s3_clnt.c 82 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330
  1. /* ssl/s3_clnt.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  113. *
  114. * Portions of the attached software ("Contribution") are developed by
  115. * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
  116. *
  117. * The Contribution is licensed pursuant to the OpenSSL open source
  118. * license provided above.
  119. *
  120. * ECC cipher suite support in OpenSSL originally written by
  121. * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
  122. *
  123. */
  124. /* ====================================================================
  125. * Copyright 2005 Nokia. All rights reserved.
  126. *
  127. * The portions of the attached software ("Contribution") is developed by
  128. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  129. * license.
  130. *
  131. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  132. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  133. * support (see RFC 4279) to OpenSSL.
  134. *
  135. * No patent licenses or other rights except those expressly stated in
  136. * the OpenSSL open source license shall be deemed granted or received
  137. * expressly, by implication, estoppel, or otherwise.
  138. *
  139. * No assurances are provided by Nokia that the Contribution does not
  140. * infringe the patent or other intellectual property rights of any third
  141. * party or that the license provides you with all the necessary rights
  142. * to make use of the Contribution.
  143. *
  144. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  145. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  146. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  147. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  148. * OTHERWISE.
  149. */
  150. #include <stdio.h>
  151. #include <openssl/crypto.h>
  152. #include "ssl_locl.h"
  153. #include "kssl_lcl.h"
  154. #include <openssl/buffer.h>
  155. #include <openssl/rand.h>
  156. #include <openssl/objects.h>
  157. #include <openssl/evp.h>
  158. #include <openssl/md5.h>
  159. #ifdef OPENSSL_FIPS
  160. #include <openssl/fips.h>
  161. #endif
  162. #ifndef OPENSSL_NO_DH
  163. #include <openssl/dh.h>
  164. #endif
  165. #include <openssl/bn.h>
  166. #ifndef OPENSSL_NO_ENGINE
  167. #include <openssl/engine.h>
  168. #endif
  169. static const SSL_METHOD *ssl3_get_client_method(int ver);
  170. static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
  171. static const SSL_METHOD *ssl3_get_client_method(int ver)
  172. {
  173. if (ver == SSL3_VERSION)
  174. return(SSLv3_client_method());
  175. else
  176. return(NULL);
  177. }
  178. IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
  179. ssl_undefined_function,
  180. ssl3_connect,
  181. ssl3_get_client_method)
  182. int ssl3_connect(SSL *s)
  183. {
  184. BUF_MEM *buf=NULL;
  185. unsigned long Time=(unsigned long)time(NULL);
  186. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  187. int ret= -1;
  188. int new_state,state,skip=0;
  189. RAND_add(&Time,sizeof(Time),0);
  190. ERR_clear_error();
  191. clear_sys_error();
  192. if (s->info_callback != NULL)
  193. cb=s->info_callback;
  194. else if (s->ctx->info_callback != NULL)
  195. cb=s->ctx->info_callback;
  196. s->in_handshake++;
  197. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  198. for (;;)
  199. {
  200. state=s->state;
  201. switch(s->state)
  202. {
  203. case SSL_ST_RENEGOTIATE:
  204. s->renegotiate=1;
  205. s->state=SSL_ST_CONNECT;
  206. s->ctx->stats.sess_connect_renegotiate++;
  207. /* break */
  208. case SSL_ST_BEFORE:
  209. case SSL_ST_CONNECT:
  210. case SSL_ST_BEFORE|SSL_ST_CONNECT:
  211. case SSL_ST_OK|SSL_ST_CONNECT:
  212. s->server=0;
  213. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  214. if ((s->version & 0xff00 ) != 0x0300)
  215. {
  216. SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
  217. ret = -1;
  218. goto end;
  219. }
  220. /* s->version=SSL3_VERSION; */
  221. s->type=SSL_ST_CONNECT;
  222. if (s->init_buf == NULL)
  223. {
  224. if ((buf=BUF_MEM_new()) == NULL)
  225. {
  226. ret= -1;
  227. goto end;
  228. }
  229. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  230. {
  231. ret= -1;
  232. goto end;
  233. }
  234. s->init_buf=buf;
  235. buf=NULL;
  236. }
  237. if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
  238. /* setup buffing BIO */
  239. if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
  240. /* don't push the buffering BIO quite yet */
  241. ssl3_init_finished_mac(s);
  242. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  243. s->ctx->stats.sess_connect++;
  244. s->init_num=0;
  245. break;
  246. case SSL3_ST_CW_CLNT_HELLO_A:
  247. case SSL3_ST_CW_CLNT_HELLO_B:
  248. s->shutdown=0;
  249. ret=ssl3_client_hello(s);
  250. if (ret <= 0) goto end;
  251. s->state=SSL3_ST_CR_SRVR_HELLO_A;
  252. s->init_num=0;
  253. /* turn on buffering for the next lot of output */
  254. if (s->bbio != s->wbio)
  255. s->wbio=BIO_push(s->bbio,s->wbio);
  256. break;
  257. case SSL3_ST_CR_SRVR_HELLO_A:
  258. case SSL3_ST_CR_SRVR_HELLO_B:
  259. ret=ssl3_get_server_hello(s);
  260. #ifndef OPENSSL_NO_SRP
  261. if ((ret == 0) && (s->s3->warn_alert == SSL_AD_MISSING_SRP_USERNAME))
  262. {
  263. if (!SRP_have_to_put_srp_username(s))
  264. {
  265. SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
  266. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
  267. goto end;
  268. }
  269. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  270. if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
  271. break;
  272. }
  273. #endif
  274. if (ret <= 0) goto end;
  275. if (s->hit)
  276. {
  277. s->state=SSL3_ST_CR_FINISHED_A;
  278. #ifndef OPENSSL_NO_TLSEXT
  279. if (s->tlsext_ticket_expected)
  280. {
  281. /* receive renewed session ticket */
  282. s->state=SSL3_ST_CR_SESSION_TICKET_A;
  283. }
  284. #endif
  285. }
  286. else
  287. s->state=SSL3_ST_CR_CERT_A;
  288. s->init_num=0;
  289. break;
  290. case SSL3_ST_CR_CERT_A:
  291. case SSL3_ST_CR_CERT_B:
  292. #ifndef OPENSSL_NO_TLSEXT
  293. ret=ssl3_check_finished(s);
  294. if (ret <= 0) goto end;
  295. if (ret == 2)
  296. {
  297. s->hit = 1;
  298. if (s->tlsext_ticket_expected)
  299. s->state=SSL3_ST_CR_SESSION_TICKET_A;
  300. else
  301. s->state=SSL3_ST_CR_FINISHED_A;
  302. s->init_num=0;
  303. break;
  304. }
  305. #endif
  306. /* Check if it is anon DH/ECDH */
  307. /* or PSK */
  308. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  309. !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  310. {
  311. ret=ssl3_get_server_certificate(s);
  312. if (ret <= 0) goto end;
  313. #ifndef OPENSSL_NO_TLSEXT
  314. if (s->tlsext_status_expected)
  315. s->state=SSL3_ST_CR_CERT_STATUS_A;
  316. else
  317. s->state=SSL3_ST_CR_KEY_EXCH_A;
  318. }
  319. else
  320. {
  321. skip = 1;
  322. s->state=SSL3_ST_CR_KEY_EXCH_A;
  323. }
  324. #else
  325. }
  326. else
  327. skip=1;
  328. s->state=SSL3_ST_CR_KEY_EXCH_A;
  329. #endif
  330. s->init_num=0;
  331. break;
  332. case SSL3_ST_CR_KEY_EXCH_A:
  333. case SSL3_ST_CR_KEY_EXCH_B:
  334. ret=ssl3_get_key_exchange(s);
  335. if (ret <= 0) goto end;
  336. s->state=SSL3_ST_CR_CERT_REQ_A;
  337. s->init_num=0;
  338. /* at this point we check that we have the
  339. * required stuff from the server */
  340. if (!ssl3_check_cert_and_algorithm(s))
  341. {
  342. ret= -1;
  343. goto end;
  344. }
  345. break;
  346. case SSL3_ST_CR_CERT_REQ_A:
  347. case SSL3_ST_CR_CERT_REQ_B:
  348. ret=ssl3_get_certificate_request(s);
  349. if (ret <= 0) goto end;
  350. s->state=SSL3_ST_CR_SRVR_DONE_A;
  351. s->init_num=0;
  352. break;
  353. case SSL3_ST_CR_SRVR_DONE_A:
  354. case SSL3_ST_CR_SRVR_DONE_B:
  355. ret=ssl3_get_server_done(s);
  356. if (ret <= 0) goto end;
  357. #ifndef OPENSSL_NO_SRP
  358. if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP)
  359. {
  360. if ((ret = SRP_Calc_A_param(s))<=0)
  361. {
  362. SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
  363. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
  364. goto end;
  365. }
  366. }
  367. #endif
  368. if (s->s3->tmp.cert_req)
  369. s->state=SSL3_ST_CW_CERT_A;
  370. else
  371. s->state=SSL3_ST_CW_KEY_EXCH_A;
  372. s->init_num=0;
  373. break;
  374. case SSL3_ST_CW_CERT_A:
  375. case SSL3_ST_CW_CERT_B:
  376. case SSL3_ST_CW_CERT_C:
  377. case SSL3_ST_CW_CERT_D:
  378. ret=ssl3_send_client_certificate(s);
  379. if (ret <= 0) goto end;
  380. s->state=SSL3_ST_CW_KEY_EXCH_A;
  381. s->init_num=0;
  382. break;
  383. case SSL3_ST_CW_KEY_EXCH_A:
  384. case SSL3_ST_CW_KEY_EXCH_B:
  385. ret=ssl3_send_client_key_exchange(s);
  386. if (ret <= 0) goto end;
  387. /* EAY EAY EAY need to check for DH fix cert
  388. * sent back */
  389. /* For TLS, cert_req is set to 2, so a cert chain
  390. * of nothing is sent, but no verify packet is sent */
  391. /* XXX: For now, we do not support client
  392. * authentication in ECDH cipher suites with
  393. * ECDH (rather than ECDSA) certificates.
  394. * We need to skip the certificate verify
  395. * message when client's ECDH public key is sent
  396. * inside the client certificate.
