s3_clnt.c revision 238405
155714Skris/* ssl/s3_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58100928Snectar/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60100928Snectar * 61100928Snectar * Redistribution and use in source and binary forms, with or without 62100928Snectar * modification, are permitted provided that the following conditions 63100928Snectar * are met: 64100928Snectar * 65100928Snectar * 1. Redistributions of source code must retain the above copyright 66100928Snectar * notice, this list of conditions and the following disclaimer. 67100928Snectar * 68100928Snectar * 2. Redistributions in binary form must reproduce the above copyright 69100928Snectar * notice, this list of conditions and the following disclaimer in 70100928Snectar * the documentation and/or other materials provided with the 71100928Snectar * distribution. 72100928Snectar * 73100928Snectar * 3. All advertising materials mentioning features or use of this 74100928Snectar * software must display the following acknowledgment: 75100928Snectar * "This product includes software developed by the OpenSSL Project 76100928Snectar * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77100928Snectar * 78100928Snectar * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79100928Snectar * endorse or promote products derived from this software without 80100928Snectar * prior written permission. For written permission, please contact 81100928Snectar * openssl-core@openssl.org. 82100928Snectar * 83100928Snectar * 5. Products derived from this software may not be called "OpenSSL" 84100928Snectar * nor may "OpenSSL" appear in their names without prior written 85100928Snectar * permission of the OpenSSL Project. 86100928Snectar * 87100928Snectar * 6. Redistributions of any form whatsoever must retain the following 88100928Snectar * acknowledgment: 89100928Snectar * "This product includes software developed by the OpenSSL Project 90100928Snectar * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91100928Snectar * 92100928Snectar * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93100928Snectar * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94100928Snectar * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95100928Snectar * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96100928Snectar * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97100928Snectar * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98100928Snectar * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99100928Snectar * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100100928Snectar * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101100928Snectar * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102100928Snectar * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103100928Snectar * OF THE POSSIBILITY OF SUCH DAMAGE. 104100928Snectar * ==================================================================== 105100928Snectar * 106100928Snectar * This product includes cryptographic software written by Eric Young 107100928Snectar * (eay@cryptsoft.com). This product includes software written by Tim 108100928Snectar * Hudson (tjh@cryptsoft.com). 109100928Snectar * 110100928Snectar */ 111160814Ssimon/* ==================================================================== 112160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113160814Ssimon * 114160814Ssimon * Portions of the attached software ("Contribution") are developed by 115160814Ssimon * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116160814Ssimon * 117160814Ssimon * The Contribution is licensed pursuant to the OpenSSL open source 118160814Ssimon * license provided above. 119160814Ssimon * 120160814Ssimon * ECC cipher suite support in OpenSSL originally written by 121160814Ssimon * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122160814Ssimon * 123160814Ssimon */ 124238405Sjkim/* ==================================================================== 125238405Sjkim * Copyright 2005 Nokia. All rights reserved. 126238405Sjkim * 127238405Sjkim * The portions of the attached software ("Contribution") is developed by 128238405Sjkim * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129238405Sjkim * license. 130238405Sjkim * 131238405Sjkim * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132238405Sjkim * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133238405Sjkim * support (see RFC 4279) to OpenSSL. 134238405Sjkim * 135238405Sjkim * No patent licenses or other rights except those expressly stated in 136238405Sjkim * the OpenSSL open source license shall be deemed granted or received 137238405Sjkim * expressly, by implication, estoppel, or otherwise. 138238405Sjkim * 139238405Sjkim * No assurances are provided by Nokia that the Contribution does not 140238405Sjkim * infringe the patent or other intellectual property rights of any third 141238405Sjkim * party or that the license provides you with all the necessary rights 142238405Sjkim * to make use of the Contribution. 143238405Sjkim * 144238405Sjkim * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145238405Sjkim * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146238405Sjkim * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147238405Sjkim * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148238405Sjkim * OTHERWISE. 