1/* ssl/s3_clnt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124/* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151#include <stdio.h> 152#include "ssl_locl.h" 153#include "kssl_lcl.h" 154#include <openssl/buffer.h> 155#include <openssl/rand.h> 156#include <openssl/objects.h> 157#include <openssl/evp.h> 158#include <openssl/md5.h> 159#ifdef OPENSSL_FIPS 160#include <openssl/fips.h> 161#endif 162#ifndef OPENSSL_NO_DH 163#include <openssl/dh.h> 164#endif 165#include <openssl/bn.h> 166#ifndef OPENSSL_NO_ENGINE 167#include <openssl/engine.h> 168#endif 169 170static const SSL_METHOD *ssl3_get_client_method(int ver); 171static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 172 173static const SSL_METHOD *ssl3_get_client_method(int ver) 174 { 175 if (ver == SSL3_VERSION) 176 return(SSLv3_client_method()); 177 else 178 return(NULL); 179 } 180 181IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182 ssl_undefined_function, 183 ssl3_connect, 184 ssl3_get_client_method) 185 186int ssl3_connect(SSL *s) 187 { 188 BUF_MEM *buf=NULL; 189 unsigned long Time=(unsigned long)time(NULL); 190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 191 int ret= -1; 192 int new_state,state,skip=0; 193 194 RAND_add(&Time,sizeof(Time),0); 195 ERR_clear_error(); 196 clear_sys_error(); 197 198 if (s->info_callback != NULL) 199 cb=s->info_callback; 200 else if (s->ctx->info_callback != NULL) 201 cb=s->ctx->info_callback; 202 203 s->in_handshake++; 204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 205 206#ifndef OPENSSL_NO_HEARTBEATS 207 /* If we're awaiting a HeartbeatResponse, pretend we 208 * already got and don't await it anymore, because 209 * Heartbeats don't make sense during handshakes anyway. 210 */ 211 if (s->tlsext_hb_pending) 212 { 213 s->tlsext_hb_pending = 0; 214 s->tlsext_hb_seq++; 215 } 216#endif 217 218 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 219 { 220 /* Send app data along with CCS/Finished */ 221 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; 222 } 223 224 for (;;) 225 { 226 state=s->state; 227 228 switch(s->state) 229 { 230 case SSL_ST_RENEGOTIATE: 231 s->renegotiate=1; 232 s->state=SSL_ST_CONNECT; 233 s->ctx->stats.sess_connect_renegotiate++; 234 /* break */ 235 case SSL_ST_BEFORE: 236 case SSL_ST_CONNECT: 237 case SSL_ST_BEFORE|SSL_ST_CONNECT: 238 case SSL_ST_OK|SSL_ST_CONNECT: 239 240 s->server=0; 241 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 242 243 if ((s->version & 0xff00 ) != 0x0300) 244 { 245 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 246 ret = -1; 247 goto end; 248 } 249 250 /* s->version=SSL3_VERSION; */ 251 s->type=SSL_ST_CONNECT; 252 253 if (s->init_buf == NULL) 254 { 255 if ((buf=BUF_MEM_new()) == NULL) 256 { 257 ret= -1; 258 goto end; 259 } 260 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 261 { 262 ret= -1; 263 goto end; 264 } 265 s->init_buf=buf; 266 buf=NULL; 267 } 268 269 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 270 271 /* setup buffing BIO */ 272 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 273 274 /* don't push the buffering BIO quite yet */ 275 276 ssl3_init_finished_mac(s); 277 278 s->state=SSL3_ST_CW_CLNT_HELLO_A; 279 s->ctx->stats.sess_connect++; 280 s->init_num=0; 281 break; 282 283 case SSL3_ST_CW_CLNT_HELLO_A: 284 case SSL3_ST_CW_CLNT_HELLO_B: 285 286 s->shutdown=0; 287 ret=ssl3_client_hello(s); 288 if (ret <= 0) goto end; 289 s->state=SSL3_ST_CR_SRVR_HELLO_A; 290 s->init_num=0; 291 292 /* turn on buffering for the next lot of output */ 293 if (s->bbio != s->wbio) 294 s->wbio=BIO_push(s->bbio,s->wbio); 295 296 break; 297 298 case SSL3_ST_CR_SRVR_HELLO_A: 299 case SSL3_ST_CR_SRVR_HELLO_B: 300 ret=ssl3_get_server_hello(s); 301 if (ret <= 0) goto end; 302 303 if (s->hit) 304 { 305 s->state=SSL3_ST_CR_FINISHED_A; 306#ifndef OPENSSL_NO_TLSEXT 307 if (s->tlsext_ticket_expected) 308 { 309 /* receive renewed session ticket */ 310 s->state=SSL3_ST_CR_SESSION_TICKET_A; 311 } 312#endif 313 } 314 else 315 s->state=SSL3_ST_CR_CERT_A; 316 s->init_num=0; 317 break; 318 319 case SSL3_ST_CR_CERT_A: 320 case SSL3_ST_CR_CERT_B: 321#ifndef OPENSSL_NO_TLSEXT 322 ret=ssl3_check_finished(s); 323 if (ret <= 0) goto end; 324 if (ret == 2) 325 { 326 s->hit = 1; 327 if (s->tlsext_ticket_expected) 328 s->state=SSL3_ST_CR_SESSION_TICKET_A; 329 else 330 s->state=SSL3_ST_CR_FINISHED_A; 331 s->init_num=0; 332 break; 333 } 334#endif 335 /* Check if it is anon DH/ECDH, SRP auth */ 336 /* or non-RSA PSK */ 337 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && 338 !((s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) && 339 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))) 340 { 341 ret=ssl3_get_server_certificate(s); 342 if (ret <= 0) goto end; 343#ifndef OPENSSL_NO_TLSEXT 344 if (s->tlsext_status_expected) 345 s->state=SSL3_ST_CR_CERT_STATUS_A; 346 else 347 s->state=SSL3_ST_CR_KEY_EXCH_A; 348 } 349 else 350 { 351 skip = 1; 352 s->state=SSL3_ST_CR_KEY_EXCH_A; 353 } 354#else 355 } 356 else 357 skip=1; 358 359 s->state=SSL3_ST_CR_KEY_EXCH_A; 360#endif 361 s->init_num=0; 362 break; 363 364 case SSL3_ST_CR_KEY_EXCH_A: 365 case SSL3_ST_CR_KEY_EXCH_B: 366 ret=ssl3_get_key_exchange(s); 367 if (ret <= 0) goto end; 368 s->state=SSL3_ST_CR_CERT_REQ_A; 369 s->init_num=0; 370 371 /* at this point we check that we have the 372 * required stuff from the server */ 373 if (!ssl3_check_cert_and_algorithm(s)) 374 { 375 ret= -1; 376 goto end; 377 } 378 break; 379 380 case SSL3_ST_CR_CERT_REQ_A: 381 case SSL3_ST_CR_CERT_REQ_B: 382 ret=ssl3_get_certificate_request(s); 383 if (ret <= 0) goto end; 384 s->state=SSL3_ST_CR_SRVR_DONE_A; 385 s->init_num=0; 386 break; 387 388 case SSL3_ST_CR_SRVR_DONE_A: 389 case SSL3_ST_CR_SRVR_DONE_B: 390 ret=ssl3_get_server_done(s); 391 if (ret <= 0) goto end; 392#ifndef OPENSSL_NO_SRP 393 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 394 { 395 if ((ret = SRP_Calc_A_param(s))<=0) 396 { 397 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC); 398 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); 399 goto end; 400 } 401 } 402#endif 403 if (s->s3->tmp.cert_req) 404 s->state=SSL3_ST_CW_CERT_A; 405 else 406 s->state=SSL3_ST_CW_KEY_EXCH_A; 407 s->init_num=0; 408 409 break; 410 411 case SSL3_ST_CW_CERT_A: 412 case SSL3_ST_CW_CERT_B: 413 case SSL3_ST_CW_CERT_C: 414 case SSL3_ST_CW_CERT_D: 415 ret=ssl3_send_client_certificate(s); 416 if (ret <= 0) goto end; 417 s->state=SSL3_ST_CW_KEY_EXCH_A; 418 s->init_num=0; 419 break; 420 421 case SSL3_ST_CW_KEY_EXCH_A: 422 case SSL3_ST_CW_KEY_EXCH_B: 423 ret=ssl3_send_client_key_exchange(s); 424 if (ret <= 0) goto end; 425 /* EAY EAY EAY need to check for DH fix cert 426 * sent back */ 427 /* For TLS, cert_req is set to 2, so a cert chain 428 * of nothing is sent, but no verify packet is sent */ 429 /* XXX: For now, we do not support client 430 * authentication in ECDH cipher suites with 431 * ECDH (rather than ECDSA) certificates. 432 * We need to skip the certificate verify 433 * message when client's ECDH public key is sent 434 * inside the client certificate. 435 */ 436 if (s->s3->tmp.cert_req == 1) 437 { 438 s->state=SSL3_ST_CW_CERT_VRFY_A; 439 } 440 else 441 { 442 s->state=SSL3_ST_CW_CHANGE_A; 443 s->s3->change_cipher_spec=0; 444 } 445 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 446 { 447 s->state=SSL3_ST_CW_CHANGE_A; 448 s->s3->change_cipher_spec=0; 449 } 450 451 s->init_num=0; 452 break; 453 454 case SSL3_ST_CW_CERT_VRFY_A: 455 case SSL3_ST_CW_CERT_VRFY_B: 456 ret=ssl3_send_client_verify(s); 457 if (ret <= 0) goto end; 458 s->state=SSL3_ST_CW_CHANGE_A; 459 s->init_num=0; 460 s->s3->change_cipher_spec=0; 461 break; 462 463 case SSL3_ST_CW_CHANGE_A: 464 case SSL3_ST_CW_CHANGE_B: 465 ret=ssl3_send_change_cipher_spec(s, 466 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 467 if (ret <= 0) goto end; 468 469 s->state=SSL3_ST_CW_FINISHED_A; 470#if !defined(OPENSSL_NO_TLSEXT) 471 if (s->s3->tlsext_channel_id_valid) 472 s->state=SSL3_ST_CW_CHANNEL_ID_A; 473# if !defined(OPENSSL_NO_NEXTPROTONEG) 474 if (s->s3->next_proto_neg_seen) 475 s->state=SSL3_ST_CW_NEXT_PROTO_A; 476# endif 477#endif 478 s->init_num=0; 479 480 s->session->cipher=s->s3->tmp.new_cipher; 481#ifdef OPENSSL_NO_COMP 482 s->session->compress_meth=0; 483#else 484 if (s->s3->tmp.new_compression == NULL) 485 s->session->compress_meth=0; 486 else 487 s->session->compress_meth= 488 s->s3->tmp.new_compression->id; 489#endif 490 if (!s->method->ssl3_enc->setup_key_block(s)) 491 { 492 ret= -1; 493 goto end; 494 } 495 496 if (!s->method->ssl3_enc->change_cipher_state(s, 497 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 498 { 499 ret= -1; 500 goto end; 501 } 502 503 break; 504 505#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 506 case SSL3_ST_CW_NEXT_PROTO_A: 507 case SSL3_ST_CW_NEXT_PROTO_B: 508 ret=ssl3_send_next_proto(s); 509 if (ret <= 0) goto end; 510 if (s->s3->tlsext_channel_id_valid) 511 s->state=SSL3_ST_CW_CHANNEL_ID_A; 512 else 513 s->state=SSL3_ST_CW_FINISHED_A; 514 break; 515#endif 516 517#if !defined(OPENSSL_NO_TLSEXT) 518 case SSL3_ST_CW_CHANNEL_ID_A: 519 case SSL3_ST_CW_CHANNEL_ID_B: 520 ret=ssl3_send_channel_id(s); 521 if (ret <= 0) goto end; 522 s->state=SSL3_ST_CW_FINISHED_A; 523 break; 524#endif 525 526 case SSL3_ST_CW_FINISHED_A: 527 case SSL3_ST_CW_FINISHED_B: 528 ret=ssl3_send_finished(s, 529 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 530 s->method->ssl3_enc->client_finished_label, 531 s->method->ssl3_enc->client_finished_label_len); 532 if (ret <= 0) goto end; 533 s->s3->flags |= SSL3_FLAGS_CCS_OK; 534 s->state=SSL3_ST_CW_FLUSH; 535 536 /* clear flags */ 537 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 538 if (s->hit) 539 { 540 s->s3->tmp.next_state=SSL_ST_OK; 541 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 542 { 543 s->state=SSL_ST_OK; 544 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 545 s->s3->delay_buf_pop_ret=0; 546 } 547 } 548 else 549 { 550 /* This is a non-resumption handshake. If it 551 * involves ChannelID, then record the 552 * handshake hashes at this point in the 553 * session so that any resumption of this 554 * session with ChannelID can sign those 555 * hashes. */ 556 if (s->s3->tlsext_channel_id_new) 557 { 558 ret = tls1_record_handshake_hashes_for_channel_id(s); 559 if (ret <= 0) 560 goto end; 561 } 562 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 563 && ssl3_can_cutthrough(s) 564 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ 565 ) 566 { 567 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 568 { 569 s->state=SSL3_ST_CUTTHROUGH_COMPLETE; 570 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 571 s->s3->delay_buf_pop_ret=0; 572 } 573 else 574 { 575 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE; 576 } 577 } 578 else 579 { 580#ifndef OPENSSL_NO_TLSEXT 581 /* Allow NewSessionTicket if ticket expected */ 582 if (s->tlsext_ticket_expected) 583 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 584 else 585#endif 586 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 587 } 588 } 589 s->init_num=0; 590 break; 591 592#ifndef OPENSSL_NO_TLSEXT 593 case SSL3_ST_CR_SESSION_TICKET_A: 594 case SSL3_ST_CR_SESSION_TICKET_B: 595 ret=ssl3_get_new_session_ticket(s); 596 if (ret <= 0) goto end; 597 s->state=SSL3_ST_CR_FINISHED_A; 598 s->init_num=0; 599 break; 600 601 case SSL3_ST_CR_CERT_STATUS_A: 602 case SSL3_ST_CR_CERT_STATUS_B: 603 ret=ssl3_get_cert_status(s); 604 if (ret <= 0) goto end; 605 s->state=SSL3_ST_CR_KEY_EXCH_A; 606 s->init_num=0; 607 break; 608#endif 609 610 case SSL3_ST_CR_FINISHED_A: 611 case SSL3_ST_CR_FINISHED_B: 612 613 s->s3->flags |= SSL3_FLAGS_CCS_OK; 614 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 615 SSL3_ST_CR_FINISHED_B); 616 if (ret <= 0) goto end; 617 618 if (s->hit) 619 s->state=SSL3_ST_CW_CHANGE_A; 620 else 621 s->state=SSL_ST_OK; 622 s->init_num=0; 623 break; 624 625 case SSL3_ST_CW_FLUSH: 626 s->rwstate=SSL_WRITING; 627 if (BIO_flush(s->wbio) <= 0) 628 { 629 ret= -1; 630 goto end; 631 } 632 s->rwstate=SSL_NOTHING; 633 s->state=s->s3->tmp.next_state; 634 break; 635 636 case SSL3_ST_CUTTHROUGH_COMPLETE: 637#ifndef OPENSSL_NO_TLSEXT 638 /* Allow NewSessionTicket if ticket expected */ 639 if (s->tlsext_ticket_expected) 640 s->state=SSL3_ST_CR_SESSION_TICKET_A; 641 else 642#endif 643 s->state=SSL3_ST_CR_FINISHED_A; 644 645 /* SSL_write() will take care of flushing buffered data if 646 * DELAY_CLIENT_FINISHED is set. 647 */ 648 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) 649 ssl_free_wbio_buffer(s); 650 ret = 1; 651 goto end; 652 /* break; */ 653 654 case SSL_ST_OK: 655 /* clean a few things up */ 656 ssl3_cleanup_key_block(s); 657 658 if (s->init_buf != NULL) 659 { 660 BUF_MEM_free(s->init_buf); 661 s->init_buf=NULL; 662 } 663 664 /* If we are not 'joining' the last two packets, 665 * remove the buffering now */ 666 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 667 ssl_free_wbio_buffer(s); 668 /* else do it later in ssl3_write */ 669 670 s->init_num=0; 671 s->renegotiate=0; 672 s->new_session=0; 673 674 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 675 if (s->hit) s->ctx->stats.sess_hit++; 676 677 ret=1; 678 /* s->server=0; */ 679 s->handshake_func=ssl3_connect; 680 s->ctx->stats.sess_connect_good++; 681 682 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 683 684 goto end; 685 /* break; */ 686 687 default: 688 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 689 ret= -1; 690 goto end; 691 /* break; */ 692 } 693 694 /* did we do anything */ 695 if (!s->s3->tmp.reuse_message && !skip) 696 { 697 if (s->debug) 698 { 699 if ((ret=BIO_flush(s->wbio)) <= 0) 700 goto end; 701 } 702 703 if ((cb != NULL) && (s->state != state)) 704 { 705 new_state=s->state; 706 s->state=state; 707 cb(s,SSL_CB_CONNECT_LOOP,1); 708 s->state=new_state; 709 } 710 } 711 skip=0; 712 } 713end: 714 s->in_handshake--; 715 if (buf != NULL) 716 BUF_MEM_free(buf); 717 if (cb != NULL) 718 cb(s,SSL_CB_CONNECT_EXIT,ret); 719 return(ret); 720 } 721 722 723int ssl3_client_hello(SSL *s) 724 { 725 unsigned char *buf; 726 unsigned char *p,*d; 727 int i; 728 unsigned long l; 729#ifndef OPENSSL_NO_COMP 730 int j; 731 SSL_COMP *comp; 732#endif 733 734 buf=(unsigned char *)s->init_buf->data; 735 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 736 { 737 SSL_SESSION *sess = s->session; 738 if ((sess == NULL) || 739 (sess->ssl_version != s->version) || 740#ifdef OPENSSL_NO_TLSEXT 741 !sess->session_id_length || 742#else 743 (!sess->session_id_length && !sess->tlsext_tick) || 744#endif 745 (sess->not_resumable)) 746 { 747 if (!s->session_creation_enabled) 748 { 749 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 750 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 751 goto err; 752 } 753 if (!ssl_get_new_session(s,0)) 754 goto err; 755 } 756 /* else use the pre-loaded session */ 757 758 p=s->s3->client_random; 759 760 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 761 goto err; 762 763 /* Do the message type and length last */ 764 d=p= &(buf[4]); 765 766 /* version indicates the negotiated version: for example from 767 * an SSLv2/v3 compatible client hello). The client_version 768 * field is the maximum version we permit and it is also 769 * used in RSA encrypted premaster secrets. Some servers can 770 * choke if we initially report a higher version then 771 * renegotiate to a lower one in the premaster secret. This 772 * didn't happen with TLS 1.0 as most servers supported it 773 * but it can with TLS 1.1 or later if the server only supports 774 * 1.0. 775 * 776 * Possible scenario with previous logic: 777 * 1. Client hello indicates TLS 1.2 778 * 2. Server hello says TLS 1.0 779 * 3. RSA encrypted premaster secret uses 1.2. 780 * 4. Handhaked proceeds using TLS 1.0. 781 * 5. Server sends hello request to renegotiate. 782 * 6. Client hello indicates TLS v1.0 as we now 783 * know that is maximum server supports. 784 * 7. Server chokes on RSA encrypted premaster secret 785 * containing version 1.0. 786 * 787 * For interoperability it should be OK to always use the 788 * maximum version we support in client hello and then rely 789 * on the checking of version to ensure the servers isn't 790 * being inconsistent: for example initially negotiating with 791 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 792 * client_version in client hello and not resetting it to 793 * the negotiated version. 794 */ 795#if 0 796 *(p++)=s->version>>8; 797 *(p++)=s->version&0xff; 798 s->client_version=s->version; 799#else 800 *(p++)=s->client_version>>8; 801 *(p++)=s->client_version&0xff; 802#endif 803 804 /* Random stuff */ 805 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 806 p+=SSL3_RANDOM_SIZE; 807 808 /* Session ID */ 809 if (s->new_session) 810 i=0; 811 else 812 i=s->session->session_id_length; 813 *(p++)=i; 814 if (i != 0) 815 { 816 if (i > (int)sizeof(s->session->session_id)) 817 { 818 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 819 goto err; 820 } 821 memcpy(p,s->session->session_id,i); 822 p+=i; 823 } 824 825 /* Ciphers supported */ 826 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 827 if (i == 0) 828 { 829 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 830 goto err; 831 } 832#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 833 /* Some servers hang if client hello > 256 bytes 834 * as hack workaround chop number of supported ciphers 835 * to keep it well below this if we use TLS v1.2 836 */ 837 if (TLS1_get_version(s) >= TLS1_2_VERSION 838 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 839 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 840#endif 841 s2n(i,p); 842 p+=i; 843 844 /* COMPRESSION */ 845#ifdef OPENSSL_NO_COMP 846 *(p++)=1; 847#else 848 849 if ((s->options & SSL_OP_NO_COMPRESSION) 850 || !s->ctx->comp_methods) 851 j=0; 852 else 853 j=sk_SSL_COMP_num(s->ctx->comp_methods); 854 *(p++)=1+j; 855 for (i=0; i<j; i++) 856 { 857 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 858 *(p++)=comp->id; 859 } 860#endif 861 *(p++)=0; /* Add the NULL method */ 862 863#ifndef OPENSSL_NO_TLSEXT 864 /* TLS extensions*/ 865 if (ssl_prepare_clienthello_tlsext(s) <= 0) 866 { 867 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 868 goto err; 869 } 870 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 871 { 872 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 873 goto err; 874 } 875#endif 876 877 l=(p-d); 878 d=buf; 879 *(d++)=SSL3_MT_CLIENT_HELLO; 880 l2n3(l,d); 881 882 s->state=SSL3_ST_CW_CLNT_HELLO_B; 883 /* number of bytes to write */ 884 s->init_num=p-buf; 885 s->init_off=0; 886 } 887 888 /* SSL3_ST_CW_CLNT_HELLO_B */ 889 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 890err: 891 return(-1); 892 } 893 894int ssl3_get_server_hello(SSL *s) 895 { 896 STACK_OF(SSL_CIPHER) *sk; 897 const SSL_CIPHER *c; 898 unsigned char *p,*d; 899 int i,al,ok; 900 unsigned int j; 901 long n; 902#ifndef OPENSSL_NO_COMP 903 SSL_COMP *comp; 904#endif 905 906 n=s->method->ssl_get_message(s, 907 SSL3_ST_CR_SRVR_HELLO_A, 908 SSL3_ST_CR_SRVR_HELLO_B, 909 -1, 910 20000, /* ?? */ 911 &ok); 912 913 if (!ok) return((int)n); 914 915 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 916 { 917 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 918 { 919 if ( s->d1->send_cookie == 0) 920 { 921 s->s3->tmp.reuse_message = 1; 922 return 1; 923 } 924 else /* already sent a cookie */ 925 { 926 al=SSL_AD_UNEXPECTED_MESSAGE; 927 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 928 goto f_err; 929 } 930 } 931 } 932 933 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 934 { 935 al=SSL_AD_UNEXPECTED_MESSAGE; 936 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 937 goto f_err; 938 } 939 940 d=p=(unsigned char *)s->init_msg; 941 942 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 943 { 944 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 945 s->version=(s->version&0xff00)|p[1]; 946 al=SSL_AD_PROTOCOL_VERSION; 947 goto f_err; 948 } 949 p+=2; 950 951 /* load the server hello data */ 952 /* load the server random */ 953 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 954 p+=SSL3_RANDOM_SIZE; 955 956 /* get the session-id */ 957 j= *(p++); 958 959 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 960 { 961 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 963 goto f_err; 964 } 965 966#ifndef OPENSSL_NO_TLSEXT 967 /* check if we want to resume the session based on external pre-shared secret */ 968 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 969 { 970 SSL_CIPHER *pref_cipher=NULL; 971 s->session->master_key_length=sizeof(s->session->master_key); 972 if (s->tls_session_secret_cb(s, s->session->master_key, 973 &s->session->master_key_length, 974 NULL, &pref_cipher, 975 s->tls_session_secret_cb_arg)) 976 { 977 s->session->cipher = pref_cipher ? 978 pref_cipher : ssl_get_cipher_by_char(s, p+j); 979 s->s3->flags |= SSL3_FLAGS_CCS_OK; 980 } 981 } 982#endif /* OPENSSL_NO_TLSEXT */ 983 984 if (j != 0 && j == s->session->session_id_length 985 && memcmp(p,s->session->session_id,j) == 0) 986 { 987 if(s->sid_ctx_length != s->session->sid_ctx_length 988 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 989 { 990 /* actually a client application bug */ 991 al=SSL_AD_ILLEGAL_PARAMETER; 992 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 993 goto f_err; 994 } 995 s->s3->flags |= SSL3_FLAGS_CCS_OK; 996 s->hit=1; 997 } 998 else /* a miss or crap from the other end */ 999 { 1000 /* If we were trying for session-id reuse, make a new 1001 * SSL_SESSION so we don't stuff up other people */ 1002 s->hit=0; 1003 if (s->session->session_id_length > 0) 1004 { 1005 if (!s->session_creation_enabled) 1006 { 1007 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1008 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 1009 goto err; 1010 } 1011 if (!ssl_get_new_session(s,0)) 1012 { 1013 al=SSL_AD_INTERNAL_ERROR; 1014 goto f_err; 1015 } 1016 } 1017 s->session->session_id_length=j; 1018 memcpy(s->session->session_id,p,j); /* j could be 0 */ 1019 } 1020 p+=j; 1021 c=ssl_get_cipher_by_char(s,p); 1022 if (c == NULL) 1023 { 1024 /* unknown cipher */ 1025 al=SSL_AD_ILLEGAL_PARAMETER; 1026 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 1027 goto f_err; 1028 } 1029 /* TLS v1.2 only ciphersuites require v1.2 or later */ 1030 if ((c->algorithm_ssl & SSL_TLSV1_2) && 1031 (TLS1_get_version(s) < TLS1_2_VERSION)) 1032 { 1033 al=SSL_AD_ILLEGAL_PARAMETER; 1034 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 1035 goto f_err; 1036 } 1037#ifndef OPENSSL_NO_SRP 1038 if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) && 1039 !(s->srp_ctx.srp_Mask & SSL_kSRP)) 1040 { 1041 al=SSL_AD_ILLEGAL_PARAMETER; 1042 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 1043 goto f_err; 1044 } 1045#endif /* OPENSSL_NO_SRP */ 1046 p+=ssl_put_cipher_by_char(s,NULL,NULL); 1047 1048 sk=ssl_get_ciphers_by_id(s); 1049 i=sk_SSL_CIPHER_find(sk,c); 1050 if (i < 0) 1051 { 1052 /* we did not say we would use this cipher */ 1053 al=SSL_AD_ILLEGAL_PARAMETER; 1054 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 1055 goto f_err; 1056 } 1057 1058 /* Depending on the session caching (internal/external), the cipher 1059 and/or cipher_id values may not be set. Make sure that 1060 cipher_id is set and use it for comparison. */ 1061 if (s->session->cipher) 1062 s->session->cipher_id = s->session->cipher->id; 1063 if (s->hit && (s->session->cipher_id != c->id)) 1064 { 1065/* Workaround is now obsolete */ 1066#if 0 1067 if (!(s->options & 1068 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 1069#endif 1070 { 1071 al=SSL_AD_ILLEGAL_PARAMETER; 1072 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1073 goto f_err; 1074 } 1075 } 1076 s->s3->tmp.new_cipher=c; 1077 /* Don't digest cached records if TLS v1.2: we may need them for 1078 * client authentication. 