  397. */
  398. if (s->s3->tmp.cert_req == 1)
  399. {
  400. s->state=SSL3_ST_CW_CERT_VRFY_A;
  401. }
  402. else
  403. {
  404. s->state=SSL3_ST_CW_CHANGE_A;
  405. s->s3->change_cipher_spec=0;
  406. }
  407. if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
  408. {
  409. s->state=SSL3_ST_CW_CHANGE_A;
  410. s->s3->change_cipher_spec=0;
  411. }
  412. s->init_num=0;
  413. break;
  414. case SSL3_ST_CW_CERT_VRFY_A:
  415. case SSL3_ST_CW_CERT_VRFY_B:
  416. ret=ssl3_send_client_verify(s);
  417. if (ret <= 0) goto end;
  418. s->state=SSL3_ST_CW_CHANGE_A;
  419. s->init_num=0;
  420. s->s3->change_cipher_spec=0;
  421. break;
  422. case SSL3_ST_CW_CHANGE_A:
  423. case SSL3_ST_CW_CHANGE_B:
  424. ret=ssl3_send_change_cipher_spec(s,
  425. SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
  426. if (ret <= 0) goto end;
  427. #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
  428. s->state=SSL3_ST_CW_FINISHED_A;
  429. #else
  430. if (s->next_proto_negotiated)
  431. s->state=SSL3_ST_CW_NEXT_PROTO_A;
  432. else
  433. s->state=SSL3_ST_CW_FINISHED_A;
  434. #endif
  435. s->init_num=0;
  436. s->session->cipher=s->s3->tmp.new_cipher;
  437. #ifdef OPENSSL_NO_COMP
  438. s->session->compress_meth=0;
  439. #else
  440. if (s->s3->tmp.new_compression == NULL)
  441. s->session->compress_meth=0;
  442. else
  443. s->session->compress_meth=
  444. s->s3->tmp.new_compression->id;
  445. #endif
  446. if (!s->method->ssl3_enc->setup_key_block(s))
  447. {
  448. ret= -1;
  449. goto end;
  450. }
  451. if (!s->method->ssl3_enc->change_cipher_state(s,
  452. SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  453. {
  454. ret= -1;
  455. goto end;
  456. }
  457. break;
  458. #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
  459. case SSL3_ST_CW_NEXT_PROTO_A:
  460. case SSL3_ST_CW_NEXT_PROTO_B:
  461. ret=ssl3_send_next_proto(s);
  462. if (ret <= 0) goto end;
  463. s->state=SSL3_ST_CW_FINISHED_A;
  464. break;
  465. #endif
  466. case SSL3_ST_CW_FINISHED_A:
  467. case SSL3_ST_CW_FINISHED_B:
  468. ret=ssl3_send_finished(s,
  469. SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
  470. s->method->ssl3_enc->client_finished_label,
  471. s->method->ssl3_enc->client_finished_label_len);
  472. if (ret <= 0) goto end;
  473. s->state=SSL3_ST_CW_FLUSH;
  474. /* clear flags */
  475. s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
  476. if (s->hit)
  477. {
  478. s->s3->tmp.next_state=SSL_ST_OK;
  479. if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
  480. {
  481. s->state=SSL_ST_OK;
  482. s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
  483. s->s3->delay_buf_pop_ret=0;
  484. }
  485. }
  486. else
  487. {
  488. #ifndef OPENSSL_NO_TLSEXT
  489. /* Allow NewSessionTicket if ticket expected */
  490. if (s->tlsext_ticket_expected)
  491. s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
  492. else
  493. #endif
  494. s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
  495. }
  496. s->init_num=0;
  497. break;
  498. #ifndef OPENSSL_NO_TLSEXT
  499. case SSL3_ST_CR_SESSION_TICKET_A:
  500. case SSL3_ST_CR_SESSION_TICKET_B:
  501. ret=ssl3_get_new_session_ticket(s);
  502. if (ret <= 0) goto end;
  503. s->state=SSL3_ST_CR_FINISHED_A;
  504. s->init_num=0;
  505. break;
  506. case SSL3_ST_CR_CERT_STATUS_A:
  507. case SSL3_ST_CR_CERT_STATUS_B:
  508. ret=ssl3_get_cert_status(s);
  509. if (ret <= 0) goto end;
  510. s->state=SSL3_ST_CR_KEY_EXCH_A;
  511. s->init_num=0;
  512. break;
  513. #endif
  514. case SSL3_ST_CR_FINISHED_A:
  515. case SSL3_ST_CR_FINISHED_B:
  516. ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
  517. SSL3_ST_CR_FINISHED_B);
  518. if (ret <= 0) goto end;
  519. if (s->hit)
  520. s->state=SSL3_ST_CW_CHANGE_A;
  521. else
  522. s->state=SSL_ST_OK;
  523. s->init_num=0;
  524. break;
  525. case SSL3_ST_CW_FLUSH:
  526. s->rwstate=SSL_WRITING;
  527. if (BIO_flush(s->wbio) <= 0)
  528. {
  529. ret= -1;
  530. goto end;
  531. }
  532. s->rwstate=SSL_NOTHING;
  533. s->state=s->s3->tmp.next_state;
  534. break;
  535. case SSL_ST_OK:
  536. /* clean a few things up */
  537. ssl3_cleanup_key_block(s);
  538. if (s->init_buf != NULL)
  539. {
  540. BUF_MEM_free(s->init_buf);
  541. s->init_buf=NULL;
  542. }
  543. /* If we are not 'joining' the last two packets,
  544. * remove the buffering now */
  545. if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
  546. ssl_free_wbio_buffer(s);
  547. /* else do it later in ssl3_write */
  548. s->init_num=0;
  549. s->renegotiate=0;
  550. s->new_session=0;
  551. ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
  552. if (s->hit) s->ctx->stats.sess_hit++;
  553. ret=1;
  554. /* s->server=0; */
  555. s->handshake_func=ssl3_connect;
  556. s->ctx->stats.sess_connect_good++;
  557. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  558. goto end;
  559. /* break; */
  560. default:
  561. SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
  562. ret= -1;
  563. goto end;
  564. /* break; */
  565. }
  566. /* did we do anything */
  567. if (!s->s3->tmp.reuse_message && !skip)
  568. {
  569. if (s->debug)
  570. {
  571. if ((ret=BIO_flush(s->wbio)) <= 0)
  572. goto end;
  573. }
  574. if ((cb != NULL) && (s->state != state))
  575. {
  576. new_state=s->state;
  577. s->state=state;
  578. cb(s,SSL_CB_CONNECT_LOOP,1);
  579. s->state=new_state;
  580. }
  581. }
  582. skip=0;
  583. }
  584. end:
  585. s->in_handshake--;
  586. if (buf != NULL)
  587. BUF_MEM_free(buf);
  588. if (cb != NULL)
  589. cb(s,SSL_CB_CONNECT_EXIT,ret);
  590. return(ret);
  591. }
  592. int ssl3_client_hello(SSL *s)
  593. {
  594. unsigned char *buf;
  595. unsigned char *p,*d;
  596. int i;
  597. unsigned long Time,l;
  598. #ifndef OPENSSL_NO_COMP
  599. int j;
  600. SSL_COMP *comp;
  601. #endif
  602. buf=(unsigned char *)s->init_buf->data;
  603. if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
  604. {
  605. SSL_SESSION *sess = s->session;
  606. if ((sess == NULL) ||
  607. (sess->ssl_version != s->version) ||
  608. #ifdef OPENSSL_NO_TLSEXT
  609. !sess->session_id_length ||
  610. #else
  611. (!sess->session_id_length && !sess->tlsext_tick) ||
  612. #endif
  613. (sess->not_resumable))
  614. {
  615. if (!ssl_get_new_session(s,0))
  616. goto err;
  617. }
  618. /* else use the pre-loaded session */
  619. p=s->s3->client_random;
  620. Time=(unsigned long)time(NULL); /* Time */
  621. l2n(Time,p);
  622. if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
  623. goto err;
  624. /* Do the message type and length last */
  625. d=p= &(buf[4]);
  626. *(p++)=s->version>>8;
  627. *(p++)=s->version&0xff;
  628. s->client_version=s->version;
  629. /* Random stuff */
  630. memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
  631. p+=SSL3_RANDOM_SIZE;
  632. /* Session ID */
  633. if (s->new_session)
  634. i=0;
  635. else
  636. i=s->session->session_id_length;
  637. *(p++)=i;
  638. if (i != 0)
  639. {
  640. if (i > (int)sizeof(s->session->session_id))
  641. {
  642. SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  643. goto err;
  644. }
  645. memcpy(p,s->session->session_id,i);
  646. p+=i;
  647. }
  648. /* Ciphers supported */
  649. i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
  650. if (i == 0)
  651. {
  652. SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
  653. goto err;
  654. }
  655. s2n(i,p);
  656. p+=i;
  657. /* COMPRESSION */
  658. #ifdef OPENSSL_NO_COMP
  659. *(p++)=1;
  660. #else
  661. if ((s->options & SSL_OP_NO_COMPRESSION)
  662. || !s->ctx->comp_methods)
  663. j=0;
  664. else
  665. j=sk_SSL_COMP_num(s->ctx->comp_methods);
  666. *(p++)=1+j;
  667. for (i=0; i<j; i++)
  668. {
  669. comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
  670. *(p++)=comp->id;
  671. }
  672. #endif
  673. *(p++)=0; /* Add the NULL method */
  674. #ifndef OPENSSL_NO_TLSEXT
  675. /* TLS extensions*/
  676. if (ssl_prepare_clienthello_tlsext(s) <= 0)
  677. {
  678. SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
  679. goto err;
  680. }
  681. if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
  682. {
  683. SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
  684. goto err;
  685. }
  686. #endif
  687. l=(p-d);
  688. d=buf;
  689. *(d++)=SSL3_MT_CLIENT_HELLO;
  690. l2n3(l,d);
  691. s->state=SSL3_ST_CW_CLNT_HELLO_B;
  692. /* number of bytes to write */
  693. s->init_num=p-buf;
  694. s->init_off=0;
  695. }
  696. /* SSL3_ST_CW_CLNT_HELLO_B */
  697. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  698. err:
  699. return(-1);
  700. }
  701. int ssl3_get_server_hello(SSL *s)
  702. {
  703. STACK_OF(SSL_CIPHER) *sk;
  704. const SSL_CIPHER *c;
  705. unsigned char *p,*d;
  706. int i,al,ok;
  707. unsigned int j;
  708. long n;
  709. #ifndef OPENSSL_NO_COMP
  710. SSL_COMP *comp;
  711. #endif
  712. n=s->method->ssl_get_message(s,
  713. SSL3_ST_CR_SRVR_HELLO_A,
  714. SSL3_ST_CR_SRVR_HELLO_B,
  715. -1,
  716. 20000, /* ?? */
  717. &ok);
  718. if (!ok) return((int)n);
  719. if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
  720. {
  721. if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
  722. {
  723. if ( s->d1->send_cookie == 0)
  724. {
  725. s->s3->tmp.reuse_message = 1;
  726. return 1;
  727. }
  728. else /* already sent a cookie */
  729. {
  730. al=SSL_AD_UNEXPECTED_MESSAGE;
  731. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
  732. goto f_err;
  733. }
  734. }
  735. }
  736. if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
  737. {
  738. al=SSL_AD_UNEXPECTED_MESSAGE;
  739. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
  740. goto f_err;
  741. }
  742. d=p=(unsigned char *)s->init_msg;
  743. if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
  744. {
  745. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
  746. s->version=(s->version&0xff00)|p[1];
  747. al=SSL_AD_PROTOCOL_VERSION;
  748. goto f_err;
  749. }
  750. p+=2;
  751. /* load the server hello data */
  752. /* load the server random */
  753. memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
  754. p+=SSL3_RANDOM_SIZE;
  755. /* get the session-id */
  756. j= *(p++);
  757. if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
  758. {
  759. al=SSL_AD_ILLEGAL_PARAMETER;
  760. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
  761. goto f_err;
  762. }
  763. #ifndef OPENSSL_NO_TLSEXT
  764. /* check if we want to resume the session based on external pre-shared secret */
  765. if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
  766. {
  767. SSL_CIPHER *pref_cipher=NULL;
  768. s->session->master_key_length=sizeof(s->session->master_key);
  769. if (s->tls_session_secret_cb(s, s->session->master_key,
  770. &s->session->master_key_length,
  771. NULL, &pref_cipher,
  772. s->tls_session_secret_cb_arg))
  773. {
  774. s->session->cipher = pref_cipher ?
  775. pref_cipher : ssl_get_cipher_by_char(s, p+j);
  776. }
  777. }
  778. #endif /* OPENSSL_NO_TLSEXT */
  779. if (j != 0 && j == s->session->session_id_length
  780. && memcmp(p,s->session->session_id,j) == 0)
  781. {
  782. if(s->sid_ctx_length != s->session->sid_ctx_length
  783. || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
  784. {
  785. /* actually a client application bug */
  786. al=SSL_AD_ILLEGAL_PARAMETER;
  787. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
  788. goto f_err;
  789. }
  790. s->hit=1;
  791. }
  792. else /* a miss or crap from the other end */
  793. {
  794. /* If we were trying for session-id reuse, make a new
  795. * SSL_SESSION so we don't stuff up other people */
  796. s->hit=0;
  797. if (s->session->session_id_length > 0)
  798. {
  799. if (!ssl_get_new_session(s,0))
  800. {
  801. al=SSL_AD_INTERNAL_ERROR;
  802. goto f_err;
  803. }
  804. }
  805. s->session->session_id_length=j;
  806. memcpy(s->session->session_id,p,j); /* j could be 0 */
  807. }
  808. p+=j;
  809. c=ssl_get_cipher_by_char(s,p);
  810. if (c == NULL)
  811. {
  812. /* unknown cipher */
  813. al=SSL_AD_ILLEGAL_PARAMETER;
  814. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
  815. goto f_err;
  816. }
  817. /* TLS v1.2 only ciphersuites require v1.2 or later */
  818. if ((c->algorithm_ssl & SSL_TLSV1_2) &&
  819. (TLS1_get_version(s) < TLS1_2_VERSION))
  820. {
  821. al=SSL_AD_ILLEGAL_PARAMETER;
  822. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
  823. goto f_err;
  824. }
  825. p+=ssl_put_cipher_by_char(s,NULL,NULL);
  826. sk=ssl_get_ciphers_by_id(s);
  827. i=sk_SSL_CIPHER_find(sk,c);
  828. if (i < 0)
  829. {
  830. /* we did not say we would use this cipher */
  831. al=SSL_AD_ILLEGAL_PARAMETER;
  832. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
  833. goto f_err;
  834. }
  835. /* Depending on the session caching (internal/external), the cipher
  836. and/or cipher_id values may not be set. Make sure that
  837. cipher_id is set and use it for comparison. */
  838. if (s->session->cipher)
  839. s->session->cipher_id = s->session->cipher->id;
  840. if (s->hit && (s->session->cipher_id != c->id))
  841. {
  842. /* Workaround is now obsolete */
  843. #if 0
  844. if (!(s->options &
  845. SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
  846. #endif
  847. {
  848. al=SSL_AD_ILLEGAL_PARAMETER;
  849. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
  850. goto f_err;
  851. }
  852. }
  853. s->s3->tmp.new_cipher=c;
  854. /* Don't digest cached records if TLS v1.2: we may need them for
  855. * client authentication.