149238405Sjkim */ 15055714Skris 15155714Skris#include <stdio.h> 152109998Smarkm#include "ssl_locl.h" 153109998Smarkm#include "kssl_lcl.h" 15455714Skris#include <openssl/buffer.h> 15555714Skris#include <openssl/rand.h> 15655714Skris#include <openssl/objects.h> 157109998Smarkm#include <openssl/evp.h> 15855714Skris#include <openssl/md5.h> 159194206Ssimon#ifdef OPENSSL_FIPS 160194206Ssimon#include <openssl/fips.h> 161194206Ssimon#endif 162160814Ssimon#ifndef OPENSSL_NO_DH 163160814Ssimon#include <openssl/dh.h> 164160814Ssimon#endif 165160814Ssimon#include <openssl/bn.h> 166194206Ssimon#ifndef OPENSSL_NO_ENGINE 167194206Ssimon#include <openssl/engine.h> 168194206Ssimon#endif 16955714Skris 170238405Sjkimstatic const SSL_METHOD *ssl3_get_client_method(int ver); 17168651Skrisstatic int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 172160814Ssimon 173238405Sjkimstatic const SSL_METHOD *ssl3_get_client_method(int ver) 17455714Skris { 17555714Skris if (ver == SSL3_VERSION) 17655714Skris return(SSLv3_client_method()); 17755714Skris else 17855714Skris return(NULL); 17955714Skris } 18055714Skris 181160814SsimonIMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182160814Ssimon ssl_undefined_function, 183160814Ssimon ssl3_connect, 184160814Ssimon ssl3_get_client_method) 18555714Skris 18655714Skrisint ssl3_connect(SSL *s) 18755714Skris { 188109998Smarkm BUF_MEM *buf=NULL; 189215697Ssimon unsigned long Time=(unsigned long)time(NULL); 190109998Smarkm void (*cb)(const SSL *ssl,int type,int val)=NULL; 19155714Skris int ret= -1; 192194206Ssimon int new_state,state,skip=0; 19355714Skris 19459191Skris RAND_add(&Time,sizeof(Time),0); 19555714Skris ERR_clear_error(); 19655714Skris clear_sys_error(); 19755714Skris 19855714Skris if (s->info_callback != NULL) 19955714Skris cb=s->info_callback; 20055714Skris else if (s->ctx->info_callback != NULL) 20155714Skris cb=s->ctx->info_callback; 20255714Skris 20389837Skris s->in_handshake++; 20455714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 20555714Skris 206238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 207238405Sjkim /* If we're awaiting a HeartbeatResponse, pretend we 208238405Sjkim * already got and don't await it anymore, because 209238405Sjkim * Heartbeats don't make sense during handshakes anyway. 210238405Sjkim */ 211238405Sjkim if (s->tlsext_hb_pending) 212238405Sjkim { 213238405Sjkim s->tlsext_hb_pending = 0; 214238405Sjkim s->tlsext_hb_seq++; 215238405Sjkim } 216238405Sjkim#endif 217238405Sjkim 21855714Skris for (;;) 21955714Skris { 22055714Skris state=s->state; 22155714Skris 22255714Skris switch(s->state) 22355714Skris { 22455714Skris case SSL_ST_RENEGOTIATE: 225238405Sjkim s->renegotiate=1; 22655714Skris s->state=SSL_ST_CONNECT; 22755714Skris s->ctx->stats.sess_connect_renegotiate++; 22855714Skris /* break */ 22955714Skris case SSL_ST_BEFORE: 23055714Skris case SSL_ST_CONNECT: 23155714Skris case SSL_ST_BEFORE|SSL_ST_CONNECT: 23255714Skris case SSL_ST_OK|SSL_ST_CONNECT: 23355714Skris 23455714Skris s->server=0; 23555714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 23655714Skris 23755714Skris if ((s->version & 0xff00 ) != 0x0300) 23868651Skris { 239109998Smarkm SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 24068651Skris ret = -1; 24168651Skris goto end; 24268651Skris } 24368651Skris 24455714Skris /* s->version=SSL3_VERSION; */ 24555714Skris s->type=SSL_ST_CONNECT; 24655714Skris 24755714Skris if (s->init_buf == NULL) 24855714Skris { 24955714Skris if ((buf=BUF_MEM_new()) == NULL) 25055714Skris { 25155714Skris ret= -1; 25255714Skris goto end; 25355714Skris } 25455714Skris if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 25555714Skris { 25655714Skris ret= -1; 25755714Skris goto end; 25855714Skris } 25955714Skris s->init_buf=buf; 260109998Smarkm buf=NULL; 26155714Skris } 26255714Skris 26355714Skris if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 26455714Skris 26555714Skris /* setup buffing BIO */ 26655714Skris if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 26755714Skris 26855714Skris /* don't push the buffering BIO quite yet */ 26955714Skris 27055714Skris ssl3_init_finished_mac(s); 27155714Skris 27255714Skris s->state=SSL3_ST_CW_CLNT_HELLO_A; 27355714Skris s->ctx->stats.sess_connect++; 27455714Skris s->init_num=0; 27555714Skris break; 27655714Skris 27755714Skris case SSL3_ST_CW_CLNT_HELLO_A: 27855714Skris case SSL3_ST_CW_CLNT_HELLO_B: 27955714Skris 28055714Skris s->shutdown=0; 28155714Skris ret=ssl3_client_hello(s); 28255714Skris if (ret <= 0) goto end; 28355714Skris s->state=SSL3_ST_CR_SRVR_HELLO_A; 28455714Skris s->init_num=0; 28555714Skris 28655714Skris /* turn on buffering for the next lot of output */ 28755714Skris if (s->bbio != s->wbio) 28855714Skris s->wbio=BIO_push(s->bbio,s->wbio); 28955714Skris 29055714Skris break; 29155714Skris 29255714Skris case SSL3_ST_CR_SRVR_HELLO_A: 29355714Skris case SSL3_ST_CR_SRVR_HELLO_B: 29455714Skris ret=ssl3_get_server_hello(s); 29555714Skris if (ret <= 0) goto end; 296238405Sjkim 29755714Skris if (s->hit) 298238405Sjkim { 29955714Skris s->state=SSL3_ST_CR_FINISHED_A; 300238405Sjkim#ifndef OPENSSL_NO_TLSEXT 301238405Sjkim if (s->tlsext_ticket_expected) 302238405Sjkim { 303238405Sjkim /* receive renewed session ticket */ 304238405Sjkim s->state=SSL3_ST_CR_SESSION_TICKET_A; 305238405Sjkim } 306238405Sjkim#endif 307238405Sjkim } 30855714Skris else 30955714Skris s->state=SSL3_ST_CR_CERT_A; 31055714Skris s->init_num=0; 31155714Skris break; 31255714Skris 31355714Skris case SSL3_ST_CR_CERT_A: 31455714Skris case SSL3_ST_CR_CERT_B: 315194206Ssimon#ifndef OPENSSL_NO_TLSEXT 316194206Ssimon ret=ssl3_check_finished(s); 317194206Ssimon if (ret <= 0) goto end; 318194206Ssimon if (ret == 2) 319194206Ssimon { 320194206Ssimon s->hit = 1; 321194206Ssimon if (s->tlsext_ticket_expected) 322194206Ssimon s->state=SSL3_ST_CR_SESSION_TICKET_A; 323194206Ssimon else 324194206Ssimon s->state=SSL3_ST_CR_FINISHED_A; 325194206Ssimon s->init_num=0; 326194206Ssimon break; 327194206Ssimon } 328194206Ssimon#endif 329160814Ssimon /* Check if it is anon DH/ECDH */ 330238405Sjkim /* or PSK */ 331238405Sjkim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 332238405Sjkim !