2
0

s3_srvr.c 51 KB


  1. /* ssl/s3_srvr.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. #define REUSE_CIPHER_BUG
  112. #define NETSCAPE_HANG_BUG
  113. #include <stdio.h>
  114. #include "ssl_locl.h"
  115. #include "kssl_lcl.h"
  116. #include <openssl/buffer.h>
  117. #include <openssl/rand.h>
  118. #include <openssl/objects.h>
  119. #include <openssl/evp.h>
  120. #include <openssl/x509.h>
  121. #ifndef OPENSSL_NO_KRB5
  122. #include <openssl/krb5_asn.h>
  123. #endif
  124. #include <openssl/md5.h>
  125. #include <openssl/fips.h>
  126. static SSL_METHOD *ssl3_get_server_method(int ver);
  127. static int ssl3_get_client_hello(SSL *s);
  128. static int ssl3_check_client_hello(SSL *s);
  129. static int ssl3_send_server_hello(SSL *s);
  130. static int ssl3_send_server_key_exchange(SSL *s);
  131. static int ssl3_send_certificate_request(SSL *s);
  132. static int ssl3_send_server_done(SSL *s);
  133. static int ssl3_get_client_key_exchange(SSL *s);
  134. static int ssl3_get_client_certificate(SSL *s);
  135. static int ssl3_get_cert_verify(SSL *s);
  136. static int ssl3_send_hello_request(SSL *s);
  137. static SSL_METHOD *ssl3_get_server_method(int ver)
  138. {
  139. if (ver == SSL3_VERSION)
  140. return(SSLv3_server_method());
  141. else
  142. return(NULL);
  143. }
  144. SSL_METHOD *SSLv3_server_method(void)
  145. {
  146. static int init=1;
  147. static SSL_METHOD SSLv3_server_data;
  148. if (init)
  149. {
  150. CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
  151. if (init)
  152. {
  153. memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
  154. sizeof(SSL_METHOD));
  155. SSLv3_server_data.ssl_accept=ssl3_accept;
  156. SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
  157. init=0;
  158. }
  159. CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
  160. }
  161. return(&SSLv3_server_data);
  162. }
  163. int ssl3_accept(SSL *s)
  164. {
  165. BUF_MEM *buf;
  166. unsigned long l,Time=time(NULL);
  167. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  168. long num1;
  169. int ret= -1;
  170. int new_state,state,skip=0;
  171. RAND_add(&Time,sizeof(Time),0);
  172. ERR_clear_error();
  173. clear_sys_error();
  174. if (s->info_callback != NULL)
  175. cb=s->info_callback;
  176. else if (s->ctx->info_callback != NULL)
  177. cb=s->ctx->info_callback;
  178. /* init things to blank */
  179. s->in_handshake++;
  180. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  181. if (s->cert == NULL)
  182. {
  183. SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
  184. return(-1);
  185. }
  186. for (;;)
  187. {
  188. state=s->state;
  189. switch (s->state)
  190. {
  191. case SSL_ST_RENEGOTIATE:
  192. s->new_session=1;
  193. /* s->state=SSL_ST_ACCEPT; */
  194. case SSL_ST_BEFORE:
  195. case SSL_ST_ACCEPT:
  196. case SSL_ST_BEFORE|SSL_ST_ACCEPT:
  197. case SSL_ST_OK|SSL_ST_ACCEPT:
  198. s->server=1;
  199. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  200. if ((s->version>>8) != 3)
  201. {
  202. SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
  203. return -1;
  204. }
  205. s->type=SSL_ST_ACCEPT;
  206. if (s->init_buf == NULL)
  207. {
  208. if ((buf=BUF_MEM_new()) == NULL)
  209. {
  210. ret= -1;
  211. goto end;
  212. }
  213. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  214. {
  215. ret= -1;
  216. goto end;
  217. }
  218. s->init_buf=buf;
  219. }
  220. if (!ssl3_setup_buffers(s))
  221. {
  222. ret= -1;
  223. goto end;
  224. }
  225. s->init_num=0;
  226. if (s->state != SSL_ST_RENEGOTIATE)
  227. {
  228. /* Ok, we now need to push on a buffering BIO so that
  229. * the output is sent in a way that TCP likes :-)
  230. */
  231. if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
  232. ssl3_init_finished_mac(s);
  233. s->state=SSL3_ST_SR_CLNT_HELLO_A;
  234. s->ctx->stats.sess_accept++;
  235. }
  236. else
  237. {
  238. /* s->state == SSL_ST_RENEGOTIATE,
  239. * we will just send a HelloRequest */
  240. s->ctx->stats.sess_accept_renegotiate++;
  241. s->state=SSL3_ST_SW_HELLO_REQ_A;
  242. }
  243. break;
  244. case SSL3_ST_SW_HELLO_REQ_A:
  245. case SSL3_ST_SW_HELLO_REQ_B:
  246. s->shutdown=0;
  247. ret=ssl3_send_hello_request(s);
  248. if (ret <= 0) goto end;
  249. s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
  250. s->state=SSL3_ST_SW_FLUSH;
  251. s->init_num=0;
  252. ssl3_init_finished_mac(s);
  253. break;
  254. case SSL3_ST_SW_HELLO_REQ_C:
  255. s->state=SSL_ST_OK;
  256. break;
  257. case SSL3_ST_SR_CLNT_HELLO_A:
  258. case SSL3_ST_SR_CLNT_HELLO_B:
  259. case SSL3_ST_SR_CLNT_HELLO_C:
  260. s->shutdown=0;
  261. ret=ssl3_get_client_hello(s);
  262. if (ret <= 0) goto end;
  263. s->new_session = 2;
  264. s->state=SSL3_ST_SW_SRVR_HELLO_A;
  265. s->init_num=0;
  266. break;
  267. case SSL3_ST_SW_SRVR_HELLO_A:
  268. case SSL3_ST_SW_SRVR_HELLO_B:
  269. ret=ssl3_send_server_hello(s);
  270. if (ret <= 0) goto end;
  271. if (s->hit)
  272. s->state=SSL3_ST_SW_CHANGE_A;
  273. else
  274. s->state=SSL3_ST_SW_CERT_A;
  275. s->init_num=0;
  276. break;
  277. case SSL3_ST_SW_CERT_A:
  278. case SSL3_ST_SW_CERT_B:
  279. /* Check if it is anon DH */
  280. if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
  281. {
  282. ret=ssl3_send_server_certificate(s);
  283. if (ret <= 0) goto end;
  284. }
  285. else
  286. skip=1;
  287. s->state=SSL3_ST_SW_KEY_EXCH_A;
  288. s->init_num=0;
  289. break;
  290. case SSL3_ST_SW_KEY_EXCH_A:
  291. case SSL3_ST_SW_KEY_EXCH_B:
  292. l=s->s3->tmp.new_cipher->algorithms;
  293. /* clear this, it may get reset by
  294. * send_server_key_exchange */
  295. if ((s->options & SSL_OP_EPHEMERAL_RSA)
  296. #ifndef OPENSSL_NO_KRB5
  297. && !(l & SSL_KRB5)
  298. #endif /* OPENSSL_NO_KRB5 */
  299. )
  300. /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
  301. * even when forbidden by protocol specs
  302. * (handshake may fail as clients are not required to
  303. * be able to handle this) */
  304. s->s3->tmp.use_rsa_tmp=1;
  305. else
  306. s->s3->tmp.use_rsa_tmp=0;
  307. /* only send if a DH key exchange, fortezza or
  308. * RSA but we have a sign only certificate */
  309. if (s->s3->tmp.use_rsa_tmp
  310. || (l & (SSL_DH|SSL_kFZA))
  311. || ((l & SSL_kRSA)
  312. && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
  313. || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
  314. && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
  315. )
  316. )
  317. )
  318. )
  319. {
  320. ret=ssl3_send_server_key_exchange(s);
  321. if (ret <= 0) goto end;
  322. }
  323. else
  324. skip=1;
  325. s->state=SSL3_ST_SW_CERT_REQ_A;
  326. s->init_num=0;
  327. break;
  328. case SSL3_ST_SW_CERT_REQ_A:
  329. case SSL3_ST_SW_CERT_REQ_B:
  330. if (/* don't request cert unless asked for it: */
  331. !(s->verify_mode & SSL_VERIFY_PEER) ||
  332. /* if SSL_VERIFY_CLIENT_ONCE is set,
  333. * don't request cert during re-negotiation: */
  334. ((s->session->peer != NULL) &&