  856. */
  857. if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
  858. goto f_err;
  859. /* lets get the compression algorithm */
  860. /* COMPRESSION */
  861. #ifdef OPENSSL_NO_COMP
  862. if (*(p++) != 0)
  863. {
  864. al=SSL_AD_ILLEGAL_PARAMETER;
  865. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  866. goto f_err;
  867. }
  868. /* If compression is disabled we'd better not try to resume a session
  869. * using compression.
  870. */
  871. if (s->session->compress_meth != 0)
  872. {
  873. al=SSL_AD_INTERNAL_ERROR;
  874. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
  875. goto f_err;
  876. }
  877. #else
  878. j= *(p++);
  879. if (s->hit && j != s->session->compress_meth)
  880. {
  881. al=SSL_AD_ILLEGAL_PARAMETER;
  882. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
  883. goto f_err;
  884. }
  885. if (j == 0)
  886. comp=NULL;
  887. else if (s->options & SSL_OP_NO_COMPRESSION)
  888. {
  889. al=SSL_AD_ILLEGAL_PARAMETER;
  890. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
  891. goto f_err;
  892. }
  893. else
  894. comp=ssl3_comp_find(s->ctx->comp_methods,j);
  895. if ((j != 0) && (comp == NULL))
  896. {
  897. al=SSL_AD_ILLEGAL_PARAMETER;
  898. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  899. goto f_err;
  900. }
  901. else
  902. {
  903. s->s3->tmp.new_compression=comp;
  904. }
  905. #endif
  906. #ifndef OPENSSL_NO_TLSEXT
  907. /* TLS extensions*/
  908. if (s->version >= SSL3_VERSION)
  909. {
  910. if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
  911. {
  912. /* 'al' set by ssl_parse_serverhello_tlsext */
  913. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
  914. goto f_err;
  915. }
  916. if (ssl_check_serverhello_tlsext(s) <= 0)
  917. {
  918. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
  919. goto err;
  920. }
  921. }
  922. #endif
  923. if (p != (d+n))
  924. {
  925. /* wrong packet length */
  926. al=SSL_AD_DECODE_ERROR;
  927. SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
  928. goto err;
  929. }
  930. return(1);
  931. f_err:
  932. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  933. err:
  934. return(-1);
  935. }
  936. int ssl3_get_server_certificate(SSL *s)
  937. {
  938. int al,i,ok,ret= -1;
  939. unsigned long n,nc,llen,l;
  940. X509 *x=NULL;
  941. const unsigned char *q,*p;
  942. unsigned char *d;
  943. STACK_OF(X509) *sk=NULL;
  944. SESS_CERT *sc;
  945. EVP_PKEY *pkey=NULL;
  946. int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
  947. n=s->method->ssl_get_message(s,
  948. SSL3_ST_CR_CERT_A,
  949. SSL3_ST_CR_CERT_B,
  950. -1,
  951. s->max_cert_list,
  952. &ok);
  953. if (!ok) return((int)n);
  954. if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
  955. ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
  956. (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
  957. {
  958. s->s3->tmp.reuse_message=1;
  959. return(1);
  960. }
  961. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
  962. {
  963. al=SSL_AD_UNEXPECTED_MESSAGE;
  964. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
  965. goto f_err;
  966. }
  967. p=d=(unsigned char *)s->init_msg;
  968. if ((sk=sk_X509_new_null()) == NULL)
  969. {
  970. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  971. goto err;
  972. }
  973. n2l3(p,llen);
  974. if (llen+3 != n)
  975. {
  976. al=SSL_AD_DECODE_ERROR;
  977. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
  978. goto f_err;
  979. }
  980. for (nc=0; nc<llen; )
  981. {
  982. n2l3(p,l);
  983. if ((l+nc+3) > llen)
  984. {
  985. al=SSL_AD_DECODE_ERROR;
  986. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  987. goto f_err;
  988. }
  989. q=p;
  990. x=d2i_X509(NULL,&q,l);
  991. if (x == NULL)
  992. {
  993. al=SSL_AD_BAD_CERTIFICATE;
  994. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
  995. goto f_err;
  996. }
  997. if (q != (p+l))
  998. {
  999. al=SSL_AD_DECODE_ERROR;
  1000. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  1001. goto f_err;
  1002. }
  1003. if (!sk_X509_push(sk,x))
  1004. {
  1005. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  1006. goto err;
  1007. }
  1008. x=NULL;
  1009. nc+=l+3;
  1010. p=q;
  1011. }
  1012. i=ssl_verify_cert_chain(s,sk);
  1013. if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
  1014. #ifndef OPENSSL_NO_KRB5
  1015. && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
  1016. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
  1017. #endif /* OPENSSL_NO_KRB5 */
  1018. )
  1019. {
  1020. al=ssl_verify_alarm_type(s->verify_result);
  1021. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
  1022. goto f_err;
  1023. }
  1024. ERR_clear_error(); /* but we keep s->verify_result */
  1025. sc=ssl_sess_cert_new();
  1026. if (sc == NULL) goto err;
  1027. if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
  1028. s->session->sess_cert=sc;
  1029. sc->cert_chain=sk;
  1030. /* Inconsistency alert: cert_chain does include the peer's
  1031. * certificate, which we don't include in s3_srvr.c */
  1032. x=sk_X509_value(sk,0);
  1033. sk=NULL;
  1034. /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
  1035. pkey=X509_get_pubkey(x);
  1036. /* VRS: allow null cert if auth == KRB5 */
  1037. need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
  1038. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
  1039. ? 0 : 1;
  1040. #ifdef KSSL_DEBUG
  1041. printf("pkey,x = %p, %p\n", pkey,x);
  1042. printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
  1043. printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
  1044. s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
  1045. #endif /* KSSL_DEBUG */
  1046. if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
  1047. {
  1048. x=NULL;
  1049. al=SSL3_AL_FATAL;
  1050. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
  1051. SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
  1052. goto f_err;
  1053. }
  1054. i=ssl_cert_type(x,pkey);
  1055. if (need_cert && i < 0)
  1056. {
  1057. x=NULL;
  1058. al=SSL3_AL_FATAL;
  1059. SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
  1060. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  1061. goto f_err;
  1062. }
  1063. if (need_cert)
  1064. {
  1065. sc->peer_cert_type=i;
  1066. CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
  1067. /* Why would the following ever happen?
  1068. * We just created sc a couple of lines ago. */
  1069. if (sc->peer_pkeys[i].x509 != NULL)
  1070. X509_free(sc->peer_pkeys[i].x509);
  1071. sc->peer_pkeys[i].x509=x;
  1072. sc->peer_key= &(sc->peer_pkeys[i]);
  1073. if (s->session->peer != NULL)
  1074. X509_free(s->session->peer);
  1075. CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
  1076. s->session->peer=x;
  1077. }
  1078. else
  1079. {
  1080. sc->peer_cert_type=i;
  1081. sc->peer_key= NULL;
  1082. if (s->session->peer != NULL)
  1083. X509_free(s->session->peer);
  1084. s->session->peer=NULL;
  1085. }
  1086. s->session->verify_result = s->verify_result;
  1087. x=NULL;
  1088. ret=1;
  1089. if (0)
  1090. {
  1091. f_err:
  1092. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1093. }
  1094. err:
  1095. EVP_PKEY_free(pkey);
  1096. X509_free(x);
  1097. sk_X509_pop_free(sk,X509_free);
  1098. return(ret);
  1099. }
  1100. int ssl3_get_key_exchange(SSL *s)
  1101. {
  1102. #ifndef OPENSSL_NO_RSA
  1103. unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
  1104. #endif
  1105. EVP_MD_CTX md_ctx;
  1106. unsigned char *param,*p;
  1107. int al,i,j,param_len,ok;
  1108. long n,alg_k,alg_a;
  1109. EVP_PKEY *pkey=NULL;
  1110. const EVP_MD *md = NULL;
  1111. #ifndef OPENSSL_NO_RSA
  1112. RSA *rsa=NULL;
  1113. #endif
  1114. #ifndef OPENSSL_NO_DH
  1115. DH *dh=NULL;
  1116. #endif
  1117. #ifndef OPENSSL_NO_ECDH
  1118. EC_KEY *ecdh = NULL;
  1119. BN_CTX *bn_ctx = NULL;
  1120. EC_POINT *srvr_ecpoint = NULL;
  1121. int curve_nid = 0;
  1122. int encoded_pt_len = 0;
  1123. #endif
  1124. /* use same message size as in ssl3_get_certificate_request()
  1125. * as ServerKeyExchange message may be skipped */
  1126. n=s->method->ssl_get_message(s,
  1127. SSL3_ST_CR_KEY_EXCH_A,
  1128. SSL3_ST_CR_KEY_EXCH_B,
  1129. -1,
  1130. s->max_cert_list,
  1131. &ok);
  1132. if (!ok) return((int)n);
  1133. if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
  1134. {
  1135. #ifndef OPENSSL_NO_PSK
  1136. /* In plain PSK ciphersuite, ServerKeyExchange can be
  1137. omitted if no identity hint is sent. Set
  1138. session->sess_cert anyway to avoid problems
  1139. later.*/
  1140. if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
  1141. {
  1142. s->session->sess_cert=ssl_sess_cert_new();
  1143. if (s->ctx->psk_identity_hint)
  1144. OPENSSL_free(s->ctx->psk_identity_hint);
  1145. s->ctx->psk_identity_hint = NULL;
  1146. }
  1147. #endif
  1148. s->s3->tmp.reuse_message=1;
  1149. return(1);
  1150. }
  1151. param=p=(unsigned char *)s->init_msg;
  1152. if (s->session->sess_cert != NULL)
  1153. {
  1154. #ifndef OPENSSL_NO_RSA
  1155. if (s->session->sess_cert->peer_rsa_tmp != NULL)
  1156. {
  1157. RSA_free(s->session->sess_cert->peer_rsa_tmp);
  1158. s->session->sess_cert->peer_rsa_tmp=NULL;
  1159. }
  1160. #endif
  1161. #ifndef OPENSSL_NO_DH
  1162. if (s->session->sess_cert->peer_dh_tmp)
  1163. {
  1164. DH_free(s->session->sess_cert->peer_dh_tmp);
  1165. s->session->sess_cert->peer_dh_tmp=NULL;
  1166. }
  1167. #endif
  1168. #ifndef OPENSSL_NO_ECDH
  1169. if (s->session->sess_cert->peer_ecdh_tmp)
  1170. {
  1171. EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
  1172. s->session->sess_cert->peer_ecdh_tmp=NULL;
