s3_srvr.c 67 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694
  1. /* ssl/s3_srvr.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  113. *
  114. * Portions of the attached software ("Contribution") are developed by
  115. * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
  116. *
  117. * The Contribution is licensed pursuant to the OpenSSL open source
  118. * license provided above.
  119. *
  120. * ECC cipher suite support in OpenSSL originally written by
  121. * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
  122. *
  123. */
  124. /* ====================================================================
  125. * Copyright 2005 Nokia. All rights reserved.
  126. *
  127. * The portions of the attached software ("Contribution") is developed by
  128. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  129. * license.
  130. *
  131. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  132. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  133. * support (see RFC 4279) to OpenSSL.
  134. *
  135. * No patent licenses or other rights except those expressly stated in
  136. * the OpenSSL open source license shall be deemed granted or received
  137. * expressly, by implication, estoppel, or otherwise.
  138. *
  139. * No assurances are provided by Nokia that the Contribution does not
  140. * infringe the patent or other intellectual property rights of any third
  141. * party or that the license provides you with all the necessary rights
  142. * to make use of the Contribution.
  143. *
  144. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  145. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  146. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  147. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  148. * OTHERWISE.
  149. */
  150. #define REUSE_CIPHER_BUG
  151. #define NETSCAPE_HANG_BUG
  152. #include <stdio.h>
  153. #include "ssl_locl.h"
  154. #include "kssl_lcl.h"
  155. #include <openssl/buffer.h>
  156. #include <openssl/rand.h>
  157. #include <openssl/objects.h>
  158. #include <openssl/evp.h>
  159. #include <openssl/x509.h>
  160. #ifndef OPENSSL_NO_DH
  161. #include <openssl/dh.h>
  162. #endif
  163. #include <openssl/bn.h>
  164. #ifndef OPENSSL_NO_KRB5
  165. #include <openssl/krb5_asn.h>
  166. #endif
  167. #include <openssl/md5.h>
  168. static const SSL_METHOD *ssl3_get_server_method(int ver);
  169. static const SSL_METHOD *ssl3_get_server_method(int ver)
  170. {
  171. if (ver == SSL3_VERSION)
  172. return(SSLv3_server_method());
  173. else
  174. return(NULL);
  175. }
  176. IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
  177. ssl3_accept,
  178. ssl_undefined_function,
  179. ssl3_get_server_method)
  180. int ssl3_accept(SSL *s)
  181. {
  182. BUF_MEM *buf;
  183. unsigned long l,Time=(unsigned long)time(NULL);
  184. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  185. long num1;
  186. int ret= -1;
  187. int new_state,state,skip=0;
  188. RAND_add(&Time,sizeof(Time),0);
  189. ERR_clear_error();
  190. clear_sys_error();
  191. if (s->info_callback != NULL)
  192. cb=s->info_callback;
  193. else if (s->ctx->info_callback != NULL)
  194. cb=s->ctx->info_callback;
  195. /* init things to blank */
  196. s->in_handshake++;
  197. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  198. if (s->cert == NULL)
  199. {
  200. SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
  201. return(-1);
  202. }
  203. for (;;)
  204. {
  205. state=s->state;
  206. switch (s->state)
  207. {
  208. case SSL_ST_RENEGOTIATE:
  209. s->new_session=1;
  210. /* s->state=SSL_ST_ACCEPT; */
  211. case SSL_ST_BEFORE:
  212. case SSL_ST_ACCEPT:
  213. case SSL_ST_BEFORE|SSL_ST_ACCEPT:
  214. case SSL_ST_OK|SSL_ST_ACCEPT:
  215. s->server=1;
  216. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  217. if ((s->version>>8) != 3)
  218. {
  219. SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
  220. return -1;
  221. }
  222. s->type=SSL_ST_ACCEPT;
  223. if (s->init_buf == NULL)
  224. {
  225. if ((buf=BUF_MEM_new()) == NULL)
  226. {
  227. ret= -1;
  228. goto end;
  229. }
  230. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  231. {
  232. ret= -1;
  233. goto end;
  234. }
  235. s->init_buf=buf;
  236. }
  237. if (!ssl3_setup_buffers(s))
  238. {
  239. ret= -1;
  240. goto end;
  241. }
  242. s->init_num=0;
  243. if (s->state != SSL_ST_RENEGOTIATE)
  244. {
  245. /* Ok, we now need to push on a buffering BIO so that
  246. * the output is sent in a way that TCP likes :-)
  247. */
  248. if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
  249. ssl3_init_finished_mac(s);
  250. s->state=SSL3_ST_SR_CLNT_HELLO_A;
  251. s->ctx->stats.sess_accept++;
  252. }
  253. else
  254. {
  255. /* s->state == SSL_ST_RENEGOTIATE,
  256. * we will just send a HelloRequest */
  257. s->ctx->stats.sess_accept_renegotiate++;
  258. s->state=SSL3_ST_SW_HELLO_REQ_A;
  259. }
  260. break;
  261. case SSL3_ST_SW_HELLO_REQ_A:
  262. case SSL3_ST_SW_HELLO_REQ_B:
  263. s->shutdown=0;
  264. ret=ssl3_send_hello_request(s);
  265. if (ret <= 0) goto end;
  266. s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
  267. s->state=SSL3_ST_SW_FLUSH;
  268. s->init_num=0;
  269. ssl3_init_finished_mac(s);
  270. break;
  271. case SSL3_ST_SW_HELLO_REQ_C:
  272. s->state=SSL_ST_OK;
  273. break;
  274. case SSL3_ST_SR_CLNT_HELLO_A:
  275. case SSL3_ST_SR_CLNT_HELLO_B:
  276. case SSL3_ST_SR_CLNT_HELLO_C:
  277. s->shutdown=0;
  278. ret=ssl3_get_client_hello(s);
  279. if (ret <= 0) goto end;
  280. s->new_session = 2;
  281. s->state=SSL3_ST_SW_SRVR_HELLO_A;
  282. s->init_num=0;
  283. break;
  284. case SSL3_ST_SW_SRVR_HELLO_A:
  285. case SSL3_ST_SW_SRVR_HELLO_B:
  286. ret=ssl3_send_server_hello(s);
  287. if (ret <= 0) goto end;
  288. if (s->hit)
  289. s->state=SSL3_ST_SW_CHANGE_A;
  290. else
  291. s->state=SSL3_ST_SW_CERT_A;
  292. s->init_num=0;
  293. break;
  294. case SSL3_ST_SW_CERT_A:
  295. case SSL3_ST_SW_CERT_B:
  296. /* Check if it is anon DH or anon ECDH */
  297. /* or normal PSK */
  298. if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
  299. && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
  300. {
  301. ret=ssl3_send_server_certificate(s);
  302. if (ret <= 0) goto end;
  303. }
  304. else
  305. skip=1;
  306. s->state=SSL3_ST_SW_KEY_EXCH_A;
  307. s->init_num=0;
  308. break;
  309. case SSL3_ST_SW_KEY_EXCH_A:
  310. case SSL3_ST_SW_KEY_EXCH_B:
  311. l=s->s3->tmp.new_cipher->algorithms;
  312. /* clear this, it may get reset by
  313. * send_server_key_exchange */
  314. if ((s->options & SSL_OP_EPHEMERAL_RSA)
  315. #ifndef OPENSSL_NO_KRB5
  316. && !(l & SSL_KRB5)
  317. #endif /* OPENSSL_NO_KRB5 */
  318. )
  319. /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
  320. * even when forbidden by protocol specs
  321. * (handshake may fail as clients are not required to
  322. * be able to handle this) */
  323. s->s3->tmp.use_rsa_tmp=1;
  324. else
  325. s->s3->tmp.use_rsa_tmp=0;
  326. /* only send if a DH key exchange, fortezza or
  327. * RSA but we have a sign only certificate
  328. *
  329. * PSK: may send PSK identity hints
  330. *
  331. * For ECC ciphersuites, we send a serverKeyExchange
  332. * message only if the cipher suite is either
  333. * ECDH-anon or ECDHE. In other cases, the
  334. * server certificate contains the server's
  335. * public key for key exchange.