  335. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  336. /* never request cert in anonymous ciphersuites
  337. * (see section "Certificate request" in SSL 3 drafts
  338. * and in RFC 2246): */
  339. ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
  340. /* ... except when the application insists on verification
  341. * (against the specs, but s3_clnt.c accepts this for SSL 3) */
  342. !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
  343. /* never request cert in Kerberos ciphersuites */
  344. (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
  345. {
  346. /* no cert request */
  347. skip=1;
  348. s->s3->tmp.cert_request=0;
  349. s->state=SSL3_ST_SW_SRVR_DONE_A;
  350. }
  351. else
  352. {
  353. s->s3->tmp.cert_request=1;
  354. ret=ssl3_send_certificate_request(s);
  355. if (ret <= 0) goto end;
  356. #ifndef NETSCAPE_HANG_BUG
  357. s->state=SSL3_ST_SW_SRVR_DONE_A;
  358. #else
  359. s->state=SSL3_ST_SW_FLUSH;
  360. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  361. #endif
  362. s->init_num=0;
  363. }
  364. break;
  365. case SSL3_ST_SW_SRVR_DONE_A:
  366. case SSL3_ST_SW_SRVR_DONE_B:
  367. ret=ssl3_send_server_done(s);
  368. if (ret <= 0) goto end;
  369. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  370. s->state=SSL3_ST_SW_FLUSH;
  371. s->init_num=0;
  372. break;
  373. case SSL3_ST_SW_FLUSH:
  374. /* number of bytes to be flushed */
  375. num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
  376. if (num1 > 0)
  377. {
  378. s->rwstate=SSL_WRITING;
  379. num1=BIO_flush(s->wbio);
  380. if (num1 <= 0) { ret= -1; goto end; }
  381. s->rwstate=SSL_NOTHING;
  382. }
  383. s->state=s->s3->tmp.next_state;
  384. break;
  385. case SSL3_ST_SR_CERT_A:
  386. case SSL3_ST_SR_CERT_B:
  387. /* Check for second client hello (MS SGC) */
  388. ret = ssl3_check_client_hello(s);
  389. if (ret <= 0)
  390. goto end;
  391. if (ret == 2)
  392. s->state = SSL3_ST_SR_CLNT_HELLO_C;
  393. else {
  394. if (s->s3->tmp.cert_request)
  395. {
  396. ret=ssl3_get_client_certificate(s);
  397. if (ret <= 0) goto end;
  398. }
  399. s->init_num=0;
  400. s->state=SSL3_ST_SR_KEY_EXCH_A;
  401. }
  402. break;
  403. case SSL3_ST_SR_KEY_EXCH_A:
  404. case SSL3_ST_SR_KEY_EXCH_B:
  405. ret=ssl3_get_client_key_exchange(s);
  406. if (ret <= 0) goto end;
  407. s->state=SSL3_ST_SR_CERT_VRFY_A;
  408. s->init_num=0;
  409. /* We need to get hashes here so if there is
  410. * a client cert, it can be verified */
  411. s->method->ssl3_enc->cert_verify_mac(s,
  412. &(s->s3->finish_dgst1),
  413. &(s->s3->tmp.cert_verify_md[0]));
  414. s->method->ssl3_enc->cert_verify_mac(s,
  415. &(s->s3->finish_dgst2),
  416. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
  417. break;
  418. case SSL3_ST_SR_CERT_VRFY_A:
  419. case SSL3_ST_SR_CERT_VRFY_B:
  420. /* we should decide if we expected this one */
  421. ret=ssl3_get_cert_verify(s);
  422. if (ret <= 0) goto end;
  423. s->state=SSL3_ST_SR_FINISHED_A;
  424. s->init_num=0;
  425. break;
  426. case SSL3_ST_SR_FINISHED_A:
  427. case SSL3_ST_SR_FINISHED_B:
  428. ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
  429. SSL3_ST_SR_FINISHED_B);
  430. if (ret <= 0) goto end;
  431. if (s->hit)
  432. s->state=SSL_ST_OK;
  433. else
  434. s->state=SSL3_ST_SW_CHANGE_A;
  435. s->init_num=0;
  436. break;
  437. case SSL3_ST_SW_CHANGE_A:
  438. case SSL3_ST_SW_CHANGE_B:
  439. s->session->cipher=s->s3->tmp.new_cipher;
  440. if (!s->method->ssl3_enc->setup_key_block(s))
  441. { ret= -1; goto end; }
  442. ret=ssl3_send_change_cipher_spec(s,
  443. SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
  444. if (ret <= 0) goto end;
  445. s->state=SSL3_ST_SW_FINISHED_A;
  446. s->init_num=0;
  447. if (!s->method->ssl3_enc->change_cipher_state(s,
  448. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  449. {
  450. ret= -1;
  451. goto end;
  452. }
  453. break;
  454. case SSL3_ST_SW_FINISHED_A:
  455. case SSL3_ST_SW_FINISHED_B:
  456. ret=ssl3_send_finished(s,
  457. SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
  458. s->method->ssl3_enc->server_finished_label,
  459. s->method->ssl3_enc->server_finished_label_len);
  460. if (ret <= 0) goto end;
  461. s->state=SSL3_ST_SW_FLUSH;
  462. if (s->hit)
  463. s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
  464. else
  465. s->s3->tmp.next_state=SSL_ST_OK;
  466. s->init_num=0;
  467. break;
  468. case SSL_ST_OK:
  469. /* clean a few things up */
  470. ssl3_cleanup_key_block(s);
  471. BUF_MEM_free(s->init_buf);
  472. s->init_buf=NULL;
  473. /* remove buffering on output */
  474. ssl_free_wbio_buffer(s);
  475. s->init_num=0;
  476. if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
  477. {
  478. /* actually not necessarily a 'new' session unless
  479. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
  480. s->new_session=0;
  481. ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
  482. s->ctx->stats.sess_accept_good++;
  483. /* s->server=1; */
  484. s->handshake_func=ssl3_accept;
  485. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  486. }
  487. ret = 1;
  488. goto end;
  489. /* break; */
  490. default:
  491. SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
  492. ret= -1;
  493. goto end;
  494. /* break; */
  495. }
  496. if (!s->s3->tmp.reuse_message && !skip)
  497. {
  498. if (s->debug)
  499. {
  500. if ((ret=BIO_flush(s->wbio)) <= 0)
  501. goto end;
  502. }
  503. if ((cb != NULL) && (s->state != state))
  504. {
  505. new_state=s->state;
  506. s->state=state;
  507. cb(s,SSL_CB_ACCEPT_LOOP,1);
  508. s->state=new_state;
  509. }
  510. }
  511. skip=0;
  512. }
  513. end:
  514. /* BIO_flush(s->wbio); */
  515. s->in_handshake--;
  516. if (cb != NULL)
  517. cb(s,SSL_CB_ACCEPT_EXIT,ret);
  518. return(ret);
  519. }
  520. static int ssl3_send_hello_request(SSL *s)
  521. {
  522. unsigned char *p;
  523. if (s->state == SSL3_ST_SW_HELLO_REQ_A)
  524. {
  525. p=(unsigned char *)s->init_buf->data;
  526. *(p++)=SSL3_MT_HELLO_REQUEST;
  527. *(p++)=0;
  528. *(p++)=0;
  529. *(p++)=0;
  530. s->state=SSL3_ST_SW_HELLO_REQ_B;
  531. /* number of bytes to write */
  532. s->init_num=4;
  533. s->init_off=0;
  534. }
  535. /* SSL3_ST_SW_HELLO_REQ_B */
  536. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  537. }
  538. static int ssl3_check_client_hello(SSL *s)
  539. {
  540. int ok;
  541. long n;
  542. /* this function is called when we really expect a Certificate message,
  543. * so permit appropriate message length */
  544. n=ssl3_get_message(s,
  545. SSL3_ST_SR_CERT_A,
  546. SSL3_ST_SR_CERT_B,
  547. -1,
  548. s->max_cert_list,
  549. &ok);
  550. if (!ok) return((int)n);
  551. s->s3->tmp.reuse_message = 1;
  552. if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
  553. {
  554. /* Throw away what we have done so far in the current handshake,
  555. * which will now be aborted. (A full SSL_clear would be too much.)