  1173. }
  1174. #endif
  1175. }
  1176. else
  1177. {
  1178. s->session->sess_cert=ssl_sess_cert_new();
  1179. }
  1180. param_len=0;
  1181. alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
  1182. alg_a=s->s3->tmp.new_cipher->algorithm_auth;
  1183. EVP_MD_CTX_init(&md_ctx);
  1184. #ifndef OPENSSL_NO_PSK
  1185. if (alg_k & SSL_kPSK)
  1186. {
  1187. char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
  1188. al=SSL_AD_HANDSHAKE_FAILURE;
  1189. n2s(p,i);
  1190. param_len=i+2;
  1191. /* Store PSK identity hint for later use, hint is used
  1192. * in ssl3_send_client_key_exchange. Assume that the
  1193. * maximum length of a PSK identity hint can be as
  1194. * long as the maximum length of a PSK identity. */
  1195. if (i > PSK_MAX_IDENTITY_LEN)
  1196. {
  1197. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
  1198. SSL_R_DATA_LENGTH_TOO_LONG);
  1199. goto f_err;
  1200. }
  1201. if (param_len > n)
  1202. {
  1203. al=SSL_AD_DECODE_ERROR;
  1204. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
  1205. SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
  1206. goto f_err;
  1207. }
  1208. /* If received PSK identity hint contains NULL
  1209. * characters, the hint is truncated from the first
  1210. * NULL. p may not be ending with NULL, so create a
  1211. * NULL-terminated string. */
  1212. memcpy(tmp_id_hint, p, i);
  1213. memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
  1214. if (s->ctx->psk_identity_hint != NULL)
  1215. OPENSSL_free(s->ctx->psk_identity_hint);
  1216. s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
  1217. if (s->ctx->psk_identity_hint == NULL)
  1218. {
  1219. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  1220. goto f_err;
  1221. }
  1222. p+=i;
  1223. n-=param_len;
  1224. }
  1225. else
  1226. #endif /* !OPENSSL_NO_PSK */
  1227. #ifndef OPENSSL_NO_SRP
  1228. if (alg_k & SSL_kSRP)
  1229. {
  1230. n2s(p,i);
  1231. param_len=i+2;
  1232. if (param_len > n)
  1233. {
  1234. al=SSL_AD_DECODE_ERROR;
  1235. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
  1236. goto f_err;
  1237. }
  1238. if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL)))
  1239. {
  1240. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1241. goto err;
  1242. }
  1243. p+=i;
  1244. n2s(p,i);
  1245. param_len+=i+2;
  1246. if (param_len > n)
  1247. {
  1248. al=SSL_AD_DECODE_ERROR;
  1249. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
  1250. goto f_err;
  1251. }
  1252. if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL)))
  1253. {
  1254. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1255. goto err;
  1256. }
  1257. p+=i;
  1258. i = (unsigned int)(p[0]);
  1259. p++;
  1260. param_len+=i+1;
  1261. if (param_len > n)
  1262. {
  1263. al=SSL_AD_DECODE_ERROR;
  1264. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
  1265. goto f_err;
  1266. }
  1267. if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL)))
  1268. {
  1269. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1270. goto err;
  1271. }
  1272. p+=i;
  1273. n2s(p,i);
  1274. param_len+=i+2;
  1275. if (param_len > n)
  1276. {
  1277. al=SSL_AD_DECODE_ERROR;
  1278. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
  1279. goto f_err;
  1280. }
  1281. if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL)))
  1282. {
  1283. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1284. goto err;
  1285. }
  1286. p+=i;
  1287. n-=param_len;
  1288. /* We must check if there is a certificate */
  1289. #ifndef OPENSSL_NO_RSA
  1290. if (alg_a & SSL_aRSA)
  1291. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  1292. #else
  1293. if (0)
  1294. ;
  1295. #endif
  1296. #ifndef OPENSSL_NO_DSA
  1297. else if (alg_a & SSL_aDSS)
  1298. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
  1299. #endif
  1300. }
  1301. else
  1302. #endif /* !OPENSSL_NO_SRP */
  1303. #ifndef OPENSSL_NO_RSA
  1304. if (alg_k & SSL_kRSA)
  1305. {
  1306. if ((rsa=RSA_new()) == NULL)
  1307. {
  1308. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1309. goto err;
  1310. }
  1311. n2s(p,i);
  1312. param_len=i+2;
  1313. if (param_len > n)
  1314. {
  1315. al=SSL_AD_DECODE_ERROR;
  1316. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
  1317. goto f_err;
  1318. }
  1319. if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
  1320. {
  1321. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1322. goto err;
  1323. }
  1324. p+=i;
  1325. n2s(p,i);
  1326. param_len+=i+2;
  1327. if (param_len > n)
  1328. {
  1329. al=SSL_AD_DECODE_ERROR;
  1330. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
  1331. goto f_err;
  1332. }
  1333. if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
  1334. {
  1335. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1336. goto err;
  1337. }
  1338. p+=i;
  1339. n-=param_len;
  1340. /* this should be because we are using an export cipher */
  1341. if (alg_a & SSL_aRSA)
  1342. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  1343. else
  1344. {
  1345. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  1346. goto err;
  1347. }
  1348. s->session->sess_cert->peer_rsa_tmp=rsa;
  1349. rsa=NULL;
  1350. }
  1351. #else /* OPENSSL_NO_RSA */
  1352. if (0)
  1353. ;
  1354. #endif
  1355. #ifndef OPENSSL_NO_DH
  1356. else if (alg_k & SSL_kEDH)
  1357. {
  1358. if ((dh=DH_new()) == NULL)
  1359. {
  1360. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
  1361. goto err;
  1362. }
  1363. n2s(p,i);
  1364. param_len=i+2;
  1365. if (param_len > n)
  1366. {
  1367. al=SSL_AD_DECODE_ERROR;
  1368. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
  1369. goto f_err;
  1370. }
  1371. if (!(dh->p=BN_bin2bn(p,i,NULL)))
  1372. {
  1373. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1374. goto err;
  1375. }
  1376. p+=i;
  1377. n2s(p,i);
  1378. param_len+=i+2;
  1379. if (param_len > n)
  1380. {
  1381. al=SSL_AD_DECODE_ERROR;
  1382. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
  1383. goto f_err;
  1384. }
  1385. if (!(dh->g=BN_bin2bn(p,i,NULL)))
  1386. {
  1387. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1388. goto err;
  1389. }
  1390. p+=i;
  1391. n2s(p,i);
  1392. param_len+=i+2;
  1393. if (param_len > n)
  1394. {
  1395. al=SSL_AD_DECODE_ERROR;
  1396. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
  1397. goto f_err;
  1398. }
  1399. if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
  1400. {
  1401. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
  1402. goto err;
  1403. }
  1404. p+=i;
  1405. n-=param_len;
  1406. #ifndef OPENSSL_NO_RSA
  1407. if (alg_a & SSL_aRSA)
  1408. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  1409. #else
  1410. if (0)
  1411. ;
  1412. #endif
  1413. #ifndef OPENSSL_NO_DSA
  1414. else if (alg_a & SSL_aDSS)
  1415. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
  1416. #endif
  1417. /* else anonymous DH, so no certificate or pkey. */
  1418. s->session->sess_cert->peer_dh_tmp=dh;
  1419. dh=NULL;
  1420. }
  1421. else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
  1422. {
  1423. al=SSL_AD_ILLEGAL_PARAMETER;
  1424. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
  1425. goto f_err;
  1426. }
  1427. #endif /* !OPENSSL_NO_DH */
  1428. #ifndef OPENSSL_NO_ECDH
  1429. else if (alg_k & SSL_kEECDH)
  1430. {
  1431. EC_GROUP *ngroup;
  1432. const EC_GROUP *group;
  1433. if ((ecdh=EC_KEY_new()) == NULL)
  1434. {
  1435. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1436. goto err;
  1437. }
  1438. /* Extract elliptic curve parameters and the
  1439. * server's ephemeral ECDH public key.
  1440. * Keep accumulating lengths of various components in
  1441. * param_len and make sure it never exceeds n.
  1442. */
  1443. /* XXX: For now we only support named (not generic) curves
  1444. * and the ECParameters in this case is just three bytes.
  1445. */
  1446. param_len=3;
  1447. if ((param_len > n) ||
  1448. (*p != NAMED_CURVE_TYPE) ||
  1449. ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0))
  1450. {
  1451. al=SSL_AD_INTERNAL_ERROR;
  1452. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
  1453. goto f_err;
  1454. }
  1455. ngroup = EC_GROUP_new_by_curve_name(curve_nid);
  1456. if (ngroup == NULL)
  1457. {
  1458. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
  1459. goto err;
  1460. }
  1461. if (EC_KEY_set_group(ecdh, ngroup) == 0)
  1462. {
  1463. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
  1464. goto err;
  1465. }
  1466. EC_GROUP_free(ngroup);
  1467. group = EC_KEY_get0_group(ecdh);
  1468. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  1469. (EC_GROUP_get_degree(group) > 163))
  1470. {
  1471. al=SSL_AD_EXPORT_RESTRICTION;
  1472. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
  1473. goto f_err;
  1474. }
  1475. p+=3;
  1476. /* Next, get the encoded ECPoint */
  1477. if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
  1478. ((bn_ctx = BN_CTX_new()) == NULL))
  1479. {
  1480. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1481. goto err;
  1482. }
  1483. encoded_pt_len = *p; /* length of encoded point */
  1484. p+=1;
  1485. param_len += (1 + encoded_pt_len);
  1486. if ((param_len > n) ||
  1487. (EC_POINT_oct2point(group, srvr_ecpoint,
  1488. p, encoded_pt_len, bn_ctx) == 0))
  1489. {
  1490. al=SSL_AD_DECODE_ERROR;
  1491. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
  1492. goto f_err;
  1493. }
  1494. n-=param_len;
  1495. p+=encoded_pt_len;
  1496. /* The ECC/TLS specification does not mention
  1497. * the use of DSA to sign ECParameters in the server
  1498. * key exchange message. We do support RSA and ECDSA.