1079 */ 1080 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 1081 { 1082 al = SSL_AD_INTERNAL_ERROR; 1083 goto f_err; 1084 } 1085 /* lets get the compression algorithm */ 1086 /* COMPRESSION */ 1087#ifdef OPENSSL_NO_COMP 1088 if (*(p++) != 0) 1089 { 1090 al=SSL_AD_ILLEGAL_PARAMETER; 1091 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1092 goto f_err; 1093 } 1094 /* If compression is disabled we'd better not try to resume a session 1095 * using compression. 1096 */ 1097 if (s->session->compress_meth != 0) 1098 { 1099 al=SSL_AD_INTERNAL_ERROR; 1100 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1101 goto f_err; 1102 } 1103#else 1104 j= *(p++); 1105 if (s->hit && j != s->session->compress_meth) 1106 { 1107 al=SSL_AD_ILLEGAL_PARAMETER; 1108 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1109 goto f_err; 1110 } 1111 if (j == 0) 1112 comp=NULL; 1113 else if (s->options & SSL_OP_NO_COMPRESSION) 1114 { 1115 al=SSL_AD_ILLEGAL_PARAMETER; 1116 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); 1117 goto f_err; 1118 } 1119 else 1120 comp=ssl3_comp_find(s->ctx->comp_methods,j); 1121 1122 if ((j != 0) && (comp == NULL)) 1123 { 1124 al=SSL_AD_ILLEGAL_PARAMETER; 1125 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1126 goto f_err; 1127 } 1128 else 1129 { 1130 s->s3->tmp.new_compression=comp; 1131 } 1132#endif 1133 1134#ifndef OPENSSL_NO_TLSEXT 1135 /* TLS extensions*/ 1136 if (s->version >= SSL3_VERSION) 1137 { 1138 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 1139 { 1140 /* 'al' set by ssl_parse_serverhello_tlsext */ 1141 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1142 goto f_err; 1143 } 1144 if (ssl_check_serverhello_tlsext(s) <= 0) 1145 { 1146 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1147 goto err; 1148 } 1149 } 1150#endif 1151 1152 if (p != (d+n)) 1153 { 1154 /* wrong packet length */ 1155 al=SSL_AD_DECODE_ERROR; 1156 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1157 goto f_err; 1158 } 1159 1160 return(1); 1161f_err: 1162 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1163err: 1164 return(-1); 1165 } 1166 1167int ssl3_get_server_certificate(SSL *s) 1168 { 1169 int al,i,ok,ret= -1; 1170 unsigned long n,nc,llen,l; 1171 X509 *x=NULL; 1172 const unsigned char *q,*p; 1173 unsigned char *d; 1174 STACK_OF(X509) *sk=NULL; 1175 SESS_CERT *sc; 1176 EVP_PKEY *pkey=NULL; 1177 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1178 1179 n=s->method->ssl_get_message(s, 1180 SSL3_ST_CR_CERT_A, 1181 SSL3_ST_CR_CERT_B, 1182 -1, 1183 s->max_cert_list, 1184 &ok); 1185 1186 if (!ok) return((int)n); 1187 1188 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1189 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1190 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1191 { 1192 s->s3->tmp.reuse_message=1; 1193 return(1); 1194 } 1195 1196 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1197 { 1198 al=SSL_AD_UNEXPECTED_MESSAGE; 1199 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 1200 goto f_err; 1201 } 1202 p=d=(unsigned char *)s->init_msg; 1203 1204 if ((sk=sk_X509_new_null()) == NULL) 1205 { 1206 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1207 goto err; 1208 } 1209 1210 n2l3(p,llen); 1211 if (llen+3 != n) 1212 { 1213 al=SSL_AD_DECODE_ERROR; 1214 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 1215 goto f_err; 1216 } 1217 for (nc=0; nc<llen; ) 1218 { 1219 n2l3(p,l); 1220 if ((l+nc+3) > llen) 1221 { 1222 al=SSL_AD_DECODE_ERROR; 1223 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1224 goto f_err; 1225 } 1226 1227 q=p; 1228 x=d2i_X509(NULL,&q,l); 1229 if (x == NULL) 1230 { 1231 al=SSL_AD_BAD_CERTIFICATE; 1232 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 1233 goto f_err; 1234 } 1235 if (q != (p+l)) 1236 { 1237 al=SSL_AD_DECODE_ERROR; 1238 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1239 goto f_err; 1240 } 1241 if (!sk_X509_push(sk,x)) 1242 { 1243 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1244 goto err; 1245 } 1246 x=NULL; 1247 nc+=l+3; 1248 p=q; 1249 } 1250 1251 i=ssl_verify_cert_chain(s,sk); 1252 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1253#ifndef OPENSSL_NO_KRB5 1254 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1255 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1256#endif /* OPENSSL_NO_KRB5 */ 1257 ) 1258 { 1259 al=ssl_verify_alarm_type(s->verify_result); 1260 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1261 goto f_err; 1262 } 1263 ERR_clear_error(); /* but we keep s->verify_result */ 1264 1265 sc=ssl_sess_cert_new(); 1266 if (sc == NULL) goto err; 1267 1268 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1269 s->session->sess_cert=sc; 1270 1271 sc->cert_chain=sk; 1272 /* Inconsistency alert: cert_chain does include the peer's 1273 * certificate, which we don't include in s3_srvr.c */ 1274 x=sk_X509_value(sk,0); 1275 sk=NULL; 1276 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1277 1278 pkey=X509_get_pubkey(x); 1279 1280 /* VRS: allow null cert if auth == KRB5 */ 1281 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1282 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1283 ? 0 : 1; 1284 1285#ifdef KSSL_DEBUG 1286 printf("pkey,x = %p, %p\n", pkey,x); 1287 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1288 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1289 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1290#endif /* KSSL_DEBUG */ 1291 1292 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1293 { 1294 x=NULL; 1295 al=SSL3_AL_FATAL; 1296 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1297 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1298 goto f_err; 1299 } 1300 1301 i=ssl_cert_type(x,pkey); 1302 if (need_cert && i < 0) 1303 { 1304 x=NULL; 1305 al=SSL3_AL_FATAL; 1306 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1307 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1308 goto f_err; 1309 } 1310 1311 if (need_cert) 1312 { 1313 sc->peer_cert_type=i; 1314 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1315 /* Why would the following ever happen? 1316 * We just created sc a couple of lines ago. */ 1317 if (sc->peer_pkeys[i].x509 != NULL) 1318 X509_free(sc->peer_pkeys[i].x509); 1319 sc->peer_pkeys[i].x509=x; 1320 sc->peer_key= &(sc->peer_pkeys[i]); 1321 1322 if (s->session->peer != NULL) 1323 X509_free(s->session->peer); 1324 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1325 s->session->peer=x; 1326 } 1327 else 1328 { 1329 sc->peer_cert_type=i; 1330 sc->peer_key= NULL; 1331 1332 if (s->session->peer != NULL) 1333 X509_free(s->session->peer); 1334 s->session->peer=NULL; 1335 } 1336 s->session->verify_result = s->verify_result; 1337 1338 x=NULL; 1339 ret=1; 1340 1341 if (0) 1342 { 1343f_err: 1344 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1345 } 1346err: 1347 EVP_PKEY_free(pkey); 1348 X509_free(x); 1349 sk_X509_pop_free(sk,X509_free); 1350 return(ret); 1351 } 1352 1353int ssl3_get_key_exchange(SSL *s) 1354 { 1355#ifndef OPENSSL_NO_RSA 1356 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1357#endif 1358 EVP_MD_CTX md_ctx; 1359 unsigned char *param,*p; 1360 int al,j,ok; 1361 long i,param_len,n,alg_k,alg_a; 1362 EVP_PKEY *pkey=NULL; 1363 const EVP_MD *md = NULL; 1364#ifndef OPENSSL_NO_RSA 1365 RSA *rsa=NULL; 1366#endif 1367#ifndef OPENSSL_NO_DH 1368 DH *dh=NULL; 1369#endif 1370#ifndef OPENSSL_NO_ECDH 1371 EC_KEY *ecdh = NULL; 1372 BN_CTX *bn_ctx = NULL; 1373 EC_POINT *srvr_ecpoint = NULL; 1374 int curve_nid = 0; 1375 int encoded_pt_len = 0; 1376#endif 1377 1378 /* use same message size as in ssl3_get_certificate_request() 1379 * as ServerKeyExchange message may be skipped */ 1380 n=s->method->ssl_get_message(s, 1381 SSL3_ST_CR_KEY_EXCH_A, 1382 SSL3_ST_CR_KEY_EXCH_B, 1383 -1, 1384 s->max_cert_list, 1385 &ok); 1386 if (!ok) return((int)n); 1387 1388 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 1389 { 1390#ifndef OPENSSL_NO_PSK 1391 /* In plain PSK ciphersuite, ServerKeyExchange can be 1392 omitted if no identity hint is sent. Set 1393 session->sess_cert anyway to avoid problems 1394 later.*/ 1395 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) 1396 { 1397 s->session->sess_cert=ssl_sess_cert_new(); 1398 if (s->session->psk_identity_hint) 1399 { 1400 OPENSSL_free(s->session->psk_identity_hint); 1401 s->session->psk_identity_hint = NULL; 1402 } 1403 } 1404#endif 1405 s->s3->tmp.reuse_message=1; 1406 return(1); 1407 } 1408 1409 param=p=(unsigned char *)s->init_msg; 1410 if (s->session->sess_cert != NULL) 1411 { 1412#ifndef OPENSSL_NO_RSA 1413 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1414 { 1415 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1416 s->session->sess_cert->peer_rsa_tmp=NULL; 1417 } 1418#endif 1419#ifndef OPENSSL_NO_DH 1420 if (s->session->sess_cert->peer_dh_tmp) 1421 { 1422 DH_free(s->session->sess_cert->peer_dh_tmp); 1423 s->session->sess_cert->peer_dh_tmp=NULL; 1424 } 1425#endif 1426#ifndef OPENSSL_NO_ECDH 1427 if (s->session->sess_cert->peer_ecdh_tmp) 1428 { 1429 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1430 s->session->sess_cert->peer_ecdh_tmp=NULL; 1431 } 1432#endif 1433 } 1434 else 1435 { 1436 s->session->sess_cert=ssl_sess_cert_new(); 1437 } 1438 1439 /* Total length of the parameters including the length prefix */ 1440 param_len=0; 1441 1442 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1443 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1444 EVP_MD_CTX_init(&md_ctx); 1445 1446 al=SSL_AD_DECODE_ERROR; 1447 1448#ifndef OPENSSL_NO_PSK 1449 if (alg_a & SSL_aPSK) 1450 { 1451 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1452 1453 param_len = 2; 1454 if (param_len > n) 1455 { 1456 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1457 SSL_R_LENGTH_TOO_SHORT); 1458 goto f_err; 1459 } 1460 n2s(p,i); 1461 1462 if (s->session->psk_identity_hint) 1463 { 1464 OPENSSL_free(s->session->psk_identity_hint); 1465 s->session->psk_identity_hint = NULL; 1466 } 1467 if (i != 0) 1468 { 1469 /* Store PSK identity hint for later use, hint is used 1470 * in ssl3_send_client_key_exchange. Assume that the 1471 * maximum length of a PSK identity hint can be as 1472 * long as the maximum length of a PSK identity. */ 1473 if (i > PSK_MAX_IDENTITY_LEN) 1474 { 1475 al=SSL_AD_HANDSHAKE_FAILURE; 1476 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1477 SSL_R_DATA_LENGTH_TOO_LONG); 1478 goto f_err; 1479 } 1480 if (i > n - param_len) 1481 { 1482 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1483 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1484 goto f_err; 1485 } 1486 param_len += i; 1487 1488 /* If received PSK identity hint contains NULL 1489 * characters, the hint is truncated from the first 1490 * NULL. p may not be ending with NULL, so create a 1491 * NULL-terminated string. */ 1492 memcpy(tmp_id_hint, p, i); 1493 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1494 s->session->psk_identity_hint = BUF_strdup(tmp_id_hint); 1495 if (s->session->psk_identity_hint == NULL) 1496 { 1497 al=SSL_AD_HANDSHAKE_FAILURE; 1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1499 goto f_err; 1500 } 1501 } 1502 p+=i; 1503 n-=param_len; 1504 } 1505#endif /* !OPENSSL_NO_PSK */ 1506 1507 if (0) {} 1508#ifndef OPENSSL_NO_SRP 1509 else if (alg_k & SSL_kSRP) 1510 { 1511 param_len = 2; 1512 if (param_len > n) 1513 { 1514 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1515 SSL_R_LENGTH_TOO_SHORT); 1516 goto f_err; 1517 } 1518 n2s(p,i); 1519 1520 if (i > n - param_len) 1521 { 1522 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH); 1523 goto f_err; 1524 } 1525 param_len += i; 1526 1527 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1528 { 1529 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1530 goto err; 1531 } 1532 p+=i; 1533 1534 1535 if (2 > n - param_len) 1536 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1538 SSL_R_LENGTH_TOO_SHORT); 1539 goto f_err; 1540 } 1541 param_len += 2; 1542 1543 n2s(p,i); 1544 1545 if (i > n - param_len) 1546 { 