  556. * I hope that tmp.dh is the only thing that may need to be cleared
  557. * when a handshake is not completed ... */
  558. #ifndef OPENSSL_NO_DH
  559. if (s->s3->tmp.dh != NULL)
  560. {
  561. DH_free(s->s3->tmp.dh);
  562. s->s3->tmp.dh = NULL;
  563. }
  564. #endif
  565. return 2;
  566. }
  567. return 1;
  568. }
  569. static int ssl3_get_client_hello(SSL *s)
  570. {
  571. int i,j,ok,al,ret= -1;
  572. long n;
  573. unsigned long id;
  574. unsigned char *p,*d,*q;
  575. SSL_CIPHER *c;
  576. SSL_COMP *comp=NULL;
  577. STACK_OF(SSL_CIPHER) *ciphers=NULL;
  578. /* We do this so that we will respond with our native type.
  579. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
  580. * This down switching should be handled by a different method.
  581. * If we are SSLv3, we will respond with SSLv3, even if prompted with
  582. * TLSv1.
  583. */
  584. if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
  585. {
  586. s->first_packet=1;
  587. s->state=SSL3_ST_SR_CLNT_HELLO_B;
  588. }
  589. n=ssl3_get_message(s,
  590. SSL3_ST_SR_CLNT_HELLO_B,
  591. SSL3_ST_SR_CLNT_HELLO_C,
  592. SSL3_MT_CLIENT_HELLO,
  593. SSL3_RT_MAX_PLAIN_LENGTH,
  594. &ok);
  595. if (!ok) return((int)n);
  596. d=p=(unsigned char *)s->init_msg;
  597. /* use version from inside client hello, not from record header
  598. * (may differ: see RFC 2246, Appendix E, second paragraph) */
  599. s->client_version=(((int)p[0])<<8)|(int)p[1];
  600. p+=2;
  601. if (s->client_version < s->version)
  602. {
  603. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
  604. if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
  605. {
  606. /* similar to ssl3_get_record, send alert using remote version number */
  607. s->version = s->client_version;
  608. }
  609. al = SSL_AD_PROTOCOL_VERSION;
  610. goto f_err;
  611. }
  612. /* load the client random */
  613. memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
  614. p+=SSL3_RANDOM_SIZE;
  615. /* get the session-id */
  616. j= *(p++);
  617. s->hit=0;
  618. /* Versions before 0.9.7 always allow session reuse during renegotiation
  619. * (i.e. when s->new_session is true), option
  620. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
  621. * Maybe this optional behaviour should always have been the default,
  622. * but we cannot safely change the default behaviour (or new applications
  623. * might be written that become totally unsecure when compiled with
  624. * an earlier library version)
  625. */
  626. if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
  627. {
  628. if (!ssl_get_new_session(s,1))
  629. goto err;
  630. }
  631. else
  632. {
  633. i=ssl_get_prev_session(s,p,j);
  634. if (i == 1)
  635. { /* previous session */
  636. s->hit=1;
  637. }
  638. else if (i == -1)
  639. goto err;
  640. else /* i == 0 */
  641. {
  642. if (!ssl_get_new_session(s,1))
  643. goto err;
  644. }
  645. }
  646. p+=j;
  647. n2s(p,i);
  648. if ((i == 0) && (j != 0))
  649. {
  650. /* we need a cipher if we are not resuming a session */
  651. al=SSL_AD_ILLEGAL_PARAMETER;
  652. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
  653. goto f_err;
  654. }
  655. if ((p+i) >= (d+n))
  656. {
  657. /* not enough data */
  658. al=SSL_AD_DECODE_ERROR;
  659. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
  660. goto f_err;
  661. }
  662. if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
  663. == NULL))
  664. {
  665. goto err;
  666. }
  667. p+=i;
  668. /* If it is a hit, check that the cipher is in the list */
  669. if ((s->hit) && (i > 0))
  670. {
  671. j=0;
  672. id=s->session->cipher->id;
  673. #ifdef CIPHER_DEBUG
  674. printf("client sent %d ciphers\n",sk_num(ciphers));
  675. #endif
  676. for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
  677. {
  678. c=sk_SSL_CIPHER_value(ciphers,i);
  679. #ifdef CIPHER_DEBUG
  680. printf("client [%2d of %2d]:%s\n",
  681. i,sk_num(ciphers),SSL_CIPHER_get_name(c));
  682. #endif
  683. if (c->id == id)
  684. {
  685. j=1;
  686. break;
  687. }
  688. }
  689. if (j == 0)
  690. {
  691. if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
  692. {
  693. /* Very bad for multi-threading.... */
  694. s->session->cipher=sk_SSL_CIPHER_value(ciphers,
  695. 0);
  696. }
  697. else
  698. {
  699. /* we need to have the cipher in the cipher
  700. * list if we are asked to reuse it */
  701. al=SSL_AD_ILLEGAL_PARAMETER;
  702. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
  703. goto f_err;
  704. }
  705. }
  706. }
  707. /* compression */
  708. i= *(p++);
  709. if ((p+i) > (d+n))
  710. {
  711. /* not enough data */
  712. al=SSL_AD_DECODE_ERROR;
  713. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
  714. goto f_err;
  715. }
  716. q=p;
  717. for (j=0; j<i; j++)
  718. {
  719. if (p[j] == 0) break;
  720. }
  721. p+=i;
  722. if (j >= i)
  723. {
  724. /* no compress */
  725. al=SSL_AD_DECODE_ERROR;
  726. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
  727. goto f_err;
  728. }
  729. /* Worst case, we will use the NULL compression, but if we have other
  730. * options, we will now look for them. We have i-1 compression
  731. * algorithms from the client, starting at q. */
  732. s->s3->tmp.new_compression=NULL;
  733. if (s->ctx->comp_methods != NULL)
  734. { /* See if we have a match */
  735. int m,nn,o,v,done=0;
  736. nn=sk_SSL_COMP_num(s->ctx->comp_methods);
  737. for (m=0; m<nn; m++)
  738. {
  739. comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
  740. v=comp->id;
  741. for (o=0; o<i; o++)
  742. {
  743. if (v == q[o])
  744. {
  745. done=1;
  746. break;
  747. }
  748. }
  749. if (done) break;
  750. }
  751. if (done)
  752. s->s3->tmp.new_compression=comp;
  753. else
  754. comp=NULL;
  755. }
  756. /* TLS does not mind if there is extra stuff */
  757. #if 0 /* SSL 3.0 does not mind either, so we should disable this test
  758. * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
  759. * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
  760. if (s->version == SSL3_VERSION)
  761. {
  762. if (p < (d+n))
  763. {
  764. /* wrong number of bytes,
  765. * there could be more to follow */
  766. al=SSL_AD_DECODE_ERROR;
  767. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
  768. goto f_err;
  769. }
  770. }
  771. #endif
  772. /* Given s->session->ciphers and SSL_get_ciphers, we must
  773. * pick a cipher */
  774. if (!s->hit)
  775. {