  1499. */
  1500. if (0) ;
  1501. #ifndef OPENSSL_NO_RSA
  1502. else if (alg_a & SSL_aRSA)
  1503. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  1504. #endif
  1505. #ifndef OPENSSL_NO_ECDSA
  1506. else if (alg_a & SSL_aECDSA)
  1507. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
  1508. #endif
  1509. /* else anonymous ECDH, so no certificate or pkey. */
  1510. EC_KEY_set_public_key(ecdh, srvr_ecpoint);
  1511. s->session->sess_cert->peer_ecdh_tmp=ecdh;
  1512. ecdh=NULL;
  1513. BN_CTX_free(bn_ctx);
  1514. bn_ctx = NULL;
  1515. EC_POINT_free(srvr_ecpoint);
  1516. srvr_ecpoint = NULL;
  1517. }
  1518. else if (alg_k)
  1519. {
  1520. al=SSL_AD_UNEXPECTED_MESSAGE;
  1521. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
  1522. goto f_err;
  1523. }
  1524. #endif /* !OPENSSL_NO_ECDH */
  1525. /* p points to the next byte, there are 'n' bytes left */
  1526. /* if it was signed, check the signature */
  1527. if (pkey != NULL)
  1528. {
  1529. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  1530. {
  1531. int sigalg = tls12_get_sigid(pkey);
  1532. /* Should never happen */
  1533. if (sigalg == -1)
  1534. {
  1535. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  1536. goto err;
  1537. }
  1538. /* Check key type is consistent with signature */
  1539. if (sigalg != (int)p[1])
  1540. {
  1541. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE);
  1542. al=SSL_AD_DECODE_ERROR;
  1543. goto f_err;
  1544. }
  1545. md = tls12_get_hash(p[0]);
  1546. if (md == NULL)
  1547. {
  1548. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
  1549. al=SSL_AD_DECODE_ERROR;
  1550. goto f_err;
  1551. }
  1552. #ifdef SSL_DEBUG
  1553. fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
  1554. #endif
  1555. p += 2;
  1556. n -= 2;
  1557. }
  1558. else
  1559. md = EVP_sha1();
  1560. n2s(p,i);
  1561. n-=2;
  1562. j=EVP_PKEY_size(pkey);
  1563. if ((i != n) || (n > j) || (n <= 0))
  1564. {
  1565. /* wrong packet length */
  1566. al=SSL_AD_DECODE_ERROR;
  1567. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
  1568. goto f_err;
  1569. }
  1570. #ifndef OPENSSL_NO_RSA
  1571. if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
  1572. {
  1573. int num;
  1574. j=0;
  1575. q=md_buf;
  1576. for (num=2; num > 0; num--)
  1577. {
  1578. EVP_MD_CTX_set_flags(&md_ctx,
  1579. EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  1580. EVP_DigestInit_ex(&md_ctx,(num == 2)
  1581. ?s->ctx->md5:s->ctx->sha1, NULL);
  1582. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1583. EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1584. EVP_DigestUpdate(&md_ctx,param,param_len);
  1585. EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
  1586. q+=i;
  1587. j+=i;
  1588. }
  1589. i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
  1590. pkey->pkey.rsa);
  1591. if (i < 0)
  1592. {
  1593. al=SSL_AD_DECRYPT_ERROR;
  1594. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
  1595. goto f_err;
  1596. }
  1597. if (i == 0)
  1598. {
  1599. /* bad signature */
  1600. al=SSL_AD_DECRYPT_ERROR;
  1601. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
  1602. goto f_err;
  1603. }
  1604. }
  1605. else
  1606. #endif
  1607. {
  1608. EVP_VerifyInit_ex(&md_ctx, md, NULL);
  1609. EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1610. EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1611. EVP_VerifyUpdate(&md_ctx,param,param_len);
  1612. if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
  1613. {
  1614. /* bad signature */
  1615. al=SSL_AD_DECRYPT_ERROR;
  1616. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
  1617. goto f_err;
  1618. }
  1619. }
  1620. }
  1621. else
  1622. {
  1623. if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
  1624. /* aNULL or kPSK do not need public keys */
  1625. {
  1626. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  1627. goto err;
  1628. }
  1629. /* still data left over */
  1630. if (n != 0)
  1631. {
  1632. al=SSL_AD_DECODE_ERROR;
  1633. SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
  1634. goto f_err;
  1635. }
  1636. }
  1637. EVP_PKEY_free(pkey);
  1638. EVP_MD_CTX_cleanup(&md_ctx);
  1639. return(1);
  1640. f_err:
  1641. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1642. err:
  1643. EVP_PKEY_free(pkey);
  1644. #ifndef OPENSSL_NO_RSA
  1645. if (rsa != NULL)
  1646. RSA_free(rsa);
  1647. #endif
  1648. #ifndef OPENSSL_NO_DH
  1649. if (dh != NULL)
  1650. DH_free(dh);
  1651. #endif
  1652. #ifndef OPENSSL_NO_ECDH
  1653. BN_CTX_free(bn_ctx);
  1654. EC_POINT_free(srvr_ecpoint);
  1655. if (ecdh != NULL)
  1656. EC_KEY_free(ecdh);
  1657. #endif
  1658. EVP_MD_CTX_cleanup(&md_ctx);
  1659. return(-1);
  1660. }
  1661. int ssl3_get_certificate_request(SSL *s)
  1662. {
  1663. int ok,ret=0;
  1664. unsigned long n,nc,l;
  1665. unsigned int llen, ctype_num,i;
  1666. X509_NAME *xn=NULL;
  1667. const unsigned char *p,*q;
  1668. unsigned char *d;
  1669. STACK_OF(X509_NAME) *ca_sk=NULL;
  1670. n=s->method->ssl_get_message(s,
  1671. SSL3_ST_CR_CERT_REQ_A,
  1672. SSL3_ST_CR_CERT_REQ_B,
  1673. -1,
  1674. s->max_cert_list,
  1675. &ok);
  1676. if (!ok) return((int)n);
  1677. s->s3->tmp.cert_req=0;
  1678. if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
  1679. {
  1680. s->s3->tmp.reuse_message=1;
  1681. /* If we get here we don't need any cached handshake records
  1682. * as we wont be doing client auth.
  1683. */
  1684. if (s->s3->handshake_buffer)
  1685. {
  1686. if (!ssl3_digest_cached_records(s))
  1687. goto err;
  1688. }
  1689. return(1);
  1690. }
  1691. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
  1692. {
  1693. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
  1694. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
  1695. goto err;
  1696. }
  1697. /* TLS does not like anon-DH with client cert */
  1698. if (s->version > SSL3_VERSION)
  1699. {
  1700. if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  1701. {
  1702. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
  1703. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
  1704. goto err;
  1705. }
  1706. }
  1707. p=d=(unsigned char *)s->init_msg;
  1708. if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
  1709. {
  1710. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
  1711. goto err;
  1712. }
  1713. /* get the certificate types */
  1714. ctype_num= *(p++);
  1715. if (ctype_num > SSL3_CT_NUMBER)
  1716. ctype_num=SSL3_CT_NUMBER;
  1717. for (i=0; i<ctype_num; i++)
  1718. s->s3->tmp.ctype[i]= p[i];
  1719. p+=ctype_num;
  1720. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  1721. {
  1722. n2s(p, llen);
  1723. /* Check we have enough room for signature algorithms and
  1724. * following length value.
  1725. */
  1726. if ((unsigned long)(p - d + llen + 2) > n)
  1727. {
  1728. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1729. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
  1730. goto err;
  1731. }
  1732. if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
  1733. {
  1734. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1735. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
  1736. goto err;
  1737. }
  1738. p += llen;
  1739. }
  1740. /* get the CA RDNs */
  1741. n2s(p,llen);
  1742. #if 0
  1743. {
  1744. FILE *out;
  1745. out=fopen("/tmp/vsign.der","w");
  1746. fwrite(p,1,llen,out);
  1747. fclose(out);
  1748. }
  1749. #endif
  1750. if ((unsigned long)(p - d + llen) != n)
  1751. {
  1752. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1753. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
  1754. goto err;
  1755. }
  1756. for (nc=0; nc<llen; )
  1757. {
  1758. n2s(p,l);
  1759. if ((l+nc+2) > llen)
  1760. {
  1761. if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
  1762. goto cont; /* netscape bugs */
  1763. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1764. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
  1765. goto err;
  1766. }
  1767. q=p;
  1768. if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
  1769. {
  1770. /* If netscape tolerance is on, ignore errors */
  1771. if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
  1772. goto cont;
  1773. else
  1774. {
  1775. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1776. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
  1777. goto err;
  1778. }
  1779. }
  1780. if (q != (p+l))
  1781. {
  1782. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1783. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
  1784. goto err;
  1785. }
  1786. if (!sk_X509_NAME_push(ca_sk,xn))
  1787. {
  1788. SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
  1789. goto err;
  1790. }
  1791. p+=l;
  1792. nc+=l+2;
  1793. }
  1794. if (0)
  1795. {
  1796. cont:
  1797. ERR_clear_error();
  1798. }
  1799. /* we should setup a certificate to return.... */
  1800. s->s3->tmp.cert_req=1;
  1801. s->s3->tmp.ctype_num=ctype_num;
  1802. if (s->s3->tmp.ca_names != NULL)
  1803. sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
  1804. s->s3->tmp.ca_names=ca_sk;
  1805. ca_sk=NULL;
  1806. ret=1;
  1807. err:
  1808. if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
  1809. return(ret);
  1810. }
  1811. static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
  1812. {
  1813. return(X509_NAME_cmp(*a,*b));
  1814. }
  1815. #ifndef OPENSSL_NO_TLSEXT
  1816. int ssl3_get_new_session_ticket(SSL *s)
  1817. {
  1818. int ok,al,ret=0, ticklen;
  1819. long n;
  1820. const unsigned char *p;
  1821. unsigned char *d;
  1822. n=s->method->ssl_get_message(s,
  1823. SSL3_ST_CR_SESSION_TICKET_A,
  1824. SSL3_ST_CR_SESSION_TICKET_B,
  1825. -1,
  1826. 16384,
  1827. &ok);
  1828. if (!ok)
  1829. return((int)n);
  1830. if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
  1831. {
  1832. s->s3->tmp.reuse_message=1;
  1833. return(1);
  1834. }
  1835. if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
  1836. {
  1837. al=SSL_AD_UNEXPECTED_MESSAGE;
  1838. SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
  1839. goto f_err;
  1840. }
  1841. if (n < 6)
  1842. {
  1843. /* need at least ticket_lifetime_hint + ticket length */
  1844. al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
  1845. SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
  1846. goto f_err;
  1847. }
  1848. p=d=(unsigned char *)s->init_msg;
  1849. n2l(p, s->session->tlsext_tick_lifetime_hint);
  1850. n2s(p, ticklen);
  1851. /* ticket_lifetime_hint + ticket_length + ticket */
  1852. if (ticklen + 6 != n)
  1853. {
  1854. al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
  1855. SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
  1856. goto f_err;
  1857. }
  1858. if (s->session->tlsext_tick)
  1859. {
  1860. OPENSSL_free(s->session->tlsext_tick);
  1861. s->session->tlsext_ticklen = 0;
  1862. }
  1863. s->session->tlsext_tick = OPENSSL_malloc(ticklen);
  1864. if (!s->session->tlsext_tick)
  1865. {
  1866. SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
  1867. goto err;
  1868. }
  1869. memcpy(s->session->tlsext_tick, p, ticklen);
  1870. s->session->tlsext_ticklen = ticklen;
  1871. /* There are two ways to detect a resumed ticket sesion.
  1872. * One is to set an appropriate session ID and then the server
  1873. * must return a match in ServerHello. This allows the normal
  1874. * client session ID matching to work and we know much
  1875. * earlier that the ticket has been accepted.
  1876. *
  1877. * The other way is to set zero length session ID when the
  1878. * ticket is presented and rely on the handshake to determine
  1879. * session resumption.
  1880. *
  1881. * We choose the former approach because this fits in with
  1882. * assumptions elsewhere in OpenSSL. The session ID is set
  1883. * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
  1884. * ticket.