  336. */
  337. if (s->s3->tmp.use_rsa_tmp
  338. /* PSK: send ServerKeyExchange if PSK identity
  339. * hint if provided */
  340. #ifndef OPENSSL_NO_PSK
  341. || ((l & SSL_kPSK) && s->ctx->psk_identity_hint)
  342. #endif
  343. || (l & SSL_kECDHE)
  344. || (l & (SSL_DH|SSL_kFZA))
  345. || ((l & SSL_kRSA)
  346. && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
  347. || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
  348. && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
  349. )
  350. )
  351. )
  352. )
  353. {
  354. ret=ssl3_send_server_key_exchange(s);
  355. if (ret <= 0) goto end;
  356. }
  357. else
  358. skip=1;
  359. s->state=SSL3_ST_SW_CERT_REQ_A;
  360. s->init_num=0;
  361. break;
  362. case SSL3_ST_SW_CERT_REQ_A:
  363. case SSL3_ST_SW_CERT_REQ_B:
  364. if (/* don't request cert unless asked for it: */
  365. !(s->verify_mode & SSL_VERIFY_PEER) ||
  366. /* if SSL_VERIFY_CLIENT_ONCE is set,
  367. * don't request cert during re-negotiation: */
  368. ((s->session->peer != NULL) &&
  369. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  370. /* never request cert in anonymous ciphersuites
  371. * (see section "Certificate request" in SSL 3 drafts
  372. * and in RFC 2246): */
  373. ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
  374. /* ... except when the application insists on verification
  375. * (against the specs, but s3_clnt.c accepts this for SSL 3) */
  376. !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
  377. /* never request cert in Kerberos ciphersuites */
  378. (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)
  379. /* With normal PSK Certificates and
  380. * Certificate Requests are omitted */
  381. || (s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
  382. {
  383. /* no cert request */
  384. skip=1;
  385. s->s3->tmp.cert_request=0;
  386. s->state=SSL3_ST_SW_SRVR_DONE_A;
  387. }
  388. else
  389. {
  390. s->s3->tmp.cert_request=1;
  391. ret=ssl3_send_certificate_request(s);
  392. if (ret <= 0) goto end;
  393. #ifndef NETSCAPE_HANG_BUG
  394. s->state=SSL3_ST_SW_SRVR_DONE_A;
  395. #else
  396. s->state=SSL3_ST_SW_FLUSH;
  397. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  398. #endif
  399. s->init_num=0;
  400. }
  401. break;
  402. case SSL3_ST_SW_SRVR_DONE_A:
  403. case SSL3_ST_SW_SRVR_DONE_B:
  404. ret=ssl3_send_server_done(s);
  405. if (ret <= 0) goto end;
  406. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  407. s->state=SSL3_ST_SW_FLUSH;
  408. s->init_num=0;
  409. break;
  410. case SSL3_ST_SW_FLUSH:
  411. /* number of bytes to be flushed */
  412. num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
  413. if (num1 > 0)
  414. {
  415. s->rwstate=SSL_WRITING;
  416. num1=BIO_flush(s->wbio);
  417. if (num1 <= 0) { ret= -1; goto end; }
  418. s->rwstate=SSL_NOTHING;
  419. }
  420. s->state=s->s3->tmp.next_state;
  421. break;
  422. case SSL3_ST_SR_CERT_A:
  423. case SSL3_ST_SR_CERT_B:
  424. /* Check for second client hello (MS SGC) */
  425. ret = ssl3_check_client_hello(s);
  426. if (ret <= 0)
  427. goto end;
  428. if (ret == 2)
  429. s->state = SSL3_ST_SR_CLNT_HELLO_C;
  430. else {
  431. if (s->s3->tmp.cert_request)
  432. {
  433. ret=ssl3_get_client_certificate(s);
  434. if (ret <= 0) goto end;
  435. }
  436. s->init_num=0;
  437. s->state=SSL3_ST_SR_KEY_EXCH_A;
  438. }
  439. break;
  440. case SSL3_ST_SR_KEY_EXCH_A:
  441. case SSL3_ST_SR_KEY_EXCH_B:
  442. ret=ssl3_get_client_key_exchange(s);
  443. if (ret <= 0)
  444. goto end;
  445. if (ret == 2)
  446. {
  447. /* For the ECDH ciphersuites when
  448. * the client sends its ECDH pub key in
  449. * a certificate, the CertificateVerify
  450. * message is not sent.
  451. */
  452. s->state=SSL3_ST_SR_FINISHED_A;
  453. s->init_num = 0;
  454. }
  455. else
  456. {
  457. s->state=SSL3_ST_SR_CERT_VRFY_A;
  458. s->init_num=0;
  459. /* We need to get hashes here so if there is
  460. * a client cert, it can be verified
  461. */
  462. s->method->ssl3_enc->cert_verify_mac(s,
  463. &(s->s3->finish_dgst1),
  464. &(s->s3->tmp.cert_verify_md[0]));
  465. s->method->ssl3_enc->cert_verify_mac(s,
  466. &(s->s3->finish_dgst2),
  467. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
  468. }
  469. break;
  470. case SSL3_ST_SR_CERT_VRFY_A:
  471. case SSL3_ST_SR_CERT_VRFY_B:
  472. /* we should decide if we expected this one */
  473. ret=ssl3_get_cert_verify(s);
  474. if (ret <= 0) goto end;
  475. s->state=SSL3_ST_SR_FINISHED_A;
  476. s->init_num=0;
  477. break;
  478. case SSL3_ST_SR_FINISHED_A:
  479. case SSL3_ST_SR_FINISHED_B:
  480. ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
  481. SSL3_ST_SR_FINISHED_B);
  482. if (ret <= 0) goto end;
  483. if (s->hit)
  484. s->state=SSL_ST_OK;
  485. else
  486. s->state=SSL3_ST_SW_CHANGE_A;
  487. s->init_num=0;
  488. break;
  489. case SSL3_ST_SW_CHANGE_A:
  490. case SSL3_ST_SW_CHANGE_B:
  491. s->session->cipher=s->s3->tmp.new_cipher;
  492. if (!s->method->ssl3_enc->setup_key_block(s))
  493. { ret= -1; goto end; }
  494. ret=ssl3_send_change_cipher_spec(s,
  495. SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
  496. if (ret <= 0) goto end;
  497. s->state=SSL3_ST_SW_FINISHED_A;
  498. s->init_num=0;
  499. if (!s->method->ssl3_enc->change_cipher_state(s,
  500. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  501. {
  502. ret= -1;
  503. goto end;
  504. }
  505. break;
  506. case SSL3_ST_SW_FINISHED_A:
  507. case SSL3_ST_SW_FINISHED_B:
  508. ret=ssl3_send_finished(s,
  509. SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
  510. s->method->ssl3_enc->server_finished_label,
  511. s->method->ssl3_enc->server_finished_label_len);
  512. if (ret <= 0) goto end;
  513. s->state=SSL3_ST_SW_FLUSH;
  514. if (s->hit)
  515. s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
  516. else
  517. s->s3->tmp.next_state=SSL_ST_OK;
  518. s->init_num=0;
  519. break;
  520. case SSL_ST_OK:
  521. /* clean a few things up */
  522. ssl3_cleanup_key_block(s);
  523. BUF_MEM_free(s->init_buf);
  524. s->init_buf=NULL;
  525. /* remove buffering on output */
  526. ssl_free_wbio_buffer(s);
  527. s->init_num=0;
  528. if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
  529. {
  530. /* actually not necessarily a 'new' session unless
  531. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
  532. s->new_session=0;
  533. ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
  534. s->ctx->stats.sess_accept_good++;
  535. /* s->server=1; */
  536. s->handshake_func=ssl3_accept;
  537. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  538. }
  539. ret = 1;
  540. goto end;
  541. /* break; */
  542. default:
  543. SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
  544. ret= -1;
  545. goto end;
  546. /* break; */
  547. }
  548. if (!s->s3->tmp.reuse_message && !skip)
  549. {
  550. if (s->debug)
  551. {
  552. if ((ret=BIO_flush(s->wbio)) <= 0)
  553. goto end;
  554. }
  555. if ((cb != NULL) && (s->state != state))
  556. {
  557. new_state=s->state;
  558. s->state=state;
  559. cb(s,SSL_CB_ACCEPT_LOOP,1);
  560. s->state=new_state;
  561. }
  562. }
  563. skip=0;
  564. }
  565. end:
  566. /* BIO_flush(s->wbio); */
  567. s->in_handshake--;
  568. if (cb != NULL)
  569. cb(s,SSL_CB_ACCEPT_EXIT,ret);
  570. return(ret);
  571. }
  572. int ssl3_send_hello_request(SSL *s)
  573. {
  574. unsigned char *p;
  575. if (s->state == SSL3_ST_SW_HELLO_REQ_A)
  576. {
  577. p=(unsigned char *)s->init_buf->data;
  578. *(p++)=SSL3_MT_HELLO_REQUEST;
  579. *(p++)=0;
  580. *(p++)=0;
  581. *(p++)=0;
  582. s->state=SSL3_ST_SW_HELLO_REQ_B;
  583. /* number of bytes to write */
  584. s->init_num=4;
  585. s->init_off=0;
  586. }
  587. /* SSL3_ST_SW_HELLO_REQ_B */
  588. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  589. }
  590. int ssl3_check_client_hello(SSL *s)
  591. {
  592. int ok;
  593. long n;
  594. /* this function is called when we really expect a Certificate message,
  595. * so permit appropriate message length */
  596. n=s->method->ssl_get_message(s,
  597. SSL3_ST_SR_CERT_A,
  598. SSL3_ST_SR_CERT_B,
  599. -1,
  600. s->max_cert_list,
  601. &ok);
  602. if (!ok) return((int)n);
  603. s->s3->tmp.reuse_message = 1;
  604. if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
  605. {
  606. /* Throw away what we have done so far in the current handshake,
  607. * which will now be aborted. (A full SSL_clear would be too much.)
  608. * I hope that tmp.dh is the only thing that may need to be cleared
  609. * when a handshake is not completed ... */
  610. #ifndef OPENSSL_NO_DH
  611. if (s->s3->tmp.dh != NULL)
  612. {
  613. DH_free(s->s3->tmp.dh);
  614. s->s3->tmp.dh = NULL;
  615. }
  616. #endif
  617. return 2;
  618. }
  619. return 1;
  620. }
  621. int ssl3_get_client_hello(SSL *s)
  622. {
  623. int i,j,ok,al,ret= -1;
  624. unsigned int cookie_len;
  625. long n;
  626. unsigned long id;
  627. unsigned char *p,*d,*q;
  628. SSL_CIPHER *c;
  629. #ifndef OPENSSL_NO_COMP
  630. SSL_COMP *comp=NULL;
  631. #endif
  632. STACK_OF(SSL_CIPHER) *ciphers=NULL;
  633. /* We do this so that we will respond with our native type.
  634. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
  635. * This down switching should be handled by a different method.
  636. * If we are SSLv3, we will respond with SSLv3, even if prompted with
  637. * TLSv1.