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 33355714Skris { 33455714Skris ret=ssl3_get_server_certificate(s); 33555714Skris if (ret <= 0) goto end; 336194206Ssimon#ifndef OPENSSL_NO_TLSEXT 337194206Ssimon if (s->tlsext_status_expected) 338194206Ssimon s->state=SSL3_ST_CR_CERT_STATUS_A; 339194206Ssimon else 340194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 34155714Skris } 34255714Skris else 343194206Ssimon { 344194206Ssimon skip = 1; 345194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 346194206Ssimon } 347194206Ssimon#else 348194206Ssimon } 349194206Ssimon else 35055714Skris skip=1; 351194206Ssimon 35255714Skris s->state=SSL3_ST_CR_KEY_EXCH_A; 353194206Ssimon#endif 35455714Skris s->init_num=0; 35555714Skris break; 35655714Skris 35755714Skris case SSL3_ST_CR_KEY_EXCH_A: 35855714Skris case SSL3_ST_CR_KEY_EXCH_B: 35955714Skris ret=ssl3_get_key_exchange(s); 36055714Skris if (ret <= 0) goto end; 36155714Skris s->state=SSL3_ST_CR_CERT_REQ_A; 36255714Skris s->init_num=0; 36355714Skris 36455714Skris /* at this point we check that we have the 36555714Skris * required stuff from the server */ 36655714Skris if (!ssl3_check_cert_and_algorithm(s)) 36755714Skris { 36855714Skris ret= -1; 36955714Skris goto end; 37055714Skris } 37155714Skris break; 37255714Skris 37355714Skris case SSL3_ST_CR_CERT_REQ_A: 37455714Skris case SSL3_ST_CR_CERT_REQ_B: 37555714Skris ret=ssl3_get_certificate_request(s); 37655714Skris if (ret <= 0) goto end; 37755714Skris s->state=SSL3_ST_CR_SRVR_DONE_A; 37855714Skris s->init_num=0; 37955714Skris break; 38055714Skris 38155714Skris case SSL3_ST_CR_SRVR_DONE_A: 38255714Skris case SSL3_ST_CR_SRVR_DONE_B: 38355714Skris ret=ssl3_get_server_done(s); 38455714Skris if (ret <= 0) goto end; 385238405Sjkim#ifndef OPENSSL_NO_SRP 386238405Sjkim if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 387238405Sjkim { 388238405Sjkim if ((ret = SRP_Calc_A_param(s))<=0) 389238405Sjkim { 390238405Sjkim SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC); 391238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); 392238405Sjkim goto end; 393238405Sjkim } 394238405Sjkim } 395238405Sjkim#endif 39655714Skris if (s->s3->tmp.cert_req) 39755714Skris s->state=SSL3_ST_CW_CERT_A; 39855714Skris else 39955714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 40055714Skris s->init_num=0; 40155714Skris 40255714Skris break; 40355714Skris 40455714Skris case SSL3_ST_CW_CERT_A: 40555714Skris case SSL3_ST_CW_CERT_B: 40655714Skris case SSL3_ST_CW_CERT_C: 40755714Skris case SSL3_ST_CW_CERT_D: 40855714Skris ret=ssl3_send_client_certificate(s); 40955714Skris if (ret <= 0) goto end; 41055714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 41155714Skris s->init_num=0; 41255714Skris break; 41355714Skris 41455714Skris case SSL3_ST_CW_KEY_EXCH_A: 41555714Skris case SSL3_ST_CW_KEY_EXCH_B: 41655714Skris ret=ssl3_send_client_key_exchange(s); 41755714Skris if (ret <= 0) goto end; 41855714Skris /* EAY EAY EAY need to check for DH fix cert 41955714Skris * sent back */ 42055714Skris /* For TLS, cert_req is set to 2, so a cert chain 42155714Skris * of nothing is sent, but no verify packet is sent */ 422160814Ssimon /* XXX: For now, we do not support client 423160814Ssimon * authentication in ECDH cipher suites with 424160814Ssimon * ECDH (rather than ECDSA) certificates. 425160814Ssimon * We need to skip the certificate verify 426160814Ssimon * message when client's ECDH public key is sent 427160814Ssimon * inside the client certificate. 428160814Ssimon */ 42955714Skris if (s->s3->tmp.cert_req == 1) 43055714Skris { 43155714Skris s->state=SSL3_ST_CW_CERT_VRFY_A; 43255714Skris } 43355714Skris else 43455714Skris { 43555714Skris s->state=SSL3_ST_CW_CHANGE_A; 43655714Skris s->s3->change_cipher_spec=0; 43755714Skris } 438238405Sjkim if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 439238405Sjkim { 440238405Sjkim s->state=SSL3_ST_CW_CHANGE_A; 441238405Sjkim s->s3->change_cipher_spec=0; 442238405Sjkim } 44355714Skris 44455714Skris s->init_num=0; 44555714Skris break; 44655714Skris 44755714Skris case SSL3_ST_CW_CERT_VRFY_A: 44855714Skris case SSL3_ST_CW_CERT_VRFY_B: 44955714Skris ret=ssl3_send_client_verify(s); 45055714Skris if (ret <= 0) goto end; 45155714Skris s->state=SSL3_ST_CW_CHANGE_A; 45255714Skris s->init_num=0; 45355714Skris s->s3->change_cipher_spec=0; 45455714Skris break; 45555714Skris 45655714Skris case SSL3_ST_CW_CHANGE_A: 45755714Skris case SSL3_ST_CW_CHANGE_B: 45855714Skris ret=ssl3_send_change_cipher_spec(s, 45955714Skris SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 46055714Skris if (ret <= 0) goto end; 461238405Sjkim 462238405Sjkim 463238405Sjkim#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 46455714Skris s->state=SSL3_ST_CW_FINISHED_A; 465238405Sjkim#else 466238405Sjkim if (s->s3->next_proto_neg_seen) 467238405Sjkim s->state=SSL3_ST_CW_NEXT_PROTO_A; 468238405Sjkim else 469238405Sjkim s->state=SSL3_ST_CW_FINISHED_A; 470238405Sjkim#endif 47155714Skris s->init_num=0; 47255714Skris 47355714Skris s->session->cipher=s->s3->tmp.new_cipher; 474160814Ssimon#ifdef OPENSSL_NO_COMP 475160814Ssimon s->session->compress_meth=0; 476160814Ssimon#else 47755714Skris if (s->s3->tmp.new_compression == NULL) 47855714Skris s->session->compress_meth=0; 47955714Skris else 48055714Skris s->session->compress_meth= 48155714Skris s->s3->tmp.new_compression->id; 482160814Ssimon#endif 48355714Skris if (!s->method->ssl3_enc->setup_key_block(s)) 48455714Skris { 48555714Skris ret= -1; 48655714Skris goto end; 48755714Skris } 48855714Skris 48955714Skris if (!s->method->ssl3_enc->change_cipher_state(s, 49055714Skris SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 49155714Skris { 49255714Skris ret= -1; 49355714Skris goto end; 49455714Skris } 49555714Skris 49655714Skris break; 49755714Skris 498238405Sjkim#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 499238405Sjkim case SSL3_ST_CW_NEXT_PROTO_A: 500238405Sjkim case SSL3_ST_CW_NEXT_PROTO_B: 501238405Sjkim ret=ssl3_send_next_proto(s); 502238405Sjkim if (ret <= 0) goto end; 503238405Sjkim s->state=SSL3_ST_CW_FINISHED_A; 504238405Sjkim break; 505238405Sjkim#endif 506238405Sjkim 50755714Skris case SSL3_ST_CW_FINISHED_A: 50855714Skris case SSL3_ST_CW_FINISHED_B: 50955714Skris ret=ssl3_send_finished(s, 51055714Skris SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 51159191Skris s->method->ssl3_enc->client_finished_label, 51259191Skris s->method->ssl3_enc->client_finished_label_len); 51355714Skris if (ret <= 0) goto end; 51455714Skris s->state=SSL3_ST_CW_FLUSH; 51555714Skris 51655714Skris /* clear flags */ 51755714Skris s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 51855714Skris if (s->hit) 51955714Skris { 52055714Skris s->s3->tmp.next_state=SSL_ST_OK; 52155714Skris if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 52255714Skris { 52355714Skris s->state=SSL_ST_OK; 52455714Skris s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 