  1885. */
  1886. EVP_Digest(p, ticklen,
  1887. s->session->session_id, &s->session->session_id_length,
  1888. #ifndef OPENSSL_NO_SHA256
  1889. EVP_sha256(), NULL);
  1890. #else
  1891. EVP_sha1(), NULL);
  1892. #endif
  1893. ret=1;
  1894. return(ret);
  1895. f_err:
  1896. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1897. err:
  1898. return(-1);
  1899. }
  1900. int ssl3_get_cert_status(SSL *s)
  1901. {
  1902. int ok, al;
  1903. unsigned long resplen,n;
  1904. const unsigned char *p;
  1905. n=s->method->ssl_get_message(s,
  1906. SSL3_ST_CR_CERT_STATUS_A,
  1907. SSL3_ST_CR_CERT_STATUS_B,
  1908. SSL3_MT_CERTIFICATE_STATUS,
  1909. 16384,
  1910. &ok);
  1911. if (!ok) return((int)n);
  1912. if (n < 4)
  1913. {
  1914. /* need at least status type + length */
  1915. al = SSL_AD_DECODE_ERROR;
  1916. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
  1917. goto f_err;
  1918. }
  1919. p = (unsigned char *)s->init_msg;
  1920. if (*p++ != TLSEXT_STATUSTYPE_ocsp)
  1921. {
  1922. al = SSL_AD_DECODE_ERROR;
  1923. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
  1924. goto f_err;
  1925. }
  1926. n2l3(p, resplen);
  1927. if (resplen + 4 != n)
  1928. {
  1929. al = SSL_AD_DECODE_ERROR;
  1930. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
  1931. goto f_err;
  1932. }
  1933. if (s->tlsext_ocsp_resp)
  1934. OPENSSL_free(s->tlsext_ocsp_resp);
  1935. s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
  1936. if (!s->tlsext_ocsp_resp)
  1937. {
  1938. al = SSL_AD_INTERNAL_ERROR;
  1939. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
  1940. goto f_err;
  1941. }
  1942. s->tlsext_ocsp_resplen = resplen;
  1943. if (s->ctx->tlsext_status_cb)
  1944. {
  1945. int ret;
  1946. ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
  1947. if (ret == 0)
  1948. {
  1949. al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
  1950. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
  1951. goto f_err;
  1952. }
  1953. if (ret < 0)
  1954. {
  1955. al = SSL_AD_INTERNAL_ERROR;
  1956. SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
  1957. goto f_err;
  1958. }
  1959. }
  1960. return 1;
  1961. f_err:
  1962. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1963. return(-1);
  1964. }
  1965. #endif
  1966. int ssl3_get_server_done(SSL *s)
  1967. {
  1968. int ok,ret=0;
  1969. long n;
  1970. n=s->method->ssl_get_message(s,
  1971. SSL3_ST_CR_SRVR_DONE_A,
  1972. SSL3_ST_CR_SRVR_DONE_B,
  1973. SSL3_MT_SERVER_DONE,
  1974. 30, /* should be very small, like 0 :-) */
  1975. &ok);
  1976. if (!ok) return((int)n);
  1977. if (n > 0)
  1978. {
  1979. /* should contain no data */
  1980. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
  1981. SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
  1982. return -1;
  1983. }
  1984. ret=1;
  1985. return(ret);
  1986. }
  1987. int ssl3_send_client_key_exchange(SSL *s)
  1988. {
  1989. unsigned char *p,*d;
  1990. int n;
  1991. unsigned long alg_k;
  1992. #ifndef OPENSSL_NO_RSA
  1993. unsigned char *q;
  1994. EVP_PKEY *pkey=NULL;
  1995. #endif
  1996. #ifndef OPENSSL_NO_KRB5
  1997. KSSL_ERR kssl_err;
  1998. #endif /* OPENSSL_NO_KRB5 */
  1999. #ifndef OPENSSL_NO_ECDH
  2000. EC_KEY *clnt_ecdh = NULL;
  2001. const EC_POINT *srvr_ecpoint = NULL;
  2002. EVP_PKEY *srvr_pub_pkey = NULL;
  2003. unsigned char *encodedPoint = NULL;
  2004. int encoded_pt_len = 0;
  2005. BN_CTX * bn_ctx = NULL;
  2006. #endif
  2007. if (s->state == SSL3_ST_CW_KEY_EXCH_A)
  2008. {
  2009. d=(unsigned char *)s->init_buf->data;
  2010. p= &(d[4]);
  2011. alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
  2012. /* Fool emacs indentation */
  2013. if (0) {}
  2014. #ifndef OPENSSL_NO_RSA
  2015. else if (alg_k & SSL_kRSA)
  2016. {
  2017. RSA *rsa;
  2018. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  2019. if (s->session->sess_cert->peer_rsa_tmp != NULL)
  2020. rsa=s->session->sess_cert->peer_rsa_tmp;
  2021. else
  2022. {
  2023. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  2024. if ((pkey == NULL) ||
  2025. (pkey->type != EVP_PKEY_RSA) ||
  2026. (pkey->pkey.rsa == NULL))
  2027. {
  2028. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  2029. goto err;
  2030. }
  2031. rsa=pkey->pkey.rsa;
  2032. EVP_PKEY_free(pkey);
  2033. }
  2034. tmp_buf[0]=s->client_version>>8;
  2035. tmp_buf[1]=s->client_version&0xff;
  2036. if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
  2037. goto err;
  2038. s->session->master_key_length=sizeof tmp_buf;
  2039. q=p;
  2040. /* Fix buf for TLS and beyond */
  2041. if (s->version > SSL3_VERSION)
  2042. p+=2;
  2043. n=RSA_public_encrypt(sizeof tmp_buf,
  2044. tmp_buf,p,rsa,RSA_PKCS1_PADDING);
  2045. #ifdef PKCS1_CHECK
  2046. if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
  2047. if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
  2048. #endif
  2049. if (n <= 0)
  2050. {
  2051. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
  2052. goto err;
  2053. }
  2054. /* Fix buf for TLS and beyond */
  2055. if (s->version > SSL3_VERSION)
  2056. {
  2057. s2n(n,q);
  2058. n+=2;
  2059. }
  2060. s->session->master_key_length=
  2061. s->method->ssl3_enc->generate_master_secret(s,
  2062. s->session->master_key,
  2063. tmp_buf,sizeof tmp_buf);
  2064. OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
  2065. }
  2066. #endif
  2067. #ifndef OPENSSL_NO_KRB5
  2068. else if (alg_k & SSL_kKRB5)
  2069. {
  2070. krb5_error_code krb5rc;
  2071. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  2072. /* krb5_data krb5_ap_req; */
  2073. krb5_data *enc_ticket;
  2074. krb5_data authenticator, *authp = NULL;
  2075. EVP_CIPHER_CTX ciph_ctx;
  2076. const EVP_CIPHER *enc = NULL;
  2077. unsigned char iv[EVP_MAX_IV_LENGTH];
  2078. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  2079. unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
  2080. + EVP_MAX_IV_LENGTH];
  2081. int padl, outl = sizeof(epms);
  2082. EVP_CIPHER_CTX_init(&ciph_ctx);
  2083. #ifdef KSSL_DEBUG
  2084. printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
  2085. alg_k, SSL_kKRB5);
  2086. #endif /* KSSL_DEBUG */
  2087. authp = NULL;
  2088. #ifdef KRB5SENDAUTH
  2089. if (KRB5SENDAUTH) authp = &authenticator;
  2090. #endif /* KRB5SENDAUTH */
  2091. krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
  2092. &kssl_err);
  2093. enc = kssl_map_enc(kssl_ctx->enctype);
  2094. if (enc == NULL)
  2095. goto err;
  2096. #ifdef KSSL_DEBUG
  2097. {
  2098. printf("kssl_cget_tkt rtn %d\n", krb5rc);
  2099. if (krb5rc && kssl_err.text)
  2100. printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
  2101. }
  2102. #endif /* KSSL_DEBUG */
  2103. if (krb5rc)
  2104. {
  2105. ssl3_send_alert(s,SSL3_AL_FATAL,
  2106. SSL_AD_HANDSHAKE_FAILURE);
  2107. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2108. kssl_err.reason);
  2109. goto err;
  2110. }
  2111. /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
  2112. ** in place of RFC 2712 KerberosWrapper, as in:
  2113. **
  2114. ** Send ticket (copy to *p, set n = length)
  2115. ** n = krb5_ap_req.length;
  2116. ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
  2117. ** if (krb5_ap_req.data)
  2118. ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
  2119. **
  2120. ** Now using real RFC 2712 KerberosWrapper
  2121. ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
  2122. ** Note: 2712 "opaque" types are here replaced
  2123. ** with a 2-byte length followed by the value.
  2124. ** Example:
  2125. ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
  2126. ** Where "xx xx" = length bytes. Shown here with
  2127. ** optional authenticator omitted.
  2128. */
  2129. /* KerberosWrapper.Ticket */
  2130. s2n(enc_ticket->length,p);
  2131. memcpy(p, enc_ticket->data, enc_ticket->length);
  2132. p+= enc_ticket->length;
  2133. n = enc_ticket->length + 2;
  2134. /* KerberosWrapper.Authenticator */
  2135. if (authp && authp->length)
  2136. {
  2137. s2n(authp->length,p);
  2138. memcpy(p, authp->data, authp->length);
  2139. p+= authp->length;
  2140. n+= authp->length + 2;
  2141. free(authp->data);
  2142. authp->data = NULL;
  2143. authp->length = 0;
  2144. }
  2145. else
  2146. {
  2147. s2n(0,p);/* null authenticator length */
  2148. n+=2;
  2149. }
  2150. tmp_buf[0]=s->client_version>>8;
  2151. tmp_buf[1]=s->client_version&0xff;
  2152. if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
  2153. goto err;
  2154. /* 20010420 VRS. Tried it this way; failed.
  2155. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
  2156. ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
  2157. ** kssl_ctx->length);
  2158. ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
  2159. */
  2160. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  2161. EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
  2162. kssl_ctx->key,iv);
  2163. EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
  2164. sizeof tmp_buf);
  2165. EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
  2166. outl += padl;
  2167. if (outl > (int)sizeof epms)
  2168. {
  2169. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2170. goto err;
  2171. }
  2172. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  2173. /* KerberosWrapper.EncryptedPreMasterSecret */
  2174. s2n(outl,p);
  2175. memcpy(p, epms, outl);
  2176. p+=outl;
  2177. n+=outl + 2;
  2178. s->session->master_key_length=
  2179. s->method->ssl3_enc->generate_master_secret(s,
  2180. s->session->master_key,
  2181. tmp_buf, sizeof tmp_buf);
  2182. OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  2183. OPENSSL_cleanse(epms, outl);
  2184. }
  2185. #endif
  2186. #ifndef OPENSSL_NO_DH
  2187. else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  2188. {
  2189. DH *dh_srvr,*dh_clnt;
  2190. if (s->session->sess_cert == NULL)
  2191. {
  2192. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
  2193. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
  2194. goto err;
  2195. }
  2196. if (s->session->sess_cert->peer_dh_tmp != NULL)
  2197. dh_srvr=s->session->sess_cert->peer_dh_tmp;
  2198. else
  2199. {
  2200. /* we get them from the cert */
  2201. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  2202. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
  2203. goto err;
  2204. }
  2205. /* generate a new random key */
  2206. if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
  2207. {
  2208. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  2209. goto err;
  2210. }
  2211. if (!DH_generate_key(dh_clnt))
  2212. {
  2213. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  2214. DH_free(dh_clnt);
  2215. goto err;
  2216. }
  2217. /* use the 'p' output buffer for the DH key, but
  2218. * make sure to clear it out afterwards */
  2219. n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
  2220. if (n <= 0)
  2221. {
  2222. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  2223. DH_free(dh_clnt);
  2224. goto err;
  2225. }
  2226. /* generate master key from the result */
  2227. s->session->master_key_length=
  2228. s->method->ssl3_enc->generate_master_secret(s,
  2229. s->session->master_key,p,n);
  2230. /* clean up */
  2231. memset(p,0,n);
  2232. /* send off the data */
  2233. n=BN_num_bytes(dh_clnt->pub_key);
  2234. s2n(n,p);
  2235. BN_bn2bin(dh_clnt->pub_key,p);
  2236. n+=2;
  2237. DH_free(dh_clnt);
  2238. /* perhaps clean things up a bit EAY EAY EAY EAY*/
  2239. }
  2240. #endif
  2241. #ifndef OPENSSL_NO_ECDH
  2242. else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
  2243. {
  2244. const EC_GROUP *srvr_group = NULL;
  2245. EC_KEY *tkey;
  2246. int ecdh_clnt_cert = 0;
  2247. int field_size = 0;
  2248. /* Did we send out the client's
  2249. * ECDH share for use in premaster
  2250. * computation as part of client certificate?
  2251. * If so, set ecdh_clnt_cert to 1.
  2252. */
  2253. if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
  2254. {
  2255. /* XXX: For now, we do not support client
  2256. * authentication using ECDH certificates.
  2257. * To add such support, one needs to add
  2258. * code that checks for appropriate
  2259. * conditions and sets ecdh_clnt_cert to 1.
  2260. * For example, the cert have an ECC
  2261. * key on the same curve as the server's
  2262. * and the key should be authorized for
  2263. * key agreement.
  2264. *
  2265. * One also needs to add code in ssl3_connect
  2266. * to skip sending the certificate verify
  2267. * message.
  2268. *
  2269. * if ((s->cert->key->privatekey != NULL) &&
  2270. * (s->cert->key->privatekey->type ==
  2271. * EVP_PKEY_EC) && ...)
  2272. * ecdh_clnt_cert = 1;
  2273. */
  2274. }
  2275. if (s->session->sess_cert->peer_ecdh_tmp != NULL)
  2276. {
  2277. tkey = s->session->sess_cert->peer_ecdh_tmp;
  2278. }
  2279. else
  2280. {
  2281. /* Get the Server Public Key from Cert */
  2282. srvr_pub_pkey = X509_get_pubkey(s->session-> \
  2283. sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
  2284. if ((srvr_pub_pkey == NULL) ||
  2285. (srvr_pub_pkey->type != EVP_PKEY_EC) ||
  2286. (srvr_pub_pkey->pkey.ec == NULL))
  2287. {
  2288. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2289. ERR_R_INTERNAL_ERROR);
  2290. goto err;
  2291. }
  2292. tkey = srvr_pub_pkey->pkey.ec;
  2293. }
  2294. srvr_group = EC_KEY_get0_group(tkey);
  2295. srvr_ecpoint = EC_KEY_get0_public_key(tkey);
  2296. if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
  2297. {
  2298. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2299. ERR_R_INTERNAL_ERROR);
  2300. goto err;
  2301. }
  2302. if ((clnt_ecdh=EC_KEY_new()) == NULL)
  2303. {
  2304. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  2305. goto err;
  2306. }
  2307. if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
  2308. {
  2309. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
  2310. goto err;
  2311. }
  2312. if (ecdh_clnt_cert)
  2313. {
  2314. /* Reuse key info from our certificate
  2315. * We only need our private key to perform
  2316. * the ECDH computation.