  638. */
  639. if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
  640. {
  641. s->first_packet=1;
  642. s->state=SSL3_ST_SR_CLNT_HELLO_B;
  643. }
  644. n=s->method->ssl_get_message(s,
  645. SSL3_ST_SR_CLNT_HELLO_B,
  646. SSL3_ST_SR_CLNT_HELLO_C,
  647. SSL3_MT_CLIENT_HELLO,
  648. SSL3_RT_MAX_PLAIN_LENGTH,
  649. &ok);
  650. if (!ok) return((int)n);
  651. d=p=(unsigned char *)s->init_msg;
  652. /* use version from inside client hello, not from record header
  653. * (may differ: see RFC 2246, Appendix E, second paragraph) */
  654. s->client_version=(((int)p[0])<<8)|(int)p[1];
  655. p+=2;
  656. if (s->client_version < s->version)
  657. {
  658. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
  659. if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
  660. {
  661. /* similar to ssl3_get_record, send alert using remote version number */
  662. s->version = s->client_version;
  663. }
  664. al = SSL_AD_PROTOCOL_VERSION;
  665. goto f_err;
  666. }
  667. /* load the client random */
  668. memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
  669. p+=SSL3_RANDOM_SIZE;
  670. /* get the session-id */
  671. j= *(p++);
  672. s->hit=0;
  673. /* Versions before 0.9.7 always allow session reuse during renegotiation
  674. * (i.e. when s->new_session is true), option
  675. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
  676. * Maybe this optional behaviour should always have been the default,
  677. * but we cannot safely change the default behaviour (or new applications
  678. * might be written that become totally unsecure when compiled with
  679. * an earlier library version)
  680. */
  681. if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
  682. {
  683. if (!ssl_get_new_session(s,1))
  684. goto err;
  685. }
  686. else
  687. {
  688. i=ssl_get_prev_session(s,p,j);
  689. if (i == 1)
  690. { /* previous session */
  691. s->hit=1;
  692. }
  693. else if (i == -1)
  694. goto err;
  695. else /* i == 0 */
  696. {
  697. if (!ssl_get_new_session(s,1))
  698. goto err;
  699. }
  700. }
  701. p+=j;
  702. if (SSL_version(s) == DTLS1_VERSION)
  703. {
  704. /* cookie stuff */
  705. cookie_len = *(p++);
  706. if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
  707. s->d1->send_cookie == 0)
  708. {
  709. /* HelloVerifyMessage has already been sent */
  710. if ( cookie_len != s->d1->cookie_len)
  711. {
  712. al = SSL_AD_HANDSHAKE_FAILURE;
  713. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
  714. goto f_err;
  715. }
  716. }
  717. /*
  718. * The ClientHello may contain a cookie even if the
  719. * HelloVerify message has not been sent--make sure that it
  720. * does not cause an overflow.
  721. */
  722. if ( cookie_len > sizeof(s->d1->rcvd_cookie))
  723. {
  724. /* too much data */
  725. al = SSL_AD_DECODE_ERROR;
  726. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
  727. goto f_err;
  728. }
  729. /* verify the cookie if appropriate option is set. */
  730. if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
  731. cookie_len > 0)
  732. {
  733. memcpy(s->d1->rcvd_cookie, p, cookie_len);
  734. if ( s->ctx->app_verify_cookie_cb != NULL)
  735. {
  736. if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
  737. cookie_len) == 0)
  738. {
  739. al=SSL_AD_HANDSHAKE_FAILURE;
  740. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  741. SSL_R_COOKIE_MISMATCH);
  742. goto f_err;
  743. }
  744. /* else cookie verification succeeded */
  745. }
  746. else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
  747. s->d1->cookie_len) != 0) /* default verification */
  748. {
  749. al=SSL_AD_HANDSHAKE_FAILURE;
  750. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
  751. SSL_R_COOKIE_MISMATCH);
  752. goto f_err;
  753. }
  754. }
  755. p += cookie_len;
  756. }
  757. n2s(p,i);
  758. if ((i == 0) && (j != 0))
  759. {
  760. /* we need a cipher if we are not resuming a session */
  761. al=SSL_AD_ILLEGAL_PARAMETER;
  762. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
  763. goto f_err;
  764. }
  765. if ((p+i) >= (d+n))
  766. {
  767. /* not enough data */
  768. al=SSL_AD_DECODE_ERROR;
  769. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
  770. goto f_err;
  771. }
  772. if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
  773. == NULL))
  774. {
  775. goto err;
  776. }
  777. p+=i;
  778. /* If it is a hit, check that the cipher is in the list */
  779. if ((s->hit) && (i > 0))
  780. {
  781. j=0;
  782. id=s->session->cipher->id;
  783. #ifdef CIPHER_DEBUG
  784. printf("client sent %d ciphers\n",sk_num(ciphers));
  785. #endif
  786. for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
  787. {
  788. c=sk_SSL_CIPHER_value(ciphers,i);
  789. #ifdef CIPHER_DEBUG
  790. printf("client [%2d of %2d]:%s\n",
  791. i,sk_num(ciphers),SSL_CIPHER_get_name(c));
  792. #endif
  793. if (c->id == id)
  794. {
  795. j=1;
  796. break;
  797. }
  798. }
  799. if (j == 0)
  800. {
  801. if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
  802. {
  803. /* Very bad for multi-threading.... */
  804. s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
  805. }
  806. else
  807. {
  808. /* we need to have the cipher in the cipher
  809. * list if we are asked to reuse it */
  810. al=SSL_AD_ILLEGAL_PARAMETER;
  811. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
  812. goto f_err;
  813. }
  814. }
  815. }
  816. /* compression */
  817. i= *(p++);
  818. if ((p+i) > (d+n))
  819. {
  820. /* not enough data */
  821. al=SSL_AD_DECODE_ERROR;
  822. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
  823. goto f_err;
  824. }
  825. q=p;
  826. for (j=0; j<i; j++)
  827. {
  828. if (p[j] == 0) break;
  829. }
  830. p+=i;
  831. if (j >= i)
  832. {
  833. /* no compress */
  834. al=SSL_AD_DECODE_ERROR;
  835. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
  836. goto f_err;
  837. }
  838. #ifndef OPENSSL_NO_TLSEXT
  839. /* TLS extensions*/
  840. if (s->version > SSL3_VERSION)
  841. {
  842. if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
  843. {
  844. /* 'al' set by ssl_parse_clienthello_tlsext */
  845. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
  846. goto f_err;
  847. }
  848. }
  849. if (ssl_check_clienthello_tlsext(s) <= 0) {
  850. SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
  851. goto err;
  852. }
  853. #endif
  854. /* Worst case, we will use the NULL compression, but if we have other
  855. * options, we will now look for them. We have i-1 compression
  856. * algorithms from the client, starting at q. */
  857. s->s3->tmp.new_compression=NULL;
  858. #ifndef OPENSSL_NO_COMP
  859. if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
  860. { /* See if we have a match */
  861. int m,nn,o,v,done=0;
  862. nn=sk_SSL_COMP_num(s->ctx->comp_methods);
  863. for (m=0; m<nn; m++)
  864. {
  865. comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
  866. v=comp->id;
  867. for (o=0; o<i; o++)
  868. {
  869. if (v == q[o])
  870. {
  871. done=1;
  872. break;
  873. }
  874. }
  875. if (done) break;
  876. }
  877. if (done)
  878. s->s3->tmp.new_compression=comp;
  879. else
  880. comp=NULL;
  881. }
  882. #endif
  883. /* Given s->session->ciphers and SSL_get_ciphers, we must
  884. * pick a cipher */
  885. if (!s->hit)
  886. {
  887. #ifdef OPENSSL_NO_COMP
  888. s->session->compress_meth=0;
  889. #else
  890. s->session->compress_meth=(comp == NULL)?0:comp->id;
  891. #endif
  892. if (s->session->ciphers != NULL)
  893. sk_SSL_CIPHER_free(s->session->ciphers);
  894. s->session->ciphers=ciphers;
  895. if (ciphers == NULL)
  896. {
  897. al=SSL_AD_ILLEGAL_PARAMETER;
  898. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
  899. goto f_err;
  900. }
  901. ciphers=NULL;
  902. c=ssl3_choose_cipher(s,s->session->ciphers,
  903. SSL_get_ciphers(s));
  904. if (c == NULL)
  905. {
  906. al=SSL_AD_HANDSHAKE_FAILURE;
  907. SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
  908. goto f_err;
  909. }
  910. s->s3->tmp.new_cipher=c;
  911. }
  912. else
  913. {
  914. /* Session-id reuse */
  915. #ifdef REUSE_CIPHER_BUG
  916. STACK_OF(SSL_CIPHER) *sk;
  917. SSL_CIPHER *nc=NULL;
  918. SSL_CIPHER *ec=NULL;
  919. if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
  920. {
  921. sk=s->session->ciphers;
  922. for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
  923. {
  924. c=sk_SSL_CIPHER_value(sk,i);
  925. if (c->algorithms & SSL_eNULL)
  926. nc=c;
  927. if (SSL_C_IS_EXPORT(c))
  928. ec=c;
  929. }
  930. if (nc != NULL)
  931. s->s3->tmp.new_cipher=nc;
  932. else if (ec != NULL)
  933. s->s3->tmp.new_cipher=ec;
  934. else
  935. s->s3->tmp.new_cipher=s->session->cipher;
  936. }
  937. else
  938. #endif
  939. s->s3->tmp.new_cipher=s->session->cipher;
  940. }
  941. /* we now have the following setup.
  942. * client_random
  943. * cipher_list - our prefered list of ciphers
  944. * ciphers - the clients prefered list of ciphers
  945. * compression - basically ignored right now
  946. * ssl version is set - sslv3
  947. * s->session - The ssl session has been setup.
  948. * s->hit - session reuse flag
  949. * s->tmp.new_cipher - the new cipher to use.
  950. */
  951. ret=1;
  952. if (0)
  953. {
  954. f_err:
  955. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  956. }
  957. err:
  958. if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
  959. return(ret);
  960. }
  961. int ssl3_send_server_hello(SSL *s)
  962. {
  963. unsigned char *buf;
  964. unsigned char *p,*d;
  965. int i,sl;
  966. unsigned long l,Time;
  967. if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
  968. {
  969. buf=(unsigned char *)s->init_buf->data;
  970. p=s->s3->server_random;
  971. Time=(unsigned long)time(NULL); /* Time */
  972. l2n(Time,p);
  973. if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
  974. return -1;
  975. /* Do the message type and length last */
  976. d=p= &(buf[4]);
  977. *(p++)=s->version>>8;
  978. *(p++)=s->version&0xff;
  979. /* Random stuff */
  980. memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
  981. p+=SSL3_RANDOM_SIZE;
  982. /* now in theory we have 3 options to sending back the
  983. * session id. If it is a re-use, we send back the
  984. * old session-id, if it is a new session, we send
  985. * back the new session-id or we send back a 0 length
  986. * session-id if we want it to be single use.