  776. s->session->compress_meth=(comp == NULL)?0:comp->id;
  777. if (s->session->ciphers != NULL)
  778. sk_SSL_CIPHER_free(s->session->ciphers);
  779. s->session->ciphers=ciphers;
  780. if (ciphers == NULL)
  781. {
  782. al=SSL_AD_ILLEGAL_PARAMETER;
  783. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
  784. goto f_err;
  785. }
  786. ciphers=NULL;
  787. c=ssl3_choose_cipher(s,s->session->ciphers,
  788. SSL_get_ciphers(s));
  789. if (c == NULL)
  790. {
  791. al=SSL_AD_HANDSHAKE_FAILURE;
  792. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
  793. goto f_err;
  794. }
  795. s->s3->tmp.new_cipher=c;
  796. }
  797. else
  798. {
  799. /* Session-id reuse */
  800. #ifdef REUSE_CIPHER_BUG
  801. STACK_OF(SSL_CIPHER) *sk;
  802. SSL_CIPHER *nc=NULL;
  803. SSL_CIPHER *ec=NULL;
  804. if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
  805. {
  806. sk=s->session->ciphers;
  807. for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
  808. {
  809. c=sk_SSL_CIPHER_value(sk,i);
  810. if (c->algorithms & SSL_eNULL)
  811. nc=c;
  812. if (SSL_C_IS_EXPORT(c))
  813. ec=c;
  814. }
  815. if (nc != NULL)
  816. s->s3->tmp.new_cipher=nc;
  817. else if (ec != NULL)
  818. s->s3->tmp.new_cipher=ec;
  819. else
  820. s->s3->tmp.new_cipher=s->session->cipher;
  821. }
  822. else
  823. #endif
  824. s->s3->tmp.new_cipher=s->session->cipher;
  825. }
  826. /* we now have the following setup.
  827. * client_random
  828. * cipher_list - our prefered list of ciphers
  829. * ciphers - the clients prefered list of ciphers
  830. * compression - basically ignored right now
  831. * ssl version is set - sslv3
  832. * s->session - The ssl session has been setup.
  833. * s->hit - session reuse flag
  834. * s->tmp.new_cipher - the new cipher to use.
  835. */
  836. ret=1;
  837. if (0)
  838. {
  839. f_err:
  840. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  841. }
  842. err:
  843. if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
  844. return(ret);
  845. }
  846. static int ssl3_send_server_hello(SSL *s)
  847. {
  848. unsigned char *buf;
  849. unsigned char *p,*d;
  850. int i,sl;
  851. unsigned long l,Time;
  852. if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
  853. {
  854. buf=(unsigned char *)s->init_buf->data;
  855. p=s->s3->server_random;
  856. Time=time(NULL); /* Time */
  857. l2n(Time,p);
  858. RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  859. /* Do the message type and length last */
  860. d=p= &(buf[4]);
  861. *(p++)=s->version>>8;
  862. *(p++)=s->version&0xff;
  863. /* Random stuff */
  864. memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
  865. p+=SSL3_RANDOM_SIZE;
  866. /* now in theory we have 3 options to sending back the
  867. * session id. If it is a re-use, we send back the
  868. * old session-id, if it is a new session, we send
  869. * back the new session-id or we send back a 0 length
  870. * session-id if we want it to be single use.
  871. * Currently I will not implement the '0' length session-id
  872. * 12-Jan-98 - I'll now support the '0' length stuff.
  873. */
  874. if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
  875. s->session->session_id_length=0;
  876. sl=s->session->session_id_length;
  877. if (sl > sizeof s->session->session_id)
  878. {
  879. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  880. return -1;
  881. }
  882. *(p++)=sl;
  883. memcpy(p,s->session->session_id,sl);
  884. p+=sl;
  885. /* put the cipher */
  886. i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
  887. p+=i;
  888. /* put the compression method */
  889. if (s->s3->tmp.new_compression == NULL)
  890. *(p++)=0;
  891. else
  892. *(p++)=s->s3->tmp.new_compression->id;
  893. /* do the header */
  894. l=(p-d);
  895. d=buf;
  896. *(d++)=SSL3_MT_SERVER_HELLO;
  897. l2n3(l,d);
  898. s->state=SSL3_ST_CW_CLNT_HELLO_B;
  899. /* number of bytes to write */
  900. s->init_num=p-buf;
  901. s->init_off=0;
  902. }
  903. /* SSL3_ST_CW_CLNT_HELLO_B */
  904. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  905. }
  906. static int ssl3_send_server_done(SSL *s)
  907. {
  908. unsigned char *p;
  909. if (s->state == SSL3_ST_SW_SRVR_DONE_A)
  910. {
  911. p=(unsigned char *)s->init_buf->data;
  912. /* do the header */
  913. *(p++)=SSL3_MT_SERVER_DONE;
  914. *(p++)=0;
  915. *(p++)=0;
  916. *(p++)=0;
  917. s->state=SSL3_ST_SW_SRVR_DONE_B;
  918. /* number of bytes to write */
  919. s->init_num=4;
  920. s->init_off=0;
  921. }
  922. /* SSL3_ST_CW_CLNT_HELLO_B */
  923. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  924. }
  925. static int ssl3_send_server_key_exchange(SSL *s)
  926. {
  927. #ifndef OPENSSL_NO_RSA
  928. unsigned char *q;
  929. int j,num;
  930. RSA *rsa;
  931. unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  932. unsigned int u;
  933. #endif
  934. #ifndef OPENSSL_NO_DH
  935. DH *dh=NULL,*dhp;
  936. #endif
  937. EVP_PKEY *pkey;
  938. unsigned char *p,*d;
  939. int al,i;
  940. unsigned long type;
  941. int n;
  942. CERT *cert;
  943. BIGNUM *r[4];
  944. int nr[4],kn;
  945. BUF_MEM *buf;
  946. EVP_MD_CTX md_ctx;
  947. EVP_MD_CTX_init(&md_ctx);
  948. if (s->state == SSL3_ST_SW_KEY_EXCH_A)
  949. {
  950. type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
  951. cert=s->cert;
  952. buf=s->init_buf;
  953. r[0]=r[1]=r[2]=r[3]=NULL;
  954. n=0;
  955. #ifndef OPENSSL_NO_RSA
  956. if (type & SSL_kRSA)
  957. {
  958. rsa=cert->rsa_tmp;
  959. if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
  960. {
  961. rsa=s->cert->rsa_tmp_cb(s,
  962. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  963. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  964. if(rsa == NULL)
  965. {
  966. al=SSL_AD_HANDSHAKE_FAILURE;
  967. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
  968. goto f_err;
  969. }
  970. RSA_up_ref(rsa);
  971. cert->rsa_tmp=rsa;
  972. }
  973. if (rsa == NULL)
  974. {
  975. al=SSL_AD_HANDSHAKE_FAILURE;
  976. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
  977. goto f_err;
  978. }
  979. r[0]=rsa->n;
  980. r[1]=rsa->e;
  981. s->s3->tmp.use_rsa_tmp=1;
  982. }
  983. else
  984. #endif
  985. #ifndef OPENSSL_NO_DH
  986. if (type & SSL_kEDH)
  987. {
  988. dhp=cert->dh_tmp;
  989. if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
  990. dhp=s->cert->dh_tmp_cb(s,
  991. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  992. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  993. if (dhp == NULL)