  2317. */
  2318. const BIGNUM *priv_key;
  2319. tkey = s->cert->key->privatekey->pkey.ec;
  2320. priv_key = EC_KEY_get0_private_key(tkey);
  2321. if (priv_key == NULL)
  2322. {
  2323. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  2324. goto err;
  2325. }
  2326. if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
  2327. {
  2328. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
  2329. goto err;
  2330. }
  2331. }
  2332. else
  2333. {
  2334. /* Generate a new ECDH key pair */
  2335. if (!(EC_KEY_generate_key(clnt_ecdh)))
  2336. {
  2337. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  2338. goto err;
  2339. }
  2340. }
  2341. /* use the 'p' output buffer for the ECDH key, but
  2342. * make sure to clear it out afterwards
  2343. */
  2344. field_size = EC_GROUP_get_degree(srvr_group);
  2345. if (field_size <= 0)
  2346. {
  2347. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2348. ERR_R_ECDH_LIB);
  2349. goto err;
  2350. }
  2351. n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
  2352. if (n <= 0)
  2353. {
  2354. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2355. ERR_R_ECDH_LIB);
  2356. goto err;
  2357. }
  2358. /* generate master key from the result */
  2359. s->session->master_key_length = s->method->ssl3_enc \
  2360. -> generate_master_secret(s,
  2361. s->session->master_key,
  2362. p, n);
  2363. memset(p, 0, n); /* clean up */
  2364. if (ecdh_clnt_cert)
  2365. {
  2366. /* Send empty client key exch message */
  2367. n = 0;
  2368. }
  2369. else
  2370. {
  2371. /* First check the size of encoding and
  2372. * allocate memory accordingly.
  2373. */
  2374. encoded_pt_len =
  2375. EC_POINT_point2oct(srvr_group,
  2376. EC_KEY_get0_public_key(clnt_ecdh),
  2377. POINT_CONVERSION_UNCOMPRESSED,
  2378. NULL, 0, NULL);
  2379. encodedPoint = (unsigned char *)
  2380. OPENSSL_malloc(encoded_pt_len *
  2381. sizeof(unsigned char));
  2382. bn_ctx = BN_CTX_new();
  2383. if ((encodedPoint == NULL) ||
  2384. (bn_ctx == NULL))
  2385. {
  2386. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  2387. goto err;
  2388. }
  2389. /* Encode the public key */
  2390. n = EC_POINT_point2oct(srvr_group,
  2391. EC_KEY_get0_public_key(clnt_ecdh),
  2392. POINT_CONVERSION_UNCOMPRESSED,
  2393. encodedPoint, encoded_pt_len, bn_ctx);
  2394. *p = n; /* length of encoded point */
  2395. /* Encoded point will be copied here */
  2396. p += 1;
  2397. /* copy the point */
  2398. memcpy((unsigned char *)p, encodedPoint, n);
  2399. /* increment n to account for length field */
  2400. n += 1;
  2401. }
  2402. /* Free allocated memory */
  2403. BN_CTX_free(bn_ctx);
  2404. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  2405. if (clnt_ecdh != NULL)
  2406. EC_KEY_free(clnt_ecdh);
  2407. EVP_PKEY_free(srvr_pub_pkey);
  2408. }
  2409. #endif /* !OPENSSL_NO_ECDH */
  2410. else if (alg_k & SSL_kGOST)
  2411. {
  2412. /* GOST key exchange message creation */
  2413. EVP_PKEY_CTX *pkey_ctx;
  2414. X509 *peer_cert;
  2415. size_t msglen;
  2416. unsigned int md_len;
  2417. int keytype;
  2418. unsigned char premaster_secret[32],shared_ukm[32], tmp[256];
  2419. EVP_MD_CTX *ukm_hash;
  2420. EVP_PKEY *pub_key;
  2421. /* Get server sertificate PKEY and create ctx from it */
  2422. peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509;
  2423. if (!peer_cert)
  2424. peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509;
  2425. if (!peer_cert) {
  2426. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
  2427. goto err;
  2428. }
  2429. pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL);
  2430. /* If we have send a certificate, and certificate key
  2431. * parameters match those of server certificate, use
  2432. * certificate key for key exchange
  2433. */
  2434. /* Otherwise, generate ephemeral key pair */
  2435. EVP_PKEY_encrypt_init(pkey_ctx);
  2436. /* Generate session key */
  2437. RAND_bytes(premaster_secret,32);
  2438. /* If we have client certificate, use its secret as peer key */
  2439. if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
  2440. if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) {
  2441. /* If there was an error - just ignore it. Ephemeral key
  2442. * would be used
  2443. */
  2444. ERR_clear_error();
  2445. }
  2446. }
  2447. /* Compute shared IV and store it in algorithm-specific
  2448. * context data */
  2449. ukm_hash = EVP_MD_CTX_create();
  2450. EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94));
  2451. EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE);
  2452. EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE);
  2453. EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
  2454. EVP_MD_CTX_destroy(ukm_hash);
  2455. if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV,
  2456. 8,shared_ukm)<0) {
  2457. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2458. SSL_R_LIBRARY_BUG);
  2459. goto err;
  2460. }
  2461. /* Make GOST keytransport blob message */
  2462. /*Encapsulate it into sequence */
  2463. *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
  2464. msglen=255;
  2465. if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) {
  2466. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2467. SSL_R_LIBRARY_BUG);
  2468. goto err;
  2469. }
  2470. if (msglen >= 0x80)
  2471. {
  2472. *(p++)=0x81;
  2473. *(p++)= msglen & 0xff;
  2474. n=msglen+3;
  2475. }
  2476. else
  2477. {
  2478. *(p++)= msglen & 0xff;
  2479. n=msglen+2;
  2480. }
  2481. memcpy(p, tmp, msglen);
  2482. /* Check if pubkey from client certificate was used */
  2483. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
  2484. {
  2485. /* Set flag "skip certificate verify" */
  2486. s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
  2487. }
  2488. EVP_PKEY_CTX_free(pkey_ctx);
  2489. s->session->master_key_length=
  2490. s->method->ssl3_enc->generate_master_secret(s,
  2491. s->session->master_key,premaster_secret,32);
  2492. EVP_PKEY_free(pub_key);
  2493. }
  2494. #ifndef OPENSSL_NO_SRP
  2495. else if (alg_k & SSL_kSRP)
  2496. {
  2497. if (s->srp_ctx.A != NULL)
  2498. {
  2499. /* send off the data */
  2500. n=BN_num_bytes(s->srp_ctx.A);
  2501. s2n(n,p);
  2502. BN_bn2bin(s->srp_ctx.A,p);
  2503. n+=2;
  2504. }
  2505. else
  2506. {
  2507. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  2508. goto err;
  2509. }
  2510. if (s->session->srp_username != NULL)
  2511. OPENSSL_free(s->session->srp_username);
  2512. s->session->srp_username = BUF_strdup(s->srp_ctx.login);
  2513. if (s->session->srp_username == NULL)
  2514. {
  2515. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2516. ERR_R_MALLOC_FAILURE);
  2517. goto err;
  2518. }
  2519. if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0)
  2520. {
  2521. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  2522. goto err;
  2523. }
  2524. }
  2525. #endif
  2526. #ifndef OPENSSL_NO_PSK
  2527. else if (alg_k & SSL_kPSK)
  2528. {
  2529. char identity[PSK_MAX_IDENTITY_LEN];
  2530. unsigned char *t = NULL;
  2531. unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
  2532. unsigned int pre_ms_len = 0, psk_len = 0;
  2533. int psk_err = 1;
  2534. n = 0;
  2535. if (s->psk_client_callback == NULL)
  2536. {
  2537. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2538. SSL_R_PSK_NO_CLIENT_CB);
  2539. goto err;
  2540. }
  2541. psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
  2542. identity, PSK_MAX_IDENTITY_LEN,
  2543. psk_or_pre_ms, sizeof(psk_or_pre_ms));
  2544. if (psk_len > PSK_MAX_PSK_LEN)
  2545. {
  2546. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2547. ERR_R_INTERNAL_ERROR);
  2548. goto psk_err;
  2549. }
  2550. else if (psk_len == 0)
  2551. {
  2552. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2553. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2554. goto psk_err;
  2555. }
  2556. /* create PSK pre_master_secret */
  2557. pre_ms_len = 2+psk_len+2+psk_len;
  2558. t = psk_or_pre_ms;
  2559. memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
  2560. s2n(psk_len, t);
  2561. memset(t, 0, psk_len);
  2562. t+=psk_len;
  2563. s2n(psk_len, t);
  2564. if (s->session->psk_identity_hint != NULL)
  2565. OPENSSL_free(s->session->psk_identity_hint);
  2566. s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
  2567. if (s->ctx->psk_identity_hint != NULL &&
  2568. s->session->psk_identity_hint == NULL)
  2569. {
  2570. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2571. ERR_R_MALLOC_FAILURE);
  2572. goto psk_err;
  2573. }
  2574. if (s->session->psk_identity != NULL)
  2575. OPENSSL_free(s->session->psk_identity);
  2576. s->session->psk_identity = BUF_strdup(identity);
  2577. if (s->session->psk_identity == NULL)
  2578. {
  2579. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2580. ERR_R_MALLOC_FAILURE);
  2581. goto psk_err;
  2582. }
  2583. s->session->master_key_length =
  2584. s->method->ssl3_enc->generate_master_secret(s,
  2585. s->session->master_key,
  2586. psk_or_pre_ms, pre_ms_len);
  2587. n = strlen(identity);
  2588. s2n(n, p);
  2589. memcpy(p, identity, n);
  2590. n+=2;
  2591. psk_err = 0;
  2592. psk_err:
  2593. OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
  2594. OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
  2595. if (psk_err != 0)
  2596. {
  2597. ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
  2598. goto err;
  2599. }
  2600. }
  2601. #endif
  2602. else
  2603. {
  2604. ssl3_send_alert(s, SSL3_AL_FATAL,
  2605. SSL_AD_HANDSHAKE_FAILURE);
  2606. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  2607. ERR_R_INTERNAL_ERROR);
  2608. goto err;
  2609. }
  2610. *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
  2611. l2n3(n,d);
  2612. s->state=SSL3_ST_CW_KEY_EXCH_B;
  2613. /* number of bytes to write */
  2614. s->init_num=n+4;
  2615. s->init_off=0;
  2616. }
  2617. /* SSL3_ST_CW_KEY_EXCH_B */
  2618. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  2619. err:
  2620. #ifndef OPENSSL_NO_ECDH
  2621. BN_CTX_free(bn_ctx);
  2622. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  2623. if (clnt_ecdh != NULL)
  2624. EC_KEY_free(clnt_ecdh);
  2625. EVP_PKEY_free(srvr_pub_pkey);
  2626. #endif
  2627. return(-1);
  2628. }
  2629. int ssl3_send_client_verify(SSL *s)
  2630. {
  2631. unsigned char *p,*d;
  2632. unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  2633. EVP_PKEY *pkey;
  2634. EVP_PKEY_CTX *pctx=NULL;
  2635. EVP_MD_CTX mctx;
  2636. unsigned u=0;
  2637. unsigned long n;
  2638. int j;
  2639. EVP_MD_CTX_init(&mctx);
  2640. if (s->state == SSL3_ST_CW_CERT_VRFY_A)
  2641. {
  2642. d=(unsigned char *)s->init_buf->data;
  2643. p= &(d[4]);
  2644. pkey=s->cert->key->privatekey;
  2645. /* Create context from key and test if sha1 is allowed as digest */
  2646. pctx = EVP_PKEY_CTX_new(pkey,NULL);
  2647. EVP_PKEY_sign_init(pctx);
  2648. if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
  2649. {
  2650. if (TLS1_get_version(s) < TLS1_2_VERSION)
  2651. s->method->ssl3_enc->cert_verify_mac(s,
  2652. NID_sha1,
  2653. &(data[MD5_DIGEST_LENGTH]));
  2654. }
  2655. else
  2656. {
  2657. ERR_clear_error();
  2658. }
  2659. /* For TLS v1.2 send signature algorithm and signature
  2660. * using agreed digest and cached handshake records.