  987. * Currently I will not implement the '0' length session-id
  988. * 12-Jan-98 - I'll now support the '0' length stuff.
  989. */
  990. if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
  991. s->session->session_id_length=0;
  992. sl=s->session->session_id_length;
  993. if (sl > (int)sizeof(s->session->session_id))
  994. {
  995. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  996. return -1;
  997. }
  998. *(p++)=sl;
  999. memcpy(p,s->session->session_id,sl);
  1000. p+=sl;
  1001. /* put the cipher */
  1002. i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
  1003. p+=i;
  1004. /* put the compression method */
  1005. #ifdef OPENSSL_NO_COMP
  1006. *(p++)=0;
  1007. #else
  1008. if (s->s3->tmp.new_compression == NULL)
  1009. *(p++)=0;
  1010. else
  1011. *(p++)=s->s3->tmp.new_compression->id;
  1012. #endif
  1013. #ifndef OPENSSL_NO_TLSEXT
  1014. if (ssl_prepare_serverhello_tlsext(s) <= 0)
  1015. {
  1016. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
  1017. return -1;
  1018. }
  1019. if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
  1020. {
  1021. SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
  1022. return -1;
  1023. }
  1024. #endif
  1025. /* do the header */
  1026. l=(p-d);
  1027. d=buf;
  1028. *(d++)=SSL3_MT_SERVER_HELLO;
  1029. l2n3(l,d);
  1030. s->state=SSL3_ST_CW_CLNT_HELLO_B;
  1031. /* number of bytes to write */
  1032. s->init_num=p-buf;
  1033. s->init_off=0;
  1034. }
  1035. /* SSL3_ST_CW_CLNT_HELLO_B */
  1036. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1037. }
  1038. int ssl3_send_server_done(SSL *s)
  1039. {
  1040. unsigned char *p;
  1041. if (s->state == SSL3_ST_SW_SRVR_DONE_A)
  1042. {
  1043. p=(unsigned char *)s->init_buf->data;
  1044. /* do the header */
  1045. *(p++)=SSL3_MT_SERVER_DONE;
  1046. *(p++)=0;
  1047. *(p++)=0;
  1048. *(p++)=0;
  1049. s->state=SSL3_ST_SW_SRVR_DONE_B;
  1050. /* number of bytes to write */
  1051. s->init_num=4;
  1052. s->init_off=0;
  1053. }
  1054. /* SSL3_ST_CW_CLNT_HELLO_B */
  1055. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1056. }
  1057. int ssl3_send_server_key_exchange(SSL *s)
  1058. {
  1059. #ifndef OPENSSL_NO_RSA
  1060. unsigned char *q;
  1061. int j,num;
  1062. RSA *rsa;
  1063. unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  1064. unsigned int u;
  1065. #endif
  1066. #ifndef OPENSSL_NO_DH
  1067. DH *dh=NULL,*dhp;
  1068. #endif
  1069. #ifndef OPENSSL_NO_ECDH
  1070. EC_KEY *ecdh=NULL, *ecdhp;
  1071. unsigned char *encodedPoint = NULL;
  1072. int encodedlen = 0;
  1073. int curve_id = 0;
  1074. BN_CTX *bn_ctx = NULL;
  1075. #endif
  1076. EVP_PKEY *pkey;
  1077. unsigned char *p,*d;
  1078. int al,i;
  1079. unsigned long type;
  1080. int n;
  1081. CERT *cert;
  1082. BIGNUM *r[4];
  1083. int nr[4],kn;
  1084. BUF_MEM *buf;
  1085. EVP_MD_CTX md_ctx;
  1086. EVP_MD_CTX_init(&md_ctx);
  1087. if (s->state == SSL3_ST_SW_KEY_EXCH_A)
  1088. {
  1089. type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
  1090. cert=s->cert;
  1091. buf=s->init_buf;
  1092. r[0]=r[1]=r[2]=r[3]=NULL;
  1093. n=0;
  1094. #ifndef OPENSSL_NO_RSA
  1095. if (type & SSL_kRSA)
  1096. {
  1097. rsa=cert->rsa_tmp;
  1098. if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
  1099. {
  1100. rsa=s->cert->rsa_tmp_cb(s,
  1101. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  1102. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  1103. if(rsa == NULL)
  1104. {
  1105. al=SSL_AD_HANDSHAKE_FAILURE;
  1106. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
  1107. goto f_err;
  1108. }
  1109. RSA_up_ref(rsa);
  1110. cert->rsa_tmp=rsa;
  1111. }
  1112. if (rsa == NULL)
  1113. {
  1114. al=SSL_AD_HANDSHAKE_FAILURE;
  1115. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
  1116. goto f_err;
  1117. }
  1118. r[0]=rsa->n;
  1119. r[1]=rsa->e;
  1120. s->s3->tmp.use_rsa_tmp=1;
  1121. }
  1122. else
  1123. #endif
  1124. #ifndef OPENSSL_NO_DH
  1125. if (type & SSL_kEDH)
  1126. {
  1127. dhp=cert->dh_tmp;
  1128. if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
  1129. dhp=s->cert->dh_tmp_cb(s,
  1130. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  1131. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  1132. if (dhp == NULL)
  1133. {
  1134. al=SSL_AD_HANDSHAKE_FAILURE;
  1135. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  1136. goto f_err;
  1137. }
  1138. if (s->s3->tmp.dh != NULL)
  1139. {
  1140. DH_free(dh);
  1141. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  1142. goto err;
  1143. }
  1144. if ((dh=DHparams_dup(dhp)) == NULL)
  1145. {
  1146. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  1147. goto err;
  1148. }
  1149. s->s3->tmp.dh=dh;
  1150. if ((dhp->pub_key == NULL ||
  1151. dhp->priv_key == NULL ||
  1152. (s->options & SSL_OP_SINGLE_DH_USE)))
  1153. {
  1154. if(!DH_generate_key(dh))
  1155. {
  1156. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
  1157. ERR_R_DH_LIB);
  1158. goto err;
  1159. }
  1160. }
  1161. else
  1162. {
  1163. dh->pub_key=BN_dup(dhp->pub_key);
  1164. dh->priv_key=BN_dup(dhp->priv_key);
  1165. if ((dh->pub_key == NULL) ||
  1166. (dh->priv_key == NULL))
  1167. {
  1168. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  1169. goto err;
  1170. }
  1171. }
  1172. r[0]=dh->p;
  1173. r[1]=dh->g;
  1174. r[2]=dh->pub_key;
  1175. }
  1176. else
  1177. #endif
  1178. #ifndef OPENSSL_NO_ECDH
  1179. if (type & SSL_kECDHE)
  1180. {
  1181. const EC_GROUP *group;
  1182. ecdhp=cert->ecdh_tmp;
  1183. if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
  1184. {
  1185. ecdhp=s->cert->ecdh_tmp_cb(s,
  1186. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  1187. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  1188. }
  1189. if (ecdhp == NULL)
  1190. {
  1191. al=SSL_AD_HANDSHAKE_FAILURE;
  1192. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
  1193. goto f_err;
  1194. }
  1195. if (s->s3->tmp.ecdh != NULL)
  1196. {
  1197. EC_KEY_free(s->s3->tmp.ecdh);
  1198. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  1199. goto err;
  1200. }
  1201. /* Duplicate the ECDH structure. */
  1202. if (ecdhp == NULL)
  1203. {
  1204. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  1205. goto err;
  1206. }
  1207. if (!EC_KEY_up_ref(ecdhp))
  1208. {
  1209. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  1210. goto err;
  1211. }
  1212. ecdh = ecdhp;
  1213. s->s3->tmp.ecdh=ecdh;
  1214. if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
  1215. (EC_KEY_get0_private_key(ecdh) == NULL) ||
  1216. (s->options & SSL_OP_SINGLE_ECDH_USE))
  1217. {
  1218. if(!EC_KEY_generate_key(ecdh))
  1219. {
  1220. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  1221. goto err;
  1222. }
  1223. }
  1224. if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
  1225. (EC_KEY_get0_public_key(ecdh) == NULL) ||
  1226. (EC_KEY_get0_private_key(ecdh) == NULL))
  1227. {
  1228. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  1229. goto err;
  1230. }
  1231. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  1232. (EC_GROUP_get_degree(group) > 163))
  1233. {
  1234. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
  1235. goto err;
  1236. }
  1237. /* XXX: For now, we only support ephemeral ECDH
  1238. * keys over named (not generic) curves. For
  1239. * supported named curves, curve_id is non-zero.
  1240. */
  1241. if ((curve_id =
  1242. tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
  1243. == 0)
  1244. {
  1245. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  1246. goto err;
  1247. }
  1248. /* Encode the public key.
  1249. * First check the size of encoding and
  1250. * allocate memory accordingly.
  1251. */
  1252. encodedlen = EC_POINT_point2oct(group,
  1253. EC_KEY_get0_public_key(ecdh),
  1254. POINT_CONVERSION_UNCOMPRESSED,
  1255. NULL, 0, NULL);
  1256. encodedPoint = (unsigned char *)
  1257. OPENSSL_malloc(encodedlen*sizeof(unsigned char));
  1258. bn_ctx = BN_CTX_new();
  1259. if ((encodedPoint == NULL) || (bn_ctx == NULL))
  1260. {
  1261. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1262. goto err;
  1263. }
  1264. encodedlen = EC_POINT_point2oct(group,
  1265. EC_KEY_get0_public_key(ecdh),
  1266. POINT_CONVERSION_UNCOMPRESSED,
  1267. encodedPoint, encodedlen, bn_ctx);
  1268. if (encodedlen == 0)
  1269. {
  1270. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  1271. goto err;
  1272. }
  1273. BN_CTX_free(bn_ctx); bn_ctx=NULL;
  1274. /* XXX: For now, we only support named (not
  1275. * generic) curves in ECDH ephemeral key exchanges.