52555714Skris s->s3->delay_buf_pop_ret=0; 52655714Skris } 52755714Skris } 52855714Skris else 52955714Skris { 530194206Ssimon#ifndef OPENSSL_NO_TLSEXT 531194206Ssimon /* Allow NewSessionTicket if ticket expected */ 532194206Ssimon if (s->tlsext_ticket_expected) 533194206Ssimon s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 534194206Ssimon else 535194206Ssimon#endif 536194206Ssimon 53755714Skris s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 53855714Skris } 53955714Skris s->init_num=0; 54055714Skris break; 54155714Skris 542194206Ssimon#ifndef OPENSSL_NO_TLSEXT 543194206Ssimon case SSL3_ST_CR_SESSION_TICKET_A: 544194206Ssimon case SSL3_ST_CR_SESSION_TICKET_B: 545194206Ssimon ret=ssl3_get_new_session_ticket(s); 546194206Ssimon if (ret <= 0) goto end; 547194206Ssimon s->state=SSL3_ST_CR_FINISHED_A; 548194206Ssimon s->init_num=0; 549194206Ssimon break; 550194206Ssimon 551194206Ssimon case SSL3_ST_CR_CERT_STATUS_A: 552194206Ssimon case SSL3_ST_CR_CERT_STATUS_B: 553194206Ssimon ret=ssl3_get_cert_status(s); 554194206Ssimon if (ret <= 0) goto end; 555194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 556194206Ssimon s->init_num=0; 557194206Ssimon break; 558194206Ssimon#endif 559194206Ssimon 56055714Skris case SSL3_ST_CR_FINISHED_A: 56155714Skris case SSL3_ST_CR_FINISHED_B: 56255714Skris 56355714Skris ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 56455714Skris SSL3_ST_CR_FINISHED_B); 56555714Skris if (ret <= 0) goto end; 56655714Skris 56755714Skris if (s->hit) 56855714Skris s->state=SSL3_ST_CW_CHANGE_A; 56955714Skris else 57055714Skris s->state=SSL_ST_OK; 57155714Skris s->init_num=0; 57255714Skris break; 57355714Skris 57455714Skris case SSL3_ST_CW_FLUSH: 575205128Ssimon s->rwstate=SSL_WRITING; 576205128Ssimon if (BIO_flush(s->wbio) <= 0) 57755714Skris { 578205128Ssimon ret= -1; 579205128Ssimon goto end; 58055714Skris } 581205128Ssimon s->rwstate=SSL_NOTHING; 58255714Skris s->state=s->s3->tmp.next_state; 58355714Skris break; 58455714Skris 58555714Skris case SSL_ST_OK: 58655714Skris /* clean a few things up */ 58755714Skris ssl3_cleanup_key_block(s); 58855714Skris 58955714Skris if (s->init_buf != NULL) 59055714Skris { 59155714Skris BUF_MEM_free(s->init_buf); 59255714Skris s->init_buf=NULL; 59355714Skris } 59455714Skris 59555714Skris /* If we are not 'joining' the last two packets, 59655714Skris * remove the buffering now */ 59755714Skris if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 59855714Skris ssl_free_wbio_buffer(s); 59955714Skris /* else do it later in ssl3_write */ 60055714Skris 60155714Skris s->init_num=0; 602238405Sjkim s->renegotiate=0; 60355714Skris s->new_session=0; 60455714Skris 60555714Skris ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 60655714Skris if (s->hit) s->ctx->stats.sess_hit++; 60755714Skris 60855714Skris ret=1; 60955714Skris /* s->server=0; */ 61055714Skris s->handshake_func=ssl3_connect; 61155714Skris s->ctx->stats.sess_connect_good++; 61255714Skris 61355714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 61455714Skris 61555714Skris goto end; 61655714Skris /* break; */ 61755714Skris 61855714Skris default: 61955714Skris SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 62055714Skris ret= -1; 62155714Skris goto end; 62255714Skris /* break; */ 62355714Skris } 62455714Skris 62555714Skris /* did we do anything */ 62655714Skris if (!s->s3->tmp.reuse_message && !skip) 62755714Skris { 62855714Skris if (s->debug) 62955714Skris { 63055714Skris if ((ret=BIO_flush(s->wbio)) <= 0) 63155714Skris goto end; 63255714Skris } 63355714Skris 63455714Skris if ((cb != NULL) && (s->state != state)) 63555714Skris { 63655714Skris new_state=s->state; 63755714Skris s->state=state; 63855714Skris cb(s,SSL_CB_CONNECT_LOOP,1); 63955714Skris s->state=new_state; 64055714Skris } 64155714Skris } 64255714Skris skip=0; 64355714Skris } 64455714Skrisend: 64589837Skris s->in_handshake--; 646109998Smarkm if (buf != NULL) 647109998Smarkm BUF_MEM_free(buf); 64855714Skris if (cb != NULL) 64955714Skris cb(s,SSL_CB_CONNECT_EXIT,ret); 65055714Skris return(ret); 65155714Skris } 65255714Skris 65355714Skris 654160814Ssimonint ssl3_client_hello(SSL *s) 65555714Skris { 65655714Skris unsigned char *buf; 65755714Skris unsigned char *p,*d; 658160814Ssimon int i; 65955714Skris unsigned long Time,l; 660160814Ssimon#ifndef OPENSSL_NO_COMP 661160814Ssimon int j; 66255714Skris SSL_COMP *comp; 663160814Ssimon#endif 66455714Skris 66555714Skris buf=(unsigned char *)s->init_buf->data; 66655714Skris if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 66755714Skris { 668205128Ssimon SSL_SESSION *sess = s->session; 669205128Ssimon if ((sess == NULL) || 670205128Ssimon (sess->ssl_version != s->version) || 671205128Ssimon#ifdef OPENSSL_NO_TLSEXT 672205128Ssimon !sess->session_id_length || 673205128Ssimon#else 674205128Ssimon (!sess->session_id_length && !sess->tlsext_tick) || 675205128Ssimon#endif 676205128Ssimon (sess->not_resumable)) 67755714Skris { 67855714Skris if (!ssl_get_new_session(s,0)) 67955714Skris goto err; 68055714Skris } 68155714Skris /* else use the pre-loaded session */ 68255714Skris 68355714Skris p=s->s3->client_random; 684160814Ssimon Time=(unsigned long)time(NULL); /* Time */ 68555714Skris l2n(Time,p); 686160814Ssimon if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 687160814Ssimon goto err; 68855714Skris 68955714Skris /* Do the message type and length last */ 69055714Skris d=p= &(buf[4]); 69155714Skris 692238405Sjkim /* version indicates the negotiated version: for example from 693238405Sjkim * an SSLv2/v3 compatible client hello). The client_version 694238405Sjkim * field is the maximum version we permit and it is also 695238405Sjkim * used in RSA encrypted premaster secrets. Some servers can 696238405Sjkim * choke if we initially report a higher version then 697238405Sjkim * renegotiate to a lower one in the premaster secret. This 698238405Sjkim * didn't happen with TLS 1.0 as most servers supported it 699238405Sjkim * but it can with TLS 1.1 or later if the server only supports 700238405Sjkim * 1.0. 