  994. {
  995. al=SSL_AD_HANDSHAKE_FAILURE;
  996. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  997. goto f_err;
  998. }
  999. if (s->s3->tmp.dh != NULL)
  1000. {
  1001. DH_free(dh);
  1002. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  1003. goto err;
  1004. }
  1005. if ((dh=DHparams_dup(dhp)) == NULL)
  1006. {
  1007. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  1008. goto err;
  1009. }
  1010. s->s3->tmp.dh=dh;
  1011. if ((dhp->pub_key == NULL ||
  1012. dhp->priv_key == NULL ||
  1013. (s->options & SSL_OP_SINGLE_DH_USE)))
  1014. {
  1015. if(!DH_generate_key(dh))
  1016. {
  1017. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1018. ERR_R_DH_LIB);
  1019. goto err;
  1020. }
  1021. }
  1022. else
  1023. {
  1024. dh->pub_key=BN_dup(dhp->pub_key);
  1025. dh->priv_key=BN_dup(dhp->priv_key);
  1026. if ((dh->pub_key == NULL) ||
  1027. (dh->priv_key == NULL))
  1028. {
  1029. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  1030. goto err;
  1031. }
  1032. }
  1033. r[0]=dh->p;
  1034. r[1]=dh->g;
  1035. r[2]=dh->pub_key;
  1036. }
  1037. else
  1038. #endif
  1039. {
  1040. al=SSL_AD_HANDSHAKE_FAILURE;
  1041. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  1042. goto f_err;
  1043. }
  1044. for (i=0; r[i] != NULL; i++)
  1045. {
  1046. nr[i]=BN_num_bytes(r[i]);
  1047. n+=2+nr[i];
  1048. }
  1049. if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
  1050. {
  1051. if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
  1052. == NULL)
  1053. {
  1054. al=SSL_AD_DECODE_ERROR;
  1055. goto f_err;
  1056. }
  1057. kn=EVP_PKEY_size(pkey);
  1058. }
  1059. else
  1060. {
  1061. pkey=NULL;
  1062. kn=0;
  1063. }
  1064. if (!BUF_MEM_grow_clean(buf,n+4+kn))
  1065. {
  1066. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
  1067. goto err;
  1068. }
  1069. d=(unsigned char *)s->init_buf->data;
  1070. p= &(d[4]);
  1071. for (i=0; r[i] != NULL; i++)
  1072. {
  1073. s2n(nr[i],p);
  1074. BN_bn2bin(r[i],p);
  1075. p+=nr[i];
  1076. }
  1077. /* not anonymous */
  1078. if (pkey != NULL)
  1079. {
  1080. /* n is the length of the params, they start at &(d[4])
  1081. * and p points to the space at the end. */
  1082. #ifndef OPENSSL_NO_RSA
  1083. if (pkey->type == EVP_PKEY_RSA)
  1084. {
  1085. q=md_buf;
  1086. j=0;
  1087. for (num=2; num > 0; num--)
  1088. {
  1089. EVP_DigestInit_ex(&md_ctx,(num == 2)
  1090. ?s->ctx->md5:s->ctx->sha1, NULL);
  1091. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1092. EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1093. EVP_DigestUpdate(&md_ctx,&(d[4]),n);
  1094. #ifdef OPENSSL_FIPS
  1095. if(s->version == TLS1_VERSION && num == 2)
  1096. FIPS_allow_md5(1);
  1097. #endif
  1098. EVP_DigestFinal_ex(&md_ctx,q,
  1099. (unsigned int *)&i);
  1100. #ifdef OPENSSL_FIPS
  1101. if(s->version == TLS1_VERSION && num == 2)
  1102. FIPS_allow_md5(0);
  1103. #endif
  1104. q+=i;
  1105. j+=i;
  1106. }
  1107. if (RSA_sign(NID_md5_sha1, md_buf, j,
  1108. &(p[2]), &u, pkey->pkey.rsa) <= 0)
  1109. {
  1110. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
  1111. goto err;
  1112. }
  1113. s2n(u,p);
  1114. n+=u+2;
  1115. }
  1116. else
  1117. #endif
  1118. #if !defined(OPENSSL_NO_DSA)
  1119. if (pkey->type == EVP_PKEY_DSA)
  1120. {
  1121. /* lets do DSS */
  1122. EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
  1123. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1124. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1125. EVP_SignUpdate(&md_ctx,&(d[4]),n);
  1126. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1127. (unsigned int *)&i,pkey))
  1128. {
  1129. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
  1130. goto err;
  1131. }
  1132. s2n(i,p);
  1133. n+=i+2;
  1134. }
  1135. else
  1136. #endif
  1137. {
  1138. /* Is this error check actually needed? */
  1139. al=SSL_AD_HANDSHAKE_FAILURE;
  1140. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
  1141. goto f_err;
  1142. }
  1143. }
  1144. *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
  1145. l2n3(n,d);
  1146. /* we should now have things packed up, so lets send
  1147. * it off */
  1148. s->init_num=n+4;
  1149. s->init_off=0;
  1150. }
  1151. s->state = SSL3_ST_SW_KEY_EXCH_B;
  1152. EVP_MD_CTX_cleanup(&md_ctx);
  1153. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1154. f_err:
  1155. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1156. err:
  1157. EVP_MD_CTX_cleanup(&md_ctx);
  1158. return(-1);
  1159. }
  1160. static int ssl3_send_certificate_request(SSL *s)
  1161. {
  1162. unsigned char *p,*d;
  1163. int i,j,nl,off,n;
  1164. STACK_OF(X509_NAME) *sk=NULL;
  1165. X509_NAME *name;
  1166. BUF_MEM *buf;
  1167. if (s->state == SSL3_ST_SW_CERT_REQ_A)
  1168. {
  1169. buf=s->init_buf;
  1170. d=p=(unsigned char *)&(buf->data[4]);
  1171. /* get the list of acceptable cert types */
  1172. p++;
  1173. n=ssl3_get_req_cert_type(s,p);
  1174. d[0]=n;
  1175. p+=n;
  1176. n++;
  1177. off=n;
  1178. p+=2;
  1179. n+=2;
  1180. sk=SSL_get_client_CA_list(s);
  1181. nl=0;
  1182. if (sk != NULL)
  1183. {
  1184. for (i=0; i<sk_X509_NAME_num(sk); i++)
  1185. {
  1186. name=sk_X509_NAME_value(sk,i);
  1187. j=i2d_X509_NAME(name,NULL);
  1188. if (!BUF_MEM_grow_clean(buf,4+n+j+2))
  1189. {
  1190. SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
  1191. goto err;
  1192. }
  1193. p=(unsigned char *)&(buf->data[4+n]);
  1194. if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
  1195. {
  1196. s2n(j,p);
  1197. i2d_X509_NAME(name,&p);
  1198. n+=2+j;
  1199. nl+=2+j;
  1200. }
  1201. else
  1202. {
  1203. d=p;
  1204. i2d_X509_NAME(name,&p);
  1205. j-=2; s2n(j,d); j+=2;
  1206. n+=j;
  1207. nl+=j;
  1208. }
  1209. }
  1210. }
  1211. /* else no CA names */
  1212. p=(unsigned char *)&(buf->data[4+off]);
  1213. s2n(nl,p);
  1214. d=(unsigned char *)buf->data;
  1215. *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
  1216. l2n3(n,d);
  1217. /* we should now have things packed up, so lets send
  1218. * it off */
  1219. s->init_num=n+4;
  1220. s->init_off=0;
  1221. #ifdef NETSCAPE_HANG_BUG
  1222. p=(unsigned char *)s->init_buf->data + s->init_num;
  1223. /* do the header */
  1224. *(p++)=SSL3_MT_SERVER_DONE;
  1225. *(p++)=0;
  1226. *(p++)=0;
  1227. *(p++)=0;
  1228. s->init_num += 4;
  1229. #endif
  1230. s->state = SSL3_ST_SW_CERT_REQ_B;