  1276. * In this situation, we need four additional bytes
  1277. * to encode the entire ServerECDHParams
  1278. * structure.
  1279. */
  1280. n = 4 + encodedlen;
  1281. /* We'll generate the serverKeyExchange message
  1282. * explicitly so we can set these to NULLs
  1283. */
  1284. r[0]=NULL;
  1285. r[1]=NULL;
  1286. r[2]=NULL;
  1287. r[3]=NULL;
  1288. }
  1289. else
  1290. #endif /* !OPENSSL_NO_ECDH */
  1291. #ifndef OPENSSL_NO_PSK
  1292. if (type & SSL_kPSK)
  1293. {
  1294. /* reserve size for record length and PSK identity hint*/
  1295. n+=2+strlen(s->ctx->psk_identity_hint);
  1296. }
  1297. else
  1298. #endif /* !OPENSSL_NO_PSK */
  1299. {
  1300. al=SSL_AD_HANDSHAKE_FAILURE;
  1301. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  1302. goto f_err;
  1303. }
  1304. for (i=0; r[i] != NULL; i++)
  1305. {
  1306. nr[i]=BN_num_bytes(r[i]);
  1307. n+=2+nr[i];
  1308. }
  1309. if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
  1310. && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
  1311. {
  1312. if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
  1313. == NULL)
  1314. {
  1315. al=SSL_AD_DECODE_ERROR;
  1316. goto f_err;
  1317. }
  1318. kn=EVP_PKEY_size(pkey);
  1319. }
  1320. else
  1321. {
  1322. pkey=NULL;
  1323. kn=0;
  1324. }
  1325. if (!BUF_MEM_grow_clean(buf,n+4+kn))
  1326. {
  1327. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
  1328. goto err;
  1329. }
  1330. d=(unsigned char *)s->init_buf->data;
  1331. p= &(d[4]);
  1332. for (i=0; r[i] != NULL; i++)
  1333. {
  1334. s2n(nr[i],p);
  1335. BN_bn2bin(r[i],p);
  1336. p+=nr[i];
  1337. }
  1338. #ifndef OPENSSL_NO_ECDH
  1339. if (type & SSL_kECDHE)
  1340. {
  1341. /* XXX: For now, we only support named (not generic) curves.
  1342. * In this situation, the serverKeyExchange message has:
  1343. * [1 byte CurveType], [2 byte CurveName]
  1344. * [1 byte length of encoded point], followed by
  1345. * the actual encoded point itself
  1346. */
  1347. *p = NAMED_CURVE_TYPE;
  1348. p += 1;
  1349. *p = 0;
  1350. p += 1;
  1351. *p = curve_id;
  1352. p += 1;
  1353. *p = encodedlen;
  1354. p += 1;
  1355. memcpy((unsigned char*)p,
  1356. (unsigned char *)encodedPoint,
  1357. encodedlen);
  1358. OPENSSL_free(encodedPoint);
  1359. p += encodedlen;
  1360. }
  1361. #endif
  1362. #ifndef OPENSSL_NO_PSK
  1363. if (type & SSL_kPSK)
  1364. {
  1365. /* copy PSK identity hint */
  1366. s2n(strlen(s->ctx->psk_identity_hint), p);
  1367. strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
  1368. p+=strlen(s->ctx->psk_identity_hint);
  1369. }
  1370. #endif
  1371. /* not anonymous */
  1372. if (pkey != NULL)
  1373. {
  1374. /* n is the length of the params, they start at &(d[4])
  1375. * and p points to the space at the end. */
  1376. #ifndef OPENSSL_NO_RSA
  1377. if (pkey->type == EVP_PKEY_RSA)
  1378. {
  1379. q=md_buf;
  1380. j=0;
  1381. for (num=2; num > 0; num--)
  1382. {
  1383. EVP_DigestInit_ex(&md_ctx,(num == 2)
  1384. ?s->ctx->md5:s->ctx->sha1, NULL);
  1385. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1386. EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1387. EVP_DigestUpdate(&md_ctx,&(d[4]),n);
  1388. EVP_DigestFinal_ex(&md_ctx,q,
  1389. (unsigned int *)&i);
  1390. q+=i;
  1391. j+=i;
  1392. }
  1393. if (RSA_sign(NID_md5_sha1, md_buf, j,
  1394. &(p[2]), &u, pkey->pkey.rsa) <= 0)
  1395. {
  1396. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
  1397. goto err;
  1398. }
  1399. s2n(u,p);
  1400. n+=u+2;
  1401. }
  1402. else
  1403. #endif
  1404. #if !defined(OPENSSL_NO_DSA)
  1405. if (pkey->type == EVP_PKEY_DSA)
  1406. {
  1407. /* lets do DSS */
  1408. EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
  1409. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1410. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1411. EVP_SignUpdate(&md_ctx,&(d[4]),n);
  1412. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1413. (unsigned int *)&i,pkey))
  1414. {
  1415. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
  1416. goto err;
  1417. }
  1418. s2n(i,p);
  1419. n+=i+2;
  1420. }
  1421. else
  1422. #endif
  1423. #if !defined(OPENSSL_NO_ECDSA)
  1424. if (pkey->type == EVP_PKEY_EC)
  1425. {
  1426. /* let's do ECDSA */
  1427. EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
  1428. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1429. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1430. EVP_SignUpdate(&md_ctx,&(d[4]),n);
  1431. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1432. (unsigned int *)&i,pkey))
  1433. {
  1434. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
  1435. goto err;
  1436. }
  1437. s2n(i,p);
  1438. n+=i+2;
  1439. }
  1440. else
  1441. #endif
  1442. {
  1443. /* Is this error check actually needed? */
  1444. al=SSL_AD_HANDSHAKE_FAILURE;
  1445. SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
  1446. goto f_err;
  1447. }
  1448. }
  1449. *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
  1450. l2n3(n,d);
  1451. /* we should now have things packed up, so lets send
  1452. * it off */
  1453. s->init_num=n+4;
  1454. s->init_off=0;
  1455. }
  1456. s->state = SSL3_ST_SW_KEY_EXCH_B;
  1457. EVP_MD_CTX_cleanup(&md_ctx);
  1458. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1459. f_err:
  1460. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1461. err:
  1462. #ifndef OPENSSL_NO_ECDH
  1463. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  1464. BN_CTX_free(bn_ctx);
  1465. #endif
  1466. EVP_MD_CTX_cleanup(&md_ctx);
  1467. return(-1);
  1468. }
  1469. int ssl3_send_certificate_request(SSL *s)
  1470. {
  1471. unsigned char *p,*d;
  1472. int i,j,nl,off,n;
  1473. STACK_OF(X509_NAME) *sk=NULL;
  1474. X509_NAME *name;
  1475. BUF_MEM *buf;
  1476. if (s->state == SSL3_ST_SW_CERT_REQ_A)
  1477. {
  1478. buf=s->init_buf;
  1479. d=p=(unsigned char *)&(buf->data[4]);
  1480. /* get the list of acceptable cert types */
  1481. p++;
  1482. n=ssl3_get_req_cert_type(s,p);
  1483. d[0]=n;
  1484. p+=n;
  1485. n++;
  1486. off=n;
  1487. p+=2;
  1488. n+=2;
  1489. sk=SSL_get_client_CA_list(s);
  1490. nl=0;
  1491. if (sk != NULL)
  1492. {
  1493. for (i=0; i<sk_X509_NAME_num(sk); i++)
  1494. {
  1495. name=sk_X509_NAME_value(sk,i);
  1496. j=i2d_X509_NAME(name,NULL);
  1497. if (!BUF_MEM_grow_clean(buf,4+n+j+2))
  1498. {
  1499. SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
  1500. goto err;
  1501. }
  1502. p=(unsigned char *)&(buf->data[4+n]);
  1503. if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
  1504. {
  1505. s2n(j,p);
  1506. i2d_X509_NAME(name,&p);
  1507. n+=2+j;
  1508. nl+=2+j;
  1509. }
  1510. else
  1511. {
  1512. d=p;
  1513. i2d_X509_NAME(name,&p);
  1514. j-=2; s2n(j,d); j+=2;
  1515. n+=j;
  1516. nl+=j;
  1517. }
  1518. }
  1519. }
  1520. /* else no CA names */
  1521. p=(unsigned char *)&(buf->data[4+off]);
  1522. s2n(nl,p);
  1523. d=(unsigned char *)buf->data;
  1524. *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
  1525. l2n3(n,d);
  1526. /* we should now have things packed up, so lets send
  1527. * it off */
  1528. s->init_num=n+4;
  1529. s->init_off=0;
  1530. #ifdef NETSCAPE_HANG_BUG
  1531. p=(unsigned char *)s->init_buf->data + s->init_num;
  1532. /* do the header */
  1533. *(p++)=SSL3_MT_SERVER_DONE;
  1534. *(p++)=0;
  1535. *(p++)=0;
  1536. *(p++)=0;
  1537. s->init_num += 4;
  1538. #endif
  1539. s->state = SSL3_ST_SW_CERT_REQ_B;
  1540. }
  1541. /* SSL3_ST_SW_CERT_REQ_B */
  1542. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  1543. err:
  1544. return(-1);
  1545. }
  1546. int ssl3_get_client_key_exchange(SSL *s)
  1547. {
  1548. int i,al,ok;
  1549. long n;
  1550. unsigned long l;
  1551. unsigned char *p;
  1552. #ifndef OPENSSL_NO_RSA
  1553. RSA *rsa=NULL;
  1554. EVP_PKEY *pkey=NULL;
  1555. #endif
  1556. #ifndef OPENSSL_NO_DH
  1557. BIGNUM *pub=NULL;
  1558. DH *dh_srvr;
  1559. #endif
  1560. #ifndef OPENSSL_NO_KRB5
  1561. KSSL_ERR kssl_err;
  1562. #endif /* OPENSSL_NO_KRB5 */
  1563. #ifndef OPENSSL_NO_ECDH
  1564. EC_KEY *srvr_ecdh = NULL;
  1565. EVP_PKEY *clnt_pub_pkey = NULL;
  1566. EC_POINT *clnt_ecpoint = NULL;
  1567. BN_CTX *bn_ctx = NULL;
  1568. #endif
  1569. n=s->method->ssl_get_message(s,
  1570. SSL3_ST_SR_KEY_EXCH_A,
  1571. SSL3_ST_SR_KEY_EXCH_B,
  1572. SSL3_MT_CLIENT_KEY_EXCHANGE,
  1573. 2048, /* ??? */
  1574. &ok);
  1575. if (!ok) return((int)n);
  1576. p=(unsigned char *)s->init_msg;
  1577. l=s->s3->tmp.new_cipher->algorithms;
  1578. #ifndef OPENSSL_NO_RSA
  1579. if (l & SSL_kRSA)
  1580. {
  1581. /* FIX THIS UP EAY EAY EAY EAY */
  1582. if (s->s3->tmp.use_rsa_tmp)
  1583. {
  1584. if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
  1585. rsa=s->cert->rsa_tmp;
  1586. /* Don't do a callback because rsa_tmp should
  1587. * be sent already */
  1588. if (rsa == NULL)
  1589. {
  1590. al=SSL_AD_HANDSHAKE_FAILURE;
  1591. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
  1592. goto f_err;
  1593. }
  1594. }
  1595. else
  1596. {
  1597. pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
  1598. if ( (pkey == NULL) ||
  1599. (pkey->type != EVP_PKEY_RSA) ||
  1600. (pkey->pkey.rsa == NULL))
  1601. {
  1602. al=SSL_AD_HANDSHAKE_FAILURE;
  1603. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
  1604. goto f_err;
  1605. }
  1606. rsa=pkey->pkey.rsa;
  1607. }
  1608. /* TLS */
  1609. if (s->version > SSL3_VERSION)
  1610. {
  1611. n2s(p,i);
  1612. if (n != i+2)
  1613. {
  1614. if (!(s->options & SSL_OP_TLS_D5_BUG))
  1615. {
  1616. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
  1617. goto err;
  1618. }
  1619. else
  1620. p-=2;
  1621. }
  1622. else
  1623. n=i;
  1624. }
  1625. i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
  1626. al = -1;
  1627. if (i != SSL_MAX_MASTER_KEY_LENGTH)
  1628. {
  1629. al=SSL_AD_DECODE_ERROR;
  1630. /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
  1631. }
  1632. if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
  1633. {
  1634. /* The premaster secret must contain the same version number as the
  1635. * ClientHello to detect version rollback attacks (strangely, the
  1636. * protocol does not offer such protection for DH ciphersuites).