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH); 1548 goto f_err; 1549 } 1550 param_len += i; 1551 1552 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1553 { 1554 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1555 goto err; 1556 } 1557 p+=i; 1558 1559 1560 if (1 > n - param_len) 1561 { 1562 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1563 SSL_R_LENGTH_TOO_SHORT); 1564 goto f_err; 1565 } 1566 param_len += 1; 1567 1568 i = (unsigned int)(p[0]); 1569 p++; 1570 1571 if (i > n - param_len) 1572 { 1573 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH); 1574 goto f_err; 1575 } 1576 param_len += i; 1577 1578 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1579 { 1580 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1581 goto err; 1582 } 1583 p+=i; 1584 1585 if (2 > n - param_len) 1586 { 1587 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1588 SSL_R_LENGTH_TOO_SHORT); 1589 goto f_err; 1590 } 1591 param_len += 2; 1592 1593 n2s(p,i); 1594 1595 if (i > n - param_len) 1596 { 1597 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH); 1598 goto f_err; 1599 } 1600 param_len += i; 1601 1602 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1603 { 1604 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1605 goto err; 1606 } 1607 p+=i; 1608 n-=param_len; 1609 1610 if (!srp_verify_server_param(s, &al)) 1611 { 1612 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS); 1613 goto f_err; 1614 } 1615 1616/* We must check if there is a certificate */ 1617#ifndef OPENSSL_NO_RSA 1618 if (alg_a & SSL_aRSA) 1619 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1620#else 1621 if (0) 1622 ; 1623#endif 1624#ifndef OPENSSL_NO_DSA 1625 else if (alg_a & SSL_aDSS) 1626 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1627#endif 1628 } 1629#endif /* !OPENSSL_NO_SRP */ 1630#ifndef OPENSSL_NO_RSA 1631 else if (alg_k & SSL_kRSA) 1632 { 1633 if ((rsa=RSA_new()) == NULL) 1634 { 1635 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1636 goto err; 1637 } 1638 1639 param_len = 2; 1640 if (param_len > n) 1641 { 1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1643 SSL_R_LENGTH_TOO_SHORT); 1644 goto f_err; 1645 } 1646 n2s(p,i); 1647 1648 if (i > n - param_len) 1649 { 1650 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 1651 goto f_err; 1652 } 1653 param_len += i; 1654 1655 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1656 { 1657 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1658 goto err; 1659 } 1660 p+=i; 1661 1662 if (2 > n - param_len) 1663 { 1664 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1665 SSL_R_LENGTH_TOO_SHORT); 1666 goto f_err; 1667 } 1668 param_len += 2; 1669 1670 n2s(p,i); 1671 1672 if (i > n - param_len) 1673 { 1674 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 1675 goto f_err; 1676 } 1677 param_len += i; 1678 1679 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1680 { 1681 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1682 goto err; 1683 } 1684 p+=i; 1685 n-=param_len; 1686 1687 /* this should be because we are using an export cipher */ 1688 if (alg_a & SSL_aRSA) 1689 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1690 else 1691 { 1692 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1693 goto err; 1694 } 1695 s->session->sess_cert->peer_rsa_tmp=rsa; 1696 rsa=NULL; 1697 } 1698#endif 1699#ifndef OPENSSL_NO_DH 1700 else if (alg_k & SSL_kEDH) 1701 { 1702 if ((dh=DH_new()) == NULL) 1703 { 1704 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 1705 goto err; 1706 } 1707 1708 param_len = 2; 1709 if (param_len > n) 1710 { 1711 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1712 SSL_R_LENGTH_TOO_SHORT); 1713 goto f_err; 1714 } 1715 n2s(p,i); 1716 1717 if (i > n - param_len) 1718 { 1719 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 1720 goto f_err; 1721 } 1722 param_len += i; 1723 1724 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1725 { 1726 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1727 goto err; 1728 } 1729 p+=i; 1730 1731 if (2 > n - param_len) 1732 { 1733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1734 SSL_R_LENGTH_TOO_SHORT); 1735 goto f_err; 1736 } 1737 param_len += 2; 1738 1739 n2s(p,i); 1740 1741 if (i > n - param_len) 1742 { 1743 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 1744 goto f_err; 1745 } 1746 param_len += i; 1747 1748 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1749 { 1750 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1751 goto err; 1752 } 1753 p+=i; 1754 1755 if (2 > n - param_len) 1756 { 1757 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1758 SSL_R_LENGTH_TOO_SHORT); 1759 goto f_err; 1760 } 1761 param_len += 2; 1762 1763 n2s(p,i); 1764 1765 if (i > n - param_len) 1766 { 1767 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 1768 goto f_err; 1769 } 1770 param_len += i; 1771 1772 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1773 { 1774 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1775 goto err; 1776 } 1777 p+=i; 1778 n-=param_len; 1779 1780#ifndef OPENSSL_NO_RSA 1781 if (alg_a & SSL_aRSA) 1782 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1783#else 1784 if (0) 1785 ; 1786#endif 1787#ifndef OPENSSL_NO_DSA 1788 else if (alg_a & SSL_aDSS) 1789 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1790#endif 1791 /* else anonymous DH, so no certificate or pkey. */ 1792 1793 s->session->sess_cert->peer_dh_tmp=dh; 1794 dh=NULL; 1795 } 1796 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1797 { 1798 al=SSL_AD_ILLEGAL_PARAMETER; 1799 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1800 goto f_err; 1801 } 1802#endif /* !OPENSSL_NO_DH */ 1803 1804#ifndef OPENSSL_NO_ECDH 1805 else if (alg_k & SSL_kEECDH) 1806 { 1807 EC_GROUP *ngroup; 1808 const EC_GROUP *group; 1809 1810 if ((ecdh=EC_KEY_new()) == NULL) 1811 { 1812 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1813 goto err; 1814 } 1815 1816 /* Extract elliptic curve parameters and the 1817 * server's ephemeral ECDH public key. 1818 * Keep accumulating lengths of various components in 1819 * param_len and make sure it never exceeds n. 1820 */ 1821 1822 /* XXX: For now we only support named (not generic) curves 1823 * and the ECParameters in this case is just three bytes. We 1824 * also need one byte for the length of the encoded point 1825 */ 1826 param_len=4; 1827 if (param_len > n) 1828 { 1829 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1830 SSL_R_LENGTH_TOO_SHORT); 1831 goto f_err; 1832 } 1833 1834 if ((*p != NAMED_CURVE_TYPE) || 1835 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1836 { 1837 al=SSL_AD_INTERNAL_ERROR; 1838 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1839 goto f_err; 1840 } 1841 1842 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1843 if (ngroup == NULL) 1844 { 1845 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1846 goto err; 1847 } 1848 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1849 { 1850 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1851 goto err; 1852 } 1853 EC_GROUP_free(ngroup); 1854 1855 group = EC_KEY_get0_group(ecdh); 1856 1857 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1858 (EC_GROUP_get_degree(group) > 163)) 1859 { 1860 al=SSL_AD_EXPORT_RESTRICTION; 1861 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1862 goto f_err; 1863 } 1864 1865 p+=3; 1866 1867 /* Next, get the encoded ECPoint */ 1868 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1869 ((bn_ctx = BN_CTX_new()) == NULL)) 1870 { 1871 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1872 goto err; 1873 } 1874 1875 encoded_pt_len = *p; /* length of encoded point */ 1876 p+=1; 1877 1878 if ((encoded_pt_len > n - param_len) || 1879 (EC_POINT_oct2point(group, srvr_ecpoint, 1880 p, encoded_pt_len, bn_ctx) == 0)) 1881 { 1882 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1883 goto f_err; 1884 } 1885 param_len += encoded_pt_len; 1886 1887 n-=param_len; 1888 p+=encoded_pt_len; 1889 1890 /* The ECC/TLS specification does not mention 1891 * the use of DSA to sign ECParameters in the server 1892 * key exchange message. We do support RSA and ECDSA. 1893 */ 1894 if (0) ; 1895#ifndef OPENSSL_NO_RSA 1896 else if (alg_a & SSL_aRSA) 1897 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1898#endif 1899#ifndef OPENSSL_NO_ECDSA 1900 else if (alg_a & SSL_aECDSA) 1901 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1902#endif 1903 /* else anonymous ECDH, so no certificate or pkey. */ 1904 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1905 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1906 ecdh=NULL; 1907 BN_CTX_free(bn_ctx); 1908 bn_ctx = NULL; 1909 EC_POINT_free(srvr_ecpoint); 1910 srvr_ecpoint = NULL; 1911 } 1912#endif /* !OPENSSL_NO_ECDH */ 1913 1914 else if (!(alg_k & SSL_kPSK)) 1915 { 1916 al=SSL_AD_UNEXPECTED_MESSAGE; 1917 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1918 goto f_err; 1919 } 1920 1921 /* p points to the next byte, there are 'n' bytes left */ 1922 1923 /* if it was signed, check the signature */ 1924 if (pkey != NULL) 1925 { 1926 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1927 { 1928 int sigalg; 1929 if (2 > n) 1930 { 1931 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1932 SSL_R_LENGTH_TOO_SHORT); 1933 goto f_err; 1934 } 1935 1936 sigalg = tls12_get_sigid(pkey); 1937 /* Should never happen */ 1938 if (sigalg == -1) 1939 { 1940 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1941 goto err; 1942 } 1943 /* Check key type is consistent with signature */ 1944 if (sigalg != (int)p[1]) 1945 { 1946 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1947 al=SSL_AD_DECODE_ERROR; 1948 goto f_err; 1949 } 1950 md = tls12_get_hash(p[0]); 1951 if (md == NULL) 1952 { 1953 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1954 goto f_err; 1955 } 1956#ifdef SSL_DEBUG 1957fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1958#endif 1959 p += 2; 1960 n -= 2; 1961 } 1962 else 1963 md = EVP_sha1(); 1964 1965 if (2 > n) 1966 { 1967 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1968 SSL_R_LENGTH_TOO_SHORT); 1969 goto f_err; 1970 } 1971 n2s(p,i); 1972 n-=2; 1973 j=EVP_PKEY_size(pkey); 1974 1975 /* Check signature length. If n is 0 then signature is empty */ 1976 if ((i != n) || (n > j) || (n <= 0)) 1977 { 1978 /* wrong packet length */ 1979 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1980 goto f_err; 1981 } 1982 1983#ifndef OPENSSL_NO_RSA 1984 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1985 { 1986 int num; 1987 unsigned int size; 1988 1989 j=0; 1990 q=md_buf; 1991 for (num=2; num > 0; num--) 1992 { 1993 EVP_MD_CTX_set_flags(&md_ctx, 1994 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1995 EVP_DigestInit_ex(&md_ctx,(num == 2) 1996 ?s->ctx->md5:s->ctx->sha1, NULL); 1997 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1998 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1999 EVP_DigestUpdate(&md_ctx,param,param_len); 2000 EVP_DigestFinal_ex(&md_ctx,q,&size); 2001 q+=size; 2002 j+=size; 2003 } 2004 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 2005 pkey->pkey.rsa); 2006 if (i < 0) 2007 { 2008 al=SSL_AD_DECRYPT_ERROR; 2009 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 2010 goto f_err; 2011 } 2012 if (i == 0) 2013 { 2014 /* bad signature */ 2015 al=SSL_AD_DECRYPT_ERROR; 2016 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 2017 goto f_err; 2018 } 2019 } 2020 else 2021#endif 2022 { 2023 EVP_VerifyInit_ex(&md_ctx, md, NULL); 2024 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 2025 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 2026 EVP_VerifyUpdate(&md_ctx,param,param_len); 2027 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 2028 { 2029 /* bad signature */ 2030 al=SSL_AD_DECRYPT_ERROR; 2031 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 2032 goto f_err; 2033 } 2034 } 2035 } 2036 else 2037 { 2038 if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && 2039 /* Among PSK ciphers only RSA_PSK needs a public key */ 2040 !