701238405Sjkim * 702238405Sjkim * Possible scenario with previous logic: 703238405Sjkim * 1. Client hello indicates TLS 1.2 704238405Sjkim * 2. Server hello says TLS 1.0 705238405Sjkim * 3. RSA encrypted premaster secret uses 1.2. 706238405Sjkim * 4. Handhaked proceeds using TLS 1.0. 707238405Sjkim * 5. Server sends hello request to renegotiate. 708238405Sjkim * 6. Client hello indicates TLS v1.0 as we now 709238405Sjkim * know that is maximum server supports. 710238405Sjkim * 7. Server chokes on RSA encrypted premaster secret 711238405Sjkim * containing version 1.0. 712238405Sjkim * 713238405Sjkim * For interoperability it should be OK to always use the 714238405Sjkim * maximum version we support in client hello and then rely 715238405Sjkim * on the checking of version to ensure the servers isn't 716238405Sjkim * being inconsistent: for example initially negotiating with 717238405Sjkim * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 718238405Sjkim * client_version in client hello and not resetting it to 719238405Sjkim * the negotiated version. 720238405Sjkim */ 721238405Sjkim#if 0 72255714Skris *(p++)=s->version>>8; 72355714Skris *(p++)=s->version&0xff; 72455714Skris s->client_version=s->version; 725238405Sjkim#else 726238405Sjkim *(p++)=s->client_version>>8; 727238405Sjkim *(p++)=s->client_version&0xff; 728238405Sjkim#endif 72955714Skris 73055714Skris /* Random stuff */ 73155714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 73255714Skris p+=SSL3_RANDOM_SIZE; 73355714Skris 73455714Skris /* Session ID */ 73555714Skris if (s->new_session) 73655714Skris i=0; 73755714Skris else 73855714Skris i=s->session->session_id_length; 73955714Skris *(p++)=i; 74055714Skris if (i != 0) 74155714Skris { 742160814Ssimon if (i > (int)sizeof(s->session->session_id)) 743101615Snectar { 744109998Smarkm SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 745101615Snectar goto err; 746101615Snectar } 74755714Skris memcpy(p,s->session->session_id,i); 74855714Skris p+=i; 74955714Skris } 75055714Skris 75155714Skris /* Ciphers supported */ 752160814Ssimon i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 75355714Skris if (i == 0) 75455714Skris { 75555714Skris SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 75655714Skris goto err; 75755714Skris } 758238405Sjkim#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 759238405Sjkim /* Some servers hang if client hello > 256 bytes 760238405Sjkim * as hack workaround chop number of supported ciphers 761238405Sjkim * to keep it well below this if we use TLS v1.2 762238405Sjkim */ 763238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION 764238405Sjkim && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 765238405Sjkim i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 766238405Sjkim#endif 76755714Skris s2n(i,p); 76855714Skris p+=i; 76955714Skris 77055714Skris /* COMPRESSION */ 771160814Ssimon#ifdef OPENSSL_NO_COMP 772160814Ssimon *(p++)=1; 773160814Ssimon#else 774238405Sjkim 775238405Sjkim if ((s->options & SSL_OP_NO_COMPRESSION) 776238405Sjkim || !s->ctx->comp_methods) 77755714Skris j=0; 77855714Skris else 77955714Skris j=sk_SSL_COMP_num(s->ctx->comp_methods); 78055714Skris *(p++)=1+j; 78155714Skris for (i=0; i<j; i++) 78255714Skris { 78355714Skris comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 78455714Skris *(p++)=comp->id; 78555714Skris } 786160814Ssimon#endif 78755714Skris *(p++)=0; /* Add the NULL method */ 788238405Sjkim 789194206Ssimon#ifndef OPENSSL_NO_TLSEXT 790238405Sjkim /* TLS extensions*/ 791238405Sjkim if (ssl_prepare_clienthello_tlsext(s) <= 0) 792238405Sjkim { 793238405Sjkim SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 794238405Sjkim goto err; 795238405Sjkim } 796194206Ssimon if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 797194206Ssimon { 798194206Ssimon SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 799194206Ssimon goto err; 800194206Ssimon } 801238405Sjkim#endif 802238405Sjkim 80355714Skris l=(p-d); 80455714Skris d=buf; 80555714Skris *(d++)=SSL3_MT_CLIENT_HELLO; 80655714Skris l2n3(l,d); 80755714Skris 80855714Skris s->state=SSL3_ST_CW_CLNT_HELLO_B; 80955714Skris /* number of bytes to write */ 81055714Skris s->init_num=p-buf; 81155714Skris s->init_off=0; 81255714Skris } 81355714Skris 81455714Skris /* SSL3_ST_CW_CLNT_HELLO_B */ 81555714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 81655714Skriserr: 81755714Skris return(-1); 81855714Skris } 81955714Skris 820160814Ssimonint ssl3_get_server_hello(SSL *s) 82155714Skris { 82255714Skris STACK_OF(SSL_CIPHER) *sk; 823238405Sjkim const SSL_CIPHER *c; 82455714Skris unsigned char *p,*d; 82555714Skris int i,al,ok; 82655714Skris unsigned int j; 82755714Skris long n; 828160814Ssimon#ifndef OPENSSL_NO_COMP 82955714Skris SSL_COMP *comp; 830160814Ssimon#endif 83155714Skris 832160814Ssimon n=s->method->ssl_get_message(s, 83355714Skris SSL3_ST_CR_SRVR_HELLO_A, 83455714Skris SSL3_ST_CR_SRVR_HELLO_B, 835160814Ssimon -1, 836194206Ssimon 20000, /* ?? */ 83755714Skris &ok); 83855714Skris 83955714Skris if (!ok) return((int)n); 840160814Ssimon 841205128Ssimon if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 842160814Ssimon { 843160814Ssimon if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 844160814Ssimon { 845160814Ssimon if ( s->d1->send_cookie == 0) 846160814Ssimon { 847160814Ssimon s->s3->tmp.reuse_message = 1; 848160814Ssimon return 1; 849160814Ssimon } 850160814Ssimon else /* already sent a cookie */ 851160814Ssimon { 852160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 853160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 854160814Ssimon goto f_err; 855160814Ssimon } 856160814Ssimon } 857160814Ssimon } 858160814Ssimon 859160814Ssimon if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 860160814Ssimon { 861160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 862160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 863160814Ssimon goto f_err; 864160814Ssimon } 865160814Ssimon 866109998Smarkm d=p=(unsigned char *)s->init_msg; 86755714Skris 86855714Skris if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 86955714Skris { 87055714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 87155714Skris s->version=(s->version&0xff00)|p[1]; 