  1637. * However, buggy clients exist that send the negotiated protocol
  1638. * version instead if the server does not support the requested
  1639. * protocol version.
  1640. * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
  1641. if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
  1642. (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
  1643. {
  1644. al=SSL_AD_DECODE_ERROR;
  1645. /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
  1646. /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  1647. * (http://eprint.iacr.org/2003/052/) exploits the version
  1648. * number check as a "bad version oracle" -- an alert would
  1649. * reveal that the plaintext corresponding to some ciphertext
  1650. * made up by the adversary is properly formatted except
  1651. * that the version number is wrong. To avoid such attacks,
  1652. * we should treat this just like any other decryption error. */
  1653. }
  1654. }
  1655. if (al != -1)
  1656. {
  1657. /* Some decryption failure -- use random value instead as countermeasure
  1658. * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
  1659. * (see RFC 2246, section 7.4.7.1). */
  1660. ERR_clear_error();
  1661. i = SSL_MAX_MASTER_KEY_LENGTH;
  1662. p[0] = s->client_version >> 8;
  1663. p[1] = s->client_version & 0xff;
  1664. if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
  1665. goto err;
  1666. }
  1667. s->session->master_key_length=
  1668. s->method->ssl3_enc->generate_master_secret(s,
  1669. s->session->master_key,
  1670. p,i);
  1671. OPENSSL_cleanse(p,i);
  1672. }
  1673. else
  1674. #endif
  1675. #ifndef OPENSSL_NO_DH
  1676. if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  1677. {
  1678. n2s(p,i);
  1679. if (n != i+2)
  1680. {
  1681. if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
  1682. {
  1683. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  1684. goto err;
  1685. }
  1686. else
  1687. {
  1688. p-=2;
  1689. i=(int)n;
  1690. }
  1691. }
  1692. if (n == 0L) /* the parameters are in the cert */
  1693. {
  1694. al=SSL_AD_HANDSHAKE_FAILURE;
  1695. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
  1696. goto f_err;
  1697. }
  1698. else
  1699. {
  1700. if (s->s3->tmp.dh == NULL)
  1701. {
  1702. al=SSL_AD_HANDSHAKE_FAILURE;
  1703. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  1704. goto f_err;
  1705. }
  1706. else
  1707. dh_srvr=s->s3->tmp.dh;
  1708. }
  1709. pub=BN_bin2bn(p,i,NULL);
  1710. if (pub == NULL)
  1711. {
  1712. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
  1713. goto err;
  1714. }
  1715. i=DH_compute_key(p,pub,dh_srvr);
  1716. if (i <= 0)
  1717. {
  1718. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  1719. goto err;
  1720. }
  1721. DH_free(s->s3->tmp.dh);
  1722. s->s3->tmp.dh=NULL;
  1723. BN_clear_free(pub);
  1724. pub=NULL;
  1725. s->session->master_key_length=
  1726. s->method->ssl3_enc->generate_master_secret(s,
  1727. s->session->master_key,p,i);
  1728. OPENSSL_cleanse(p,i);
  1729. }
  1730. else
  1731. #endif
  1732. #ifndef OPENSSL_NO_KRB5
  1733. if (l & SSL_kKRB5)
  1734. {
  1735. krb5_error_code krb5rc;
  1736. krb5_data enc_ticket;
  1737. krb5_data authenticator;
  1738. krb5_data enc_pms;
  1739. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  1740. EVP_CIPHER_CTX ciph_ctx;
  1741. EVP_CIPHER *enc = NULL;
  1742. unsigned char iv[EVP_MAX_IV_LENGTH];
  1743. unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
  1744. + EVP_MAX_BLOCK_LENGTH];
  1745. int padl, outl;
  1746. krb5_timestamp authtime = 0;
  1747. krb5_ticket_times ttimes;
  1748. EVP_CIPHER_CTX_init(&ciph_ctx);
  1749. if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
  1750. n2s(p,i);
  1751. enc_ticket.length = i;
  1752. if (n < enc_ticket.length + 6)
  1753. {
  1754. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1755. SSL_R_DATA_LENGTH_TOO_LONG);
  1756. goto err;
  1757. }
  1758. enc_ticket.data = (char *)p;
  1759. p+=enc_ticket.length;
  1760. n2s(p,i);
  1761. authenticator.length = i;
  1762. if (n < enc_ticket.length + authenticator.length + 6)
  1763. {
  1764. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1765. SSL_R_DATA_LENGTH_TOO_LONG);
  1766. goto err;
  1767. }
  1768. authenticator.data = (char *)p;
  1769. p+=authenticator.length;
  1770. n2s(p,i);
  1771. enc_pms.length = i;
  1772. enc_pms.data = (char *)p;
  1773. p+=enc_pms.length;
  1774. /* Note that the length is checked again below,
  1775. ** after decryption
  1776. */
  1777. if(enc_pms.length > sizeof pms)
  1778. {
  1779. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1780. SSL_R_DATA_LENGTH_TOO_LONG);
  1781. goto err;
  1782. }
  1783. if (n != (long)(enc_ticket.length + authenticator.length +
  1784. enc_pms.length + 6))
  1785. {
  1786. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1787. SSL_R_DATA_LENGTH_TOO_LONG);
  1788. goto err;
  1789. }
  1790. if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
  1791. &kssl_err)) != 0)
  1792. {
  1793. #ifdef KSSL_DEBUG
  1794. printf("kssl_sget_tkt rtn %d [%d]\n",
  1795. krb5rc, kssl_err.reason);
  1796. if (kssl_err.text)
  1797. printf("kssl_err text= %s\n", kssl_err.text);
  1798. #endif /* KSSL_DEBUG */
  1799. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1800. kssl_err.reason);
  1801. goto err;
  1802. }
  1803. /* Note: no authenticator is not considered an error,
  1804. ** but will return authtime == 0.
  1805. */
  1806. if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
  1807. &authtime, &kssl_err)) != 0)
  1808. {
  1809. #ifdef KSSL_DEBUG
  1810. printf("kssl_check_authent rtn %d [%d]\n",
  1811. krb5rc, kssl_err.reason);
  1812. if (kssl_err.text)
  1813. printf("kssl_err text= %s\n", kssl_err.text);
  1814. #endif /* KSSL_DEBUG */
  1815. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1816. kssl_err.reason);
  1817. goto err;
  1818. }
  1819. if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
  1820. {
  1821. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
  1822. goto err;
  1823. }
  1824. #ifdef KSSL_DEBUG
  1825. kssl_ctx_show(kssl_ctx);
  1826. #endif /* KSSL_DEBUG */
  1827. enc = kssl_map_enc(kssl_ctx->enctype);
  1828. if (enc == NULL)
  1829. goto err;
  1830. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  1831. if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
  1832. {
  1833. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1834. SSL_R_DECRYPTION_FAILED);
  1835. goto err;
  1836. }
  1837. if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
  1838. (unsigned char *)enc_pms.data, enc_pms.length))
  1839. {
  1840. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1841. SSL_R_DECRYPTION_FAILED);
  1842. goto err;
  1843. }
  1844. if (outl > SSL_MAX_MASTER_KEY_LENGTH)
  1845. {
  1846. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1847. SSL_R_DATA_LENGTH_TOO_LONG);
  1848. goto err;
  1849. }
  1850. if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
  1851. {
  1852. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1853. SSL_R_DECRYPTION_FAILED);
  1854. goto err;
  1855. }
  1856. outl += padl;
  1857. if (outl > SSL_MAX_MASTER_KEY_LENGTH)
  1858. {
  1859. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1860. SSL_R_DATA_LENGTH_TOO_LONG);
  1861. goto err;
  1862. }
  1863. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  1864. s->session->master_key_length=
  1865. s->method->ssl3_enc->generate_master_secret(s,
  1866. s->session->master_key, pms, outl);
  1867. if (kssl_ctx->client_princ)
  1868. {
  1869. int len = strlen(kssl_ctx->client_princ);
  1870. if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
  1871. {
  1872. s->session->krb5_client_princ_len = len;
  1873. memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
  1874. }
  1875. }
  1876. /* Was doing kssl_ctx_free() here,
  1877. ** but it caused problems for apache.