  1231. }
  1232. /* SSL3_ST_SW_CERT_REQ_B */
  1233. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1234. err:
  1235. return(-1);
  1236. }
  1237. static int ssl3_get_client_key_exchange(SSL *s)
  1238. {
  1239. int i,al,ok;
  1240. long n;
  1241. unsigned long l;
  1242. unsigned char *p;
  1243. #ifndef OPENSSL_NO_RSA
  1244. RSA *rsa=NULL;
  1245. EVP_PKEY *pkey=NULL;
  1246. #endif
  1247. #ifndef OPENSSL_NO_DH
  1248. BIGNUM *pub=NULL;
  1249. DH *dh_srvr;
  1250. #endif
  1251. #ifndef OPENSSL_NO_KRB5
  1252. KSSL_ERR kssl_err;
  1253. #endif /* OPENSSL_NO_KRB5 */
  1254. n=ssl3_get_message(s,
  1255. SSL3_ST_SR_KEY_EXCH_A,
  1256. SSL3_ST_SR_KEY_EXCH_B,
  1257. SSL3_MT_CLIENT_KEY_EXCHANGE,
  1258. 2048, /* ??? */
  1259. &ok);
  1260. if (!ok) return((int)n);
  1261. p=(unsigned char *)s->init_msg;
  1262. l=s->s3->tmp.new_cipher->algorithms;
  1263. #ifndef OPENSSL_NO_RSA
  1264. if (l & SSL_kRSA)
  1265. {
  1266. /* FIX THIS UP EAY EAY EAY EAY */
  1267. if (s->s3->tmp.use_rsa_tmp)
  1268. {
  1269. if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
  1270. rsa=s->cert->rsa_tmp;
  1271. /* Don't do a callback because rsa_tmp should
  1272. * be sent already */
  1273. if (rsa == NULL)
  1274. {
  1275. al=SSL_AD_HANDSHAKE_FAILURE;
  1276. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
  1277. goto f_err;
  1278. }
  1279. }
  1280. else
  1281. {
  1282. pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
  1283. if ( (pkey == NULL) ||
  1284. (pkey->type != EVP_PKEY_RSA) ||
  1285. (pkey->pkey.rsa == NULL))
  1286. {
  1287. al=SSL_AD_HANDSHAKE_FAILURE;
  1288. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
  1289. goto f_err;
  1290. }
  1291. rsa=pkey->pkey.rsa;
  1292. }
  1293. /* TLS */
  1294. if (s->version > SSL3_VERSION)
  1295. {
  1296. n2s(p,i);
  1297. if (n != i+2)
  1298. {
  1299. if (!(s->options & SSL_OP_TLS_D5_BUG))
  1300. {
  1301. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
  1302. goto err;
  1303. }
  1304. else
  1305. p-=2;
  1306. }
  1307. else
  1308. n=i;
  1309. }
  1310. i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
  1311. al = -1;
  1312. if (i != SSL_MAX_MASTER_KEY_LENGTH)
  1313. {
  1314. al=SSL_AD_DECODE_ERROR;
  1315. /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
  1316. }
  1317. if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
  1318. {
  1319. /* The premaster secret must contain the same version number as the
  1320. * ClientHello to detect version rollback attacks (strangely, the
  1321. * protocol does not offer such protection for DH ciphersuites).
  1322. * However, buggy clients exist that send the negotiated protocol
  1323. * version instead if the server does not support the requested
  1324. * protocol version.
  1325. * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
  1326. if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
  1327. (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
  1328. {
  1329. al=SSL_AD_DECODE_ERROR;
  1330. /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
  1331. /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  1332. * (http://eprint.iacr.org/2003/052/) exploits the version
  1333. * number check as a "bad version oracle" -- an alert would
  1334. * reveal that the plaintext corresponding to some ciphertext
  1335. * made up by the adversary is properly formatted except
  1336. * that the version number is wrong. To avoid such attacks,
  1337. * we should treat this just like any other decryption error. */
  1338. }
  1339. }
  1340. if (al != -1)
  1341. {
  1342. /* Some decryption failure -- use random value instead as countermeasure
  1343. * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
  1344. * (see RFC 2246, section 7.4.7.1). */
  1345. ERR_clear_error();
  1346. i = SSL_MAX_MASTER_KEY_LENGTH;
  1347. p[0] = s->client_version >> 8;
  1348. p[1] = s->client_version & 0xff;
  1349. RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
  1350. }
  1351. s->session->master_key_length=
  1352. s->method->ssl3_enc->generate_master_secret(s,
  1353. s->session->master_key,
  1354. p,i);
  1355. OPENSSL_cleanse(p,i);
  1356. }
  1357. else
  1358. #endif
  1359. #ifndef OPENSSL_NO_DH
  1360. if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  1361. {
  1362. n2s(p,i);
  1363. if (n != i+2)
  1364. {
  1365. if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
  1366. {
  1367. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  1368. goto err;
  1369. }
  1370. else
  1371. {
  1372. p-=2;
  1373. i=(int)n;
  1374. }
  1375. }
  1376. if (n == 0L) /* the parameters are in the cert */
  1377. {
  1378. al=SSL_AD_HANDSHAKE_FAILURE;
  1379. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
  1380. goto f_err;
  1381. }
  1382. else
  1383. {
  1384. if (s->s3->tmp.dh == NULL)
  1385. {
  1386. al=SSL_AD_HANDSHAKE_FAILURE;
  1387. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  1388. goto f_err;
  1389. }
  1390. else
  1391. dh_srvr=s->s3->tmp.dh;
  1392. }
  1393. pub=BN_bin2bn(p,i,NULL);
  1394. if (pub == NULL)
  1395. {
  1396. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
  1397. goto err;
  1398. }
  1399. i=DH_compute_key(p,pub,dh_srvr);
  1400. if (i <= 0)
  1401. {
  1402. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  1403. goto err;
  1404. }
  1405. DH_free(s->s3->tmp.dh);
  1406. s->s3->tmp.dh=NULL;
  1407. BN_clear_free(pub);
  1408. pub=NULL;
  1409. s->session->master_key_length=
  1410. s->method->ssl3_enc->generate_master_secret(s,
  1411. s->session->master_key,p,i);
  1412. OPENSSL_cleanse(p,i);
  1413. }
  1414. else
  1415. #endif
  1416. #ifndef OPENSSL_NO_KRB5
  1417. if (l & SSL_kKRB5)
  1418. {
  1419. krb5_error_code krb5rc;
  1420. krb5_data enc_ticket;
  1421. krb5_data authenticator;
  1422. krb5_data enc_pms;
  1423. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  1424. EVP_CIPHER_CTX ciph_ctx;
  1425. EVP_CIPHER *enc = NULL;
  1426. unsigned char iv[EVP_MAX_IV_LENGTH];
  1427. unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
  1428. + EVP_MAX_BLOCK_LENGTH];
  1429. int padl, outl;
  1430. krb5_timestamp authtime = 0;
  1431. krb5_ticket_times ttimes;
  1432. EVP_CIPHER_CTX_init(&ciph_ctx);
  1433. if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
  1434. n2s(p,i);
  1435. enc_ticket.length = i;
  1436. if (n < enc_ticket.length + 6)
  1437. {
  1438. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1439. SSL_R_DATA_LENGTH_TOO_LONG);