((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA))) 2041 { 2042 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2043 goto err; 2044 } 2045 /* still data left over */ 2046 if (n != 0) 2047 { 2048 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 2049 goto f_err; 2050 } 2051 } 2052 EVP_PKEY_free(pkey); 2053 EVP_MD_CTX_cleanup(&md_ctx); 2054 return(1); 2055f_err: 2056 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2057err: 2058 EVP_PKEY_free(pkey); 2059#ifndef OPENSSL_NO_RSA 2060 if (rsa != NULL) 2061 RSA_free(rsa); 2062#endif 2063#ifndef OPENSSL_NO_DH 2064 if (dh != NULL) 2065 DH_free(dh); 2066#endif 2067#ifndef OPENSSL_NO_ECDH 2068 BN_CTX_free(bn_ctx); 2069 EC_POINT_free(srvr_ecpoint); 2070 if (ecdh != NULL) 2071 EC_KEY_free(ecdh); 2072#endif 2073 EVP_MD_CTX_cleanup(&md_ctx); 2074 return(-1); 2075 } 2076 2077int ssl3_get_certificate_request(SSL *s) 2078 { 2079 int ok,ret=0; 2080 unsigned long n,nc,l; 2081 unsigned int llen, ctype_num,i; 2082 X509_NAME *xn=NULL; 2083 const unsigned char *p,*q; 2084 unsigned char *d; 2085 STACK_OF(X509_NAME) *ca_sk=NULL; 2086 2087 n=s->method->ssl_get_message(s, 2088 SSL3_ST_CR_CERT_REQ_A, 2089 SSL3_ST_CR_CERT_REQ_B, 2090 -1, 2091 s->max_cert_list, 2092 &ok); 2093 2094 if (!ok) return((int)n); 2095 2096 s->s3->tmp.cert_req=0; 2097 2098 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 2099 { 2100 s->s3->tmp.reuse_message=1; 2101 /* If we get here we don't need any cached handshake records 2102 * as we wont be doing client auth. 2103 */ 2104 if (s->s3->handshake_buffer) 2105 { 2106 if (!ssl3_digest_cached_records(s)) 2107 goto err; 2108 } 2109 return(1); 2110 } 2111 2112 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 2113 { 2114 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2115 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 2116 goto err; 2117 } 2118 2119 /* TLS does not like anon-DH with client cert */ 2120 if (s->version > SSL3_VERSION) 2121 { 2122 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 2123 { 2124 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2125 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 2126 goto err; 2127 } 2128 } 2129 2130 p=d=(unsigned char *)s->init_msg; 2131 2132 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 2133 { 2134 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 2135 goto err; 2136 } 2137 2138 /* get the certificate types */ 2139 ctype_num= *(p++); 2140 if (ctype_num > SSL3_CT_NUMBER) 2141 ctype_num=SSL3_CT_NUMBER; 2142 for (i=0; i<ctype_num; i++) 2143 s->s3->tmp.ctype[i]= p[i]; 2144 p+=ctype_num; 2145 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2146 { 2147 n2s(p, llen); 2148 /* Check we have enough room for signature algorithms and 2149 * following length value. 2150 */ 2151 if ((unsigned long)(p - d + llen + 2) > n) 2152 { 2153 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2154 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); 2155 goto err; 2156 } 2157 if (llen & 1) 2158 { 2159 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2160 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2161 goto err; 2162 } 2163 tls1_process_sigalgs(s, p, llen); 2164 p += llen; 2165 } 2166 2167 /* get the CA RDNs */ 2168 n2s(p,llen); 2169#if 0 2170{ 2171FILE *out; 2172out=fopen("/tmp/vsign.der","w"); 2173fwrite(p,1,llen,out); 2174fclose(out); 2175} 2176#endif 2177 2178 if ((unsigned long)(p - d + llen) != n) 2179 { 2180 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2181 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 2182 goto err; 2183 } 2184 2185 for (nc=0; nc<llen; ) 2186 { 2187 n2s(p,l); 2188 if ((l+nc+2) > llen) 2189 { 2190 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 2191 goto cont; /* netscape bugs */ 2192 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2193 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 2194 goto err; 2195 } 2196 2197 q=p; 2198 2199 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 2200 { 2201 /* If netscape tolerance is on, ignore errors */ 2202 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 2203 goto cont; 2204 else 2205 { 2206 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2207 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 2208 goto err; 2209 } 2210 } 2211 2212 if (q != (p+l)) 2213 { 2214 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2215 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 2216 goto err; 2217 } 2218 if (!sk_X509_NAME_push(ca_sk,xn)) 2219 { 2220 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 2221 goto err; 2222 } 2223 2224 p+=l; 2225 nc+=l+2; 2226 } 2227 2228 if (0) 2229 { 2230cont: 2231 ERR_clear_error(); 2232 } 2233 2234 /* we should setup a certificate to return.... */ 2235 s->s3->tmp.cert_req=1; 2236 s->s3->tmp.ctype_num=ctype_num; 2237 if (s->s3->tmp.ca_names != NULL) 2238 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 2239 s->s3->tmp.ca_names=ca_sk; 2240 ca_sk=NULL; 2241 2242 ret=1; 2243err: 2244 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 2245 return(ret); 2246 } 2247 2248static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 2249 { 2250 return(X509_NAME_cmp(*a,*b)); 2251 } 2252#ifndef OPENSSL_NO_TLSEXT 2253int ssl3_get_new_session_ticket(SSL *s) 2254 { 2255 int ok,al,ret=0, ticklen; 2256 long n; 2257 const unsigned char *p; 2258 unsigned char *d; 2259 2260 n=s->method->ssl_get_message(s, 2261 SSL3_ST_CR_SESSION_TICKET_A, 2262 SSL3_ST_CR_SESSION_TICKET_B, 2263 -1, 2264 16384, 2265 &ok); 2266 2267 if (!ok) 2268 return((int)n); 2269 2270 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 2271 { 2272 s->s3->tmp.reuse_message=1; 2273 return(1); 2274 } 2275 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 2276 { 2277 al=SSL_AD_UNEXPECTED_MESSAGE; 2278 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 2279 goto f_err; 2280 } 2281 if (n < 6) 2282 { 2283 /* need at least ticket_lifetime_hint + ticket length */ 2284 al = SSL_AD_DECODE_ERROR; 2285 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2286 goto f_err; 2287 } 2288 2289 p=d=(unsigned char *)s->init_msg; 2290 n2l(p, s->session->tlsext_tick_lifetime_hint); 2291 n2s(p, ticklen); 2292 /* ticket_lifetime_hint + ticket_length + ticket */ 2293 if (ticklen + 6 != n) 2294 { 2295 al = SSL_AD_DECODE_ERROR; 2296 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2297 goto f_err; 2298 } 2299 if (s->session->tlsext_tick) 2300 { 2301 OPENSSL_free(s->session->tlsext_tick); 2302 s->session->tlsext_ticklen = 0; 2303 } 2304 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 2305 if (!s->session->tlsext_tick) 2306 { 2307 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 2308 goto err; 2309 } 2310 memcpy(s->session->tlsext_tick, p, ticklen); 2311 s->session->tlsext_ticklen = ticklen; 2312 /* There are two ways to detect a resumed ticket sesion. 2313 * One is to set an appropriate session ID and then the server 2314 * must return a match in ServerHello. This allows the normal 2315 * client session ID matching to work and we know much 2316 * earlier that the ticket has been accepted. 2317 * 2318 * The other way is to set zero length session ID when the 2319 * ticket is presented and rely on the handshake to determine 2320 * session resumption. 2321 * 2322 * We choose the former approach because this fits in with 2323 * assumptions elsewhere in OpenSSL. The session ID is set 2324 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2325 * ticket. 2326 */ 2327 EVP_Digest(p, ticklen, 2328 s->session->session_id, &s->session->session_id_length, 2329#ifndef OPENSSL_NO_SHA256 2330 EVP_sha256(), NULL); 2331#else 2332 EVP_sha1(), NULL); 2333#endif 2334 ret=1; 2335 return(ret); 2336f_err: 2337 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2338err: 2339 return(-1); 2340 } 2341 2342int ssl3_get_cert_status(SSL *s) 2343 { 2344 int ok, al; 2345 unsigned long resplen,n; 2346 const unsigned char *p; 2347 2348 n=s->method->ssl_get_message(s, 2349 SSL3_ST_CR_CERT_STATUS_A, 2350 SSL3_ST_CR_CERT_STATUS_B, 2351 SSL3_MT_CERTIFICATE_STATUS, 2352 16384, 2353 &ok); 2354 2355 if (!ok) return((int)n); 2356 if (n < 4) 2357 { 2358 /* need at least status type + length */ 2359 al = SSL_AD_DECODE_ERROR; 2360 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2361 goto f_err; 2362 } 2363 p = (unsigned char *)s->init_msg; 2364 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 2365 { 2366 al = SSL_AD_DECODE_ERROR; 2367 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 2368 goto f_err; 2369 } 2370 n2l3(p, resplen); 2371 if (resplen + 4 != n) 2372 { 2373 al = SSL_AD_DECODE_ERROR; 2374 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2375 goto f_err; 2376 } 2377 if (s->tlsext_ocsp_resp) 2378 OPENSSL_free(s->tlsext_ocsp_resp); 2379 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2380 if (!s->tlsext_ocsp_resp) 2381 { 2382 al = SSL_AD_INTERNAL_ERROR; 2383 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2384 goto f_err; 2385 } 2386 s->tlsext_ocsp_resplen = resplen; 2387 if (s->ctx->tlsext_status_cb) 2388 { 2389 int ret; 2390 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2391 if (ret == 0) 2392 { 2393 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2394 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2395 goto f_err; 2396 } 2397 if (ret < 0) 2398 { 2399 al = SSL_AD_INTERNAL_ERROR; 2400 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2401 goto f_err; 2402 } 2403 } 2404 return 1; 2405f_err: 2406 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2407 return(-1); 2408 } 2409#endif 2410 2411int ssl3_get_server_done(SSL *s) 2412 { 2413 int ok,ret=0; 2414 long n; 2415 2416 n=s->method->ssl_get_message(s, 2417 SSL3_ST_CR_SRVR_DONE_A, 2418 SSL3_ST_CR_SRVR_DONE_B, 2419 SSL3_MT_SERVER_DONE, 2420 30, /* should be very small, like 0 :-) */ 2421 &ok); 2422 2423 if (!ok) return((int)n); 2424 if (n > 0) 2425 { 2426 /* should contain no data */ 2427 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2428 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2429 return -1; 2430 } 2431 ret=1; 2432 return(ret); 2433 } 2434 2435 2436int ssl3_send_client_key_exchange(SSL *s) 2437 { 2438 unsigned char *p,*d; 2439 int n = 0; 2440 unsigned long alg_k; 2441 unsigned long alg_a; 2442#ifndef OPENSSL_NO_RSA 2443 unsigned char *q; 2444 EVP_PKEY *pkey=NULL; 2445#endif 2446#ifndef OPENSSL_NO_KRB5 2447 KSSL_ERR kssl_err; 2448#endif /* OPENSSL_NO_KRB5 */ 2449#ifndef OPENSSL_NO_ECDH 2450 EC_KEY *clnt_ecdh = NULL; 2451 const EC_POINT *srvr_ecpoint = NULL; 2452 EVP_PKEY *srvr_pub_pkey = NULL; 2453 unsigned char *encodedPoint = NULL; 2454 int encoded_pt_len = 0; 2455 BN_CTX * bn_ctx = NULL; 2456#ifndef OPENSSL_NO_PSK 2457 unsigned int psk_len = 0; 2458 unsigned char psk[PSK_MAX_PSK_LEN]; 2459#endif /* OPENSSL_NO_PSK */ 2460#endif /* OPENSSL_NO_ECDH */ 2461 2462 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2463 { 2464 d=(unsigned char *)s->init_buf->data; 2465 p= &(d[4]); 2466 2467 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2468 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2469 2470#ifndef OPENSSL_NO_PSK 2471 if (alg_a & SSL_aPSK) 2472 { 2473 /* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes 2474 * to return a \0-terminated identity. The last byte 2475 * is for us for simulating strnlen. */ 2476 char identity[PSK_MAX_IDENTITY_LEN + 2]; 2477 size_t identity_len; 2478 unsigned char *t = NULL; 2479 unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4]; 2480 unsigned int pre_ms_len = 0; 2481 int psk_err = 1; 2482 2483 n = 0; 2484 if (s->psk_client_callback == NULL) 2485 { 2486 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2487 SSL_R_PSK_NO_CLIENT_CB); 2488 goto err; 2489 } 2490 2491 memset(identity, 0, sizeof(identity)); 2492 psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, 2493 identity, sizeof(identity) - 1, psk, sizeof(psk)); 2494 if (psk_len > PSK_MAX_PSK_LEN) 2495 { 2496 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2497 ERR_R_INTERNAL_ERROR); 2498 goto psk_err; 2499 } 2500 else if (psk_len == 0) 2501 { 2502 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2503 SSL_R_PSK_IDENTITY_NOT_FOUND); 2504 goto psk_err; 2505 } 2506 identity[PSK_MAX_IDENTITY_LEN + 1] = '\0'; 2507 identity_len = strlen(identity); 2508 if (identity_len > PSK_MAX_IDENTITY_LEN) 2509 { 2510 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2511 ERR_R_INTERNAL_ERROR); 2512 goto psk_err; 2513 } 2514 if (!