  1878. ** kssl_ctx = kssl_ctx_free(kssl_ctx);
  1879. ** if (s->kssl_ctx) s->kssl_ctx = NULL;
  1880. */
  1881. }
  1882. else
  1883. #endif /* OPENSSL_NO_KRB5 */
  1884. #ifndef OPENSSL_NO_ECDH
  1885. if ((l & SSL_kECDH) || (l & SSL_kECDHE))
  1886. {
  1887. int ret = 1;
  1888. int field_size = 0;
  1889. const EC_KEY *tkey;
  1890. const EC_GROUP *group;
  1891. const BIGNUM *priv_key;
  1892. /* initialize structures for server's ECDH key pair */
  1893. if ((srvr_ecdh = EC_KEY_new()) == NULL)
  1894. {
  1895. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1896. ERR_R_MALLOC_FAILURE);
  1897. goto err;
  1898. }
  1899. /* Let's get server private key and group information */
  1900. if (l & SSL_kECDH)
  1901. {
  1902. /* use the certificate */
  1903. tkey = s->cert->key->privatekey->pkey.ec;
  1904. }
  1905. else
  1906. {
  1907. /* use the ephermeral values we saved when
  1908. * generating the ServerKeyExchange msg.
  1909. */
  1910. tkey = s->s3->tmp.ecdh;
  1911. }
  1912. group = EC_KEY_get0_group(tkey);
  1913. priv_key = EC_KEY_get0_private_key(tkey);
  1914. if (!EC_KEY_set_group(srvr_ecdh, group) ||
  1915. !EC_KEY_set_private_key(srvr_ecdh, priv_key))
  1916. {
  1917. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1918. ERR_R_EC_LIB);
  1919. goto err;
  1920. }
  1921. /* Let's get client's public key */
  1922. if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
  1923. {
  1924. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1925. ERR_R_MALLOC_FAILURE);
  1926. goto err;
  1927. }
  1928. if (n == 0L)
  1929. {
  1930. /* Client Publickey was in Client Certificate */
  1931. if (l & SSL_kECDHE)
  1932. {
  1933. al=SSL_AD_HANDSHAKE_FAILURE;
  1934. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
  1935. goto f_err;
  1936. }
  1937. if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
  1938. == NULL) ||
  1939. (clnt_pub_pkey->type != EVP_PKEY_EC))
  1940. {
  1941. /* XXX: For now, we do not support client
  1942. * authentication using ECDH certificates
  1943. * so this branch (n == 0L) of the code is
  1944. * never executed. When that support is
  1945. * added, we ought to ensure the key
  1946. * received in the certificate is
  1947. * authorized for key agreement.
  1948. * ECDH_compute_key implicitly checks that
  1949. * the two ECDH shares are for the same
  1950. * group.
  1951. */
  1952. al=SSL_AD_HANDSHAKE_FAILURE;
  1953. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1954. SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
  1955. goto f_err;
  1956. }
  1957. if (EC_POINT_copy(clnt_ecpoint,
  1958. EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
  1959. {
  1960. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1961. ERR_R_EC_LIB);
  1962. goto err;
  1963. }
  1964. ret = 2; /* Skip certificate verify processing */
  1965. }
  1966. else
  1967. {
  1968. /* Get client's public key from encoded point
  1969. * in the ClientKeyExchange message.
  1970. */
  1971. if ((bn_ctx = BN_CTX_new()) == NULL)
  1972. {
  1973. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1974. ERR_R_MALLOC_FAILURE);
  1975. goto err;
  1976. }
  1977. /* Get encoded point length */
  1978. i = *p;
  1979. p += 1;
  1980. if (EC_POINT_oct2point(group,
  1981. clnt_ecpoint, p, i, bn_ctx) == 0)
  1982. {
  1983. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1984. ERR_R_EC_LIB);
  1985. goto err;
  1986. }
  1987. /* p is pointing to somewhere in the buffer
  1988. * currently, so set it to the start
  1989. */
  1990. p=(unsigned char *)s->init_buf->data;
  1991. }
  1992. /* Compute the shared pre-master secret */
  1993. field_size = EC_GROUP_get_degree(group);
  1994. if (field_size <= 0)
  1995. {
  1996. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  1997. ERR_R_ECDH_LIB);
  1998. goto err;
  1999. }
  2000. i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
  2001. if (i <= 0)
  2002. {
  2003. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2004. ERR_R_ECDH_LIB);
  2005. goto err;
  2006. }
  2007. EVP_PKEY_free(clnt_pub_pkey);
  2008. EC_POINT_free(clnt_ecpoint);
  2009. if (srvr_ecdh != NULL)
  2010. EC_KEY_free(srvr_ecdh);
  2011. BN_CTX_free(bn_ctx);
  2012. /* Compute the master secret */
  2013. s->session->master_key_length = s->method->ssl3_enc-> \
  2014. generate_master_secret(s, s->session->master_key, p, i);
  2015. OPENSSL_cleanse(p, i);
  2016. return (ret);
  2017. }
  2018. else
  2019. #endif
  2020. #ifndef OPENSSL_NO_PSK
  2021. if (l & SSL_kPSK)
  2022. {
  2023. unsigned char *t = NULL;
  2024. unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
  2025. unsigned int pre_ms_len = 0, psk_len = 0;
  2026. int psk_err = 1;
  2027. char tmp_id[PSK_MAX_IDENTITY_LEN+1];
  2028. al=SSL_AD_HANDSHAKE_FAILURE;
  2029. n2s(p,i);
  2030. if (n != i+2)
  2031. {
  2032. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2033. SSL_R_LENGTH_MISMATCH);
  2034. goto psk_err;
  2035. }
  2036. if (i > PSK_MAX_IDENTITY_LEN)
  2037. {
  2038. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2039. SSL_R_DATA_LENGTH_TOO_LONG);
  2040. goto psk_err;
  2041. }
  2042. if (s->psk_server_callback == NULL)
  2043. {
  2044. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2045. SSL_R_PSK_NO_SERVER_CB);
  2046. goto psk_err;
  2047. }
  2048. /* Create guaranteed NULL-terminated identity
  2049. * string for the callback */
  2050. memcpy(tmp_id, p, i);
  2051. memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
  2052. psk_len = s->psk_server_callback(s, tmp_id,
  2053. psk_or_pre_ms, sizeof(psk_or_pre_ms));
  2054. OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1);
  2055. if (psk_len > PSK_MAX_PSK_LEN)
  2056. {
  2057. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2058. ERR_R_INTERNAL_ERROR);
  2059. goto psk_err;
  2060. }
  2061. else if (psk_len == 0)
  2062. {
  2063. /* PSK related to the given identity not found */
  2064. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2065. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2066. al=SSL_AD_UNKNOWN_PSK_IDENTITY;
  2067. goto psk_err;
  2068. }
  2069. /* create PSK pre_master_secret */
  2070. pre_ms_len=2+psk_len+2+psk_len;
  2071. t = psk_or_pre_ms;
  2072. memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
  2073. s2n(psk_len, t);
  2074. memset(t, 0, psk_len);
  2075. t+=psk_len;
  2076. s2n(psk_len, t);
  2077. if (s->session->psk_identity != NULL)
  2078. OPENSSL_free(s->session->psk_identity);
  2079. s->session->psk_identity = BUF_strdup((char *)p);
  2080. if (s->session->psk_identity == NULL)
  2081. {
  2082. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2083. ERR_R_MALLOC_FAILURE);
  2084. goto psk_err;
  2085. }
  2086. if (s->session->psk_identity_hint != NULL)
  2087. OPENSSL_free(s->session->psk_identity_hint);
  2088. s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
  2089. if (s->ctx->psk_identity_hint != NULL &&
  2090. s->session->psk_identity_hint == NULL)
  2091. {
  2092. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2093. ERR_R_MALLOC_FAILURE);
  2094. goto psk_err;
  2095. }
  2096. s->session->master_key_length=
  2097. s->method->ssl3_enc->generate_master_secret(s,
  2098. s->session->master_key, psk_or_pre_ms, pre_ms_len);
  2099. psk_err = 0;
  2100. psk_err:
  2101. OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
  2102. if (psk_err != 0)
  2103. goto f_err;
  2104. }
  2105. else
  2106. #endif
  2107. {
  2108. al=SSL_AD_HANDSHAKE_FAILURE;
  2109. SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
  2110. SSL_R_UNKNOWN_CIPHER_TYPE);
  2111. goto f_err;
  2112. }
  2113. return(1);
  2114. f_err:
  2115. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  2116. #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH)
  2117. err:
  2118. #endif
  2119. #ifndef OPENSSL_NO_ECDH
  2120. EVP_PKEY_free(clnt_pub_pkey);
  2121. EC_POINT_free(clnt_ecpoint);
  2122. if (srvr_ecdh != NULL)
  2123. EC_KEY_free(srvr_ecdh);
  2124. BN_CTX_free(bn_ctx);
  2125. #endif
  2126. return(-1);
  2127. }
  2128. int ssl3_get_cert_verify(SSL *s)
  2129. {
  2130. EVP_PKEY *pkey=NULL;
  2131. unsigned char *p;
  2132. int al,ok,ret=0;
  2133. long n;
  2134. int type=0,i,j;
  2135. X509 *peer;
  2136. n=s->method->ssl_get_message(s,
  2137. SSL3_ST_SR_CERT_VRFY_A,
  2138. SSL3_ST_SR_CERT_VRFY_B,
  2139. -1,
  2140. 514, /* 514? */
  2141. &ok);
  2142. if (!ok) return((int)n);
  2143. if (s->session->peer != NULL)
  2144. {