  1440. goto err;
  1441. }
  1442. enc_ticket.data = (char *)p;
  1443. p+=enc_ticket.length;
  1444. n2s(p,i);
  1445. authenticator.length = i;
  1446. if (n < enc_ticket.length + authenticator.length + 6)
  1447. {
  1448. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1449. SSL_R_DATA_LENGTH_TOO_LONG);
  1450. goto err;
  1451. }
  1452. authenticator.data = (char *)p;
  1453. p+=authenticator.length;
  1454. n2s(p,i);
  1455. enc_pms.length = i;
  1456. enc_pms.data = (char *)p;
  1457. p+=enc_pms.length;
  1458. /* Note that the length is checked again below,
  1459. ** after decryption
  1460. */
  1461. if(enc_pms.length > sizeof pms)
  1462. {
  1463. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1464. SSL_R_DATA_LENGTH_TOO_LONG);
  1465. goto err;
  1466. }
  1467. if (n != enc_ticket.length + authenticator.length +
  1468. enc_pms.length + 6)
  1469. {
  1470. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1471. SSL_R_DATA_LENGTH_TOO_LONG);
  1472. goto err;
  1473. }
  1474. if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
  1475. &kssl_err)) != 0)
  1476. {
  1477. #ifdef KSSL_DEBUG
  1478. printf("kssl_sget_tkt rtn %d [%d]\n",
  1479. krb5rc, kssl_err.reason);
  1480. if (kssl_err.text)
  1481. printf("kssl_err text= %s\n", kssl_err.text);
  1482. #endif /* KSSL_DEBUG */
  1483. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  1484. kssl_err.reason);
  1485. goto err;
  1486. }
  1487. /* Note: no authenticator is not considered an error,
  1488. ** but will return authtime == 0.
  1489. */
  1490. if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
  1491. &authtime, &kssl_err)) != 0)
  1492. {
  1493. #ifdef KSSL_DEBUG
  1494. printf("kssl_check_authent rtn %d [%d]\n",
  1495. krb5rc, kssl_err.reason);
  1496. if (kssl_err.text)
  1497. printf("kssl_err text= %s\n", kssl_err.text);
  1498. #endif /* KSSL_DEBUG */
  1499. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  1500. kssl_err.reason);
  1501. goto err;
  1502. }
  1503. if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
  1504. {
  1505. SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
  1506. goto err;
  1507. }
  1508. #ifdef KSSL_DEBUG
  1509. kssl_ctx_show(kssl_ctx);
  1510. #endif /* KSSL_DEBUG */
  1511. enc = kssl_map_enc(kssl_ctx->enctype);
  1512. if (enc == NULL)
  1513. goto err;
  1514. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  1515. if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
  1516. {
  1517. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1518. SSL_R_DECRYPTION_FAILED);
  1519. goto err;
  1520. }
  1521. if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
  1522. (unsigned char *)enc_pms.data, enc_pms.length))
  1523. {
  1524. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1525. SSL_R_DECRYPTION_FAILED);
  1526. goto err;
  1527. }
  1528. if (outl > SSL_MAX_MASTER_KEY_LENGTH)
  1529. {
  1530. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1531. SSL_R_DATA_LENGTH_TOO_LONG);
  1532. goto err;
  1533. }
  1534. if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
  1535. {
  1536. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1537. SSL_R_DECRYPTION_FAILED);
  1538. goto err;
  1539. }
  1540. outl += padl;
  1541. if (outl > SSL_MAX_MASTER_KEY_LENGTH)
  1542. {
  1543. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1544. SSL_R_DATA_LENGTH_TOO_LONG);
  1545. goto err;
  1546. }
  1547. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  1548. s->session->master_key_length=
  1549. s->method->ssl3_enc->generate_master_secret(s,
  1550. s->session->master_key, pms, outl);
  1551. if (kssl_ctx->client_princ)
  1552. {
  1553. int len = strlen(kssl_ctx->client_princ);
  1554. if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
  1555. {
  1556. s->session->krb5_client_princ_len = len;
  1557. memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
  1558. }
  1559. }
  1560. /* Was doing kssl_ctx_free() here,
  1561. ** but it caused problems for apache.
  1562. ** kssl_ctx = kssl_ctx_free(kssl_ctx);
  1563. ** if (s->kssl_ctx) s->kssl_ctx = NULL;
  1564. */
  1565. }
  1566. else
  1567. #endif /* OPENSSL_NO_KRB5 */
  1568. {
  1569. al=SSL_AD_HANDSHAKE_FAILURE;
  1570. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1571. SSL_R_UNKNOWN_CIPHER_TYPE);
  1572. goto f_err;
  1573. }
  1574. return(1);
  1575. f_err:
  1576. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1577. #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
  1578. err:
  1579. #endif
  1580. return(-1);
  1581. }
  1582. static int ssl3_get_cert_verify(SSL *s)
  1583. {
  1584. EVP_PKEY *pkey=NULL;
  1585. unsigned char *p;
  1586. int al,ok,ret=0;
  1587. long n;
  1588. int type=0,i,j;
  1589. X509 *peer;
  1590. n=ssl3_get_message(s,
  1591. SSL3_ST_SR_CERT_VRFY_A,
  1592. SSL3_ST_SR_CERT_VRFY_B,
  1593. -1,
  1594. 514, /* 514? */
  1595. &ok);
  1596. if (!ok) return((int)n);
  1597. if (s->session->peer != NULL)
  1598. {
  1599. peer=s->session->peer;
  1600. pkey=X509_get_pubkey(peer);
  1601. type=X509_certificate_type(peer,pkey);
  1602. }
  1603. else
  1604. {
  1605. peer=NULL;
  1606. pkey=NULL;
  1607. }
  1608. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
  1609. {
  1610. s->s3->tmp.reuse_message=1;
  1611. if ((peer != NULL) && (type | EVP_PKT_SIGN))
  1612. {
  1613. al=SSL_AD_UNEXPECTED_MESSAGE;
  1614. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
  1615. goto f_err;
  1616. }
  1617. ret=1;
  1618. goto end;
  1619. }
  1620. if (peer == NULL)
  1621. {
  1622. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
  1623. al=SSL_AD_UNEXPECTED_MESSAGE;
  1624. goto f_err;
  1625. }
  1626. if (!(type & EVP_PKT_SIGN))
  1627. {
  1628. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
  1629. al=SSL_AD_ILLEGAL_PARAMETER;
  1630. goto f_err;
  1631. }
  1632. if (s->s3->change_cipher_spec)
  1633. {
  1634. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
  1635. al=SSL_AD_UNEXPECTED_MESSAGE;
  1636. goto f_err;
  1637. }
  1638. /* we now have a signature that we need to verify */
  1639. p=(unsigned char *)s->init_msg;
  1640. n2s(p,i);
  1641. n-=2;
  1642. if (i > n)
  1643. {
  1644. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
  1645. al=SSL_AD_DECODE_ERROR;
  1646. goto f_err;
  1647. }
  1648. j=EVP_PKEY_size(pkey);
  1649. if ((i > j) || (n > j) || (n <= 0))
  1650. {
  1651. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