87255714Skris al=SSL_AD_PROTOCOL_VERSION; 87355714Skris goto f_err; 87455714Skris } 87555714Skris p+=2; 87655714Skris 87755714Skris /* load the server hello data */ 87855714Skris /* load the server random */ 87955714Skris memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 88055714Skris p+=SSL3_RANDOM_SIZE; 88155714Skris 88255714Skris /* get the session-id */ 88355714Skris j= *(p++); 88455714Skris 885109998Smarkm if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 88655714Skris { 887109998Smarkm al=SSL_AD_ILLEGAL_PARAMETER; 888109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 889109998Smarkm goto f_err; 89055714Skris } 891109998Smarkm 892238405Sjkim#ifndef OPENSSL_NO_TLSEXT 893238405Sjkim /* check if we want to resume the session based on external pre-shared secret */ 894238405Sjkim if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 895238405Sjkim { 896238405Sjkim SSL_CIPHER *pref_cipher=NULL; 897238405Sjkim s->session->master_key_length=sizeof(s->session->master_key); 898238405Sjkim if (s->tls_session_secret_cb(s, s->session->master_key, 899238405Sjkim &s->session->master_key_length, 900238405Sjkim NULL, &pref_cipher, 901238405Sjkim s->tls_session_secret_cb_arg)) 902238405Sjkim { 903238405Sjkim s->session->cipher = pref_cipher ? 904238405Sjkim pref_cipher : ssl_get_cipher_by_char(s, p+j); 905238405Sjkim } 906238405Sjkim } 907238405Sjkim#endif /* OPENSSL_NO_TLSEXT */ 908238405Sjkim 90955714Skris if (j != 0 && j == s->session->session_id_length 91055714Skris && memcmp(p,s->session->session_id,j) == 0) 91155714Skris { 91255714Skris if(s->sid_ctx_length != s->session->sid_ctx_length 91355714Skris || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 91455714Skris { 915109998Smarkm /* actually a client application bug */ 91655714Skris al=SSL_AD_ILLEGAL_PARAMETER; 91755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 91855714Skris goto f_err; 91955714Skris } 92055714Skris s->hit=1; 92155714Skris } 92255714Skris else /* a miss or crap from the other end */ 92355714Skris { 92455714Skris /* If we were trying for session-id reuse, make a new 92555714Skris * SSL_SESSION so we don't stuff up other people */ 92655714Skris s->hit=0; 92755714Skris if (s->session->session_id_length > 0) 92855714Skris { 92955714Skris if (!ssl_get_new_session(s,0)) 93055714Skris { 93155714Skris al=SSL_AD_INTERNAL_ERROR; 93255714Skris goto f_err; 93355714Skris } 93455714Skris } 93555714Skris s->session->session_id_length=j; 93655714Skris memcpy(s->session->session_id,p,j); /* j could be 0 */ 93755714Skris } 93855714Skris p+=j; 93955714Skris c=ssl_get_cipher_by_char(s,p); 94055714Skris if (c == NULL) 94155714Skris { 94255714Skris /* unknown cipher */ 94355714Skris al=SSL_AD_ILLEGAL_PARAMETER; 94455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 94555714Skris goto f_err; 94655714Skris } 947238405Sjkim /* TLS v1.2 only ciphersuites require v1.2 or later */ 948238405Sjkim if ((c->algorithm_ssl & SSL_TLSV1_2) && 949238405Sjkim (TLS1_get_version(s) < TLS1_2_VERSION)) 950238405Sjkim { 951238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 952238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 953238405Sjkim goto f_err; 954238405Sjkim } 95555714Skris p+=ssl_put_cipher_by_char(s,NULL,NULL); 95655714Skris 95755714Skris sk=ssl_get_ciphers_by_id(s); 95855714Skris i=sk_SSL_CIPHER_find(sk,c); 95955714Skris if (i < 0) 96055714Skris { 96155714Skris /* we did not say we would use this cipher */ 96255714Skris al=SSL_AD_ILLEGAL_PARAMETER; 96355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 96455714Skris goto f_err; 96555714Skris } 96655714Skris 967109998Smarkm /* Depending on the session caching (internal/external), the cipher 968109998Smarkm and/or cipher_id values may not be set. Make sure that 969109998Smarkm cipher_id is set and use it for comparison. */ 970109998Smarkm if (s->session->cipher) 971109998Smarkm s->session->cipher_id = s->session->cipher->id; 972109998Smarkm if (s->hit && (s->session->cipher_id != c->id)) 97355714Skris { 974216166Ssimon/* Workaround is now obsolete */ 975216166Ssimon#if 0 97655714Skris if (!(s->options & 97755714Skris SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 978216166Ssimon#endif 97955714Skris { 98055714Skris al=SSL_AD_ILLEGAL_PARAMETER; 98155714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 98255714Skris goto f_err; 98355714Skris } 98455714Skris } 98555714Skris s->s3->tmp.new_cipher=c; 986238405Sjkim /* Don't digest cached records if TLS v1.2: we may need them for 987238405Sjkim * client authentication. 988238405Sjkim */ 989238405Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 990238405Sjkim goto f_err; 99155714Skris /* lets get the compression algorithm */ 99255714Skris /* COMPRESSION */ 993160814Ssimon#ifdef OPENSSL_NO_COMP 994160814Ssimon if (*(p++) != 0) 995160814Ssimon { 996160814Ssimon al=SSL_AD_ILLEGAL_PARAMETER; 997160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 998160814Ssimon goto f_err; 999160814Ssimon } 1000238405Sjkim /* If compression is disabled we'd better not try to resume a session 1001238405Sjkim * using compression. 1002238405Sjkim */ 1003238405Sjkim if (s->session->compress_meth != 0) 1004238405Sjkim { 1005238405Sjkim al=SSL_AD_INTERNAL_ERROR; 1006238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1007238405Sjkim goto f_err; 1008238405Sjkim } 1009160814Ssimon#else 101055714Skris j= *(p++); 1011238405Sjkim if (s->hit && j != s->session->compress_meth) 1012238405Sjkim { 1013238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 1014238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1015238405Sjkim goto f_err; 1016238405Sjkim } 101755714Skris if (j == 0) 101855714Skris comp=NULL; 1019238405Sjkim else if (s->options & SSL_OP_NO_COMPRESSION) 1020238405Sjkim { 1021238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 1022238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); 1023238405Sjkim goto f_err; 1024238405Sjkim } 102555714Skris else 102655714Skris comp=ssl3_comp_find(s->ctx->comp_methods,j); 102755714Skris 102855714Skris if ((j != 0) && (comp == NULL)) 102955714Skris { 103055714Skris al=SSL_AD_ILLEGAL_PARAMETER; 