  2145. peer=s->session->peer;
  2146. pkey=X509_get_pubkey(peer);
  2147. type=X509_certificate_type(peer,pkey);
  2148. }
  2149. else
  2150. {
  2151. peer=NULL;
  2152. pkey=NULL;
  2153. }
  2154. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
  2155. {
  2156. s->s3->tmp.reuse_message=1;
  2157. if ((peer != NULL) && (type | EVP_PKT_SIGN))
  2158. {
  2159. al=SSL_AD_UNEXPECTED_MESSAGE;
  2160. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
  2161. goto f_err;
  2162. }
  2163. ret=1;
  2164. goto end;
  2165. }
  2166. if (peer == NULL)
  2167. {
  2168. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
  2169. al=SSL_AD_UNEXPECTED_MESSAGE;
  2170. goto f_err;
  2171. }
  2172. if (!(type & EVP_PKT_SIGN))
  2173. {
  2174. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
  2175. al=SSL_AD_ILLEGAL_PARAMETER;
  2176. goto f_err;
  2177. }
  2178. if (s->s3->change_cipher_spec)
  2179. {
  2180. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
  2181. al=SSL_AD_UNEXPECTED_MESSAGE;
  2182. goto f_err;
  2183. }
  2184. /* we now have a signature that we need to verify */
  2185. p=(unsigned char *)s->init_msg;
  2186. n2s(p,i);
  2187. n-=2;
  2188. if (i > n)
  2189. {
  2190. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
  2191. al=SSL_AD_DECODE_ERROR;
  2192. goto f_err;
  2193. }
  2194. j=EVP_PKEY_size(pkey);
  2195. if ((i > j) || (n > j) || (n <= 0))
  2196. {
  2197. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
  2198. al=SSL_AD_DECODE_ERROR;
  2199. goto f_err;
  2200. }
  2201. #ifndef OPENSSL_NO_RSA
  2202. if (pkey->type == EVP_PKEY_RSA)
  2203. {
  2204. i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
  2205. MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i,
  2206. pkey->pkey.rsa);
  2207. if (i < 0)
  2208. {
  2209. al=SSL_AD_DECRYPT_ERROR;
  2210. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
  2211. goto f_err;
  2212. }
  2213. if (i == 0)
  2214. {
  2215. al=SSL_AD_DECRYPT_ERROR;
  2216. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
  2217. goto f_err;
  2218. }
  2219. }
  2220. else
  2221. #endif
  2222. #ifndef OPENSSL_NO_DSA
  2223. if (pkey->type == EVP_PKEY_DSA)
  2224. {
  2225. j=DSA_verify(pkey->save_type,
  2226. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
  2227. SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
  2228. if (j <= 0)
  2229. {
  2230. /* bad signature */
  2231. al=SSL_AD_DECRYPT_ERROR;
  2232. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
  2233. goto f_err;
  2234. }
  2235. }
  2236. else
  2237. #endif
  2238. #ifndef OPENSSL_NO_ECDSA
  2239. if (pkey->type == EVP_PKEY_EC)
  2240. {
  2241. j=ECDSA_verify(pkey->save_type,
  2242. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
  2243. SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec);
  2244. if (j <= 0)
  2245. {
  2246. /* bad signature */
  2247. al=SSL_AD_DECRYPT_ERROR;
  2248. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
  2249. SSL_R_BAD_ECDSA_SIGNATURE);
  2250. goto f_err;
  2251. }
  2252. }
  2253. else
  2254. #endif
  2255. {
  2256. SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
  2257. al=SSL_AD_UNSUPPORTED_CERTIFICATE;
  2258. goto f_err;
  2259. }
  2260. ret=1;
  2261. if (0)
  2262. {
  2263. f_err:
  2264. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  2265. }
  2266. end:
  2267. EVP_PKEY_free(pkey);
  2268. return(ret);
  2269. }
  2270. int ssl3_get_client_certificate(SSL *s)
  2271. {
  2272. int i,ok,al,ret= -1;
  2273. X509 *x=NULL;
  2274. unsigned long l,nc,llen,n;
  2275. const unsigned char *p,*q;
  2276. unsigned char *d;
  2277. STACK_OF(X509) *sk=NULL;
  2278. n=s->method->ssl_get_message(s,
  2279. SSL3_ST_SR_CERT_A,
  2280. SSL3_ST_SR_CERT_B,
  2281. -1,
  2282. s->max_cert_list,
  2283. &ok);
  2284. if (!ok) return((int)n);
  2285. if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
  2286. {
  2287. if ( (s->verify_mode & SSL_VERIFY_PEER) &&
  2288. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  2289. {
  2290. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  2291. al=SSL_AD_HANDSHAKE_FAILURE;
  2292. goto f_err;
  2293. }
  2294. /* If tls asked for a client cert, the client must return a 0 list */
  2295. if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
  2296. {
  2297. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
  2298. al=SSL_AD_UNEXPECTED_MESSAGE;
  2299. goto f_err;
  2300. }
  2301. s->s3->tmp.reuse_message=1;
  2302. return(1);
  2303. }
  2304. if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
  2305. {
  2306. al=SSL_AD_UNEXPECTED_MESSAGE;
  2307. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
  2308. goto f_err;
  2309. }
  2310. p=d=(unsigned char *)s->init_msg;
  2311. if ((sk=sk_X509_new_null()) == NULL)
  2312. {
  2313. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  2314. goto err;
  2315. }
  2316. n2l3(p,llen);
  2317. if (llen+3 != n)
  2318. {
  2319. al=SSL_AD_DECODE_ERROR;
  2320. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
  2321. goto f_err;
  2322. }
  2323. for (nc=0; nc<llen; )
  2324. {
  2325. n2l3(p,l);
  2326. if ((l+nc+3) > llen)
  2327. {
  2328. al=SSL_AD_DECODE_ERROR;
  2329. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  2330. goto f_err;
  2331. }
  2332. q=p;
  2333. x=d2i_X509(NULL,&p,l);
  2334. if (x == NULL)
  2335. {
  2336. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
  2337. goto err;
  2338. }
  2339. if (p != (q+l))
  2340. {
  2341. al=SSL_AD_DECODE_ERROR;
  2342. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
  2343. goto f_err;
  2344. }
  2345. if (!sk_X509_push(sk,x))
  2346. {
  2347. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
  2348. goto err;
  2349. }
  2350. x=NULL;
  2351. nc+=l+3;
  2352. }
  2353. if (sk_X509_num(sk) <= 0)
  2354. {
  2355. /* TLS does not mind 0 certs returned */
  2356. if (s->version == SSL3_VERSION)
  2357. {
  2358. al=SSL_AD_HANDSHAKE_FAILURE;
  2359. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
  2360. goto f_err;
  2361. }
  2362. /* Fail for TLS only if we required a certificate */
  2363. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  2364. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  2365. {
  2366. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  2367. al=SSL_AD_HANDSHAKE_FAILURE;
  2368. goto f_err;
  2369. }
  2370. }
  2371. else
  2372. {
  2373. i=ssl_verify_cert_chain(s,sk);
  2374. if (!i)
  2375. {
  2376. al=ssl_verify_alarm_type(s->verify_result);
  2377. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
  2378. goto f_err;
  2379. }
  2380. }
  2381. if (s->session->peer != NULL) /* This should not be needed */
  2382. X509_free(s->session->peer);
  2383. s->session->peer=sk_X509_shift(sk);
  2384. s->session->verify_result = s->verify_result;
  2385. /* With the current implementation, sess_cert will always be NULL
  2386. * when we arrive here. */
  2387. if (s->session->sess_cert == NULL)
  2388. {
  2389. s->session->sess_cert = ssl_sess_cert_new();
  2390. if (s->session->sess_cert == NULL)
  2391. {
  2392. SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
  2393. goto err;
  2394. }
  2395. }
  2396. if (s->session->sess_cert->cert_chain != NULL)
  2397. sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
  2398. s->session->sess_cert->cert_chain=sk;
  2399. /* Inconsistency alert: cert_chain does *not* include the
  2400. * peer's own certificate, while we do include it in s3_clnt.c */
  2401. sk=NULL;
  2402. ret=1;
  2403. if (0)
  2404. {
  2405. f_err:
  2406. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  2407. }
  2408. err:
  2409. if (x != NULL) X509_free(x);
  2410. if (sk != NULL) sk_X509_pop_free(sk,X509_free);
  2411. return(ret);
  2412. }
  2413. int ssl3_send_server_certificate(SSL *s)
  2414. {
  2415. unsigned long l;
  2416. X509 *x;
  2417. if (s->state == SSL3_ST_SW_CERT_A)
  2418. {
  2419. x=ssl_get_server_send_cert(s);
  2420. if (x == NULL &&
  2421. /* VRS: allow null cert if auth == KRB5 */
  2422. (s->s3->tmp.new_cipher->algorithms
  2423. & (SSL_MKEY_MASK|SSL_AUTH_MASK))
  2424. != (SSL_aKRB5|SSL_kKRB5))
  2425. {
  2426. SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
  2427. return(0);
  2428. }
  2429. l=ssl3_output_cert_chain(s,x);
  2430. s->state=SSL3_ST_SW_CERT_B;
  2431. s->init_num=(int)l;
  2432. s->init_off=0;
  2433. }
  2434. /* SSL3_ST_SW_CERT_B */
  2435. return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
  2436. }