(alg_k & SSL_kEECDH)) 2515 { 2516 /* Create the shared secret now if we're not using ECDHE-PSK.*/ 2517 pre_ms_len = 2+psk_len+2+psk_len; 2518 t = pre_ms; 2519 s2n(psk_len, t); 2520 memset(t, 0, psk_len); 2521 t+=psk_len; 2522 s2n(psk_len, t); 2523 memcpy(t, psk, psk_len); 2524 2525 s->session->master_key_length = 2526 s->method->ssl3_enc->generate_master_secret(s, 2527 s->session->master_key, 2528 pre_ms, pre_ms_len); 2529 s2n(identity_len, p); 2530 memcpy(p, identity, identity_len); 2531 n = 2 + identity_len; 2532 } 2533 2534 if (s->session->psk_identity != NULL) 2535 OPENSSL_free(s->session->psk_identity); 2536 s->session->psk_identity = BUF_strdup(identity); 2537 if (s->session->psk_identity == NULL) 2538 { 2539 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2540 ERR_R_MALLOC_FAILURE); 2541 goto psk_err; 2542 } 2543 psk_err = 0; 2544 psk_err: 2545 OPENSSL_cleanse(identity, sizeof(identity)); 2546 OPENSSL_cleanse(pre_ms, sizeof(pre_ms)); 2547 if (psk_err != 0) 2548 { 2549 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2550 goto err; 2551 } 2552 } 2553#endif 2554 /* Fool emacs indentation */ 2555 if (0) {} 2556#ifndef OPENSSL_NO_RSA 2557 else if (alg_k & SSL_kRSA) 2558 { 2559 RSA *rsa; 2560 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2561 2562 if (s->session->sess_cert == NULL) 2563 { 2564 /* We should always have a server certificate with SSL_kRSA. */ 2565 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2566 goto err; 2567 } 2568 2569 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2570 rsa=s->session->sess_cert->peer_rsa_tmp; 2571 else 2572 { 2573 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 2574 if ((pkey == NULL) || 2575 (pkey->type != EVP_PKEY_RSA) || 2576 (pkey->pkey.rsa == NULL)) 2577 { 2578 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2579 goto err; 2580 } 2581 rsa=pkey->pkey.rsa; 2582 EVP_PKEY_free(pkey); 2583 } 2584 2585 tmp_buf[0]=s->client_version>>8; 2586 tmp_buf[1]=s->client_version&0xff; 2587 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2588 goto err; 2589 2590 s->session->master_key_length=sizeof tmp_buf; 2591 2592 q=p; 2593 /* Fix buf for TLS and beyond */ 2594 if (s->version > SSL3_VERSION) 2595 p+=2; 2596 n=RSA_public_encrypt(sizeof tmp_buf, 2597 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2598#ifdef PKCS1_CHECK 2599 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2600 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2601#endif 2602 if (n <= 0) 2603 { 2604 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 2605 goto err; 2606 } 2607 2608 /* Fix buf for TLS and beyond */ 2609 if (s->version > SSL3_VERSION) 2610 { 2611 s2n(n,q); 2612 n+=2; 2613 } 2614 2615 s->session->master_key_length= 2616 s->method->ssl3_enc->generate_master_secret(s, 2617 s->session->master_key, 2618 tmp_buf,sizeof tmp_buf); 2619 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 2620 } 2621#endif 2622#ifndef OPENSSL_NO_KRB5 2623 else if (alg_k & SSL_kKRB5) 2624 { 2625 krb5_error_code krb5rc; 2626 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2627 /* krb5_data krb5_ap_req; */ 2628 krb5_data *enc_ticket; 2629 krb5_data authenticator, *authp = NULL; 2630 EVP_CIPHER_CTX ciph_ctx; 2631 const EVP_CIPHER *enc = NULL; 2632 unsigned char iv[EVP_MAX_IV_LENGTH]; 2633 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2634 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2635 + EVP_MAX_IV_LENGTH]; 2636 int padl, outl = sizeof(epms); 2637 2638 EVP_CIPHER_CTX_init(&ciph_ctx); 2639 2640#ifdef KSSL_DEBUG 2641 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2642 alg_k, SSL_kKRB5); 2643#endif /* KSSL_DEBUG */ 2644 2645 authp = NULL; 2646#ifdef KRB5SENDAUTH 2647 if (KRB5SENDAUTH) authp = &authenticator; 2648#endif /* KRB5SENDAUTH */ 2649 2650 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2651 &kssl_err); 2652 enc = kssl_map_enc(kssl_ctx->enctype); 2653 if (enc == NULL) 2654 goto err; 2655#ifdef KSSL_DEBUG 2656 { 2657 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2658 if (krb5rc && kssl_err.text) 2659 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2660 } 2661#endif /* KSSL_DEBUG */ 2662 2663 if (krb5rc) 2664 { 2665 ssl3_send_alert(s,SSL3_AL_FATAL, 2666 SSL_AD_HANDSHAKE_FAILURE); 2667 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 kssl_err.reason); 2669 goto err; 2670 } 2671 2672 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2673 ** in place of RFC 2712 KerberosWrapper, as in: 2674 ** 2675 ** Send ticket (copy to *p, set n = length) 2676 ** n = krb5_ap_req.length; 2677 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2678 ** if (krb5_ap_req.data) 2679 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2680 ** 2681 ** Now using real RFC 2712 KerberosWrapper 2682 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2683 ** Note: 2712 "opaque" types are here replaced 2684 ** with a 2-byte length followed by the value. 2685 ** Example: 2686 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2687 ** Where "xx xx" = length bytes. Shown here with 2688 ** optional authenticator omitted. 2689 */ 2690 2691 /* KerberosWrapper.Ticket */ 2692 s2n(enc_ticket->length,p); 2693 memcpy(p, enc_ticket->data, enc_ticket->length); 2694 p+= enc_ticket->length; 2695 n = enc_ticket->length + 2; 2696 2697 /* KerberosWrapper.Authenticator */ 2698 if (authp && authp->length) 2699 { 2700 s2n(authp->length,p); 2701 memcpy(p, authp->data, authp->length); 2702 p+= authp->length; 2703 n+= authp->length + 2; 2704 2705 free(authp->data); 2706 authp->data = NULL; 2707 authp->length = 0; 2708 } 2709 else 2710 { 2711 s2n(0,p);/* null authenticator length */ 2712 n+=2; 2713 } 2714 2715 tmp_buf[0]=s->client_version>>8; 2716 tmp_buf[1]=s->client_version&0xff; 2717 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2718 goto err; 2719 2720 /* 20010420 VRS. Tried it this way; failed. 2721 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2722 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2723 ** kssl_ctx->length); 2724 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2725 */ 2726 2727 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2728 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2729 kssl_ctx->key,iv); 2730 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2731 sizeof tmp_buf); 2732 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2733 outl += padl; 2734 if (outl > (int)sizeof epms) 2735 { 2736 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2737 goto err; 2738 } 2739 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2740 2741 /* KerberosWrapper.EncryptedPreMasterSecret */ 2742 s2n(outl,p); 2743 memcpy(p, epms, outl); 2744 p+=outl; 2745 n+=outl + 2; 2746 2747 s->session->master_key_length= 2748 s->method->ssl3_enc->generate_master_secret(s, 2749 s->session->master_key, 2750 tmp_buf, sizeof tmp_buf); 2751 2752 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2753 OPENSSL_cleanse(epms, outl); 2754 } 2755#endif 2756#ifndef OPENSSL_NO_DH 2757 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2758 { 2759 DH *dh_srvr,*dh_clnt; 2760 2761 if (s->session->sess_cert == NULL) 2762 { 2763 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2764 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2765 goto err; 2766 } 2767 2768 if (s->session->sess_cert->peer_dh_tmp != NULL) 2769 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2770 else 2771 { 2772 /* we get them from the cert */ 2773 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2774 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2775 goto err; 2776 } 2777 2778 /* generate a new random key */ 2779 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2780 { 2781 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2782 goto err; 2783 } 2784 if (!DH_generate_key(dh_clnt)) 2785 { 2786 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2787 DH_free(dh_clnt); 2788 goto err; 2789 } 2790 2791 /* use the 'p' output buffer for the DH key, but 2792 * make sure to clear it out afterwards */ 2793 2794 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2795 2796 if (n <= 0) 2797 { 2798 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2799 DH_free(dh_clnt); 2800 goto err; 2801 } 2802 2803 /* generate master key from the result */ 2804 s->session->master_key_length= 2805 s->method->ssl3_enc->generate_master_secret(s, 2806 s->session->master_key,p,n); 2807 /* clean up */ 2808 memset(p,0,n); 2809 2810 /* send off the data */ 2811 n=BN_num_bytes(dh_clnt->pub_key); 2812 s2n(n,p); 2813 BN_bn2bin(dh_clnt->pub_key,p); 2814 n+=2; 2815 2816 DH_free(dh_clnt); 2817 2818 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2819 } 2820#endif 2821#ifndef OPENSSL_NO_ECDH 2822 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2823 { 2824 const EC_GROUP *srvr_group = NULL; 2825 EC_KEY *tkey; 2826 int ecdh_clnt_cert = 0; 2827 int field_size = 0; 2828#ifndef OPENSSL_NO_PSK 2829 unsigned char *pre_ms; 2830 unsigned char *t; 2831 unsigned int pre_ms_len; 2832 unsigned int i; 2833#endif 2834 2835 if (s->session->sess_cert == NULL) 2836 { 2837 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2838 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2839 goto err; 2840 } 2841 2842 /* Did we send out the client's 2843 * ECDH share for use in premaster 2844 * computation as part of client certificate? 2845 * If so, set ecdh_clnt_cert to 1. 2846 */ 2847 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2848 { 2849 /* XXX: For now, we do not support client 2850 * authentication using ECDH certificates. 2851 * To add such support, one needs to add 2852 * code that checks for appropriate 2853 * conditions and sets ecdh_clnt_cert to 1. 2854 * For example, the cert have an ECC 2855 * key on the same curve as the server's 2856 * and the key should be authorized for 2857 * key agreement. 2858 * 2859 * One also needs to add code in ssl3_connect 2860 * to skip sending the certificate verify 2861 * message. 2862 * 2863 * if ((s->cert->key->privatekey != NULL) && 2864 * (s->cert->key->privatekey->type == 2865 * EVP_PKEY_EC) && ...) 2866 * ecdh_clnt_cert = 1; 2867 */ 2868 } 2869 2870 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2871 { 2872 tkey = s->session->sess_cert->peer_ecdh_tmp; 2873 } 2874 else 2875 { 2876 /* Get the Server Public Key from Cert */ 2877 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2878 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2879 if ((srvr_pub_pkey == NULL) || 2880 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2881 (srvr_pub_pkey->pkey.ec == NULL)) 2882 { 2883 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2884 ERR_R_INTERNAL_ERROR); 2885 goto err; 2886 } 2887 2888 tkey = srvr_pub_pkey->pkey.ec; 2889 } 2890 2891 srvr_group = EC_KEY_get0_group(tkey); 2892 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2893 2894 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2895 { 2896 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2897 ERR_R_INTERNAL_ERROR); 2898 goto err; 2899 } 2900 2901 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2902 { 2903 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2904 goto err; 2905 } 2906 2907 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2908 { 2909 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2910 goto err; 2911 } 2912 if (ecdh_clnt_cert) 2913 { 2914 /* Reuse key info from our certificate 2915 * We only need our private key to perform 2916 * the ECDH computation. 