  2661. */
  2662. if (TLS1_get_version(s) >= TLS1_2_VERSION)
  2663. {
  2664. long hdatalen = 0;
  2665. void *hdata;
  2666. const EVP_MD *md = s->cert->key->digest;
  2667. hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
  2668. &hdata);
  2669. if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md))
  2670. {
  2671. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
  2672. ERR_R_INTERNAL_ERROR);
  2673. goto err;
  2674. }
  2675. p += 2;
  2676. #ifdef SSL_DEBUG
  2677. fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
  2678. EVP_MD_name(md));
  2679. #endif
  2680. if (!EVP_SignInit_ex(&mctx, md, NULL)
  2681. || !EVP_SignUpdate(&mctx, hdata, hdatalen)
  2682. || !EVP_SignFinal(&mctx, p + 2, &u, pkey))
  2683. {
  2684. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
  2685. ERR_R_EVP_LIB);
  2686. goto err;
  2687. }
  2688. s2n(u,p);
  2689. n = u + 4;
  2690. if (!ssl3_digest_cached_records(s))
  2691. goto err;
  2692. }
  2693. else
  2694. #ifndef OPENSSL_NO_RSA
  2695. if (pkey->type == EVP_PKEY_RSA)
  2696. {
  2697. s->method->ssl3_enc->cert_verify_mac(s,
  2698. NID_md5,
  2699. &(data[0]));
  2700. if (RSA_sign(NID_md5_sha1, data,
  2701. MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
  2702. &(p[2]), &u, pkey->pkey.rsa) <= 0 )
  2703. {
  2704. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
  2705. goto err;
  2706. }
  2707. s2n(u,p);
  2708. n=u+2;
  2709. }
  2710. else
  2711. #endif
  2712. #ifndef OPENSSL_NO_DSA
  2713. if (pkey->type == EVP_PKEY_DSA)
  2714. {
  2715. if (!DSA_sign(pkey->save_type,
  2716. &(data[MD5_DIGEST_LENGTH]),
  2717. SHA_DIGEST_LENGTH,&(p[2]),
  2718. (unsigned int *)&j,pkey->pkey.dsa))
  2719. {
  2720. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
  2721. goto err;
  2722. }
  2723. s2n(j,p);
  2724. n=j+2;
  2725. }
  2726. else
  2727. #endif
  2728. #ifndef OPENSSL_NO_ECDSA
  2729. if (pkey->type == EVP_PKEY_EC)
  2730. {
  2731. if (!ECDSA_sign(pkey->save_type,
  2732. &(data[MD5_DIGEST_LENGTH]),
  2733. SHA_DIGEST_LENGTH,&(p[2]),
  2734. (unsigned int *)&j,pkey->pkey.ec))
  2735. {
  2736. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
  2737. ERR_R_ECDSA_LIB);
  2738. goto err;
  2739. }
  2740. s2n(j,p);
  2741. n=j+2;
  2742. }
  2743. else
  2744. #endif
  2745. if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001)
  2746. {
  2747. unsigned char signbuf[64];
  2748. int i;
  2749. size_t sigsize=64;
  2750. s->method->ssl3_enc->cert_verify_mac(s,
  2751. NID_id_GostR3411_94,
  2752. data);
  2753. if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
  2754. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
  2755. ERR_R_INTERNAL_ERROR);
  2756. goto err;
  2757. }
  2758. for (i=63,j=0; i>=0; j++, i--) {
  2759. p[2+j]=signbuf[i];
  2760. }
  2761. s2n(j,p);
  2762. n=j+2;
  2763. }
  2764. else
  2765. {
  2766. SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
  2767. goto err;
  2768. }
  2769. *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
  2770. l2n3(n,d);
  2771. s->state=SSL3_ST_CW_CERT_VRFY_B;
  2772. s->init_num=(int)n+4;
  2773. s->init_off=0;
  2774. }
  2775. EVP_MD_CTX_cleanup(&mctx);
  2776. EVP_PKEY_CTX_free(pctx);
  2777. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  2778. err:
  2779. EVP_MD_CTX_cleanup(&mctx);
  2780. EVP_PKEY_CTX_free(pctx);
  2781. return(-1);
  2782. }
  2783. int ssl3_send_client_certificate(SSL *s)
  2784. {
  2785. X509 *x509=NULL;
  2786. EVP_PKEY *pkey=NULL;
  2787. int i;
  2788. unsigned long l;
  2789. if (s->state == SSL3_ST_CW_CERT_A)
  2790. {
  2791. if ((s->cert == NULL) ||
  2792. (s->cert->key->x509 == NULL) ||
  2793. (s->cert->key->privatekey == NULL))
  2794. s->state=SSL3_ST_CW_CERT_B;
  2795. else
  2796. s->state=SSL3_ST_CW_CERT_C;
  2797. }
  2798. /* We need to get a client cert */
  2799. if (s->state == SSL3_ST_CW_CERT_B)
  2800. {
  2801. /* If we get an error, we need to
  2802. * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
  2803. * We then get retied later */
  2804. i=0;
  2805. i = ssl_do_client_cert_cb(s, &x509, &pkey);
  2806. if (i < 0)
  2807. {
  2808. s->rwstate=SSL_X509_LOOKUP;
  2809. return(-1);
  2810. }
  2811. s->rwstate=SSL_NOTHING;
  2812. if ((i == 1) && (pkey != NULL) && (x509 != NULL))
  2813. {
  2814. s->state=SSL3_ST_CW_CERT_B;
  2815. if ( !SSL_use_certificate(s,x509) ||
  2816. !SSL_use_PrivateKey(s,pkey))
  2817. i=0;
  2818. }
  2819. else if (i == 1)
  2820. {
  2821. i=0;
  2822. SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
  2823. }
  2824. if (x509 != NULL) X509_free(x509);
  2825. if (pkey != NULL) EVP_PKEY_free(pkey);
  2826. if (i == 0)
  2827. {
  2828. if (s->version == SSL3_VERSION)
  2829. {
  2830. s->s3->tmp.cert_req=0;
  2831. ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
  2832. return(1);
  2833. }
  2834. else
  2835. {
  2836. s->s3->tmp.cert_req=2;
  2837. }
  2838. }
  2839. /* Ok, we have a cert */
  2840. s->state=SSL3_ST_CW_CERT_C;
  2841. }
  2842. if (s->state == SSL3_ST_CW_CERT_C)
  2843. {
  2844. s->state=SSL3_ST_CW_CERT_D;
  2845. l=ssl3_output_cert_chain(s,
  2846. (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
  2847. s->init_num=(int)l;
  2848. s->init_off=0;
  2849. }
  2850. /* SSL3_ST_CW_CERT_D */
  2851. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  2852. }
  2853. #define has_bits(i,m) (((i)&(m)) == (m))
  2854. int ssl3_check_cert_and_algorithm(SSL *s)
  2855. {
  2856. int i,idx;
  2857. long alg_k,alg_a;
  2858. EVP_PKEY *pkey=NULL;
  2859. SESS_CERT *sc;
  2860. #ifndef OPENSSL_NO_RSA
  2861. RSA *rsa;
  2862. #endif
  2863. #ifndef OPENSSL_NO_DH
  2864. DH *dh;
  2865. #endif
  2866. alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
  2867. alg_a=s->s3->tmp.new_cipher->algorithm_auth;
  2868. /* we don't have a certificate */
  2869. if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
  2870. return(1);
  2871. sc=s->session->sess_cert;
  2872. if (sc == NULL)
  2873. {
  2874. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
  2875. goto err;
  2876. }
  2877. #ifndef OPENSSL_NO_RSA
  2878. rsa=s->session->sess_cert->peer_rsa_tmp;
  2879. #endif
  2880. #ifndef OPENSSL_NO_DH
  2881. dh=s->session->sess_cert->peer_dh_tmp;
  2882. #endif
  2883. /* This is the passed certificate */
  2884. idx=sc->peer_cert_type;
  2885. #ifndef OPENSSL_NO_ECDH
  2886. if (idx == SSL_PKEY_ECC)
  2887. {
  2888. if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
  2889. s) == 0)
  2890. { /* check failed */
  2891. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
  2892. goto f_err;
  2893. }
  2894. else
  2895. {
  2896. return 1;
  2897. }
  2898. }
  2899. #endif
  2900. pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
  2901. i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
  2902. EVP_PKEY_free(pkey);
  2903. /* Check that we have a certificate if we require one */
  2904. if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
  2905. {
  2906. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
  2907. goto f_err;
  2908. }
  2909. #ifndef OPENSSL_NO_DSA
  2910. else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
  2911. {
  2912. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
  2913. goto f_err;
  2914. }
  2915. #endif
  2916. #ifndef OPENSSL_NO_RSA
  2917. if ((alg_k & SSL_kRSA) &&
  2918. !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
  2919. {
  2920. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
  2921. goto f_err;
  2922. }
  2923. #endif
  2924. #ifndef OPENSSL_NO_DH
  2925. if ((alg_k & SSL_kEDH) &&
  2926. !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
  2927. {
  2928. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
  2929. goto f_err;
  2930. }
  2931. else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
  2932. {
  2933. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
  2934. goto f_err;
  2935. }
  2936. #ifndef OPENSSL_NO_DSA
  2937. else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
  2938. {
  2939. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
  2940. goto f_err;
  2941. }
  2942. #endif
  2943. #endif
  2944. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
  2945. {
  2946. #ifndef OPENSSL_NO_RSA
  2947. if (alg_k & SSL_kRSA)
  2948. {
  2949. if (rsa == NULL
  2950. || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
  2951. {
  2952. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
  2953. goto f_err;
  2954. }
  2955. }
  2956. else
  2957. #endif
  2958. #ifndef OPENSSL_NO_DH
  2959. if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  2960. {
  2961. if (dh == NULL
  2962. || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
  2963. {
  2964. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
  2965. goto f_err;
  2966. }
  2967. }
  2968. else
  2969. #endif
  2970. {
  2971. SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2972. goto f_err;
  2973. }
  2974. }
  2975. return(1);
  2976. f_err:
  2977. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  2978. err:
  2979. return(0);
  2980. }
  2981. /* Check to see if handshake is full or resumed. Usually this is just a
  2982. * case of checking to see if a cache hit has occurred. In the case of
  2983. * session tickets we have to check the next message to be sure.
  2984. */
  2985. #ifndef OPENSSL_NO_TLSEXT
  2986. # ifndef OPENSSL_NO_NEXTPROTONEG
  2987. int ssl3_send_next_proto(SSL *s)
  2988. {
  2989. unsigned int len, padding_len;
  2990. unsigned char *d;
  2991. if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
  2992. {
  2993. len = s->next_proto_negotiated_len;
  2994. padding_len = 32 - ((len + 2) % 32);
  2995. d = (unsigned char *)s->init_buf->data;
  2996. d[4] = len;
  2997. memcpy(d + 5, s->next_proto_negotiated, len);
  2998. d[5 + len] = padding_len;
  2999. memset(d + 6 + len, 0, padding_len);
  3000. *(d++)=SSL3_MT_NEXT_PROTO;
  3001. l2n3(2 + len + padding_len, d);
  3002. s->state = SSL3_ST_CW_NEXT_PROTO_B;
  3003. s->init_num = 4 + 2 + len + padding_len;
  3004. s->init_off = 0;
  3005. }
  3006. return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
  3007. }
  3008. # endif
  3009. int ssl3_check_finished(SSL *s)
  3010. {
  3011. int ok;
  3012. long n;
  3013. /* If we have no ticket it cannot be a resumed session. */
  3014. if (!s->session->tlsext_tick)
  3015. return 1;
  3016. /* this function is called when we really expect a Certificate
  3017. * message, so permit appropriate message length */
  3018. n=s->method->ssl_get_message(s,
  3019. SSL3_ST_CR_CERT_A,
  3020. SSL3_ST_CR_CERT_B,
  3021. -1,
  3022. s->max_cert_list,
  3023. &ok);
  3024. if (!ok) return((int)n);
  3025. s->s3->tmp.reuse_message = 1;
  3026. if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
  3027. || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
  3028. return 2;
  3029. return 1;
  3030. }
  3031. #endif
  3032. int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
  3033. {
  3034. int i = 0;
  3035. #ifndef OPENSSL_NO_ENGINE
  3036. if (s->ctx->client_cert_engine)
  3037. {
  3038. i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
  3039. SSL_get_client_CA_list(s),
  3040. px509, ppkey, NULL, NULL, NULL);
  3041. if (i != 0)
  3042. return i;
  3043. }
  3044. #endif
  3045. if (s->ctx->client_cert_cb)
  3046. i = s->ctx->client_cert_cb(s,px509,ppkey);
  3047. return i;
  3048. }