103155714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 103255714Skris goto f_err; 103355714Skris } 103455714Skris else 103555714Skris { 103655714Skris s->s3->tmp.new_compression=comp; 103755714Skris } 1038160814Ssimon#endif 1039238405Sjkim 1040194206Ssimon#ifndef OPENSSL_NO_TLSEXT 1041194206Ssimon /* TLS extensions*/ 1042205128Ssimon if (s->version >= SSL3_VERSION) 1043194206Ssimon { 1044194206Ssimon if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 1045194206Ssimon { 1046194206Ssimon /* 'al' set by ssl_parse_serverhello_tlsext */ 1047194206Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1048194206Ssimon goto f_err; 1049194206Ssimon } 1050194206Ssimon if (ssl_check_serverhello_tlsext(s) <= 0) 1051194206Ssimon { 1052194206Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1053194206Ssimon goto err; 1054194206Ssimon } 1055194206Ssimon } 1056194206Ssimon#endif 105755714Skris 105855714Skris if (p != (d+n)) 105955714Skris { 106055714Skris /* wrong packet length */ 106155714Skris al=SSL_AD_DECODE_ERROR; 106255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1063237657Sjkim goto f_err; 106455714Skris } 106555714Skris 106655714Skris return(1); 106755714Skrisf_err: 106855714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 106955714Skriserr: 107055714Skris return(-1); 107155714Skris } 107255714Skris 1073160814Ssimonint ssl3_get_server_certificate(SSL *s) 107455714Skris { 107555714Skris int al,i,ok,ret= -1; 107655714Skris unsigned long n,nc,llen,l; 107755714Skris X509 *x=NULL; 1078160814Ssimon const unsigned char *q,*p; 1079160814Ssimon unsigned char *d; 108055714Skris STACK_OF(X509) *sk=NULL; 108155714Skris SESS_CERT *sc; 108255714Skris EVP_PKEY *pkey=NULL; 1083160814Ssimon int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 108455714Skris 1085160814Ssimon n=s->method->ssl_get_message(s, 108655714Skris SSL3_ST_CR_CERT_A, 108755714Skris SSL3_ST_CR_CERT_B, 108855714Skris -1, 1089109998Smarkm s->max_cert_list, 109055714Skris &ok); 109155714Skris 109255714Skris if (!ok) return((int)n); 109355714Skris 1094194206Ssimon if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1095238405Sjkim ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1096194206Ssimon (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 109755714Skris { 109855714Skris s->s3->tmp.reuse_message=1; 109955714Skris return(1); 110055714Skris } 110155714Skris 110255714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 110355714Skris { 110455714Skris al=SSL_AD_UNEXPECTED_MESSAGE; 110555714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 110655714Skris goto f_err; 110755714Skris } 1108160814Ssimon p=d=(unsigned char *)s->init_msg; 110955714Skris 111055714Skris if ((sk=sk_X509_new_null()) == NULL) 111155714Skris { 111255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 111355714Skris goto err; 111455714Skris } 111555714Skris 111655714Skris n2l3(p,llen); 111755714Skris if (llen+3 != n) 111855714Skris { 111955714Skris al=SSL_AD_DECODE_ERROR; 112055714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 112155714Skris goto f_err; 112255714Skris } 112355714Skris for (nc=0; nc<llen; ) 112455714Skris { 112555714Skris n2l3(p,l); 112655714Skris if ((l+nc+3) > llen) 112755714Skris { 112855714Skris al=SSL_AD_DECODE_ERROR; 112955714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 113055714Skris goto f_err; 113155714Skris } 113255714Skris 113355714Skris q=p; 113455714Skris x=d2i_X509(NULL,&q,l); 113555714Skris if (x == NULL) 113655714Skris { 113755714Skris al=SSL_AD_BAD_CERTIFICATE; 113855714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 113955714Skris goto f_err; 114055714Skris } 114155714Skris if (q != (p+l)) 114255714Skris { 114355714Skris al=SSL_AD_DECODE_ERROR; 114455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 114555714Skris goto f_err; 114655714Skris } 114755714Skris if (!sk_X509_push(sk,x)) 114855714Skris { 114955714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 115055714Skris goto err; 115155714Skris } 115255714Skris x=NULL; 115355714Skris nc+=l+3; 115455714Skris p=q; 115555714Skris } 115655714Skris 115755714Skris i=ssl_verify_cert_chain(s,sk); 1158186872Ssimon if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1159109998Smarkm#ifndef OPENSSL_NO_KRB5 1160238405Sjkim && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1161238405Sjkim (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1162109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 1163238405Sjkim ) 116455714Skris { 116555714Skris al=ssl_verify_alarm_type(s->verify_result); 116655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 116755714Skris goto f_err; 116855714Skris } 116968651Skris ERR_clear_error(); /* but we keep s->verify_result */ 117055714Skris 117155714Skris sc=ssl_sess_cert_new(); 117255714Skris if (sc == NULL) goto err; 117355714Skris 117455714Skris if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 117555714Skris s->session->sess_cert=sc; 117655714Skris 117755714Skris sc->cert_chain=sk; 117859191Skris /* Inconsistency alert: cert_chain does include the peer's 117959191Skris * certificate, which we don't include in s3_srvr.c */ 118055714Skris x=sk_X509_value(sk,0); 118155714Skris sk=NULL; 1182109998Smarkm /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 118355714Skris 118455714Skris pkey=X509_get_pubkey(x); 118555714Skris 1186160814Ssimon /* VRS: allow null cert if auth == KRB5 */ 1187238405Sjkim need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1188238405Sjkim (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1189238405Sjkim ? 