp192k1, /* secp192k1 (18) */ 2719 NID_X9_62_prime192v1, /* secp192r1 (19) */ 2720 NID_secp224k1, /* secp224k1 (20) */ 2721 NID_secp224r1, /* secp224r1 (21) */ 2722 NID_secp256k1, /* secp256k1 (22) */ 2723 NID_X9_62_prime256v1, /* secp256r1 (23) */ 2724 NID_secp384r1, /* secp384r1 (24) */ 2725 NID_secp521r1 /* secp521r1 (25) */ 2726 }; 2727 2728 if ((curve_id < 1) || (curve_id > 25)) return 0; 2729 2730 return nid_list[curve_id]; 2731} 2732#endif 2733 2734/* Check to see if handshake is full or resumed. Usually this is just a 2735 * case of checking to see if a cache hit has occurred. In the case of 2736 * session tickets we have to check the next message to be sure. 2737 */ 2738 2739#ifndef OPENSSL_NO_TLSEXT 2740static int ssl3_check_finished(SSL *s) 2741 { 2742 int ok; 2743 long n; 2744 /* If we have no ticket or session ID is non-zero length (a match of 2745 * a non-zero session length would never reach here) it cannot be a 2746 * resumed session. 2747 */ 2748 if (!s->session->tlsext_tick || s->session->session_id_length) 2749 return 1; 2750 /* this function is called when we really expect a Certificate 2751 * message, so permit appropriate message length */ 2752 n=s->method->ssl_get_message(s, 2753 SSL3_ST_CR_CERT_A, 2754 SSL3_ST_CR_CERT_B, 2755 -1, 2756 s->max_cert_list, 2757 &ok); 2758 if (!ok) return((int)n); 2759 s->s3->tmp.reuse_message = 1; 2760 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 2761 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 2762 return 2; 2763 2764 return 1; 2765 } 2766#endif 2767 2768int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 2769 { 2770 int i = 0; 2771#ifndef OPENSSL_NO_ENGINE 2772 if (s->ctx->client_cert_engine) 2773 { 2774 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 2775 SSL_get_client_CA_list(s), 2776 px509, ppkey, NULL, NULL, NULL); 2777 if (i != 0) 2778 return i; 2779 } 2780#endif 2781 if (s->ctx->client_cert_cb) 2782 i = s->ctx->client_cert_cb(s,px509,ppkey); 2783 return i; 2784 } 2785