2917 */ 2918 const BIGNUM *priv_key; 2919 tkey = s->cert->key->privatekey->pkey.ec; 2920 priv_key = EC_KEY_get0_private_key(tkey); 2921 if (priv_key == NULL) 2922 { 2923 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2924 goto err; 2925 } 2926 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2927 { 2928 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2929 goto err; 2930 } 2931 } 2932 else 2933 { 2934 /* Generate a new ECDH key pair */ 2935 if (!(EC_KEY_generate_key(clnt_ecdh))) 2936 { 2937 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2938 goto err; 2939 } 2940 } 2941 2942 /* use the 'p' output buffer for the ECDH key, but 2943 * make sure to clear it out afterwards 2944 */ 2945 2946 field_size = EC_GROUP_get_degree(srvr_group); 2947 if (field_size <= 0) 2948 { 2949 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2950 ERR_R_ECDH_LIB); 2951 goto err; 2952 } 2953 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2954 if (n <= 0) 2955 { 2956 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2957 ERR_R_ECDH_LIB); 2958 goto err; 2959 } 2960 2961#ifndef OPENSSL_NO_PSK 2962 /* ECDHE PSK ciphersuites from RFC 5489 */ 2963 if ((alg_a & SSL_aPSK) && psk_len != 0) 2964 { 2965 pre_ms_len = 2+n+2+psk_len; 2966 pre_ms = OPENSSL_malloc(pre_ms_len); 2967 if (pre_ms == NULL) 2968 { 2969 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2970 ERR_R_MALLOC_FAILURE); 2971 goto err; 2972 } 2973 memset(pre_ms, 0, pre_ms_len); 2974 t = pre_ms; 2975 s2n(n, t); 2976 memcpy(t, p, n); 2977 t += n; 2978 s2n(psk_len, t); 2979 memcpy(t, psk, psk_len); 2980 s->session->master_key_length = s->method->ssl3_enc \ 2981 -> generate_master_secret(s, 2982 s->session->master_key, pre_ms, pre_ms_len); 2983 OPENSSL_cleanse(pre_ms, pre_ms_len); 2984 OPENSSL_free(pre_ms); 2985 } 2986#endif /* OPENSSL_NO_PSK */ 2987 if (!(alg_a & SSL_aPSK)) 2988 { 2989 /* generate master key from the result */ 2990 s->session->master_key_length = s->method->ssl3_enc \ 2991 -> generate_master_secret(s, 2992 s->session->master_key, p, n); 2993 } 2994 memset(p, 0, n); /* clean up */ 2995 if (ecdh_clnt_cert) 2996 { 2997 /* Send empty client key exch message */ 2998 n = 0; 2999 } 3000 else 3001 { 3002 /* First check the size of encoding and 3003 * allocate memory accordingly. 3004 */ 3005 encoded_pt_len = 3006 EC_POINT_point2oct(srvr_group, 3007 EC_KEY_get0_public_key(clnt_ecdh), 3008 POINT_CONVERSION_UNCOMPRESSED, 3009 NULL, 0, NULL); 3010 3011 encodedPoint = (unsigned char *) 3012 OPENSSL_malloc(encoded_pt_len * 3013 sizeof(unsigned char)); 3014 bn_ctx = BN_CTX_new(); 3015 if ((encodedPoint == NULL) || 3016 (bn_ctx == NULL)) 3017 { 3018 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 3019 goto err; 3020 } 3021 3022 /* Encode the public key */ 3023 encoded_pt_len = EC_POINT_point2oct(srvr_group, 3024 EC_KEY_get0_public_key(clnt_ecdh), 3025 POINT_CONVERSION_UNCOMPRESSED, 3026 encodedPoint, encoded_pt_len, bn_ctx); 3027 3028 n = 0; 3029#ifndef OPENSSL_NO_PSK 3030 if ((alg_a & SSL_aPSK) && psk_len != 0) 3031 { 3032 i = strlen(s->session->psk_identity); 3033 s2n(i, p); 3034 memcpy(p, s->session->psk_identity, i); 3035 p += i; 3036 n = i + 2; 3037 } 3038#endif 3039 3040 *p = encoded_pt_len; /* length of encoded point */ 3041 /* Encoded point will be copied here */ 3042 p += 1; 3043 n += 1; 3044 /* copy the point */ 3045 memcpy((unsigned char *)p, encodedPoint, encoded_pt_len); 3046 /* increment n to account for length field */ 3047 n += encoded_pt_len; 3048 } 3049 3050 /* Free allocated memory */ 3051 BN_CTX_free(bn_ctx); 3052 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 3053 if (clnt_ecdh != NULL) 3054 EC_KEY_free(clnt_ecdh); 3055 EVP_PKEY_free(srvr_pub_pkey); 3056 } 3057#endif /* !OPENSSL_NO_ECDH */ 3058 else if (alg_k & SSL_kGOST) 3059 { 3060 /* GOST key exchange message creation */ 3061 EVP_PKEY_CTX *pkey_ctx; 3062 X509 *peer_cert; 3063 size_t msglen; 3064 unsigned int md_len; 3065 int keytype; 3066 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 3067 EVP_MD_CTX *ukm_hash; 3068 EVP_PKEY *pub_key; 3069 3070 /* Get server sertificate PKEY and create ctx from it */ 3071 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 3072 if (!peer_cert) 3073 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 3074 if (!peer_cert) { 3075 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3076 goto err; 3077 } 3078 3079 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 3080 /* If we have send a certificate, and certificate key 3081 3082 * parameters match those of server certificate, use 3083 * certificate key for key exchange 3084 */ 3085 3086 /* Otherwise, generate ephemeral key pair */ 3087 3088 EVP_PKEY_encrypt_init(pkey_ctx); 3089 /* Generate session key */ 3090 RAND_bytes(premaster_secret,32); 3091 /* If we have client certificate, use its secret as peer key */ 3092 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 3093 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 3094 /* If there was an error - just ignore it. Ephemeral key 3095 * would be used 3096 */ 3097 ERR_clear_error(); 3098 } 3099 } 3100 /* Compute shared IV and store it in algorithm-specific 3101 * context data */ 3102 ukm_hash = EVP_MD_CTX_create(); 3103 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 3104 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 3105 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 3106 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 3107 EVP_MD_CTX_destroy(ukm_hash); 3108 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 3109 8,shared_ukm)<0) { 3110 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 3111 SSL_R_LIBRARY_BUG); 3112 goto err; 3113 } 3114 /* Make GOST keytransport blob message */ 3115 /*Encapsulate it into sequence */ 3116 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 3117 msglen=255; 3118 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 3119 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 3120 SSL_R_LIBRARY_BUG); 3121 goto err; 3122 } 3123 if (msglen >= 0x80) 3124 { 3125 *(p++)=0x81; 3126 *(p++)= msglen & 0xff; 3127 n=msglen+3; 3128 } 3129 else 3130 { 3131 *(p++)= msglen & 0xff; 3132 n=msglen+2; 3133 } 3134 memcpy(p, tmp, msglen); 3135 /* Check if pubkey from client certificate was used */ 3136 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 3137 { 3138 /* Set flag "skip certificate verify" */ 3139 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 3140 } 3141 EVP_PKEY_CTX_free(pkey_ctx); 3142 s->session->master_key_length= 3143 s->method->ssl3_enc->generate_master_secret(s, 3144 s->session->master_key,premaster_secret,32); 3145 EVP_PKEY_free(pub_key); 3146 3147 } 3148#ifndef OPENSSL_NO_SRP 3149 else if (alg_k & SSL_kSRP) 3150 { 3151 if (s->srp_ctx.A != NULL) 3152 { 3153 /* send off the data */ 3154 n=BN_num_bytes(s->srp_ctx.A); 3155 s2n(n,p); 3156 BN_bn2bin(s->srp_ctx.A,p); 3157 n+=2; 3158 } 3159 else 3160 { 3161 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 3162 goto err; 3163 } 3164 if (s->session->srp_username != NULL) 3165 OPENSSL_free(s->session->srp_username); 3166 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 3167 if (s->session->srp_username == NULL) 3168 { 3169 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 3170 ERR_R_MALLOC_FAILURE); 3171 goto err; 3172 } 3173 3174 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 3175 { 3176 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 3177 goto err; 3178 } 3179 } 3180#endif 3181 else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK))) 3182 { 3183 ssl3_send_alert(s, SSL3_AL_FATAL, 3184 SSL_AD_HANDSHAKE_FAILURE); 3185 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 3186 ERR_R_INTERNAL_ERROR); 3187 goto err; 3188 } 3189 3190 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 3191 l2n3(n,d); 3192 3193 s->state=SSL3_ST_CW_KEY_EXCH_B; 3194 /* number of bytes to write */ 3195 s->init_num=n+4; 3196 s->init_off=0; 3197 } 3198 3199 /* SSL3_ST_CW_KEY_EXCH_B */ 3200 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3201err: 3202#ifndef OPENSSL_NO_ECDH 3203 BN_CTX_free(bn_ctx); 3204 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 3205 if (clnt_ecdh != NULL) 3206 EC_KEY_free(clnt_ecdh); 3207 EVP_PKEY_free(srvr_pub_pkey); 3208#endif 3209 return(-1); 3210 } 3211 3212int ssl3_send_client_verify(SSL *s) 3213 { 3214 unsigned char *p,*d; 3215 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 3216 EVP_PKEY *pkey; 3217 EVP_PKEY_CTX *pctx=NULL; 3218 EVP_MD_CTX mctx; 3219 unsigned u=0; 3220 unsigned long n; 3221 int j; 3222 3223 EVP_MD_CTX_init(&mctx); 3224 3225 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 3226 { 3227 d=(unsigned char *)s->init_buf->data; 3228 p= &(d[4]); 3229 pkey=s->cert->key->privatekey; 3230/* Create context from key and test if sha1 is allowed as digest */ 3231 pctx = EVP_PKEY_CTX_new(pkey,NULL); 3232 EVP_PKEY_sign_init(pctx); 3233 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 3234 { 3235 if (TLS1_get_version(s) < TLS1_2_VERSION) 3236 s->method->ssl3_enc->cert_verify_mac(s, 3237 NID_sha1, 3238 &(data[MD5_DIGEST_LENGTH])); 3239 } 3240 else 3241 { 3242 ERR_clear_error(); 3243 } 3244 /* For TLS v1.2 send signature algorithm and signature 3245 * using agreed digest and cached handshake records. 3246 */ 3247 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3248 { 3249 long hdatalen = 0; 3250 void *hdata; 3251 const EVP_MD *md; 3252 switch (ssl_cert_type(NULL, pkey)) 3253 { 3254 case SSL_PKEY_RSA_ENC: 3255 md = s->s3->digest_rsa; 3256 break; 3257 case SSL_PKEY_DSA_SIGN: 3258 md = s->s3->digest_dsa; 3259 break; 3260 case SSL_PKEY_ECC: 3261 md = s->s3->digest_ecdsa; 3262 break; 3263 default: 3264 md = NULL; 3265 } 3266 if (!md) 3267 /* Unlike with the SignatureAlgorithm extension (sent by clients), 3268 * there are no default algorithms for the CertificateRequest message 3269 * (sent by servers). However, now that we've sent a certificate 3270 * for which we don't really know what hash to use for signing, the 3271 * best we can do is try a default algorithm. */ 3272 md = EVP_sha1(); 3273 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 3274 &hdata); 3275 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 3276 { 3277 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3278 ERR_R_INTERNAL_ERROR); 3279 goto err; 3280 } 3281 p += 2; 3282#ifdef SSL_DEBUG 3283 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 3284 EVP_MD_name(md)); 3285#endif 3286 if (!EVP_SignInit_ex(&mctx, md, NULL) 3287 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 3288 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 3289 { 3290 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3291 ERR_R_EVP_LIB); 3292 goto err; 3293 } 3294 s2n(u,p); 3295 n = u + 4; 3296 if (!ssl3_digest_cached_records(s)) 3297 goto err; 3298 } 3299 else 3300#ifndef OPENSSL_NO_RSA 3301 if (pkey->type == EVP_PKEY_RSA) 3302 { 3303 s->method->ssl3_enc->cert_verify_mac(s, 3304 NID_md5, 3305 &(data[0])); 3306 if (RSA_sign(NID_md5_sha1, data, 3307 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 3308 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 3309 { 3310 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 3311 goto err; 3312 } 3313 s2n(u,p); 3314 n=u+2; 3315 } 3316 else 3317#endif 3318#ifndef OPENSSL_NO_DSA 3319 if (pkey->type == EVP_PKEY_DSA) 3320 { 3321 if (!DSA_sign(pkey->save_type, 3322 &(data[MD5_DIGEST_LENGTH]), 3323 SHA_DIGEST_LENGTH,&(p[2]), 3324 (unsigned int *)&j,pkey->pkey.dsa)) 3325 { 3326 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 3327 goto err; 3328 } 3329 s2n(j,p); 3330 n=j+2; 3331 } 3332 else 3333#endif 3334#ifndef OPENSSL_NO_ECDSA 3335 if (pkey->type == EVP_PKEY_EC) 3336 { 3337 if (!ECDSA_sign(pkey->save_type, 3338 &(data[MD5_DIGEST_LENGTH]), 3339 SHA_DIGEST_LENGTH,&(p[2]), 3340 (unsigned int *)&j,pkey->pkey.ec)) 3341 { 3342 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3343 ERR_R_ECDSA_LIB); 3344 goto err; 3345 } 3346 s2n(j,p); 3347 n=j+2; 