1221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ 2656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * All rights reserved. 4656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This package is an SSL implementation written 6656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * by Eric Young (eay@cryptsoft.com). 7656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The implementation was written so as to conform with Netscapes SSL. 8656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 9656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This library is free for commercial and non-commercial use as long as 10656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the following conditions are aheared to. The following conditions 11656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * apply to all code found in this distribution, be it the RC4, RSA, 12656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * included with this distribution is covered by the same copyright terms 14656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * except that the holder is Tim Hudson (tjh@cryptsoft.com). 
15656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 16656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright remains Eric Young's, and as such any Copyright notices in 17656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the code are not to be removed. 18656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If this package is used in a product, Eric Young should be given attribution 19656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * as the author of the parts of the library used. 20656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This can be in the form of a textual message at program startup or 21656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * in documentation (online or textual) provided with the package. 22656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 23656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without 24656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions 25656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met: 26656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the copyright 27656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer. 28656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. 
Redistributions in binary form must reproduce the above copyright 29656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer in the 30656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * documentation and/or other materials provided with the distribution. 31656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this software 32656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * must display the following acknowledgement: 33656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes cryptographic software written by 34656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Eric Young (eay@cryptsoft.com)" 35656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The word 'cryptographic' can be left out if the rouines from the library 36656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * being used are not cryptographic related :-). 37656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. 
If you include any Windows specific code (or a derivative thereof) from 38656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the apps directory (application code) you must include an acknowledgement: 39656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 41656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SUCH 
DAMAGE. 52656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 53656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The licence and distribution terms for any publically available version or 54656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * derivative of this code cannot be changed. i.e. this code cannot simply be 55656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * copied and put under another distribution licence 56656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [including the GNU Public Licence.] 57656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 58656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* ==================================================================== 59221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 61656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Redistribution and use in source and binary forms, with or without 62656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * modification, are permitted provided that the following conditions 63656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * are met: 64656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 65656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 1. Redistributions of source code must retain the above copyright 66656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer. 67656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 68656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 2. 
Redistributions in binary form must reproduce the above copyright 69656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * notice, this list of conditions and the following disclaimer in 70656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the documentation and/or other materials provided with the 71656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * distribution. 72656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 73656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 3. All advertising materials mentioning features or use of this 74656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * software must display the following acknowledgment: 75656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software developed by the OpenSSL Project 76656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 78656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * endorse or promote products derived from this software without 80656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * prior written permission. For written permission, please contact 81656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * openssl-core@openssl.org. 82656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 83656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 5. 
Products derived from this software may not be called "OpenSSL" 84656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * nor may "OpenSSL" appear in their names without prior written 85656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * permission of the OpenSSL Project. 86656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 87656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 6. Redistributions of any form whatsoever must retain the following 88656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * acknowledgment: 89656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * "This product includes software developed by the OpenSSL Project 90656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 92656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 96656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * OF THE POSSIBILITY OF SUCH DAMAGE. 104656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ==================================================================== 105656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 106656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This product includes cryptographic software written by Eric Young 107656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (eay@cryptsoft.com). This product includes software written by Tim 108656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Hudson (tjh@cryptsoft.com). 
109656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 110656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 111656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project/* ==================================================================== 112656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 114656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Portions of the attached software ("Contribution") are developed by 115656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 117656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The Contribution is licensed pursuant to the OpenSSL open source 118656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * license provided above. 119656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 120656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ECC cipher suite support in OpenSSL originally written by 121656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 123656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 124221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom/* ==================================================================== 125221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Copyright 2005 Nokia. All rights reserved. 
126221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 127221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * The portions of the attached software ("Contribution") is developed by 128221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * license. 130221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 131221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * support (see RFC 4279) to OpenSSL. 134221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 135221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * No patent licenses or other rights except those expressly stated in 136221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * the OpenSSL open source license shall be deemed granted or received 137221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * expressly, by implication, estoppel, or otherwise. 138221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 139221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * No assurances are provided by Nokia that the Contribution does not 140221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * infringe the patent or other intellectual property rights of any third 141221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * party or that the license provides you with all the necessary rights 142221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * to make use of the Contribution. 143221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 144221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
IN 145221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * OTHERWISE. 149221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 150656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 151656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#define REUSE_CIPHER_BUG 152656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#define NETSCAPE_HANG_BUG 153656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 154656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <stdio.h> 155656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "ssl_locl.h" 156656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include "kssl_lcl.h" 157c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root#include "../crypto/constant_time_locl.h" 158656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/buffer.h> 159656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/rand.h> 160656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/objects.h> 16145bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#include <openssl/ec.h> 16245bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#include <openssl/ecdsa.h> 163656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/evp.h> 164656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#include <openssl/hmac.h> 16545bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#include <openssl/sha.h> 
#include <openssl/x509.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
#include <openssl/bn.h>
#ifndef OPENSSL_NO_KRB5
#include <openssl/krb5_asn.h>
#endif
#include <openssl/md5.h>

static const SSL_METHOD *ssl3_get_server_method(int ver);

/* Map a protocol version number to the server-side method table.
 *
 * Only SSL3_VERSION is recognised: that value yields
 * SSLv3_server_method(), every other value yields NULL.  The function
 * is handed to IMPLEMENT_ssl3_meth_func() below as its last argument.
 */
static const SSL_METHOD *ssl3_get_server_method(int ver)
	{
	return (ver == SSL3_VERSION) ? SSLv3_server_method() : NULL;
	}

#ifndef OPENSSL_NO_SRP
/* Check the SRP state of a ClientHello once a cipher has been chosen.
 *
 * s  - connection being negotiated.  s->s3->tmp.new_cipher is
 *      dereferenced without a NULL check.
 *      NOTE(review): presumably the caller has already selected the
 *      cipher - confirm at the call site.
 * al - out: alert description.  It is written on every path, success
 *      included, so callers must not read it unless the return value
 *      signals failure.
 *
 * Returns SSL_ERROR_NONE when the chosen cipher's key exchange is not
 * SRP, or when no SRP username callback is registered.  In the second
 * case no username check is made here at all.
 * NOTE(review): whether an SRP cipher with no callback is rejected
 * somewhere else is not visible from this function - confirm.
 *
 * Returns SSL3_AL_FATAL with *al = SSL_AD_UNKNOWN_PSK_IDENTITY when the
 * client supplied no SRP login name.  Otherwise returns the result of
 * SSL_srp_server_param_with_username(), which may also update *al.
 *
 * The return value mixes SSL_ERROR_NONE with an alert level.
 * NOTE(review): callers should compare against SSL_ERROR_NONE rather
 * than test for a negative value - confirm against the caller.
 */
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
	{
	/* Default alert description; overwritten on the reject path. */
	*al = SSL_AD_UNRECOGNIZED_NAME;

	/* Nothing to verify unless SRP key exchange was negotiated ... */
	if (!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP))
		return SSL_ERROR_NONE;

	/* ... and the application registered a username callback. */
	if (s->srp_ctx.TLS_ext_srp_username_callback == NULL)
		return SSL_ERROR_NONE;

	if (s->srp_ctx.login != NULL)
		return SSL_srp_server_param_with_username(s,al);

	/* RFC 5054 says the server SHOULD reject; we reject when the
	 * client sent no SRP login name. */
	*al = SSL_AD_UNKNOWN_PSK_IDENTITY;
	return SSL3_AL_FATAL;
	}
#endif

IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_accept, 214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl_undefined_function, 215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_get_server_method) 216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint ssl3_accept(SSL *s) 218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BUF_MEM *buf; 220221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned long alg_k,Time=(unsigned long)time(NULL); 221de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned long alg_a; 222656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project void (*cb)(const SSL *ssl,int type,int val)=NULL; 223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret= -1; 224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int new_state,state,skip=0; 225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 226656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RAND_add(&Time,sizeof(Time),0); 227656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_clear_error(); 228656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project clear_sys_error(); 229656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 230656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->info_callback != NULL) 231656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=s->info_callback; 232656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else if (s->ctx->info_callback != NULL) 233656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb=s->ctx->info_callback; 
234656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 235656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* init things to blank */ 236656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->in_handshake++; 237656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 238656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 239656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->cert == NULL) 240656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 241656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 242656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(-1); 243656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 244656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 245392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_HEARTBEATS 246392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* If we're awaiting a HeartbeatResponse, pretend we 247392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * already got and don't await it anymore, because 248392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * Heartbeats don't make sense during handshakes anyway. 
249392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom */ 250392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->tlsext_hb_pending) 251392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 252392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->tlsext_hb_pending = 0; 253392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->tlsext_hb_seq++; 254392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 255392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 256392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 257656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (;;) 258656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 259656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project state=s->state; 260656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 261656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project switch (s->state) 262656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 263656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_RENEGOTIATE: 264392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->renegotiate=1; 265656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* s->state=SSL_ST_ACCEPT; */ 266656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 267656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_BEFORE: 268656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_ACCEPT: 269656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_BEFORE|SSL_ST_ACCEPT: 270656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_OK|SSL_ST_ACCEPT: 271656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 272656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->server=1; 
273656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 274656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 275656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->version>>8) != 3) 276656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 277656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 278656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 279656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 280656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->type=SSL_ST_ACCEPT; 281656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 282656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->init_buf == NULL) 283656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 284656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((buf=BUF_MEM_new()) == NULL) 285656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 286656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret= -1; 287656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 288656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 289656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 290656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 291656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret= -1; 292656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 293656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 294656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_buf=buf; 
295656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 296656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 297656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ssl3_setup_buffers(s)) 298656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 299656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret= -1; 300656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 301656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 302656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 303656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 3047b476c43f6a45574eb34697244b592e7b09f05a3Brian Carlstrom s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 305656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 306656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->state != SSL_ST_RENEGOTIATE) 307656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 308656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Ok, we now need to push on a buffering BIO so that 309656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the output is sent in a way that TCP likes :-) 310656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 311656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 312656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 313656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_init_finished_mac(s); 314656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SR_CLNT_HELLO_A; 315656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->ctx->stats.sess_accept++; 
316656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 31798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom else if (!s->s3->send_connection_binding && 31898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 31998d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom { 32098d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom /* Server attempting to renegotiate with 32198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * client that doesn't support secure 32298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * renegotiation. 32398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom */ 32498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 32598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 32698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom ret = -1; 32798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom goto end; 32898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom } 329656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 330656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 331656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* s->state == SSL_ST_RENEGOTIATE, 332656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * we will just send a HelloRequest */ 333656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->ctx->stats.sess_accept_renegotiate++; 334656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_HELLO_REQ_A; 335656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 336656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 337656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
338656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_HELLO_REQ_A: 339656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_HELLO_REQ_B: 340656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 341656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->shutdown=0; 342656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_hello_request(s); 343656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 344656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 345656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_FLUSH; 346656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 347656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 348656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_init_finished_mac(s); 349656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 350656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 351656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_HELLO_REQ_C: 352656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL_ST_OK; 353656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 354656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 355656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CLNT_HELLO_A: 356656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CLNT_HELLO_B: 357656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CLNT_HELLO_C: 358656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
359656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->shutdown=0; 360392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->rwstate != SSL_X509_LOOKUP) 361392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 362392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ret=ssl3_get_client_hello(s); 363392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (ret <= 0) goto end; 364392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 365392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 366392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 367392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom int al; 368392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 369392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 370392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* callback indicates firther work to be done */ 371392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->rwstate=SSL_X509_LOOKUP; 372392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto end; 373392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 374392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (ret != SSL_ERROR_NONE) 375392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 376392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ssl3_send_alert(s,SSL3_AL_FATAL,al); 377392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* This is not really an error but the only means to 378392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom for a client to detect whether srp is supported. 
*/ 379392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 380392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 381392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ret = SSL_TLSEXT_ERR_ALERT_FATAL; 382392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ret= -1; 383392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto end; 384392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 385392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 386392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 38704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 388392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->renegotiate = 2; 389656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_SRVR_HELLO_A; 390656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 391656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 392656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 393656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SRVR_HELLO_A: 394656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SRVR_HELLO_B: 395656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_server_hello(s); 396656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 397656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_TLSEXT 398656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->hit) 399656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 400656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->tlsext_ticket_expected) 401656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
s->state=SSL3_ST_SW_SESSION_TICKET_A; 402656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 403656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CHANGE_A; 404656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 405656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 406656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->hit) 407656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CHANGE_A; 408656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 409656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 410656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CERT_A; 411656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 412656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 413656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 414656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_A: 415656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_B: 416221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check if it is anon DH or anon ECDH, */ 417de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* non-RSA PSK or KRB5 or SRP */ 418c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aKRB5|SSL_aSRP)) 419de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Among PSK ciphersuites only RSA_PSK uses server certificate */ 420de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK && 421c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))) 422656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project { 423656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_server_certificate(s); 424656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 425656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_TLSEXT 426656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->tlsext_status_expected) 427656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CERT_STATUS_A; 428656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 429656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_KEY_EXCH_A; 430656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 431656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 432656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 433656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project skip = 1; 434656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_KEY_EXCH_A; 435656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 436656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 437656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 438656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 439656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project skip=1; 440656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 441656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_KEY_EXCH_A; 442656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 443656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 444656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
break; 445656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 446656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_KEY_EXCH_A: 447656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_KEY_EXCH_B: 448221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 449de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin alg_a = s->s3->tmp.new_cipher->algorithm_auth; 450656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 451656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* clear this, it may get reset by 452656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * send_server_key_exchange */ 453656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->options & SSL_OP_EPHEMERAL_RSA) 454656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_KRB5 455221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom && !(alg_k & SSL_kKRB5) 456656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* OPENSSL_NO_KRB5 */ 457656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ) 458656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 459656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * even when forbidden by protocol specs 460656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (handshake may fail as clients are not required to 461656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * be able to handle this) */ 462656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.use_rsa_tmp=1; 463656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 464656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
s->s3->tmp.use_rsa_tmp=0; 465656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 466656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 467656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* only send if a DH key exchange, fortezza or 468656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * RSA but we have a sign only certificate 469656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 470221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * PSK: may send PSK identity hints 471221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * 472656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * For ECC ciphersuites, we send a serverKeyExchange 473656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * message only if the cipher suite is either 474656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ECDH-anon or ECDHE. In other cases, the 475221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * server certificate contains the server's 476656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * public key for key exchange. 477656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 478656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.use_rsa_tmp 479de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* PSK: send ServerKeyExchange if either: 480de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * - PSK identity hint is provided, or 481de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * - the key exchange is kEECDH. 
482de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin */ 483221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#ifndef OPENSSL_NO_PSK 4843355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin || ((alg_a & SSL_aPSK) && ((alg_k & SSL_kEECDH) || s->session->psk_identity_hint)) 485221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#endif 486392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 487392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* SRP: send ServerKeyExchange */ 488392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom || (alg_k & SSL_kSRP) 489392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 490221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 491221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom || (alg_k & SSL_kEECDH) 492221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom || ((alg_k & SSL_kRSA) 493656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 494656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 495656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 496656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ) 497656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ) 498656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ) 499656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ) 500656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 501656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_server_key_exchange(s); 502656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 
503656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 504656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 505656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project skip=1; 506656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 507656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CERT_REQ_A; 508656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 509656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 510656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 511656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_REQ_A: 512656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_REQ_B: 513656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (/* don't request cert unless asked for it: */ 514656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project !(s->verify_mode & SSL_VERIFY_PEER) || 515656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* if SSL_VERIFY_CLIENT_ONCE is set, 516656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * don't request cert during re-negotiation: */ 517656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ((s->session->peer != NULL) && 518656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 519656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* never request cert in anonymous ciphersuites 520656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (see section "Certificate request" in SSL 3 drafts 521656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * and in RFC 2246): */ 522221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 
((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 523656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* ... except when the application insists on verification 524656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 525656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 526221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* never request cert in Kerberos ciphersuites */ 527c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) || 528c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* don't request certificate for SRP auth */ 529c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP) 530221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* With normal PSK Certificates and 531221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Certificate Requests are omitted */ 532221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 533656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 534656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* no cert request */ 535656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project skip=1; 536656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.cert_request=0; 537656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_SRVR_DONE_A; 538392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->s3->handshake_buffer) 539392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!ssl3_digest_cached_records(s)) 540392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 541656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 
542656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 543656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 544656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.cert_request=1; 545656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_certificate_request(s); 546656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 547656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef NETSCAPE_HANG_BUG 548656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_SRVR_DONE_A; 549656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 550656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_FLUSH; 551656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 552656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 553656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 554656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 555656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 556656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 557656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SRVR_DONE_A: 558656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SRVR_DONE_B: 559656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_server_done(s); 560656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 561656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 562656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
s->state=SSL3_ST_SW_FLUSH; 563656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 564656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 565656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 566656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_FLUSH: 56798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 56898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom /* This code originally checked to see if 56998d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * any data was pending using BIO_CTRL_INFO 57098d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * and then flushed. This caused problems 57198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * as documented in PR#1939. The proposed 57298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * fix doesn't completely resolve this issue 57398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * as buggy implementations of BIO_CTRL_PENDING 57498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * still exist. So instead we just flush 57598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * unconditionally. 
57698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom */ 57798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 57898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom s->rwstate=SSL_WRITING; 57998d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (BIO_flush(s->wbio) <= 0) 580656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 58198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom ret= -1; 58298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom goto end; 583656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 58498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom s->rwstate=SSL_NOTHING; 585656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 586656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=s->s3->tmp.next_state; 587656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 588656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 589656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CERT_A: 590656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CERT_B: 591656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Check for second client hello (MS SGC) */ 592656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = ssl3_check_client_hello(s); 593656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) 594656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 595656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == 2) 596656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state = SSL3_ST_SR_CLNT_HELLO_C; 597656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else { 598656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.cert_request) 
599656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 600656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_get_client_certificate(s); 601656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 602656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 603656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 604656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SR_KEY_EXCH_A; 605656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 606656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 607656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 608656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_KEY_EXCH_A: 609656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_KEY_EXCH_B: 610656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_get_client_key_exchange(s); 611221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (ret <= 0) 612656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 613656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret == 2) 614656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 615656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* For the ECDH ciphersuites when 616656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the client sends its ECDH pub key in 617656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * a certificate, the CertificateVerify 618656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * message is not sent. 
619221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * Also for GOST ciphersuites when 620221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * the client uses its key from the certificate 621221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * for key exchange. 622656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 623656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num = 0; 62445bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->state=SSL3_ST_SR_POST_CLIENT_CERT; 625656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 626392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (TLS1_get_version(s) >= TLS1_2_VERSION) 627392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 628392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->state=SSL3_ST_SR_CERT_VRFY_A; 629392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->init_num=0; 630392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!s->session->peer) 631392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom break; 632392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* For TLS v1.2 freeze the handshake buffer 633392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * at this point and digest cached records. 
634392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom */ 635392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!s->s3->handshake_buffer) 636392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 637392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR); 638392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 639392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 640392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 641392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!ssl3_digest_cached_records(s)) 642392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 643392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 644221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 645656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 646221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int offset=0; 647221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int dgst_num; 648221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 649656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SR_CERT_VRFY_A; 650656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 651656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 652656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We need to get hashes here so if there is 653656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * a client cert, it can be verified 654221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * FIXME - digest processing for CertificateVerify 655221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * should be generalized. 
But it is next step 656221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 657221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->s3->handshake_buffer) 658221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!ssl3_digest_cached_records(s)) 659221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom return -1; 660221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 661221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->s3->handshake_dgst[dgst_num]) 662221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 663221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int dgst_size; 664221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 665221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 666221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 667221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (dgst_size < 0) 668221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 669221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ret = -1; 670221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto end; 671221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 672221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom offset+=dgst_size; 673221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 674656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 675656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 676656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 677656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CERT_VRFY_A: 678656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_CERT_VRFY_B: 
679656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 6809ab523cb95e7ef674e9c41438d9f524063d14234Brian Carlstrom s->s3->flags |= SSL3_FLAGS_CCS_OK; 68177c6be7176c48d2ce4d5979a84876d34204eedafKenny Root /* we should decide if we expected this one */ 682656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_get_cert_verify(s); 683656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 684656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 68545bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->state=SSL3_ST_SR_POST_CLIENT_CERT; 68645bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->init_num=0; 68745bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley break; 68845bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley 68945bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley case SSL3_ST_SR_POST_CLIENT_CERT: { 69045bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley char next_proto_neg = 0; 69145bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley char channel_id = 0; 69245bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#if !defined(OPENSSL_NO_TLSEXT) 69345bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley# if !defined(OPENSSL_NO_NEXTPROTONEG) 69445bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley next_proto_neg = s->s3->next_proto_neg_seen; 69545bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley# endif 69645bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley channel_id = s->s3->tlsext_channel_id_valid; 69745bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#endif 69845bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley 69945bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley if (next_proto_neg) 700bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen s->state=SSL3_ST_SR_NEXT_PROTO_A; 70145bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley else if (channel_id) 70245bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->state=SSL3_ST_SR_CHANNEL_ID_A; 
703bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen else 704bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen s->state=SSL3_ST_SR_FINISHED_A; 705656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 70645bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley } 707656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 708bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 709bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen case SSL3_ST_SR_NEXT_PROTO_A: 710bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen case SSL3_ST_SR_NEXT_PROTO_B: 711bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen ret=ssl3_get_next_proto(s); 712bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen if (ret <= 0) goto end; 713bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen s->init_num = 0; 71445bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley if (s->s3->tlsext_channel_id_valid) 71545bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->state=SSL3_ST_SR_CHANNEL_ID_A; 71645bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley else 71745bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->state=SSL3_ST_SR_FINISHED_A; 71845bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley break; 71945bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#endif 72045bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley 72145bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley#if !defined(OPENSSL_NO_TLSEXT) 72245bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley case SSL3_ST_SR_CHANNEL_ID_A: 72345bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley case SSL3_ST_SR_CHANNEL_ID_B: 72445bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley ret=ssl3_get_channel_id(s); 72545bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley if (ret <= 0) goto end; 72645bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->init_num = 0; 727bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen 
s->state=SSL3_ST_SR_FINISHED_A; 728bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen break; 729bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen#endif 730bf9ac266e34f910ace31880ea92b8deaf6212aa6Kristian Monsen 731656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_FINISHED_A: 732656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SR_FINISHED_B: 73377c6be7176c48d2ce4d5979a84876d34204eedafKenny Root s->s3->flags |= SSL3_FLAGS_CCS_OK; 734656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 735656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_FINISHED_B); 736656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 737221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->hit) 738221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->state=SSL_ST_OK; 739392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_TLSEXT 740392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else if (s->tlsext_ticket_expected) 741392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->state=SSL3_ST_SW_SESSION_TICKET_A; 742656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 743656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 744656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CHANGE_A; 74577c6be7176c48d2ce4d5979a84876d34204eedafKenny Root /* If this is a full handshake with ChannelID then 74677c6be7176c48d2ce4d5979a84876d34204eedafKenny Root * record the hashshake hashes in |s->session| in case 74777c6be7176c48d2ce4d5979a84876d34204eedafKenny Root * we need them to verify a ChannelID signature on a 74877c6be7176c48d2ce4d5979a84876d34204eedafKenny Root * resumption of this session in the future. 
*/ 74977c6be7176c48d2ce4d5979a84876d34204eedafKenny Root if (!s->hit && s->s3->tlsext_channel_id_new) 75077c6be7176c48d2ce4d5979a84876d34204eedafKenny Root { 75177c6be7176c48d2ce4d5979a84876d34204eedafKenny Root ret = tls1_record_handshake_hashes_for_channel_id(s); 75277c6be7176c48d2ce4d5979a84876d34204eedafKenny Root if (ret <= 0) goto end; 75377c6be7176c48d2ce4d5979a84876d34204eedafKenny Root } 754656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 755656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 756656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 757656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_TLSEXT 758656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SESSION_TICKET_A: 759656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_SESSION_TICKET_B: 760656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_newsession_ticket(s); 761656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 762656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_CHANGE_A; 763656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 764656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 765656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 766656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_STATUS_A: 767656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CERT_STATUS_B: 768656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_cert_status(s); 769656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 770656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project s->state=SSL3_ST_SW_KEY_EXCH_A; 771656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 772656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 773656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 774656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 775656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 776656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CHANGE_A: 777656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_CHANGE_B: 778656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 779656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->cipher=s->s3->tmp.new_cipher; 780656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!s->method->ssl3_enc->setup_key_block(s)) 781656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { ret= -1; goto end; } 782656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 783656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_change_cipher_spec(s, 784656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 785656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 786656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 787656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_FINISHED_A; 788656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 789656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 790656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!s->method->ssl3_enc->change_cipher_state(s, 791656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project SSL3_CHANGE_CIPHER_SERVER_WRITE)) 792656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 793656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret= -1; 794656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 795656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 796656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 797656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 798656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 799656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_FINISHED_A: 800656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL3_ST_SW_FINISHED_B: 801656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=ssl3_send_finished(s, 802656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 803656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->method->ssl3_enc->server_finished_label, 804656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->method->ssl3_enc->server_finished_label_len); 805656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ret <= 0) goto end; 806656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SW_FLUSH; 807656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->hit) 80845bcfbcc39acc2213abd00ebcc794dcc40be39f7Adam Langley s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT; 809656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 810656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.next_state=SSL_ST_OK; 811656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 812656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project break; 813656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 814656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project case SSL_ST_OK: 815656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* clean a few things up */ 816656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_cleanup_key_block(s); 817656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 818656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BUF_MEM_free(s->init_buf); 819656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_buf=NULL; 820656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 821656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* remove buffering on output */ 822656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl_free_wbio_buffer(s); 823656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 824656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=0; 825656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 826392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 827656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 828392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom s->renegotiate=0; 829656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->new_session=0; 830656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 831656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 832656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 833656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->ctx->stats.sess_accept_good++; 834656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project /* s->server=1; */ 835656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->handshake_func=ssl3_accept; 836656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 837656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 838656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 839656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 840656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret = 1; 841656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 842656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* break; */ 843656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 844656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project default: 845656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 846656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret= -1; 847656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 848656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* break; */ 849656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 850656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 851656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!s->s3->tmp.reuse_message && !skip) 852656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 853656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->debug) 854656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 855656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ret=BIO_flush(s->wbio)) <= 0) 856656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto 
end; 857656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 858656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 859656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 860656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((cb != NULL) && (s->state != state)) 861656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 862656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project new_state=s->state; 863656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=state; 864656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb(s,SSL_CB_ACCEPT_LOOP,1); 865656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=new_state; 866656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 867656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 868656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project skip=0; 869656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 870656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectend: 871656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* BIO_flush(s->wbio); */ 872656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 873656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->in_handshake--; 874656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (cb != NULL) 875656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cb(s,SSL_CB_ACCEPT_EXIT,ret); 876656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(ret); 877656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 878656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 879656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint 
ssl3_send_hello_request(SSL *s)
	{
	/*
	 * Send a HelloRequest handshake message to the peer.
	 *
	 * When entered in SSL3_ST_SW_HELLO_REQ_A, the four header bytes
	 * (message type SSL3_MT_HELLO_REQUEST followed by three zero bytes,
	 * i.e. an empty body) are written at the start of s->init_buf, the
	 * pending write is set to 4 bytes from offset 0, and the state moves
	 * to SSL3_ST_SW_HELLO_REQ_B.  In every case the function finishes by
	 * calling ssl3_do_write() and returns whatever that call returns.
	 *
	 * NOTE(review): nothing here checks that s->init_buf is allocated or
	 * holds at least 4 bytes; that is assumed to be the caller's job --
	 * confirm against the state machine that sets up init_buf.
	 */
	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
		{
		unsigned char *hdr = (unsigned char *)s->init_buf->data;

		hdr[0] = SSL3_MT_HELLO_REQUEST;
		hdr[1] = 0;
		hdr[2] = 0;
		hdr[3] = 0;

		/* four header bytes are queued, starting at offset 0 */
		s->init_num = 4;
		s->init_off = 0;
		s->state = SSL3_ST_SW_HELLO_REQ_B;
		}

	/* SSL3_ST_SW_HELLO_REQ_B: push out whatever is still queued */
	return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
	}

/*
 * Look at the next handshake message at the point where the server expects
 * a client Certificate, and detect a client that is restarting the
 * handshake with a fresh ClientHello instead.
 *
 * Returns:
 *   (int)n  when ssl_get_message() reports failure through its ok flag
 *           (n is that call's return value),
 *   -1      when a ClientHello arrives but a restart was already accepted
 *           once in this negotiation (SSL_R_MULTIPLE_SGC_RESTARTS),
 *    2      when a ClientHello arrives and the restart is accepted,
 *    1      for any other message type.
 *
 * The message is read with the certificate-sized limit s->max_cert_list
 * because a Certificate message is what is really expected here, and
 * reuse_message is set so the message stays available to the next reader.
 *
 * Security note: SSL3_FLAGS_SGC_RESTART_DONE caps restarts at one per
 * negotiation, so a peer cannot make the server throw away and rebuild
 * handshake state over and over.
 */
int ssl3_check_client_hello(SSL *s)
	{
	int msg_ok;
	long msg_len;

	/* -1 as the expected type: any handshake message type is accepted
	 * here and inspected below -- presumably the usual "don't care"
	 * value of ssl_get_message(); confirm against its implementation. */
	msg_len = s->method->ssl_get_message(s,
		SSL3_ST_SR_CERT_A,
		SSL3_ST_SR_CERT_B,
		-1,
		s->max_cert_list,
		&msg_ok);
	if (!msg_ok)
		return (int)msg_len;

	s->s3->tmp.reuse_message = 1;

	/* Anything other than a ClientHello is left for the normal flow. */
	if (s->s3->tmp.message_type != SSL3_MT_CLIENT_HELLO)
		return 1;

	/* A second restart within the same negotiation is refused. */
	if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
		{
		SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
		return -1;
		}

	/* The current handshake is being aborted: drop the ephemeral key
	 * state built so far (a full SSL_clear would be too much).  Each
	 * pointer is reset after the free so no stale reference is left
	 * behind for the restarted handshake. */
#ifndef OPENSSL_NO_DH
	if (s->s3->tmp.dh != NULL)
		{
		DH_free(s->s3->tmp.dh);
		s->s3->tmp.dh = NULL;
		}
#endif
#ifndef OPENSSL_NO_ECDH
	if (s->s3->tmp.ecdh != NULL)
		{
		EC_KEY_free(s->s3->tmp.ecdh);
		s->s3->tmp.ecdh = NULL;
		}
#endif
	s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
	return 2;
	}

int ssl3_get_client_hello(SSL *s)
	{
	int i,j,ok,al,ret= -1;
	unsigned int cookie_len;
	long n;
	unsigned long id;
	unsigned char *p,*d,*q;
	SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
	SSL_COMP *comp=NULL;
#endif
	STACK_OF(SSL_CIPHER) *ciphers=NULL;

	/* We do this so that we will respond with our native type.
961656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 962656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * This down switching should be handled by a different method. 963656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If we are SSLv3, we will respond with SSLv3, even if prompted with 964656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * TLSv1. 965656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 966392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->state == SSL3_ST_SR_CLNT_HELLO_A 967392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom ) 968656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 969656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state=SSL3_ST_SR_CLNT_HELLO_B; 970656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 971656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->first_packet=1; 972656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=s->method->ssl_get_message(s, 973656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_CLNT_HELLO_B, 974656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_CLNT_HELLO_C, 975656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_MT_CLIENT_HELLO, 976656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_RT_MAX_PLAIN_LENGTH, 977656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &ok); 978656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 979656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) return((int)n); 980656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->first_packet=0; 
981656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project d=p=(unsigned char *)s->init_msg; 982656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 983656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* use version from inside client hello, not from record header 984656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (may differ: see RFC 2246, Appendix E, second paragraph) */ 985656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->client_version=(((int)p[0])<<8)|(int)p[1]; 986656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=2; 987656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 988656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 989656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (s->version != DTLS1_VERSION && s->client_version < s->version)) 990656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 991656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 992ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 993ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root !s->enc_write_ctx && !s->write_hash) 994656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 995656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* similar to ssl3_get_record, send alert using remote version number */ 996656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->version = s->client_version; 997656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 998656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al = SSL_AD_PROTOCOL_VERSION; 999656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project goto f_err; 1000656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1001656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 100298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom /* If we require cookies and this ClientHello doesn't 100398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * contain one, just return since we do not want to 100498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom * allocate any memory yet. So check cookie length... 100598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom */ 100698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 100798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom { 100898d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom unsigned int session_length, cookie_length; 100998d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 101098d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom session_length = *(p + SSL3_RANDOM_SIZE); 101198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 101298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 101398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (cookie_length == 0) 101498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom return 1; 101598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom } 101698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 1017656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* load the client random */ 1018656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 1019656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=SSL3_RANDOM_SIZE; 1020656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1021656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* get the session-id */ 
1022656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j= *(p++); 1023656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1024656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->hit=0; 1025392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 1026392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 0.9.7 and later allow this by default, but optionally ignore resumption requests 1027392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 1028392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * than a change to default behavior so that applications relying on this for security 1029392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * won't even compile against older library versions). 1030392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 1031392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request 1032392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * renegotiation but not a new session (s->new_session remains unset): for servers, 1033392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1034392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * setting will be ignored. 
1035656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1036656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 1037656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1038fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom if (!s->session_creation_enabled) 1039fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom { 1040fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1041fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 1042fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom goto err; 1043fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom } 1044656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ssl_get_new_session(s,1)) 1045656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1046656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1047656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1048656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1049656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=ssl_get_prev_session(s, p, j, d + n); 1050656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 1) 1051656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { /* previous session */ 1052656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->hit=1; 1053656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1054656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else if (i == -1) 1055656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1056656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
Source Project else /* i == 0 */ 1057656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1058fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom if (!s->session_creation_enabled) 1059fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom { 1060fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1061fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 1062fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom goto err; 1063fd113c07c3c2a6b07f8ab69dfae7d104e769f469Brian Carlstrom } 1064656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ssl_get_new_session(s,1)) 1065656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1066656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1067656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1068656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1069656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=j; 1070656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 107198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1072656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1073656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* cookie stuff */ 1074656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cookie_len = *(p++); 1075656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1076656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* 1077656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * The ClientHello may contain a cookie even if the 1078656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * HelloVerify 
message has not been sent--make sure that it 1079656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * does not cause an overflow. 1080656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1081656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1082656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1083656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* too much data */ 1084656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al = SSL_AD_DECODE_ERROR; 1085656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1086656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1087656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1088656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1089656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* verify the cookie if appropriate option is set. 
*/ 109098d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1091656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cookie_len > 0) 1092656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1093656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(s->d1->rcvd_cookie, p, cookie_len); 1094656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1095656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ( s->ctx->app_verify_cookie_cb != NULL) 1096656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1097656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1098656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cookie_len) == 0) 1099656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1100656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1101656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1102656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_COOKIE_MISMATCH); 1103656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1104656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1105656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* else cookie verification succeeded */ 1106656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1107656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 1108656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->d1->cookie_len) != 0) /* default verification */ 1109656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 
1110656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1111656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1112656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_COOKIE_MISMATCH); 1113656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1114656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 111598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 111698d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom ret = 2; 1117656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1118656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1119656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += cookie_len; 1120656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1121656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1122656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 1123656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((i == 0) && (j != 0)) 1124656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1125656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we need a cipher if we are not resuming a session */ 1126656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_ILLEGAL_PARAMETER; 1127656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1128656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1129656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1130656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((p+i) >= (d+n)) 1131656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 
1132656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* not enough data */ 1133656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECODE_ERROR; 1134656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1135656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1136656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1137656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1138656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project == NULL)) 1139656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1140656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1141656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1142656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=i; 1143656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1144656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* If it is a hit, check that the cipher is in the list */ 1145656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->hit) && (i > 0)) 1146656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1147656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=0; 1148656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project id=s->session->cipher->id; 1149656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1150656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef CIPHER_DEBUG 1151656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project printf("client sent %d ciphers\n",sk_num(ciphers)); 1152656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 
1153656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1154656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1155656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project c=sk_SSL_CIPHER_value(ciphers,i); 1156656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef CIPHER_DEBUG 1157656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project printf("client [%2d of %2d]:%s\n", 1158656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1159656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1160656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (c->id == id) 1161656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1162656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=1; 1163656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 1164656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1165656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1166976a034585c7e8ff9dda5ebe032f399b78887f70Brian Carlstrom/* Disabled because it can be used in a ciphersuite downgrade 1167976a034585c7e8ff9dda5ebe032f399b78887f70Brian Carlstrom * attack: CVE-2010-4180. 
1168976a034585c7e8ff9dda5ebe032f399b78887f70Brian Carlstrom */ 1169976a034585c7e8ff9dda5ebe032f399b78887f70Brian Carlstrom#if 0 1170e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1171656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1172e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu /* Special case as client bug workaround: the previously used cipher may 1173e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu * not be in the current list, the client instead might be trying to 1174e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu * continue using a cipher that before wasn't chosen due to server 1175e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu * preferences. We'll have to reject the connection if the cipher is not 1176e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu * enabled, though. */ 1177e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu c = sk_SSL_CIPHER_value(ciphers, 0); 1178e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1179656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1180e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu s->session->cipher = c; 1181e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu j = 1; 1182656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1183656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1184976a034585c7e8ff9dda5ebe032f399b78887f70Brian Carlstrom#endif 1185e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu if (j == 0) 1186e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu { 1187e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu /* we need to have the cipher in the cipher 1188e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu * list if we are asked to reuse it */ 
1189e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu al=SSL_AD_ILLEGAL_PARAMETER; 1190e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1191e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu goto f_err; 1192e45f106cb6b47af1f21efe76e933bdea2f5dd1caNagendra Modadugu } 1193656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1194656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1195656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* compression */ 1196656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i= *(p++); 1197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((p+i) > (d+n)) 1198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* not enough data */ 1200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECODE_ERROR; 1201656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1202656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project q=p; 1205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (j=0; j<i; j++) 1206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (p[j] == 0) break; 1208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=i; 
1211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (j >= i) 1212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* no compress */ 1214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECODE_ERROR; 1215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_TLSEXT 1220656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* TLS extensions*/ 122198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (s->version >= SSL3_VERSION) 1222656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1223656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 1224656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* 'al' set by ssl_parse_clienthello_tlsext */ 1226656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1227656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1228656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1229656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 123004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1231656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source 
Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1232656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1233656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1234221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1235221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check if we want to use external pre-shared secret for this 1236221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * handshake for not reused session only. We need to generate 1237221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * server_random before calling tls_session_secret_cb in order to allow 1238221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * SessionTicket processing to use it in key derivation. */ 1239221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1240221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned char *pos; 1241221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom pos=s->s3->server_random; 1242ff41a4bc41ae1e1391f9b05117623ff70b985983Kenny Root if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1243221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1244221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 1245221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1246221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1247221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1248221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1249221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1250221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1251221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSL_CIPHER *pref_cipher=NULL; 1252221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1253221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 
s->session->master_key_length=sizeof(s->session->master_key); 1254221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1255221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1256221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1257221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->hit=1; 1258221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->session->ciphers=ciphers; 1259221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->session->verify_result=X509_V_OK; 1260221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1261221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ciphers=NULL; 1262221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1263221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* check if some cipher was preferred by call back */ 1264221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom pref_cipher=pref_cipher ? 
pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1265221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (pref_cipher == NULL) 1266221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1267221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_HANDSHAKE_FAILURE; 1268221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1269221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1270221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1271221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1272221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->session->cipher=pref_cipher; 1273221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1274221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->cipher_list) 1275221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom sk_SSL_CIPHER_free(s->cipher_list); 1276221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1277221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->cipher_list_by_id) 1278221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom sk_SSL_CIPHER_free(s->cipher_list_by_id); 1279221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1280221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1281221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1282221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1283221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1284656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1285221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1286656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Worst case, we will use the NULL compression, but if we have other 1287656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 
options, we will now look for them. We have i-1 compression 1288656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * algorithms from the client, starting at q. */ 1289656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_compression=NULL; 1290656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_COMP 1291221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* This only happens if we have a cache hit */ 1292221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->session->compress_meth != 0) 1293221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1294221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int m, comp_id = s->session->compress_meth; 1295221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Perform sanity checks on resumed compression algorithm */ 1296221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Can't disable compression */ 1297221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->options & SSL_OP_NO_COMPRESSION) 1298221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1299221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 1300221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1301221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1302221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1303221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Look for resumed compression method */ 1304221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1305221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1306221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1307221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (comp_id == comp->id) 
1308221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1309221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->s3->tmp.new_compression=comp; 1310221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom break; 1311221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1312221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1313221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->s3->tmp.new_compression == NULL) 1314221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1315221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 1316221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1317221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1318221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1319221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Look for resumed method in compression list */ 1320221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (m = 0; m < i; m++) 1321221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1322221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (q[m] == comp_id) 1323221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom break; 1324221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1325221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (m >= i) 1326221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 1327221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_ILLEGAL_PARAMETER; 1328221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); 1329221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1330221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1331221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 1332221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (s->hit) 
1333221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom comp = NULL; 1334221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1335656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { /* See if we have a match */ 1336656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int m,nn,o,v,done=0; 1337656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1338656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1339656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (m=0; m<nn; m++) 1340656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1341656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1342656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project v=comp->id; 1343656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (o=0; o<i; o++) 1344656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1345656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (v == q[o]) 1346656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1347656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project done=1; 1348656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project break; 1349656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1350656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1351656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (done) break; 1352656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1353656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (done) 1354656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
s->s3->tmp.new_compression=comp; 1355656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1356656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project comp=NULL; 1357656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1358221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#else 1359221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If compression is disabled we'd better not try to resume a session 1360221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * using compression. 1361221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 1362221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->session->compress_meth != 0) 1363656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1364221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 1365221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1366221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 1367656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1368656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1369656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1370656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Given s->session->ciphers and SSL_get_ciphers, we must 1371656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * pick a cipher */ 1372656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1373656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!s->hit) 1374656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1375656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef OPENSSL_NO_COMP 1376656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->compress_meth=0; 
1377656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#else 1378656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->compress_meth=(comp == NULL)?0:comp->id; 1379656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1380656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->session->ciphers != NULL) 1381656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project sk_SSL_CIPHER_free(s->session->ciphers); 1382656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->ciphers=ciphers; 1383656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ciphers == NULL) 1384656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1385656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_ILLEGAL_PARAMETER; 1386656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 1387656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1388656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1389656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ciphers=NULL; 1390656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project c=ssl3_choose_cipher(s,s->session->ciphers, 1391656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_get_ciphers(s)); 1392656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1393656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (c == NULL) 1394656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1395656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1396656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 
1397656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1398656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1399656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_cipher=c; 1400656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1401656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1402656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1403656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Session-id reuse */ 1404656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef REUSE_CIPHER_BUG 1405656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project STACK_OF(SSL_CIPHER) *sk; 1406656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_CIPHER *nc=NULL; 1407656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_CIPHER *ec=NULL; 1408656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1409656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1410656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1411656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project sk=s->session->ciphers; 1412656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1413656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1414656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project c=sk_SSL_CIPHER_value(sk,i); 1415221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (c->algorithm_enc & SSL_eNULL) 1416656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project nc=c; 1417656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (SSL_C_IS_EXPORT(c)) 
1418656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ec=c; 1419656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1420656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (nc != NULL) 1421656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_cipher=nc; 1422656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else if (ec != NULL) 1423656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_cipher=ec; 1424656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1425656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_cipher=s->session->cipher; 1426656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1427656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1428656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1429656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.new_cipher=s->session->cipher; 1430656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1431221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1432392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1433392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 1434392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!ssl3_digest_cached_records(s)) 1435eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom { 1436eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom al = SSL_AD_INTERNAL_ERROR; 1437392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 1438eeffacea337ec6a275e4c496acd12ca67a244533Brian Carlstrom } 1439392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 1440656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
1441656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we now have the following setup. 1442656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * client_random 1443656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * cipher_list - our prefered list of ciphers 1444656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ciphers - the clients prefered list of ciphers 1445656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * compression - basically ignored right now 1446656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ssl version is set - sslv3 1447656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * s->session - The ssl session has been setup. 1448656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * s->hit - session reuse flag 1449656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * s->tmp.new_cipher - the new cipher to use. 
1450656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1451656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 145204ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom /* Handles TLS extensions that we couldn't check earlier */ 145304ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (s->version >= SSL3_VERSION) 145404ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 145504ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom if (ssl_check_clienthello_tlsext_late(s) <= 0) 145604ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom { 145704ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 145804ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom goto err; 145904ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 146004ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom } 146104ef91b390dfcc6125913e2f2af502d23d7a5112Brian Carlstrom 146298d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (ret < 0) ret=1; 1463656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (0) 1464656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1465656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectf_err: 1466656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_send_alert(s,SSL3_AL_FATAL,al); 1467656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1468656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projecterr: 1469656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1470656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(ret); 1471656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1472656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1473656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
/* Build (once) and send the ServerHello handshake message.
 *
 * In state SSL3_ST_SW_SRVR_HELLO_A the message is serialized into
 * s->init_buf->data: a 4-byte header (message type plus the length written
 * by l2n3), the two version bytes, SSL3_RANDOM_SIZE bytes of server random,
 * a length-prefixed session ID, the selected cipher, one compression-method
 * byte and, unless OPENSSL_NO_TLSEXT is defined, the extension block.
 * The state is then set to SSL3_ST_SW_SRVR_HELLO_B, so a call that finds
 * any other state skips the build and goes straight to ssl3_do_write().
 *
 * Returns -1 on the failures handled below, otherwise the result of
 * ssl3_do_write().
 *
 * NOTE(review): apart from the limit handed to ssl_add_serverhello_tlsext(),
 * nothing here checks the write pointer against the capacity of init_buf;
 * this assumes the buffer was sized to at least SSL3_RT_MAX_PLAIN_LENGTH
 * before this function runs -- confirm at the allocation site.
 */
int ssl3_send_server_hello(SSL *s)
	{
	unsigned char *buf;
	unsigned char *p,*d;
	int i,sl;
	unsigned long l;

	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
		{
		/* We only accept ChannelIDs on connections with ECDHE in order
		 * to avoid a known attack while we fix ChannelID itself. */
		/* The flag is only cleared: no alert or error is raised here
		 * and the handshake continues.
		 * NOTE(review): s->s3 is NULL-checked in this condition only;
		 * the next condition and the rest of the function dereference
		 * it unconditionally, so it is presumably never NULL in this
		 * state -- confirm. */
		if (s->s3 &&
		    s->s3->tlsext_channel_id_valid &&
		    (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0)
			s->s3->tlsext_channel_id_valid = 0;

		/* If this is a resumption and the original handshake didn't
		 * support ChannelID then we didn't record the original
		 * handshake hashes in the session and so cannot resume with
		 * ChannelIDs. */
		if (s->hit &&
		    s->s3->tlsext_channel_id_new &&
		    s->session->original_handshake_hash_len == 0)
			s->s3->tlsext_channel_id_valid = 0;

		buf=(unsigned char *)s->init_buf->data;
#ifdef OPENSSL_NO_TLSEXT
		/* Only builds without TLS extensions generate the server
		 * random here (p is a temporary alias and is reassigned just
		 * below). A failure aborts the message instead of sending an
		 * unfilled random. In other builds server_random must already
		 * be filled before this call -- presumably while the
		 * ClientHello is processed; verify against that code. */
		p=s->s3->server_random;
		if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
			return -1;
#endif
		/* Do the message type and length last */
		/* d remembers where the body starts so its length can be
		 * computed once everything has been written. */
		d=p= &(buf[4]);

		/* protocol version, high byte first */
		*(p++)=s->version>>8;
		*(p++)=s->version&0xff;

		/* Random stuff */
		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
		p+=SSL3_RANDOM_SIZE;

		/* There are several cases for the session ID to send
		 * back in the server hello:
		 * - For session reuse from the session cache,
		 *   we send back the old session ID.
		 * - If stateless session reuse (using a session ticket)
		 *   is successful, we send back the client's "session ID"
		 *   (which doesn't actually identify the session).
		 * - If it is a new session, we send back the new
		 *   session ID.
		 * - However, if we want the new session to be single-use,
		 *   we send back a 0-length session ID.
		 * s->hit is non-zero in either case of session reuse,
		 * so the following won't overwrite an ID that we're supposed
		 * to send back.
		 */
		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
			&& !s->hit)
			s->session->session_id_length=0;

		/* sl is used both as the one-byte length prefix and as the
		 * memcpy size, so it is bounded by the size of the session_id
		 * array before either use. Only the upper bound is checked;
		 * assumes session_id_length cannot convert to a negative int
		 * -- TODO confirm the field type. */
		sl=s->session->session_id_length;
		if (sl > (int)sizeof(s->session->session_id))
			{
			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
			return -1;
			}
		*(p++)=sl;
		memcpy(p,s->session->session_id,sl);
		p+=sl;

		/* put the cipher */
		/* the return value is used as the number of bytes written */
		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
		p+=i;

		/* put the compression method */
		/* 0 is written when compression is compiled out or when no
		 * method was negotiated */
#ifdef OPENSSL_NO_COMP
		*(p++)=0;
#else
		if (s->s3->tmp.new_compression == NULL)
			*(p++)=0;
		else
			*(p++)=s->s3->tmp.new_compression->id;
#endif
#ifndef OPENSSL_NO_TLSEXT
		if (ssl_prepare_serverhello_tlsext(s) <= 0)
			{
			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
			return -1;
			}
		/* The helper returns the advanced write pointer, or NULL on
		 * failure. Its third argument is presumably the limit the
		 * extension block must not cross -- confirm in the helper. */
		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
			{
			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
			return -1;
			}
#endif
		/* do the header */
		/* l is the body length, i.e. everything written after the
		 * 4-byte header; d is rewound to the start of the buffer to
		 * fill the header in. */
		l=(p-d);
		d=buf;
		*(d++)=SSL3_MT_SERVER_HELLO;
		l2n3(l,d);

		s->state=SSL3_ST_SW_SRVR_HELLO_B;
		/* number of bytes to write */
		/* header plus body */
		s->init_num=p-buf;
		s->init_off=0;
		}

	/* SSL3_ST_SW_SRVR_HELLO_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
	}

/* Build (once) and send the ServerHelloDone handshake message.
 *
 * The message has no body. In state SSL3_ST_SW_SRVR_DONE_A only the 4-byte
 * header is written to s->init_buf->data -- the message type followed by
 * three zero bytes, the same header layout ssl3_send_server_hello() fills
 * in, here with a zero length -- and the state is set to
 * SSL3_ST_SW_SRVR_DONE_B. A call that finds any other state skips the build.
 *
 * Returns the result of ssl3_do_write().
 */
int ssl3_send_server_done(SSL *s)
	{
	unsigned char *p;

	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
		{
		p=(unsigned char *)s->init_buf->data;

		/* do the header */
		*(p++)=SSL3_MT_SERVER_DONE;
		*(p++)=0;
		*(p++)=0;
		*(p++)=0;

		s->state=SSL3_ST_SW_SRVR_DONE_B;
		/* number of bytes to write */
		s->init_num=4;
		s->init_off=0;
		}

	/* SSL3_ST_SW_SRVR_DONE_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
	}

int ssl3_send_server_key_exchange(SSL *s)
	{
#ifndef OPENSSL_NO_RSA
	unsigned char *q;
	int j,num;
1613656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSA *rsa; 1614656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1615656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned int u; 1616656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1617656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_DH 1618656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project DH *dh=NULL,*dhp; 1619656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1620656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 1621656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY *ecdh=NULL, *ecdhp; 1622656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *encodedPoint = NULL; 1623656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int encodedlen = 0; 1624656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int curve_id = 0; 1625656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX *bn_ctx = NULL; 1626656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 16273355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin#ifndef OPENSSL_NO_PSK 16283355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin const char* psk_identity_hint; 16293355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin size_t psk_identity_hint_len; 16303355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin#endif 1631656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *pkey; 1632392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const EVP_MD *md = NULL; 1633656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *p,*d; 1634656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project int al,i; 1635de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned long alg_k; 1636de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned long alg_a; 1637656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int n; 1638656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project CERT *cert; 1639656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BIGNUM *r[4]; 1640656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int nr[4],kn; 1641656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BUF_MEM *buf; 1642656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_MD_CTX md_ctx; 1643656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1644656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_MD_CTX_init(&md_ctx); 1645656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1646656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1647de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1648de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1649656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cert=s->cert; 1650656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1651656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project buf=s->init_buf; 1652656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1653656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[0]=r[1]=r[2]=r[3]=NULL; 1654656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=0; 1655de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#ifndef OPENSSL_NO_PSK 1656de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_a & SSL_aPSK) 
1657de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 1658de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* size for PSK identity hint */ 16593355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin psk_identity_hint = s->session->psk_identity_hint; 16603355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin if (psk_identity_hint) 16613355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin psk_identity_hint_len = strlen(psk_identity_hint); 16623355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin else 16633355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin psk_identity_hint_len = 0; 16643355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin n+=2+psk_identity_hint_len; 1665de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 1666de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* !OPENSSL_NO_PSK */ 1667656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RSA 1668de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_k & SSL_kRSA) 1669656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1670656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa=cert->rsa_tmp; 1671656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1672656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1673656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa=s->cert->rsa_tmp_cb(s, 1674656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1675656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1676656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(rsa == NULL) 1677656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1678656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 
1679656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1680656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1681656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1682656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSA_up_ref(rsa); 1683656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project cert->rsa_tmp=rsa; 1684656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1685656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa == NULL) 1686656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1687656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1688656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1689656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1690656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1691656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[0]=rsa->n; 1692656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[1]=rsa->e; 1693656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.use_rsa_tmp=1; 1694656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1695656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1696656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_DH 1697de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kEDH) 1698656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1699656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dhp=cert->dh_tmp; 
1700656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1701656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dhp=s->cert->dh_tmp_cb(s, 1702656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1703656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1704656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (dhp == NULL) 1705656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1706656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1707656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1708656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1709656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1710656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1711656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.dh != NULL) 1712656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1713656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1714656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1715656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1716656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1717656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((dh=DHparams_dup(dhp)) == NULL) 1718656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1719656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1720656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1721656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1722656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1723656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.dh=dh; 1724656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((dhp->pub_key == NULL || 1725656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dhp->priv_key == NULL || 1726656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (s->options & SSL_OP_SINGLE_DH_USE))) 1727656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1728656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!DH_generate_key(dh)) 1729656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1730656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1731656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_DH_LIB); 1732656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1733656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1734656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1735656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1736656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1737656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dh->pub_key=BN_dup(dhp->pub_key); 1738656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dh->priv_key=BN_dup(dhp->priv_key); 1739656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((dh->pub_key == NULL) || 1740656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (dh->priv_key 
== NULL)) 1741656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1742656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1743656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1744656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1745656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1746656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[0]=dh->p; 1747656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[1]=dh->g; 1748656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[2]=dh->pub_key; 1749656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1750656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 1751656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 1752de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kEECDH) 1753656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1754656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project const EC_GROUP *group; 1755656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1756656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ecdhp=cert->ecdh_tmp; 1757656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1758656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1759656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ecdhp=s->cert->ecdh_tmp_cb(s, 1760656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1761656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 
1762656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1763656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ecdhp == NULL) 1764656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1765656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1766656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1767656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1768656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1769656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1770656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.ecdh != NULL) 1771656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1772656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1773656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1774656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1775656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1776656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Duplicate the ECDH structure. 
*/ 1777656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (ecdhp == NULL) 1778656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1779656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1780656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1781656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1782ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1783656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1784656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1785656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1786656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1787656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1788656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.ecdh=ecdh; 1789656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1790656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (EC_KEY_get0_private_key(ecdh) == NULL) || 1791656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (s->options & SSL_OP_SINGLE_ECDH_USE)) 1792656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1793656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(!EC_KEY_generate_key(ecdh)) 1794656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1795656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1796656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 
1797656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1798656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1799656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1800656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1801656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (EC_KEY_get0_public_key(ecdh) == NULL) || 1802656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (EC_KEY_get0_private_key(ecdh) == NULL)) 1803656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1804656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1805656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1806656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1807656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1808656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1809656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (EC_GROUP_get_degree(group) > 163)) 1810656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1811656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1812656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1813656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1814656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1815656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* XXX: For now, we only support ephemeral ECDH 1816656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * keys over named (not generic) curves. 
For 1817656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * supported named curves, curve_id is non-zero. 1818656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1819656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((curve_id = 1820221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1821656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project == 0) 1822656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1823656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1824656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1825656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1826656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1827656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Encode the public key. 1828656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * First check the size of encoding and 1829656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * allocate memory accordingly. 
1830656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1831656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project encodedlen = EC_POINT_point2oct(group, 1832656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY_get0_public_key(ecdh), 1833656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project POINT_CONVERSION_UNCOMPRESSED, 1834656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project NULL, 0, NULL); 1835656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1836656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project encodedPoint = (unsigned char *) 1837656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1838656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project bn_ctx = BN_CTX_new(); 1839656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1840656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1841656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1842656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1843656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1844656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1845656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1846656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project encodedlen = EC_POINT_point2oct(group, 1847656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY_get0_public_key(ecdh), 1848656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project POINT_CONVERSION_UNCOMPRESSED, 1849656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project encodedPoint, encodedlen, 
bn_ctx); 1850656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1851656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (encodedlen == 0) 1852656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1853656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1854656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1855656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1856656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1857656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_free(bn_ctx); bn_ctx=NULL; 1858656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1859656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* XXX: For now, we only support named (not 1860656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * generic) curves in ECDH ephemeral key exchanges. 1861656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * In this situation, we need four additional bytes 1862656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * to encode the entire ServerECDHParams 1863656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * structure. 
1864656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1865de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin n += 4 + encodedlen; 1866656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1867656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* We'll generate the serverKeyExchange message 1868656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * explicitly so we can set these to NULLs 1869656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1870656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[0]=NULL; 1871656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[1]=NULL; 1872656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[2]=NULL; 1873656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project r[3]=NULL; 1874656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1875656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* !OPENSSL_NO_ECDH */ 1876392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 1877de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kSRP) 1878392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 1879392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((s->srp_ctx.N == NULL) || 1880392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom (s->srp_ctx.g == NULL) || 1881392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom (s->srp_ctx.s == NULL) || 1882392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom (s->srp_ctx.B == NULL)) 1883392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 1884392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM); 1885392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto err; 1886392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 
1887392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom r[0]=s->srp_ctx.N; 1888392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom r[1]=s->srp_ctx.g; 1889392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom r[2]=s->srp_ctx.s; 1890392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom r[3]=s->srp_ctx.B; 1891392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 1892392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 1893de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (!(alg_k & SSL_kPSK)) 1894656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1895656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 1896656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1897656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1898656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 18997f7ea2d72f2e316ba518e82f06513e3477840c15Kenny Root for (i=0; i < 4 && r[i] != NULL; i++) 1900656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1901656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project nr[i]=BN_num_bytes(r[i]); 1902392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 1903de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if ((i == 2) && (alg_k & SSL_kSRP)) 1904392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom n+=1+nr[i]; 1905392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else 1906392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 1907656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n+=2+nr[i]; 1908656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1909656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1910c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root if (!(alg_a & 
(SSL_aNULL|SSL_aSRP)) 1911de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Among PSK ciphersuites only RSA uses a certificate */ 1912de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin && !((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA))) 1913656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1914392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1915656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project == NULL) 1916656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1917656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECODE_ERROR; 1918656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 1919656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1920656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project kn=EVP_PKEY_size(pkey); 1921656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1922656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 1923656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1924656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pkey=NULL; 1925656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project kn=0; 1926656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1927656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1928656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1929656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1930656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1931656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 1932656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
Source Project } 1933656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project d=(unsigned char *)s->init_buf->data; 1934656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p= &(d[4]); 1935656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 19367f7ea2d72f2e316ba518e82f06513e3477840c15Kenny Root for (i=0; i < 4 && r[i] != NULL; i++) 1937656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1938392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 1939de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if ((i == 2) && (alg_k & SSL_kSRP)) 1940392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 1941392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom *p = nr[i]; 1942392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom p++; 1943392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 1944392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else 1945392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 1946656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s2n(nr[i],p); 1947656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_bn2bin(r[i],p); 1948656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=nr[i]; 1949656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1950656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 1951de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin/* Note: ECDHE PSK ciphersuites use SSL_kEECDH and SSL_aPSK. 1952de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * When one of them is used, the server key exchange record needs to have both 1953de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * the psk_identity_hint and the ServerECDHParams. 
*/ 1954de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#ifndef OPENSSL_NO_PSK 1955de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_a & SSL_aPSK) 1956de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 19573355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin /* copy PSK identity hint (if provided) */ 19583355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin s2n(psk_identity_hint_len, p); 19593355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin if (psk_identity_hint_len > 0) 1960de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 19613355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin memcpy(p, psk_identity_hint, psk_identity_hint_len); 19623355e0f024c4cd610fbb32fdf148a6f376e9e74eAlex Klyubin p+=psk_identity_hint_len; 1963de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 1964de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 1965de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_PSK */ 1966de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 1967656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 1968de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_k & SSL_kEECDH) 1969656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1970656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* XXX: For now, we only support named (not generic) curves. 
1971656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * In this situation, the serverKeyExchange message has: 1972656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [1 byte CurveType], [2 byte CurveName] 1973656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * [1 byte length of encoded point], followed by 1974656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the actual encoded point itself 1975656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 1976656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *p = NAMED_CURVE_TYPE; 1977656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 1; 1978656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *p = 0; 1979656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 1; 1980656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *p = curve_id; 1981656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 1; 1982656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *p = encodedlen; 1983656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 1; 1984656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy((unsigned char*)p, 1985656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (unsigned char *)encodedPoint, 1986656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project encodedlen); 1987656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_free(encodedPoint); 1988ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom encodedPoint = NULL; 1989656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += encodedlen; 1990656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 1991de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* 
OPENSSL_NO_ECDH */ 1992221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 1993656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* not anonymous */ 1994656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pkey != NULL) 1995656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 1996656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* n is the length of the params, they start at &(d[4]) 1997656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * and p points to the space at the end. */ 1998656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RSA 1999392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (pkey->type == EVP_PKEY_RSA 2000392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom && TLS1_get_version(s) < TLS1_2_VERSION) 2001656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2002656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project q=md_buf; 2003656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=0; 2004656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project for (num=2; num > 0; num--) 2005656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2006392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_MD_CTX_set_flags(&md_ctx, 2007392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 2008656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_DigestInit_ex(&md_ctx,(num == 2) 2009656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ?s->ctx->md5:s->ctx->sha1, NULL); 2010656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 2011656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 2012656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_DigestUpdate(&md_ctx,&(d[4]),n); 2013656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_DigestFinal_ex(&md_ctx,q, 2014656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (unsigned int *)&i); 2015656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project q+=i; 2016656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j+=i; 2017656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2018656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (RSA_sign(NID_md5_sha1, md_buf, j, 2019656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &(p[2]), &u, pkey->pkey.rsa) <= 0) 2020656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2021656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 2022656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2023656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2024656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s2n(u,p); 2025656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n+=u+2; 2026656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2027656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2028de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_RSA */ 2029392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (md) 2030656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2031392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* For TLS1.2 and later send signature 2032392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * algorithm */ 
2033392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (TLS1_get_version(s) >= TLS1_2_VERSION) 2034656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2035392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!tls12_get_sigandhash(p, pkey, md)) 2036392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 2037392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* Should never happen */ 2038392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 2039392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2040392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 2041392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 2042392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom p+=2; 2043656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2044392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifdef SSL_DEBUG 2045392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom fprintf(stderr, "Using hash %s\n", 2046392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_MD_name(md)); 2047656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2048392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_SignInit_ex(&md_ctx, md, NULL); 2049656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 2050656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 2051656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_SignUpdate(&md_ctx,&(d[4]),n); 2052656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EVP_SignFinal(&md_ctx,&(p[2]), 2053656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (unsigned int *)&i,pkey)) 
2054656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2055392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP); 2056656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2057656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2058656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s2n(i,p); 2059656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n+=i+2; 2060392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (TLS1_get_version(s) >= TLS1_2_VERSION) 2061392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom n+= 2; 2062656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2063656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2064656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2065656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Is this error check actually needed? 
*/ 2066656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2067656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 2068656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2069656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2070656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2071656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2072656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 2073656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project l2n3(n,d); 2074656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2075656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we should now have things packed up, so lets send 2076656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * it off */ 2077656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num=n+4; 2078656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_off=0; 2079656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2080656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2081656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->state = SSL3_ST_SW_KEY_EXCH_B; 2082656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_MD_CTX_cleanup(&md_ctx); 2083656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2084656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectf_err: 2085656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_send_alert(s,SSL3_AL_FATAL,al); 2086656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
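Source Projecterr: 2087656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 2088656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2089656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_free(bn_ctx); 2090656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2091656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_MD_CTX_cleanup(&md_ctx); 2092656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(-1); 2093656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2094656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project
/* Build and send the CertificateRequest handshake message.
 *
 * In state SSL3_ST_SW_CERT_REQ_A the message is assembled in s->init_buf:
 * a one-byte count followed by the certificate types returned by
 * ssl3_get_req_cert_type(); for TLS 1.2 and later a two-byte length and
 * the list written by tls12_get_req_sig_algs(); then a two-byte total
 * length and one DER-encoded X509_NAME per entry of
 * SSL_get_client_CA_list(). The state then moves to
 * SSL3_ST_SW_CERT_REQ_B and the buffer is handed to ssl3_do_write().
 *
 * Returns the result of ssl3_do_write(), or -1 when the buffer cannot be
 * grown or a CA name cannot be encoded.
 */
int ssl3_send_certificate_request(SSL *s)
	{
	unsigned char *p,*d;
	int i,j,nl,off,n;
	STACK_OF(X509_NAME) *sk=NULL;
	X509_NAME *name;
	BUF_MEM *buf;

	if (s->state == SSL3_ST_SW_CERT_REQ_A)
		{
		buf=s->init_buf;

		/* The first 4 bytes are reserved for the handshake header,
		 * which is filled in last; n counts the body bytes after it.
		 * NOTE(review): everything up to the CA list is written
		 * before any BUF_MEM_grow_clean() call, so this assumes
		 * init_buf is already large enough for the certificate
		 * types and signature algorithms - confirm at the
		 * allocation site. */
		d=p=(unsigned char *)&(buf->data[4]);

		/* get the list of acceptable cert types; d[0] holds the count */
		p++;
		n=ssl3_get_req_cert_type(s,p);
		d[0]=n;
		p+=n;
		n++;

		if (TLS1_get_version(s) >= TLS1_2_VERSION)
			{
			/* supported signature algorithms, 2-byte length first */
			nl = tls12_get_req_sig_algs(s, p + 2);
			s2n(nl, p);
			p += nl + 2;
			n += nl + 2;
			}

		/* off remembers where the 2-byte CA list length goes; it is
		 * written once the list has been serialized */
		off=n;
		p+=2;
		n+=2;

		sk=SSL_get_client_CA_list(s);
		nl=0;
		if (sk != NULL)
			{
			for (i=0; i<sk_X509_NAME_num(sk); i++)
				{
				name=sk_X509_NAME_value(sk,i);
				j=i2d_X509_NAME(name,NULL);
				/* i2d_X509_NAME reports failure with a negative
				 * length. Reject it here: otherwise it would
				 * shrink the size requested below and then be
				 * used as a length and a buffer offset. */
				if (j < 0)
					{
					SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_INTERNAL_ERROR);
					goto err;
					}
				if (!BUF_MEM_grow_clean(buf,4+n+j+2))
					{
					SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
					goto err;
					}
				/* recompute p: growing may have moved buf->data */
				p=(unsigned char *)&(buf->data[4+n]);
				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
					{
					/* NOTE(review): s2n stores a 16-bit
					 * length; nothing here bounds j or the
					 * running total nl to 0xffff - confirm
					 * the CA list is bounded elsewhere. */
					s2n(j,p);
					i2d_X509_NAME(name,&p);
					n+=2+j;
					nl+=2+j;
					}
				else
					{
					/* Compatibility mode: the DER encoding
					 * is written first and its first two
					 * bytes are then overwritten with j-2,
					 * so no separate length prefix is
					 * added. */
					d=p;
					i2d_X509_NAME(name,&p);
					j-=2; s2n(j,d); j+=2;
					n+=j;
					nl+=j;
					}
				}
			}
		/* else no CA names */
		p=(unsigned char *)&(buf->data[4+off]);
		s2n(nl,p);

		/* handshake header: message type and 3-byte body length */
		d=(unsigned char *)buf->data;
		*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
		l2n3(n,d);

		/* we should now have things packed up, so lets send
		 * it off */

		s->init_num=n+4;
		s->init_off=0;
#ifdef NETSCAPE_HANG_BUG
		/* Append a ServerHelloDone header (type byte plus a zero
		 * 3-byte length) to the same buffer. */
		if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
			{
			SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
			goto err;
			}
		p=(unsigned char *)s->init_buf->data + s->init_num;

		/* do the header */
		*(p++)=SSL3_MT_SERVER_DONE;
		*(p++)=0;
		*(p++)=0;
		*(p++)=0;
		s->init_num += 4;
#endif

		s->state = SSL3_ST_SW_CERT_REQ_B;
		}

	/* SSL3_ST_SW_CERT_REQ_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
err:
	return(-1);
	}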
2197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint ssl3_get_client_key_exchange(SSL *s) 2198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int i,al,ok; 2200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project long n; 2201221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom unsigned long alg_k; 2202de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned long alg_a; 2203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *p; 2204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RSA 2205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RSA *rsa=NULL; 2206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *pkey=NULL; 2207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_DH 2209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BIGNUM *pub=NULL; 2210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project DH *dh_srvr; 2211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_KRB5 2213221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom KSSL_ERR kssl_err; 2214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* OPENSSL_NO_KRB5 */ 2215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 2217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY *srvr_ecdh = NULL; 2218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY 
*clnt_pub_pkey = NULL; 2219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_POINT *clnt_ecpoint = NULL; 2220de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin BN_CTX *bn_ctx = NULL; 2221de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#ifndef OPENSSL_NO_PSK 2222de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned int psk_len = 0; 2223de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char psk[PSK_MAX_PSK_LEN]; 2224de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_PSK */ 2225656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2226656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2227656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=s->method->ssl_get_message(s, 2228656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_KEY_EXCH_A, 2229656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_KEY_EXCH_B, 2230656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_MT_CLIENT_KEY_EXCHANGE, 2231656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2048, /* ??? 
*/ 2232656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &ok); 2233656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2234656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) return((int)n); 2235656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p=(unsigned char *)s->init_msg; 2236656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2237221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2238de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2239de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2240de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#ifndef OPENSSL_NO_PSK 2241de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_a & SSL_aPSK) 2242de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2243de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char *t = NULL; 2244de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4]; 2245de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned int pre_ms_len = 0; 2246de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin int psk_err = 1; 2247de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin char tmp_id[PSK_MAX_IDENTITY_LEN+1]; 2248de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2249de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin al=SSL_AD_HANDSHAKE_FAILURE; 2250de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2251de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin n2s(p, i); 2252de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (n != i+2 && !(alg_k & SSL_kEECDH)) 2253de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2254de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2255de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSL_R_LENGTH_MISMATCH); 
2256de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2257de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2258de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (i > PSK_MAX_IDENTITY_LEN) 2259de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2260de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2261de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSL_R_DATA_LENGTH_TOO_LONG); 2262de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2263de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2264de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (s->psk_server_callback == NULL) 2265de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2266de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2267de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSL_R_PSK_NO_SERVER_CB); 2268de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2269de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2270de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2271de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Create guaranteed NUL-terminated identity 2272de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * string for the callback */ 2273de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memcpy(tmp_id, p, i); 2274de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2275de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin psk_len = s->psk_server_callback(s, tmp_id, psk, sizeof(psk)); 2276656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2277de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (psk_len > PSK_MAX_PSK_LEN) 2278de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2279de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2280de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 
ERR_R_INTERNAL_ERROR); 2281de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2282de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2283de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (psk_len == 0) 2284de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2285de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* PSK related to the given identity not found */ 2286de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2287de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSL_R_PSK_IDENTITY_NOT_FOUND); 2288de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin al=SSL_AD_UNKNOWN_PSK_IDENTITY; 2289de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2290de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2291de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (!(alg_k & SSL_kEECDH)) 2292de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2293de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Create the shared secret now if we're not using ECDHE-PSK.*/ 2294de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin pre_ms_len=2+psk_len+2+psk_len; 2295de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin t = pre_ms; 2296de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s2n(psk_len, t); 2297de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memset(t, 0, psk_len); 2298de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin t+=psk_len; 2299de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s2n(psk_len, t); 2300de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memcpy(t, psk, psk_len); 2301de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2302de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key_length= 2303de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->method->ssl3_enc->generate_master_secret(s, 2304de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key, pre_ms, pre_ms_len); 
2305de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2306de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (s->session->psk_identity != NULL) 2307de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_free(s->session->psk_identity); 2308de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->psk_identity = BUF_strdup(tmp_id); 2309de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2310de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (s->session->psk_identity == NULL) 2311de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2312de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2313de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin ERR_R_MALLOC_FAILURE); 2314de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto psk_err; 2315de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2316de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2317de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin p += i; 2318de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin n -= (i + 2); 2319de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin psk_err = 0; 2320de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin psk_err: 2321de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_cleanse(pre_ms, sizeof(pre_ms)); 2322de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (psk_err != 0) 2323de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto f_err; 2324de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2325de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_PSK */ 2326de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (0) {} 2327656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RSA 2328221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (alg_k & SSL_kRSA) 2329656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 
2330c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 2331c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root int decrypt_len; 2332c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root unsigned char decrypt_good, version_good; 2333c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2334656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* FIX THIS UP EAY EAY EAY EAY */ 2335656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.use_rsa_tmp) 2336656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2337656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2338656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa=s->cert->rsa_tmp; 2339656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Don't do a callback because rsa_tmp should 2340656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * be sent already */ 2341656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (rsa == NULL) 2342656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2343656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2344656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 2345656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2346656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2347656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2348656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2349656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2350656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 
2351656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2352656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ( (pkey == NULL) || 2353656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (pkey->type != EVP_PKEY_RSA) || 2354656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (pkey->pkey.rsa == NULL)) 2355656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2356656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2357656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 2358656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2359656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2360656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project rsa=pkey->pkey.rsa; 2361656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2362656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2363221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* TLS and [incidentally] DTLS{0xFEFF} */ 2364221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2365656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2366656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 2367656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n != i+2) 2368656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2369656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(s->options & SSL_OP_TLS_D5_BUG)) 2370656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2371656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2372656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2373656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2374656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2375656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p-=2; 2376656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2377656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2378656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=i; 2379656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2380656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2381c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* We must not leak whether a decryption failure occurs because 2382c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see 2383c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * RFC 2246, section 7.4.7.1). The code follows that advice of 2384c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * the TLS RFC and generates a random premaster secret for the 2385c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * case that the decrypt fails. See 2386c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ 2387656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2388c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* should be RAND_bytes, but we cannot work around a failure. 
*/ 2389c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root if (RAND_pseudo_bytes(rand_premaster_secret, 2390c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root sizeof(rand_premaster_secret)) <= 0) 2391c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root goto err; 2392c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root decrypt_len = RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2393c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root ERR_clear_error(); 2394c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2395c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. 2396c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * decrypt_good will be 0xff if so and zero otherwise. */ 2397c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root decrypt_good = constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH); 2398c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2399c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* If the version in the decrypted pre-master secret is correct 2400c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * then version_good will be 0xff, otherwise it'll be zero. 2401c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2402c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * (http://eprint.iacr.org/2003/052/) exploits the version 2403c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * number check as a "bad version oracle". Thus version checks 2404c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * are done in constant time and are treated like any other 2405c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * decryption error. 
*/ 2406c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root version_good = constant_time_eq_8(p[0], (unsigned)(s->client_version>>8)); 2407c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root version_good &= constant_time_eq_8(p[1], (unsigned)(s->client_version&0xff)); 2408c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2409c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* The premaster secret must contain the same version number as 2410c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * the ClientHello to detect version rollback attacks 2411c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * (strangely, the protocol does not offer such protection for 2412c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * DH ciphersuites). However, buggy clients exist that send the 2413c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * negotiated protocol version instead if the server does not 2414c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * support the requested protocol version. If 2415c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
*/ 2416c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root if (s->options & SSL_OP_TLS_ROLLBACK_BUG) 2417c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root { 2418c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root unsigned char workaround_good; 2419c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root workaround_good = constant_time_eq_8(p[0], (unsigned)(s->version>>8)); 2420c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root workaround_good &= constant_time_eq_8(p[1], (unsigned)(s->version&0xff)); 2421c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root version_good |= workaround_good; 2422c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root } 2423c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2424c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* Both decryption and version must be good for decrypt_good 2425c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * to remain non-zero (0xff). */ 2426c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root decrypt_good &= version_good; 2427c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root 2428c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root /* Now copy rand_premaster_secret over p using 2429c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root * decrypt_good_mask. 
*/ 2430c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root for (i = 0; i < (int) sizeof(rand_premaster_secret); i++) 2431c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root { 2432c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root p[i] = constant_time_select_8(decrypt_good, p[i], 2433c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root rand_premaster_secret[i]); 2434656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2435656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2436656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->master_key_length= 2437656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->method->ssl3_enc->generate_master_secret(s, 2438656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->master_key, 2439656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p,i); 2440656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_cleanse(p,i); 2441656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2442656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2443656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_DH 2444de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2445656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2446656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 2447656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n != i+2) 2448656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2449656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 2450656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2451656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2452656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2453656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2454656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2455656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2456656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p-=2; 2457656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=(int)n; 2458656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2459656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2460656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2461656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n == 0L) /* the parameters are in the cert */ 2462656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2463656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2464656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2465656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2466656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2467656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2468656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2469656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.dh == NULL) 2470656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2471656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2472656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 2473656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2474656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2475656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2476656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project dh_srvr=s->s3->tmp.dh; 2477656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2478656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2479656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pub=BN_bin2bn(p,i,NULL); 2480656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pub == NULL) 2481656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2482656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 2483656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2484656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2485656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2486656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=DH_compute_key(p,pub,dh_srvr); 2487656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2488656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i <= 0) 2489656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2490656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 24917b476c43f6a45574eb34697244b592e7b09f05a3Brian Carlstrom BN_clear_free(pub); 2492656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2493656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2494656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project 2495656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project DH_free(s->s3->tmp.dh); 2496656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.dh=NULL; 2497656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2498656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_clear_free(pub); 2499656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pub=NULL; 2500656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->master_key_length= 2501656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->method->ssl3_enc->generate_master_secret(s, 2502656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->session->master_key,p,i); 2503656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_cleanse(p,i); 2504656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2505656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2506656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_KRB5 2507de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kKRB5) 2508221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2509221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom krb5_error_code krb5rc; 2510656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project krb5_data enc_ticket; 2511656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project krb5_data authenticator; 2512656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project krb5_data enc_pms; 2513221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom KSSL_CTX *kssl_ctx = s->kssl_ctx; 2514656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX ciph_ctx; 2515221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom const EVP_CIPHER *enc = NULL; 
2516656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char iv[EVP_MAX_IV_LENGTH]; 2517656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2518221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom + EVP_MAX_BLOCK_LENGTH]; 2519221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int padl, outl; 2520656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project krb5_timestamp authtime = 0; 2521656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project krb5_ticket_times ttimes; 2522656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2523656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX_init(&ciph_ctx); 2524656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2525221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2526656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2527656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 2528656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project enc_ticket.length = i; 2529656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2530221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (n < (long)(enc_ticket.length + 6)) 2531656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2532656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2533656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2534656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2535656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2536656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2537656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project enc_ticket.data = (char *)p; 2538656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=enc_ticket.length; 2539656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2540656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 2541656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project authenticator.length = i; 2542656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2543221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2544656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2545656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2546656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2547656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2548656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2549656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2550656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project authenticator.data = (char *)p; 2551656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=authenticator.length; 2552656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2553656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n2s(p,i); 2554656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project enc_pms.length = i; 2555656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project enc_pms.data = (char *)p; 2556656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p+=enc_pms.length; 2557656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2558656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Note that the length is 
checked again below, 2559656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ** after decryption 2560656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2561656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if(enc_pms.length > sizeof pms) 2562656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2563656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2564656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2565656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2566656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2567656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2568656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (n != (long)(enc_ticket.length + authenticator.length + 2569656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project enc_pms.length + 6)) 2570656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2571656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2572656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2573656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2574656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2575656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2576221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2577656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &kssl_err)) != 0) 2578221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2579656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef KSSL_DEBUG 
2580221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom printf("kssl_sget_tkt rtn %d [%d]\n", 2581221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom krb5rc, kssl_err.reason); 2582221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (kssl_err.text) 2583221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom printf("kssl_err text= %s\n", kssl_err.text); 2584656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* KSSL_DEBUG */ 2585221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2586221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom kssl_err.reason); 2587221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2588221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2589656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2590656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Note: no authenticator is not considered an error, 2591656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ** but will return authtime == 0. 
2592656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2593656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2594656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &authtime, &kssl_err)) != 0) 2595656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2596656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifdef KSSL_DEBUG 2597221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom printf("kssl_check_authent rtn %d [%d]\n", 2598221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom krb5rc, kssl_err.reason); 2599221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (kssl_err.text) 2600221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom printf("kssl_err text= %s\n", kssl_err.text); 2601656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* KSSL_DEBUG */ 2602221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2603221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom kssl_err.reason); 2604221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2605656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2606656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2607656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2608656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2609656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2610221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2611656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2612656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2613656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open 
Source Project#ifdef KSSL_DEBUG 2614221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom kssl_ctx_show(kssl_ctx); 2615656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* KSSL_DEBUG */ 2616656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2617656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project enc = kssl_map_enc(kssl_ctx->enctype); 2618221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (enc == NULL) 2619221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2620656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2621656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2622656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2623656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2624656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2625656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2626656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DECRYPTION_FAILED); 2627656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2628656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2629656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2630656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (unsigned char *)enc_pms.data, enc_pms.length)) 2631656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2632656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2633656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DECRYPTION_FAILED); 
2634656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2635656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2636656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2637656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2638656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2639656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2640656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2641656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2642656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2643656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2644656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2645656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DECRYPTION_FAILED); 2646656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2647656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2648656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project outl += padl; 2649656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2650656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2651656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2652656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_DATA_LENGTH_TOO_LONG); 2653656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2654656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source 
Project } 2655656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2656656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2657656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* The premaster secret must contain the same version number as the 2658656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ClientHello to detect version rollback attacks (strangely, the 2659656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * protocol does not offer such protection for DH ciphersuites). 2660656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * However, buggy clients exist that send random bytes instead of 2661656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the protocol version. 2662656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
2663656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2664656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2665656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2666221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2667656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2668656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_AD_DECODE_ERROR); 2669656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2670656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2671656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2672656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2673656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2674656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2675221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->session->master_key_length= 2676221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->method->ssl3_enc->generate_master_secret(s, 2677221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom s->session->master_key, pms, outl); 2678656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2679221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (kssl_ctx->client_princ) 2680221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2681221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom size_t len = strlen(kssl_ctx->client_princ); 2682221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2683221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2684221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom 
s->session->krb5_client_princ_len = len; 2685221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2686221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2687221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2688656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2689656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2690221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Was doing kssl_ctx_free() here, 2691656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ** but it caused problems for apache. 2692221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2693221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2694221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 2695221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2696656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif /* OPENSSL_NO_KRB5 */ 2697656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 2698de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2699656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2700656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int ret = 1; 2701656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int field_size = 0; 2702656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project const EC_KEY *tkey; 2703656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project const EC_GROUP *group; 2704656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project const BIGNUM *priv_key; 2705de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#ifndef OPENSSL_NO_PSK 2706de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char 
*pre_ms; 2707de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned int pre_ms_len; 2708de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char *t; 2709de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_PSK */ 2710656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2711221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* initialize structures for server's ECDH key pair */ 2712656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((srvr_ecdh = EC_KEY_new()) == NULL) 2713656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2714221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2715656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_MALLOC_FAILURE); 2716221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2717656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2718656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2719656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Let's get server private key and group information */ 2720221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2721656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2722221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* use the certificate */ 2723656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2724656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2725656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 2726656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2727656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* use the ephermeral values we saved when 2728656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project * generating the ServerKeyExchange msg. 2729656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2730656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project tkey = s->s3->tmp.ecdh; 2731656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2732656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2733656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project group = EC_KEY_get0_group(tkey); 2734656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project priv_key = EC_KEY_get0_private_key(tkey); 2735656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2736656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!EC_KEY_set_group(srvr_ecdh, group) || 2737656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2738656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2739656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2740656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_EC_LIB); 2741656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2742656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2743656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2744656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Let's get client's public key */ 2745656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2746656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2747656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2748656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_MALLOC_FAILURE); 
2749656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2750656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2751656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2752221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (n == 0L) 2753221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2754656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Client Publickey was in Client Certificate */ 2755656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2756221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (alg_k & SSL_kEECDH) 2757656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2758656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2759656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2760656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2761656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2762221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2763656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project == NULL) || 2764656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project (clnt_pub_pkey->type != EVP_PKEY_EC)) 2765221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2766656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* XXX: For now, we do not support client 2767656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * authentication using ECDH certificates 2768656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * so this branch (n == 0L) of the code is 2769656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * never executed. 
When that support is 2770656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * added, we ought to ensure the key 2771656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * received in the certificate is 2772656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * authorized for key agreement. 2773656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * ECDH_compute_key implicitly checks that 2774656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * the two ECDH shares are for the same 2775656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * group. 2776656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2777221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_HANDSHAKE_FAILURE; 2778221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2779656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2780221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 2781221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2782656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2783656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (EC_POINT_copy(clnt_ecpoint, 2784656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2785656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2786656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2787656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_EC_LIB); 2788656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2789656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 
2790221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ret = 2; /* Skip certificate verify processing */ 2791221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2792221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 2793221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2794656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Get client's public key from encoded point 2795656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * in the ClientKeyExchange message. 2796656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 2797656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((bn_ctx = BN_CTX_new()) == NULL) 2798656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2799656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2800656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_MALLOC_FAILURE); 2801656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2802656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2803656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2804221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Get encoded point length */ 2805de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin i = *p; 2806656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 1; 2807ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom if (n != 1 + i) 2808ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom { 2809ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2810ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom ERR_R_EC_LIB); 2811ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom goto err; 2812ee7afb3c942c4eefef6ed06201eafaf8ec58e2e3Brian Carlstrom } 2813221304ee937bc0910948a8be1320cb8cc4eb6d36Brian 
Carlstrom if (EC_POINT_oct2point(group, 2814656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project clnt_ecpoint, p, i, bn_ctx) == 0) 2815656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2816656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2817656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_EC_LIB); 2818656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2819656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2820221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* p is pointing to somewhere in the buffer 2821221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * currently, so set it to the start 2822221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom */ 2823221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom p=(unsigned char *)s->init_buf->data; 2824221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2825656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2826656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Compute the shared pre-master secret */ 2827656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project field_size = EC_GROUP_get_degree(group); 2828656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (field_size <= 0) 2829656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2830656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2831656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_ECDH_LIB); 2832656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto err; 2833656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2834656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i = ECDH_compute_key(p, 
(field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2835221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i <= 0) 2836221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2837221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2838656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ERR_R_ECDH_LIB); 2839221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto err; 2840221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2841656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2842656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(clnt_pub_pkey); 2843656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_POINT_free(clnt_ecpoint); 2844221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom EC_KEY_free(srvr_ecdh); 2845656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_free(bn_ctx); 2846221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom EC_KEY_free(s->s3->tmp.ecdh); 2847de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->s3->tmp.ecdh = NULL; 2848656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2849221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#ifndef OPENSSL_NO_PSK 2850de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* ECDHE PSK ciphersuites from RFC 5489 */ 2851de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if ((alg_a & SSL_aPSK) && psk_len != 0) 2852221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2853f8195e11d1b3ab7252f1a54dbf727cfa660b6450David Benjamin pre_ms_len = 2+i+2+psk_len; 2854de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin pre_ms = OPENSSL_malloc(pre_ms_len); 2855de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (pre_ms == NULL) 2856221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2857221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 
2858221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom ERR_R_MALLOC_FAILURE); 2859de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto err; 2860221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2861de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memset(pre_ms, 0, pre_ms_len); 2862de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin t = pre_ms; 2863de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s2n(i, t); 2864de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin memcpy(t, p, i); 2865f8195e11d1b3ab7252f1a54dbf727cfa660b6450David Benjamin t += i; 2866f8195e11d1b3ab7252f1a54dbf727cfa660b6450David Benjamin s2n(psk_len, t); 2867f8195e11d1b3ab7252f1a54dbf727cfa660b6450David Benjamin memcpy(t, psk, psk_len); 2868de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key_length = s->method->ssl3_enc \ 2869de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin -> generate_master_secret(s, 2870de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key, pre_ms, pre_ms_len); 2871de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_cleanse(pre_ms, pre_ms_len); 2872de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_free(pre_ms); 2873221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2874de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_PSK */ 2875de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (!(alg_a & SSL_aPSK)) 2876de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2877de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Compute the master secret */ 2878de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key_length = s->method->ssl3_enc \ 2879de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin -> generate_master_secret(s, 2880de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key, p, i); 2881de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2882de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 
2883de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_cleanse(p, i); 2884de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2885221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom#endif 2886392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifndef OPENSSL_NO_SRP 2887de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kSRP) 2888de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2889de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin int param_len; 2890de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2891de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin n2s(p,i); 2892de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin param_len=i+2; 2893de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (param_len > n) 2894392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 2895de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin al=SSL_AD_DECODE_ERROR; 2896de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH); 2897de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto f_err; 2898de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2899de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL))) 2900de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2901de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB); 2902de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto err; 2903de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2904de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (s->session->srp_username != NULL) 2905de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin OPENSSL_free(s->session->srp_username); 2906de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2907de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (s->session->srp_username == NULL) 
2908de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2909de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2910de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin ERR_R_MALLOC_FAILURE); 2911de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto err; 2912de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2913392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 2914de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2915de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2916de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2917de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto err; 2918de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2919392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 2920de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin p+=i; 2921de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2922de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin#endif /* OPENSSL_NO_SRP */ 2923de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_k & SSL_kGOST) 2924de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2925de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin int ret = 0; 2926de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin EVP_PKEY_CTX *pkey_ctx; 2927de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2928de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned char premaster_secret[32], *start; 2929de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin size_t outlen=32, inlen; 2930de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin unsigned long alg_a; 293177c6be7176c48d2ce4d5979a84876d34204eedafKenny Root int Ttag, Tclass; 293277c6be7176c48d2ce4d5979a84876d34204eedafKenny Root long Tlen; 
2933de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin 2934de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Get our certificate private key*/ 2935de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2936de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (alg_a & SSL_aGOST94) 2937de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2938de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (alg_a & SSL_aGOST01) 2939de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2940392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 2941de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2942de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin EVP_PKEY_decrypt_init(pkey_ctx); 2943de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* If client certificate is present and is of the same type, maybe 2944de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * use it for key exchange. Don't mind errors from 2945de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * EVP_PKEY_derive_set_peer, because it is completely valid to use 2946de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin * a client certificate for authorization only. 
*/ 2947de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin client_pub_pkey = X509_get_pubkey(s->session->peer); 2948de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (client_pub_pkey) 2949de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2950de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2951de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin ERR_clear_error(); 2952de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2953de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Decrypt session key */ 295477c6be7176c48d2ce4d5979a84876d34204eedafKenny Root if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || 295577c6be7176c48d2ce4d5979a84876d34204eedafKenny Root Ttag != V_ASN1_SEQUENCE || 295677c6be7176c48d2ce4d5979a84876d34204eedafKenny Root Tclass != V_ASN1_UNIVERSAL) 2957221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 2958de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2959de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto gerr; 2960de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 296177c6be7176c48d2ce4d5979a84876d34204eedafKenny Root start = p; 296277c6be7176c48d2ce4d5979a84876d34204eedafKenny Root inlen = Tlen; 2963de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2964de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin { 2965de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2966de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto gerr; 2967221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 2968de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Generate master secret */ 2969de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key_length= 
2970de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->method->ssl3_enc->generate_master_secret(s, 2971de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin s->session->master_key,premaster_secret,32); 2972de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin /* Check if pubkey from client certificate was used */ 2973de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2974de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin ret = 2; 2975de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else 2976de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin ret = 1; 2977de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin gerr: 2978de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin EVP_PKEY_free(client_pub_pkey); 2979de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin EVP_PKEY_CTX_free(pkey_ctx); 2980de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin if (ret) 2981de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin return ret; 2982221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 2983de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin goto err; 2984de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin } 2985de9675dad342fcf6fe0ed86d083c027e88e44b6bAlex Klyubin else if (!(alg_k & SSL_kPSK)) 2986656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 2987656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_HANDSHAKE_FAILURE; 2988656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2989656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_UNKNOWN_CIPHER_TYPE); 2990656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 2991656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 2992656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 2993656d9c7f52f88b3a3daccafa7655dec086c4756eThe 
Android Open Source Project return(1); 2994656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectf_err: 2995656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_send_alert(s,SSL3_AL_FATAL,al); 2996392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2997656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projecterr: 2998656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 2999656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDH 3000656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY_free(clnt_pub_pkey); 3001656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_POINT_free(clnt_ecpoint); 3002656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (srvr_ecdh != NULL) 3003656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EC_KEY_free(srvr_ecdh); 3004656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project BN_CTX_free(bn_ctx); 3005656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 3006656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return(-1); 3007656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3008656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3009656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectint ssl3_get_cert_verify(SSL *s) 3010656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3011656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_PKEY *pkey=NULL; 3012656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *p; 3013656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int al,ok,ret=0; 
3014656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project long n; 3015656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project int type=0,i,j; 3016656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project X509 *peer; 3017392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const EVP_MD *md = NULL; 3018392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_MD_CTX mctx; 3019392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom EVP_MD_CTX_init(&mctx); 3020656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3021656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project n=s->method->ssl_get_message(s, 3022656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_CERT_VRFY_A, 3023656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL3_ST_SR_CERT_VRFY_B, 3024656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project -1, 3025c64f6fe2be99cb3fa8e491b5bede9a217de87a4cKenny Root SSL3_RT_MAX_PLAIN_LENGTH, 3026656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &ok); 3027656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3028656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!ok) return((int)n); 3029656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3030656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->session->peer != NULL) 3031656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3032656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project peer=s->session->peer; 3033656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pkey=X509_get_pubkey(peer); 3034656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project type=X509_certificate_type(peer,pkey); 3035656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 
3036656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 3037656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3038656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project peer=NULL; 3039656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project pkey=NULL; 3040656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3041656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3042656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 3043656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3044656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->s3->tmp.reuse_message=1; 3045a1a5710c055e139ea00e785f9eb55b3af3e4dab1Brian Carlstrom if ((peer != NULL) && (type & EVP_PKT_SIGN)) 3046656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3047656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_UNEXPECTED_MESSAGE; 3048656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 3049656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3050656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3051656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=1; 3052656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto end; 3053656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3054656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3055656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (peer == NULL) 3056656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3057656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 3058656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_UNEXPECTED_MESSAGE; 3059656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3060656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3061656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3062656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!(type & EVP_PKT_SIGN)) 3063656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3064656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 3065656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_ILLEGAL_PARAMETER; 3066656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3067656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3068656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3069656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (s->s3->change_cipher_spec) 3070656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3071656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 3072656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_UNEXPECTED_MESSAGE; 3073656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3074656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3075656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3076656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* we now have a signature that we need to verify */ 3077656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p=(unsigned char 
*)s->init_msg; 3078221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* Check for broken implementations of GOST ciphersuites */ 3079221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom /* If key is GOST and n is exactly 64, it is bare 3080221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom * signature without length field */ 3081221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (n==64 && (pkey->type==NID_id_GostR3410_94 || 3082221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom pkey->type == NID_id_GostR3410_2001) ) 3083656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3084221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom i=64; 3085221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3086221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 3087221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 3088392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (TLS1_get_version(s) >= TLS1_2_VERSION) 3089392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3090392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom int sigalg = tls12_get_sigid(pkey); 3091392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* Should never happen */ 3092392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (sigalg == -1) 3093392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3094392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 3095392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 3096392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3097392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3098392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* Check key type is consistent with signature */ 3099392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (sigalg != (int)p[1]) 3100392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 
3101392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 3102392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_DECODE_ERROR; 3103392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3104392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3105392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom md = tls12_get_hash(p[0]); 3106392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (md == NULL) 3107392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3108392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 3109392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_DECODE_ERROR; 3110392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3111392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3112392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifdef SSL_DEBUG 3113392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstromfprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 3114392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 3115392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom p += 2; 3116392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom n -= 2; 3117392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3118221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom n2s(p,i); 3119221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom n-=2; 3120221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i > n) 3121221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 3122221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 3123221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_DECODE_ERROR; 3124221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 3125221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 
3126221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3127656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=EVP_PKEY_size(pkey); 3128656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if ((i > j) || (n > j) || (n <= 0)) 3129656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3130656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 3131656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECODE_ERROR; 3132656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3133656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3134656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3135392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (TLS1_get_version(s) >= TLS1_2_VERSION) 3136392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3137392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom long hdatalen = 0; 3138392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom void *hdata; 3139392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 3140392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (hdatalen <= 0) 3141392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3142392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3143392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 3144392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3145392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3146392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#ifdef SSL_DEBUG 3147392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 3148392aa7cc7d2b122614c5393c3e357da07fd07af3Brian 
Carlstrom EVP_MD_name(md)); 3149392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom#endif 3150392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (!EVP_VerifyInit_ex(&mctx, md, NULL) 3151392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 3152392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3153392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 3154392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_INTERNAL_ERROR; 3155392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3156392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3157392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3158392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 3159392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3160392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom al=SSL_AD_DECRYPT_ERROR; 3161392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE); 3162392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom goto f_err; 3163392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3164392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3165392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom else 3166656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_RSA 3167656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pkey->type == EVP_PKEY_RSA) 3168656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3169656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3170656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 3171656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
pkey->pkey.rsa); 3172656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i < 0) 3173656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3174656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECRYPT_ERROR; 3175656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 3176656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3177656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3178656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (i == 0) 3179656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3180656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECRYPT_ERROR; 3181656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 3182656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3183656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3184656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3185656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 3186656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 3187656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_DSA 3188656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pkey->type == EVP_PKEY_DSA) 3189656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3190656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=DSA_verify(pkey->save_type, 3191656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3192656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 
SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 3193656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (j <= 0) 3194656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3195656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* bad signature */ 3196656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECRYPT_ERROR; 3197656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 3198656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3199656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3200656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3201656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 3202656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 3203656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#ifndef OPENSSL_NO_ECDSA 3204656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (pkey->type == EVP_PKEY_EC) 3205656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3206656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project j=ECDSA_verify(pkey->save_type, 3207656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3208656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 3209656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (j <= 0) 3210656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3211656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* bad signature */ 3212656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_DECRYPT_ERROR; 3213656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3214656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSL_R_BAD_ECDSA_SIGNATURE); 3215656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3216656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3217656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3218656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 3219656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project#endif 3220221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3221221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { unsigned char signature[64]; 3222221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom int idx; 3223221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 3224221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom EVP_PKEY_verify_init(pctx); 3225221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (i!=64) { 3226221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom fprintf(stderr,"GOST signature length is %d",i); 3227221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3228221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom for (idx=0;idx<64;idx++) { 3229221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom signature[63-idx]=p[idx]; 3230221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3231221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 3232221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom EVP_PKEY_CTX_free(pctx); 3233221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom if (j<=0) 3234221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom { 3235221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom al=SSL_AD_DECRYPT_ERROR; 
3236221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3237221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom SSL_R_BAD_ECDSA_SIGNATURE); 3238221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom goto f_err; 3239221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3240221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom } 3241221304ee937bc0910948a8be1320cb8cc4eb6d36Brian Carlstrom else 3242656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3243656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 3244656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project al=SSL_AD_UNSUPPORTED_CERTIFICATE; 3245656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project goto f_err; 3246656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3247656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3248656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3249656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ret=1; 3250656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (0) 3251656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3252656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectf_err: 3253656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project ssl3_send_alert(s,SSL3_AL_FATAL,al); 3254656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3255656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Projectend: 3256392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (s->s3->handshake_buffer) 3257392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3258392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom BIO_free(s->s3->handshake_buffer); 3259392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 
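/* ... closing lines of ssl3_get_cert_verify's cleanup path; the function begins earlier in the file ... */
		s->s3->handshake_buffer = NULL;
		s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
		}
	EVP_MD_CTX_cleanup(&mctx);
	EVP_PKEY_free(pkey);
	return(ret);
	}

/* Read the client's Certificate message and parse the certificate list
 * it carries.
 *
 * Outcomes, as implemented below:
 *  - message read not complete (!ok): the value from ssl_get_message is
 *    returned unchanged.
 *  - the client sent ClientKeyExchange instead of Certificate: accepted
 *    (returns 1 with reuse_message set) unless the verify mode requires a
 *    peer certificate, or this is TLS and a certificate was requested.
 *  - an empty list: fatal for SSLv3; for TLS fatal only when both
 *    SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT are set.
 *  - a non-empty list: passed to ssl_verify_cert_chain(); a result <= 0
 *    is fatal.
 *
 * Returns 1 on success and -1 on failure. On the "goto f_err" paths a
 * fatal alert carrying 'al' is sent first; "goto err" paths (allocation
 * or ASN.1 failures) send no alert.
 *
 * A return of 1 therefore does not mean the client authenticated: when no
 * certificate is required, the handshake continues with whatever
 * sk_X509_shift() yields for an empty stack stored in s->session->peer
 * (presumably NULL), so callers that need client authentication must
 * check for a peer certificate themselves.
 */
int ssl3_get_client_certificate(SSL *s)
	{
	int i,ok,al,ret= -1;
	X509 *x=NULL;
	unsigned long l,nc,llen,n;
	const unsigned char *p,*q;
	unsigned char *d;
	STACK_OF(X509) *sk=NULL;

	/* message type -1: accept any type here, it is checked below;
	 * the body is capped at s->max_cert_list bytes */
	n=s->method->ssl_get_message(s,
		SSL3_ST_SR_CERT_A,
		SSL3_ST_SR_CERT_B,
		-1,
		s->max_cert_list,
		&ok);

	if (!ok) return((int)n);

	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
		{
		if (	(s->verify_mode & SSL_VERIFY_PEER) &&
			(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al=SSL_AD_HANDSHAKE_FAILURE;
			goto f_err;
			}
		/* If tls asked for a client cert, the client must return a 0 list */
		if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
			al=SSL_AD_UNEXPECTED_MESSAGE;
			goto f_err;
			}
		/* leave the ClientKeyExchange in place for the next state */
		s->s3->tmp.reuse_message=1;
		return(1);
		}

	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
		{
		al=SSL_AD_UNEXPECTED_MESSAGE;
		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
		goto f_err;
		}
	p=d=(unsigned char *)s->init_msg;

	if ((sk=sk_X509_new_null()) == NULL)
		{
		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	/* 3-byte total length of the certificate list; it must account for
	 * the whole message body */
	n2l3(p,llen);
	if (llen+3 != n)
		{
		al=SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
	for (nc=0; nc<llen; )
		{
		/* Each entry starts with a 3-byte length. Reject a list whose
		 * remainder is too short to hold that prefix before reading
		 * it, so n2l3 never reads past the declared list. The alert
		 * and reason match what the check below would report. */
		if ((llen-nc) < 3)
			{
			al=SSL_AD_DECODE_ERROR;
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
			goto f_err;
			}
		n2l3(p,l);
		if ((l+nc+3) > llen)
			{
			al=SSL_AD_DECODE_ERROR;
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
			goto f_err;
			}

		q=p;
		x=d2i_X509(NULL,&p,l);
		if (x == NULL)
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
			goto err;
			}
		/* the decoder must have consumed exactly the l bytes declared
		 * for this entry; trailing bytes are rejected */
		if (p != (q+l))
			{
			al=SSL_AD_DECODE_ERROR;
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
			goto f_err;
			}
		if (!sk_X509_push(sk,x))
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
			goto err;
			}
		/* the stack now holds x; clear it so the err path does not
		 * free it a second time */
		x=NULL;
		nc+=l+3;
		}

	if (sk_X509_num(sk) <= 0)
		{
		/* TLS does not mind 0 certs returned */
		if (s->version == SSL3_VERSION)
			{
			al=SSL_AD_HANDSHAKE_FAILURE;
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
			goto f_err;
			}
		/* Fail for TLS only if we required a certificate */
		else if ((s->verify_mode & SSL_VERIFY_PEER) &&
			 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
			al=SSL_AD_HANDSHAKE_FAILURE;
			goto f_err;
			}
		/* No client certificate so digest cached records */
		if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s))
			{
			al=SSL_AD_INTERNAL_ERROR;
			goto f_err;
			}
		}
	else
		{
		i=ssl_verify_cert_chain(s,sk);
		if (i <= 0)
			{
			al=ssl_verify_alarm_type(s->verify_result);
			/* NOTE(review): the reason recorded here is
			 * SSL_R_NO_CERTIFICATE_RETURNED although a chain was
			 * received and rejected; left unchanged because
			 * callers may match on it. */
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
			goto f_err;
			}
		}

	if (s->session->peer != NULL) /* This should not be needed */
		X509_free(s->session->peer);
	/* the first certificate in the list becomes the peer certificate */
	s->session->peer=sk_X509_shift(sk);
	s->session->verify_result = s->verify_result;

	/* With the current implementation, sess_cert will always be NULL
	 * when we arrive here. */
	if (s->session->sess_cert == NULL)
		{
		s->session->sess_cert = ssl_sess_cert_new();
		if (s->session->sess_cert == NULL)
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
			goto err;
			}
		}
	if (s->session->sess_cert->cert_chain != NULL)
		sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
	s->session->sess_cert->cert_chain=sk;
	/* Inconsistency alert: cert_chain does *not* include the
	 * peer's own certificate, while we do include it in s3_clnt.c */

	/* the session owns the stack now; keep the err path from freeing it */
	sk=NULL;

	ret=1;
	if (0)
		{
f_err:
		ssl3_send_alert(s,SSL3_AL_FATAL,al);
		}
err:
	if (x != NULL) X509_free(x);
	if (sk != NULL) sk_X509_pop_free(sk,X509_free);
	return(ret);
	}

/* Send the server's Certificate message.
 *
 * In state SSL3_ST_SW_CERT_A the chain is serialised with
 * ssl3_output_cert_chain() and the state advances to SSL3_ST_SW_CERT_B;
 * in either state the pending handshake bytes are then written with
 * ssl3_do_write(), whose result is returned.
 *
 * Returns 0 when no certificate is available for a cipher suite that
 * needs one, or when the chain could not be serialised.
 */
int ssl3_send_server_certificate(SSL *s)
	{
	unsigned long l;
	X509 *x;

	if (s->state == SSL3_ST_SW_CERT_A)
		{
		x=ssl_get_server_send_cert(s);
		if (x == NULL)
			{
			/* VRS: allow null cert if auth == KRB5 */
			if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
			    (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
				{
				SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
				return(0);
				}
			}

		l=ssl3_output_cert_chain(s,x);
		/* A Certificate message is never empty (handshake header plus
		 * list length), so a zero length is treated as a failure in
		 * ssl3_output_cert_chain, which is defined elsewhere. Stop
		 * here instead of advancing the state with nothing to send. */
		if (l == 0)
			{
			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
			return(0);
			}
		s->state=SSL3_ST_SW_CERT_B;
		s->init_num=(int)l;
		s->init_off=0;
		}

	/* SSL3_ST_SW_CERT_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
	}

#ifndef OPENSSL_NO_TLSEXT
/* send a new session ticket (not necessarily for a new session) */
int ssl3_send_newsession_ticket(SSL *s)
	{
	if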
(s->state == SSL3_ST_SW_SESSION_TICKET_A) 3463656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3464656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char *p, *senc, *macstart; 3465392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const unsigned char *const_p; 3466392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom int len, slen_full, slen; 3467392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSL_SESSION *sess; 3468656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned int hlen; 3469656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX ctx; 3470656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project HMAC_CTX hctx; 347198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom SSL_CTX *tctx = s->initial_ctx; 3472656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char iv[EVP_MAX_IV_LENGTH]; 3473656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project unsigned char key_name[16]; 3474656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3475656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* get session encoding length */ 3476392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom slen_full = i2d_SSL_SESSION(s->session, NULL); 3477656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Some length values are 16 bits, so forget it if session is 3478656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * too long 3479656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 3480392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (slen_full > 0xFF00) 3481656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 3482392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom senc = OPENSSL_malloc(slen_full); 3483392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 
if (!senc) 3484392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 3485392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom p = senc; 3486392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom i2d_SSL_SESSION(s->session, &p); 3487392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3488392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* create a fresh copy (not shared with other threads) to clean up */ 3489392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom const_p = senc; 3490392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3491392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (sess == NULL) 3492392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3493392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom OPENSSL_free(senc); 3494392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 3495392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3496392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3497392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3498392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom slen = i2d_SSL_SESSION(sess, NULL); 3499392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom if (slen > slen_full) /* shouldn't ever happen */ 3500392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom { 3501392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom OPENSSL_free(senc); 3502392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom return -1; 3503392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom } 3504392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom p = senc; 3505392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom i2d_SSL_SESSION(sess, &p); 3506392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom SSL_SESSION_free(sess); 3507392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3508656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android 
Open Source Project /* Grow buffer if need be: the length calculation is as 3509656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * follows 1 (size of message name) + 3 (message length 3510656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3511656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * 16 (key name) + max_iv_len (iv length) + 3512656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * session_length + max_enc_block_size (max encrypted session 3513656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * length) + max_md_size (HMAC). 3514656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 3515656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project if (!BUF_MEM_grow(s->init_buf, 3516656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3517656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_MAX_MD_SIZE + slen)) 3518656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 3519656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3520656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p=(unsigned char *)s->init_buf->data; 3521656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* do the header */ 3522656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project *(p++)=SSL3_MT_NEWSESSION_TICKET; 3523656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Skip message length for now */ 3524656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 3; 3525656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX_init(&ctx); 3526656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project HMAC_CTX_init(&hctx); 
3527656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Initialize HMAC and cipher contexts. If callback present 3528656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * it does all the work otherwise use generated values 3529656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project * from parent ctx. 3530656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project */ 353198d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (tctx->tlsext_ticket_key_cb) 3532656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 353398d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3534656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project &hctx, 1) < 0) 3535656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3536656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project OPENSSL_free(senc); 3537656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project return -1; 3538656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3539656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3540656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project else 3541656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project { 3542656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project RAND_pseudo_bytes(iv, 16); 3543656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 354498d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom tctx->tlsext_tick_aes_key, iv); 354598d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3546656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project tlsext_tick_md(), NULL); 354798d58bb80c64b02a33662f0ea80351d4a1535267Brian Carlstrom 
memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3548656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project } 3549392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3550392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom /* Ticket lifetime hint (advisory only): 3551392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * We leave this unspecified for resumed session (for simplicity), 3552392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * and guess that tickets for new sessions will live as long 3553392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom * as their sessions. */ 3554392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom l2n(s->hit ? 0 : s->session->timeout, p); 3555392aa7cc7d2b122614c5393c3e357da07fd07af3Brian Carlstrom 3556656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Skip ticket length for now */ 3557656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 2; 3558656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Output key name */ 3559656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project macstart = p; 3560656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(p, key_name, 16); 3561656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 16; 3562656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* output IV */ 3563656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 3564656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += EVP_CIPHER_CTX_iv_length(&ctx); 3565656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Encrypt session data */ 3566656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 3567656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += len; 
3568656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_EncryptFinal(&ctx, p, &len); 3569656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += len; 3570656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project EVP_CIPHER_CTX_cleanup(&ctx); 3571656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3572656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project HMAC_Update(&hctx, macstart, p - macstart); 3573656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project HMAC_Final(&hctx, p, &hlen); 3574656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project HMAC_CTX_cleanup(&hctx); 3575656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3576656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += hlen; 3577656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Now write out lengths: p points to end of data written */ 3578656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* Total length */ 3579656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project len = p - (unsigned char *)s->init_buf->data; 3580656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p=(unsigned char *)s->init_buf->data + 1; 3581656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project l2n3(len - 4, p); /* Message length */ 3582656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project p += 4; 3583656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s2n(len - 10, p); /* Ticket length */ 3584656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project 3585656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project /* number of bytes to write */ 3586656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source Project s->init_num= len; 3587656d9c7f52f88b3a3daccafa7655dec086c4756eThe Android Open Source 
s->state=SSL3_ST_SW_SESSION_TICKET_B;
		s->init_off=0;
		OPENSSL_free(senc);
		}

	/* SSL3_ST_SW_SESSION_TICKET_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
	}

/* ssl3_send_cert_status builds the CertificateStatus handshake message in
 * s->init_buf from the response held in s->tlsext_ocsp_resp and hands it to
 * ssl3_do_write.  The message is assembled only in state
 * SSL3_ST_SW_CERT_STATUS_A; in any other state the already-buffered bytes
 * are written.  Returns -1 if the buffer cannot be grown, otherwise the
 * result of ssl3_do_write.
 *
 * NOTE(review): s->tlsext_ocsp_resplen is used as a buffer size and as the
 * memcpy length without a range check in this function; presumably callers
 * only get here with a response set and a non-negative length -- confirm. */
int ssl3_send_cert_status(SSL *s)
	{
	if (s->state == SSL3_ST_SW_CERT_STATUS_A)
		{
		unsigned char *out;

		/* Space needed: 1 (message type) + 3 (message length) +
		 * 1 (ocsp response type) + 3 (ocsp response length) +
		 * the ocsp response itself.
		 */
		if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
			return -1;

		out = (unsigned char *)s->init_buf->data;

		/* handshake header: type, then 24-bit body length */
		*(out++) = SSL3_MT_CERTIFICATE_STATUS;
		l2n3(s->tlsext_ocsp_resplen + 4, out);
		/* body: status type, 24-bit response length, response bytes */
		*(out++) = s->tlsext_status_type;
		l2n3(s->tlsext_ocsp_resplen, out);
		memcpy(out, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);

		/* queue the whole message for writing from offset 0 */
		s->init_off = 0;
		s->init_num = 8 + s->tlsext_ocsp_resplen;
		s->state = SSL3_ST_SW_CERT_STATUS_B;
		}

	/* SSL3_ST_SW_CERT_STATUS_B */
	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
	}

# ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message
 * and, when it is well formed, copies the protocol name it carries into
 * s->next_proto_negotiated.
 *
 * Returns 1 once the name has been stored, -1 when the message is not
 * allowed at this point (extension never offered, or no ChangeCipherSpec
 * yet), 0 for a malformed body or an allocation failure, and the value
 * reported by ssl_get_message when that call did not complete.
 *
 * NOTE(review): the malformed-length paths return 0 without queuing an
 * error through SSLerr, unlike the other rejection paths -- confirm that
 * callers treat 0 as fatal.
 * NOTE(review): s->next_proto_negotiated is overwritten without releasing a
 * previous buffer; presumably it is always NULL on entry -- confirm. */
int ssl3_get_next_proto(SSL *s)
	{
	int msg_ok;
	int name_len, pad_len;
	long body_len;
	const unsigned char *body;

	/* A NextProtocol message is only legal if the client offered the
	 * extension in its ClientHello. */
	if (s->s3->next_proto_neg_seen == 0)
		{
		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
		return -1;
		}

	body_len = s->method->ssl_get_message(s,
		SSL3_ST_SR_NEXT_PROTO_A,
		SSL3_ST_SR_NEXT_PROTO_B,
		SSL3_MT_NEXT_PROTO,
		514,  /* See the payload format below */
		&msg_ok);

	if (!msg_ok)
		return (int)body_len;

	/* s->state doesn't reflect whether ChangeCipherSpec has been received
	 * in this handshake, but s->s3->change_cipher_spec does (will be reset
	 * by ssl3_get_finished).  Rejecting here keeps the message from being
	 * accepted before a ChangeCipherSpec has been seen. */
	if (s->s3->change_cipher_spec == 0)
		{
		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
		return -1;
		}

	/* The body must hold at least the two length bytes. */
	if (body_len < 2)
		return 0;

	body = (unsigned char *)s->init_msg;

	/* The payload looks like:
	 *   uint8 proto_len;
	 *   uint8 proto[proto_len];
	 *   uint8 padding_len;
	 *   uint8 padding[padding_len];
	 */
	name_len = body[0];
	/* padding_len must lie inside the message before it is read */
	if (name_len + 2 > s->init_num)
		return 0;
	pad_len = body[name_len + 1];
	/* both fields together must account for the whole body */
	if (name_len + pad_len + 2 != s->init_num)
		return 0;

	/* NOTE(review): name_len may be 0 here; what OPENSSL_malloc does for a
	 * zero-byte request is not visible in this file -- confirm. */
	s->next_proto_negotiated = OPENSSL_malloc(name_len);
	if (s->next_proto_negotiated == NULL)
		{
		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
		return 0;
		}
	memcpy(s->next_proto_negotiated, body + 1, name_len);
	s->next_proto_negotiated_len = name_len;

	return 1;
	}
# endif

/* ssl3_get_channel_id reads and verifies a ClientID handshake message.
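*/
/* On the first call (state SSL3_ST_SR_CHANNEL_ID_A with nothing buffered)
 * the SHA-256 channel-ID handshake hash is computed and parked in
 * s->s3->tlsext_channel_id.  Once the EncryptedExtensions message has been
 * read, the client-supplied P-256 public key (x, y) and ECDSA signature
 * (r, s) are parsed from it and the signature is checked against that
 * stored hash.  On success the 64 bytes x||y replace the hash in
 * s->s3->tlsext_channel_id.
 *
 * Returns 1 on success, -1 on any error (including a bad signature), or the
 * value reported by ssl_get_message when that call did not complete.
 */
int ssl3_get_channel_id(SSL *s)
	{
	int ret = -1, ok;
	long n;
	const unsigned char *p;
	unsigned short extension_type, extension_len;
	EC_GROUP* p256 = NULL;
	EC_KEY* key = NULL;
	EC_POINT* point = NULL;
	ECDSA_SIG sig;
	BIGNUM x, y;
	unsigned short expected_extension_type;

	if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0)
		{
		/* The first time that we're called we take the current
		 * handshake hash and store it. */
		EVP_MD_CTX md_ctx;
		unsigned int len;
		int hash_ok;

		EVP_MD_CTX_init(&md_ctx);
		hash_ok = EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL) &&
			tls1_channel_id_hash(&md_ctx, s);
		if (hash_ok)
			{
			len = sizeof(s->s3->tlsext_channel_id);
			hash_ok = EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len);
			}
		/* Release the digest context on every path; a failure above
		 * must not leave it initialised, and a hash that could not be
		 * produced must not be used for verification later. */
		EVP_MD_CTX_cleanup(&md_ctx);
		if (!hash_ok)
			return -1;
		}

	n = s->method->ssl_get_message(s,
		SSL3_ST_SR_CHANNEL_ID_A,
		SSL3_ST_SR_CHANNEL_ID_B,
		SSL3_MT_ENCRYPTED_EXTENSIONS,
		2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
		&ok);

	if (!ok)
		return((int)n);

	/* Feed this message (4-byte handshake header included) into the
	 * running handshake MAC. */
	ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4);

	/* s->state doesn't reflect whether ChangeCipherSpec has been received
	 * in this handshake, but s->s3->change_cipher_spec does (will be reset
	 * by ssl3_get_finished). */
	if (!s->s3->change_cipher_spec)
		{
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS);
		return -1;
		}

	/* Exact length only: the fixed offsets used below depend on it. */
	if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE)
		{
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
		return -1;
		}

	p = (unsigned char *)s->init_msg;

	/* The payload looks like:
	 *   uint16 extension_type
	 *   uint16 extension_len;
	 *   uint8 x[32];
	 *   uint8 y[32];
	 *   uint8 r[32];
	 *   uint8 s[32];
	 *
	 * NOTE(review): the reads at p + 0 .. p + 127 below assume
	 * TLSEXT_CHANNEL_ID_SIZE covers these four 32-byte fields -- confirm
	 * against its definition.
	 */
	n2s(p, extension_type);
	n2s(p, extension_len);

	expected_extension_type = TLSEXT_TYPE_channel_id;
	if (s->s3->tlsext_channel_id_new)
		expected_extension_type = TLSEXT_TYPE_channel_id_new;

	if (extension_type != expected_extension_type ||
	    extension_len != TLSEXT_CHANNEL_ID_SIZE)
		{
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
		return -1;
		}

	p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
	if (!p256)
		{
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT);
		return -1;
		}

	BN_init(&x);
	BN_init(&y);
	sig.r = BN_new();
	sig.s = BN_new();
	/* BN_bin2bn allocates a fresh BIGNUM when handed a NULL destination,
	 * so a failed BN_new() would not be noticed by the checks below: the
	 * result would leak and the signature would be left with a NULL
	 * component.  Stop here instead. */
	if (sig.r == NULL || sig.s == NULL)
		{
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,ERR_R_MALLOC_FAILURE);
		goto err;
		}

	if (BN_bin2bn(p +  0, 32, &x) == NULL ||
	    BN_bin2bn(p + 32, 32, &y) == NULL ||
	    BN_bin2bn(p + 64, 32, sig.r) == NULL ||
	    BN_bin2bn(p + 96, 32, sig.s) == NULL)
		goto err;

	/* NOTE(review): x and y come straight from the peer; whether
	 * EC_POINT_set_affine_coordinates_GFp rejects a point that is not on
	 * the curve depends on the library version -- confirm. */
	point = EC_POINT_new(p256);
	if (!point ||
	    !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL))
		goto err;

	key = EC_KEY_new();
	if (!key ||
	    !EC_KEY_set_group(key, p256) ||
	    !EC_KEY_set_public_key(key, point))
		goto err;

	/* We stored the handshake hash in |tlsext_channel_id| the first time
	 * that we were called. */
	switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) {
	case 1:
		break;
	case 0:
		/* signature does not match the handshake hash */
		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
		s->s3->tlsext_channel_id_valid = 0;
		goto err;
	default:
		/* any other result is treated as a failure as well */
		s->s3->tlsext_channel_id_valid = 0;
		goto err;
	}

	/* Verified: replace the stored hash with the public key x||y. */
	memcpy(s->s3->tlsext_channel_id, p, 64);
	ret = 1;

err:
	BN_free(&x);
	BN_free(&y);
	BN_free(sig.r);
	BN_free(sig.s);
	if (key)
		EC_KEY_free(key);
	if (point)
		EC_POINT_free(point);
	if (p256)
		EC_GROUP_free(p256);
	return ret;
	}
#endif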