  1652. al=SSL_AD_DECODE_ERROR;
  1653. goto f_err;
  1654. }
  1655. #ifndef OPENSSL_NO_RSA
  1656. if (pkey->type == EVP_PKEY_RSA)
  1657. {
  1658. i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
  1659. MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i,
  1660. pkey->pkey.rsa);
  1661. if (i < 0)
  1662. {
  1663. al=SSL_AD_DECRYPT_ERROR;
  1664. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
  1665. goto f_err;
  1666. }
  1667. if (i == 0)
  1668. {
  1669. al=SSL_AD_DECRYPT_ERROR;
  1670. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
  1671. goto f_err;
  1672. }
  1673. }
  1674. else
  1675. #endif
  1676. #ifndef OPENSSL_NO_DSA
  1677. if (pkey->type == EVP_PKEY_DSA)
  1678. {
  1679. j=DSA_verify(pkey->save_type,
  1680. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
  1681. SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
  1682. if (j <= 0)
  1683. {
  1684. /* bad signature */
  1685. al=SSL_AD_DECRYPT_ERROR;
  1686. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
  1687. goto f_err;
  1688. }
  1689. }
  1690. else
  1691. #endif
  1692. {
  1693. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
  1694. al=SSL_AD_UNSUPPORTED_CERTIFICATE;
  1695. goto f_err;
  1696. }
  1697. ret=1;
  1698. if (0)
  1699. {
  1700. f_err:
  1701. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1702. }
  1703. end:
  1704. EVP_PKEY_free(pkey);
  1705. return(ret);
  1706. }
  1707. static int ssl3_get_client_certificate(SSL *s)
  1708. {
  1709. int i,ok,al,ret= -1;
  1710. X509 *x=NULL;
  1711. unsigned long l,nc,llen,n;
  1712. unsigned char *p,*d,*q;
  1713. STACK_OF(X509) *sk=NULL;
  1714. n=ssl3_get_message(s,
  1715. SSL3_ST_SR_CERT_A,
  1716. SSL3_ST_SR_CERT_B,
  1717. -1,
  1718. s->max_cert_list,
  1719. &ok);
  1720. if (!ok) return((int)n);
  1721. if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
  1722. {
  1723. if ( (s->verify_mode & SSL_VERIFY_PEER) &&
  1724. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  1725. {
  1726. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  1727. al=SSL_AD_HANDSHAKE_FAILURE;
  1728. goto f_err;
  1729. }
  1730. /* If tls asked for a client cert, the client must return a 0 list */
  1731. if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
  1732. {
  1733. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
  1734. al=SSL_AD_UNEXPECTED_MESSAGE;
  1735. goto f_err;
  1736. }
  1737. s->s3->tmp.reuse_message=1;
  1738. return(1);
  1739. }
  1740. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
  1741. {
  1742. al=SSL_AD_UNEXPECTED_MESSAGE;
  1743. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
  1744. goto f_err;
  1745. }
  1746. d=p=(unsigned char *)s->init_msg;
  1747. if ((sk=sk_X509_new_null()) == NULL)
  1748. {
  1749. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  1750. goto err;
  1751. }
  1752. n2l3(p,llen);
  1753. if (llen+3 != n)
  1754. {
  1755. al=SSL_AD_DECODE_ERROR;
  1756. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
  1757. goto f_err;
  1758. }
  1759. for (nc=0; nc<llen; )
  1760. {
  1761. n2l3(p,l);
  1762. if ((l+nc+3) > llen)
  1763. {
  1764. al=SSL_AD_DECODE_ERROR;
  1765. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  1766. goto f_err;
  1767. }
  1768. q=p;
  1769. x=d2i_X509(NULL,&p,l);
  1770. if (x == NULL)
  1771. {
  1772. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
  1773. goto err;
  1774. }
  1775. if (p != (q+l))
  1776. {
  1777. al=SSL_AD_DECODE_ERROR;
  1778. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  1779. goto f_err;
  1780. }
  1781. if (!sk_X509_push(sk,x))
  1782. {
  1783. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  1784. goto err;
  1785. }
  1786. x=NULL;
  1787. nc+=l+3;
  1788. }
  1789. if (sk_X509_num(sk) <= 0)
  1790. {
  1791. /* TLS does not mind 0 certs returned */
  1792. if (s->version == SSL3_VERSION)
  1793. {
  1794. al=SSL_AD_HANDSHAKE_FAILURE;
  1795. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
  1796. goto f_err;
  1797. }
  1798. /* Fail for TLS only if we required a certificate */
  1799. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  1800. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  1801. {
  1802. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  1803. al=SSL_AD_HANDSHAKE_FAILURE;
  1804. goto f_err;
  1805. }
  1806. }
  1807. else
  1808. {
  1809. i=ssl_verify_cert_chain(s,sk);
  1810. if (!i)
  1811. {
  1812. al=ssl_verify_alarm_type(s->verify_result);
  1813. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
  1814. goto f_err;
  1815. }
  1816. }
  1817. if (s->session->peer != NULL) /* This should not be needed */
  1818. X509_free(s->session->peer);
  1819. s->session->peer=sk_X509_shift(sk);
  1820. s->session->verify_result = s->verify_result;
  1821. /* With the current implementation, sess_cert will always be NULL
  1822. * when we arrive here. */
  1823. if (s->session->sess_cert == NULL)
  1824. {
  1825. s->session->sess_cert = ssl_sess_cert_new();
  1826. if (s->session->sess_cert == NULL)
  1827. {
  1828. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  1829. goto err;
  1830. }
  1831. }
  1832. if (s->session->sess_cert->cert_chain != NULL)
  1833. sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
  1834. s->session->sess_cert->cert_chain=sk;
  1835. /* Inconsistency alert: cert_chain does *not* include the
  1836. * peer's own certificate, while we do include it in s3_clnt.c */
  1837. sk=NULL;
  1838. ret=1;
  1839. if (0)
  1840. {
  1841. f_err:
  1842. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1843. }
  1844. err:
  1845. if (x != NULL) X509_free(x);
  1846. if (sk != NULL) sk_X509_pop_free(sk,X509_free);
  1847. return(ret);
  1848. }
  1849. int ssl3_send_server_certificate(SSL *s)
  1850. {
  1851. unsigned long l;
  1852. X509 *x;
  1853. if (s->state == SSL3_ST_SW_CERT_A)
  1854. {
  1855. x=ssl_get_server_send_cert(s);
  1856. if (x == NULL &&
  1857. /* VRS: allow null cert if auth == KRB5 */
  1858. (s->s3->tmp.new_cipher->algorithms
  1859. & (SSL_MKEY_MASK|SSL_AUTH_MASK))
  1860. != (SSL_aKRB5|SSL_kKRB5))
  1861. {
  1862. SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
  1863. return(0);
  1864. }
  1865. l=ssl3_output_cert_chain(s,x);
  1866. s->state=SSL3_ST_SW_CERT_B;
  1867. s->init_num=(int)l;
  1868. s->init_off=0;
  1869. }
  1870. /* SSL3_ST_SW_CERT_B */
  1871. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1872. }