3348 } 3349 else 3350#endif 3351 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3352 { 3353 unsigned char signbuf[64]; 3354 int i; 3355 size_t sigsize=64; 3356 s->method->ssl3_enc->cert_verify_mac(s, 3357 NID_id_GostR3411_94, 3358 data); 3359 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 3360 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3361 ERR_R_INTERNAL_ERROR); 3362 goto err; 3363 } 3364 for (i=63,j=0; i>=0; j++, i--) { 3365 p[2+j]=signbuf[i]; 3366 } 3367 s2n(j,p); 3368 n=j+2; 3369 } 3370 else 3371 { 3372 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 3373 goto err; 3374 } 3375 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 3376 l2n3(n,d); 3377 3378 s->state=SSL3_ST_CW_CERT_VRFY_B; 3379 s->init_num=(int)n+4; 3380 s->init_off=0; 3381 } 3382 EVP_MD_CTX_cleanup(&mctx); 3383 EVP_PKEY_CTX_free(pctx); 3384 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3385err: 3386 EVP_MD_CTX_cleanup(&mctx); 3387 EVP_PKEY_CTX_free(pctx); 3388 return(-1); 3389 } 3390 3391int ssl3_send_client_certificate(SSL *s) 3392 { 3393 X509 *x509=NULL; 3394 EVP_PKEY *pkey=NULL; 3395 int i; 3396 unsigned long l; 3397 3398 if (s->state == SSL3_ST_CW_CERT_A) 3399 { 3400 if ((s->cert == NULL) || 3401 (s->cert->key->x509 == NULL) || 3402 (s->cert->key->privatekey == NULL)) 3403 s->state=SSL3_ST_CW_CERT_B; 3404 else 3405 s->state=SSL3_ST_CW_CERT_C; 3406 } 3407 3408 /* We need to get a client cert */ 3409 if (s->state == SSL3_ST_CW_CERT_B) 3410 { 3411 /* If we get an error, we need to 3412 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 3413 * We then get retied later */ 3414 i=0; 3415 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3416 if (i < 0) 3417 { 3418 s->rwstate=SSL_X509_LOOKUP; 3419 return(-1); 3420 } 3421 s->rwstate=SSL_NOTHING; 3422 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 3423 { 3424 s->state=SSL3_ST_CW_CERT_B; 3425 if ( !SSL_use_certificate(s,x509) || 3426 !SSL_use_PrivateKey(s,pkey)) 3427 i=0; 3428 } 3429 else if (i == 1) 3430 { 3431 i=0; 3432 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3433 } 3434 3435 if (x509 != NULL) X509_free(x509); 3436 if (pkey != NULL) EVP_PKEY_free(pkey); 3437 if (i == 0) 3438 { 3439 if (s->version == SSL3_VERSION) 3440 { 3441 s->s3->tmp.cert_req=0; 3442 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 3443 return(1); 3444 } 3445 else 3446 { 3447 s->s3->tmp.cert_req=2; 3448 } 3449 } 3450 3451 /* Ok, we have a cert */ 3452 s->state=SSL3_ST_CW_CERT_C; 3453 } 3454 3455 if (s->state == SSL3_ST_CW_CERT_C) 3456 { 3457 s->state=SSL3_ST_CW_CERT_D; 3458 l=ssl3_output_cert_chain(s, 3459 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 3460 s->init_num=(int)l; 3461 s->init_off=0; 3462 } 3463 /* SSL3_ST_CW_CERT_D */ 3464 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3465 } 3466 3467#define has_bits(i,m) (((i)&(m)) == (m)) 3468 3469int ssl3_check_cert_and_algorithm(SSL *s) 3470 { 3471 int i,idx; 3472 long alg_k,alg_a; 3473 EVP_PKEY *pkey=NULL; 3474 SESS_CERT *sc; 3475#ifndef OPENSSL_NO_RSA 3476 RSA *rsa; 3477#endif 3478#ifndef OPENSSL_NO_DH 3479 DH *dh; 3480#endif 3481 3482 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 3483 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 3484 3485 /* we don't have a certificate */ 3486 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 3487 return(1); 3488 3489 sc=s->session->sess_cert; 3490 if (sc == NULL) 3491 { 3492 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 3493 goto err; 3494 } 3495 3496#ifndef OPENSSL_NO_RSA 3497 rsa=s->session->sess_cert->peer_rsa_tmp; 3498#endif 3499#ifndef OPENSSL_NO_DH 3500 dh=s->session->sess_cert->peer_dh_tmp; 3501#endif 3502 3503 /* This is the passed certificate */ 3504 3505 idx=sc->peer_cert_type; 3506#ifndef OPENSSL_NO_ECDH 3507 if (idx == SSL_PKEY_ECC) 3508 { 3509 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3510 s) == 0) 3511 { /* check failed */ 3512 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 3513 goto f_err; 3514 } 3515 else 3516 { 3517 return 1; 3518 } 3519 } 3520#endif 3521 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 3522 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 3523 EVP_PKEY_free(pkey); 3524 3525 3526 /* Check that we have a certificate if we require one */ 3527 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 3528 { 3529 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 3530 goto f_err; 3531 } 3532#ifndef OPENSSL_NO_DSA 3533 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 3534 { 3535 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 3536 goto f_err; 3537 } 3538#endif 3539#ifndef OPENSSL_NO_RSA 3540 if ((alg_k & SSL_kRSA) && 3541 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 3542 { 3543 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3544 goto f_err; 3545 } 3546#endif 3547#ifndef OPENSSL_NO_DH 3548 if ((alg_k & SSL_kEDH) && 3549 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3550 { 3551 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 3552 goto f_err; 3553 } 3554 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3555 { 3556 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 3557 goto f_err; 3558 } 3559#ifndef OPENSSL_NO_DSA 3560 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3561 { 3562 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 3563 goto f_err; 3564 } 3565#endif 3566#endif 3567 3568 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3569 { 3570#ifndef OPENSSL_NO_RSA 3571 if (alg_k & SSL_kRSA) 3572 { 3573 if (rsa == NULL 3574 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3575 { 3576 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 3577 goto f_err; 3578 } 3579 } 3580 else 3581#endif 3582#ifndef OPENSSL_NO_DH 3583 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3584 { 3585 if (dh == NULL 3586 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3587 { 3588 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 3589 goto f_err; 3590 } 3591 } 3592 else 3593#endif 3594 { 3595 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3596 goto f_err; 3597 } 3598 } 3599 return(1); 3600f_err: 3601 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3602err: 3603 return(0); 3604 } 3605 3606#if !defined(OPENSSL_NO_TLSEXT) 3607# if !defined(OPENSSL_NO_NEXTPROTONEG) 3608int ssl3_send_next_proto(SSL *s) 3609 { 3610 unsigned int len, padding_len; 3611 unsigned char *d; 3612 3613 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3614 { 3615 len = s->next_proto_negotiated_len; 3616 padding_len = 32 - ((len + 2) % 32); 3617 d = (unsigned char *)s->init_buf->data; 3618 d[4] = len; 3619 memcpy(d + 5, s->next_proto_negotiated, len); 3620 d[5 + len] = padding_len; 3621 memset(d + 6 + len, 0, padding_len); 3622 *(d++)=SSL3_MT_NEXT_PROTO; 3623 l2n3(2 + len + padding_len, d); 3624 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3625 s->init_num = 4 + 2 + len + padding_len; 3626 s->init_off = 0; 3627 } 3628 3629 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3630} 3631# endif /* !OPENSSL_NO_NEXTPROTONEG */ 3632 3633int ssl3_send_channel_id(SSL *s) 3634 { 3635 unsigned char *d; 3636 int ret = -1, public_key_len; 3637 EVP_MD_CTX md_ctx; 3638 size_t sig_len; 3639 ECDSA_SIG *sig = NULL; 3640 unsigned char *public_key = NULL, *derp, *der_sig = NULL; 3641 3642 if (s->state != SSL3_ST_CW_CHANNEL_ID_A) 3643 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3644 3645 if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) 3646 { 3647 EVP_PKEY *key = NULL; 3648 s->ctx->channel_id_cb(s, &key); 3649 if (key != NULL) 3650 { 3651 s->tlsext_channel_id_private = key; 3652 } 3653 } 3654 if (!s->tlsext_channel_id_private) 3655 { 3656 s->rwstate=SSL_CHANNEL_ID_LOOKUP; 3657 return (-1); 3658 } 3659 s->rwstate=SSL_NOTHING; 3660 3661 d = (unsigned char *)s->init_buf->data; 3662 *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; 3663 l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); 3664 if (s->s3->tlsext_channel_id_new) 3665 s2n(TLSEXT_TYPE_channel_id_new, d); 3666 else 3667 s2n(TLSEXT_TYPE_channel_id, d); 3668 s2n(TLSEXT_CHANNEL_ID_SIZE, d); 3669 3670 EVP_MD_CTX_init(&md_ctx); 3671 3672 public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL); 3673 if (public_key_len <= 0) 3674 { 3675 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY); 3676 goto err; 3677 } 3678 /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a 3679 * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y 3680 * field elements as 32-byte, big-endian numbers. */ 3681 if (public_key_len != 65) 3682 { 3683 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256); 3684 goto err; 3685 } 3686 public_key = OPENSSL_malloc(public_key_len); 3687 if (!public_key) 3688 { 3689 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 3690 goto err; 3691 } 3692 3693 derp = public_key; 3694 i2d_PublicKey(s->tlsext_channel_id_private, &derp); 3695 3696 if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, 3697 s->tlsext_channel_id_private) != 1) 3698 { 3699 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED); 3700 goto err; 3701 } 3702 3703 if (!tls1_channel_id_hash(&md_ctx, s)) 3704 goto err; 3705 3706 if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) 3707 { 3708 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 3709 goto err; 3710 } 3711 3712 der_sig = OPENSSL_malloc(sig_len); 3713 if (!der_sig) 3714 { 3715 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 3716 goto err; 3717 } 3718 3719 if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len)) 3720 { 3721 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 3722 goto err; 3723 } 3724 3725 derp = der_sig; 3726 sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len); 3727 if (sig == NULL) 3728 { 3729 SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG); 3730 goto err; 3731 } 3732 3733 /* The first byte of public_key will be 0x4, denoting an uncompressed key. */ 3734 memcpy(d, public_key + 1, 64); 3735 d += 64; 3736 memset(d, 0, 2 * 32); 3737 BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r)); 3738 d += 32; 3739 BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s)); 3740 d += 32; 3741 3742 s->state = SSL3_ST_CW_CHANNEL_ID_B; 3743 s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE; 3744 s->init_off = 0; 3745 3746 ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3747 3748err: 3749 EVP_MD_CTX_cleanup(&md_ctx); 3750 if (public_key) 3751 OPENSSL_free(public_key); 3752 if (der_sig) 3753 OPENSSL_free(der_sig); 3754 if (sig) 3755 ECDSA_SIG_free(sig); 3756 3757 return ret; 3758 } 3759#endif /* !OPENSSL_NO_TLSEXT */ 3760 3761/* Check to see if handshake is full or resumed. Usually this is just a 3762 * case of checking to see if a cache hit has occurred. In the case of 3763 * session tickets we have to check the next message to be sure. 3764 */ 3765 3766#ifndef OPENSSL_NO_TLSEXT 3767int ssl3_check_finished(SSL *s) 3768 { 3769 int ok; 3770 long n; 3771 /* If we have no ticket it cannot be a resumed session. */ 3772 if (!s->session->tlsext_tick) 3773 return 1; 3774 /* this function is called when we really expect a Certificate 3775 * message, so permit appropriate message length */ 3776 n=s->method->ssl_get_message(s, 3777 SSL3_ST_CR_CERT_A, 3778 SSL3_ST_CR_CERT_B, 3779 -1, 3780 s->max_cert_list, 3781 &ok); 3782 if (!ok) return((int)n); 3783 s->s3->tmp.reuse_message = 1; 3784 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3785 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3786 return 2; 3787 3788 return 1; 3789 } 3790#endif 3791 3792int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3793 { 3794 int i = 0; 3795#ifndef OPENSSL_NO_ENGINE 3796 if (s->ctx->client_cert_engine) 3797 { 3798 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3799 SSL_get_client_CA_list(s), 3800 px509, ppkey, NULL, NULL, NULL); 3801 if (i != 0) 3802 return i; 3803 } 3804#endif 3805 if (s->ctx->client_cert_cb) 3806 i = s->ctx->client_cert_cb(s,px509,ppkey); 3807 return i; 3808 } 3809