0 : 1; 1190109998Smarkm 1191109998Smarkm#ifdef KSSL_DEBUG 1192238405Sjkim printf("pkey,x = %p, %p\n", pkey,x); 1193109998Smarkm printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1194238405Sjkim printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1195238405Sjkim s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1196109998Smarkm#endif /* KSSL_DEBUG */ 1197109998Smarkm 1198109998Smarkm if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 119955714Skris { 120055714Skris x=NULL; 120155714Skris al=SSL3_AL_FATAL; 1202109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1203109998Smarkm SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 120455714Skris goto f_err; 120555714Skris } 120655714Skris 120755714Skris i=ssl_cert_type(x,pkey); 1208109998Smarkm if (need_cert && i < 0) 120955714Skris { 121055714Skris x=NULL; 121155714Skris al=SSL3_AL_FATAL; 1212109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1213109998Smarkm SSL_R_UNKNOWN_CERTIFICATE_TYPE); 121455714Skris goto f_err; 121555714Skris } 121655714Skris 1217160814Ssimon if (need_cert) 1218160814Ssimon { 1219160814Ssimon sc->peer_cert_type=i; 1220160814Ssimon CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1221160814Ssimon /* Why would the following ever happen? 1222160814Ssimon * We just created sc a couple of lines ago. */ 1223160814Ssimon if (sc->peer_pkeys[i].x509 != NULL) 1224160814Ssimon X509_free(sc->peer_pkeys[i].x509); 1225160814Ssimon sc->peer_pkeys[i].x509=x; 1226160814Ssimon sc->peer_key= &(sc->peer_pkeys[i]); 122755714Skris 1228160814Ssimon if (s->session->peer != NULL) 1229160814Ssimon X509_free(s->session->peer); 1230160814Ssimon CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1231160814Ssimon s->session->peer=x; 1232160814Ssimon } 1233160814Ssimon else 1234160814Ssimon { 1235160814Ssimon sc->peer_cert_type=i; 1236160814Ssimon sc->peer_key= NULL; 1237109998Smarkm 1238160814Ssimon if (s->session->peer != NULL) 1239160814Ssimon X509_free(s->session->peer); 1240160814Ssimon s->session->peer=NULL; 1241160814Ssimon } 124272613Skris s->session->verify_result = s->verify_result; 124355714Skris 124455714Skris x=NULL; 124555714Skris ret=1; 124655714Skris 124755714Skris if (0) 124855714Skris { 124955714Skrisf_err: 125055714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 125155714Skris } 125255714Skriserr: 125355714Skris EVP_PKEY_free(pkey); 125455714Skris X509_free(x); 125555714Skris sk_X509_pop_free(sk,X509_free); 125655714Skris return(ret); 125755714Skris } 125855714Skris 1259160814Ssimonint ssl3_get_key_exchange(SSL *s) 126055714Skris { 1261109998Smarkm#ifndef OPENSSL_NO_RSA 126255714Skris unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 126355714Skris#endif 126455714Skris EVP_MD_CTX md_ctx; 126555714Skris unsigned char *param,*p; 126655714Skris int al,i,j,param_len,ok; 1267238405Sjkim long n,alg_k,alg_a; 126855714Skris EVP_PKEY *pkey=NULL; 1269238405Sjkim const EVP_MD *md = NULL; 1270109998Smarkm#ifndef OPENSSL_NO_RSA 127155714Skris RSA *rsa=NULL; 127255714Skris#endif 1273109998Smarkm#ifndef OPENSSL_NO_DH 127455714Skris DH *dh=NULL; 127555714Skris#endif 1276160814Ssimon#ifndef OPENSSL_NO_ECDH 1277160814Ssimon EC_KEY *ecdh = NULL; 1278160814Ssimon BN_CTX *bn_ctx = NULL; 1279160814Ssimon EC_POINT *srvr_ecpoint = NULL; 1280160814Ssimon int curve_nid = 0; 1281160814Ssimon int encoded_pt_len = 0; 1282160814Ssimon#endif 128355714Skris 128489837Skris /* use same message size as in ssl3_get_certificate_request() 128589837Skris * as ServerKeyExchange message may be skipped */ 1286160814Ssimon n=s->method->ssl_get_message(s, 128755714Skris SSL3_ST_CR_KEY_EXCH_A, 128855714Skris SSL3_ST_CR_KEY_EXCH_B, 128955714Skris -1, 1290109998Smarkm s->max_cert_list, 129155714Skris &ok); 129255714Skris if (!ok) return((int)n); 129355714Skris 129455714Skris if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 129555714Skris { 1296238405Sjkim#ifndef OPENSSL_NO_PSK 1297238405Sjkim /* In plain PSK ciphersuite, ServerKeyExchange can be 1298238405Sjkim omitted if no identity hint is sent. Set 1299238405Sjkim session->sess_cert anyway to avoid problems 1300238405Sjkim later.*/ 1301238405Sjkim if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1302238405Sjkim { 1303238405Sjkim s->session->sess_cert=ssl_sess_cert_new(); 1304238405Sjkim if (s->ctx->psk_identity_hint) 1305238405Sjkim OPENSSL_free(s->ctx->psk_identity_hint); 1306238405Sjkim s->ctx->psk_identity_hint = NULL; 1307238405Sjkim } 1308238405Sjkim#endif 130955714Skris s->s3->tmp.reuse_message=1; 131055714Skris return(1); 131155714Skris } 131255714Skris 1313109998Smarkm param=p=(unsigned char *)s->init_msg; 131455714Skris if (s->session->sess_cert != NULL) 131555714Skris { 1316109998Smarkm#ifndef OPENSSL_NO_RSA 131755714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 131855714Skris { 131955714Skris RSA_free(s->session->sess_cert->peer_rsa_tmp); 132055714Skris s->session->sess_cert->peer_rsa_tmp=NULL; 132155714Skris } 132255714Skris#endif 1323109998Smarkm#ifndef OPENSSL_NO_DH 132455714Skris if (s->session->sess_cert->peer_dh_tmp) 132555714Skris { 132655714Skris DH_free(s->session->sess_cert->peer_dh_tmp); 132755714Skris s->session->sess_cert->peer_dh_tmp=NULL; 132855714Skris } 132955714Skris#endif 1330160814Ssimon#ifndef OPENSSL_NO_ECDH 1331160814Ssimon if (s->session->sess_cert->peer_ecdh_tmp) 1332160814Ssimon { 1333160814Ssimon EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1334160814Ssimon s->session->sess_cert->peer_ecdh_tmp=NULL; 1335160814Ssimon } 1336160814Ssimon#endif 133755714Skris } 133855714Skris else 133955714Skris { 134055714Skris s->session->sess_cert=ssl_sess_cert_new(); 134155714Skris } 134255714Skris 134355714Skris param_len=0; 1344238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1345238405Sjkim alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1346109998Smarkm EVP_MD_CTX_init(&md_ctx); 134755714Skris 1348238405Sjkim#ifndef OPENSSL_NO_PSK 1349238405Sjkim if (alg_k & SSL_kPSK) 1350238405Sjkim { 1351238405Sjkim char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1352238405Sjkim 1353238405Sjkim al=SSL_AD_HANDSHAKE_FAILURE; 1354238405Sjkim n2s(p,i); 1355238405Sjkim param_len=i+2; 1356238405Sjkim /* Store PSK identity hint for later use, hint is used 1357238405Sjkim * in ssl3_send_client_key_exchange. Assume that the 1358238405Sjkim * maximum length of a PSK identity hint can be as 1359238405Sjkim * long as the maximum length of a PSK identity. */ 1360238405Sjkim if (i > PSK_MAX_IDENTITY_LEN) 1361238405Sjkim { 1362238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1363238405Sjkim SSL_R_DATA_LENGTH_TOO_LONG); 1364238405Sjkim goto f_err; 1365238405Sjkim } 1366238405Sjkim if (param_len > n) 1367238405Sjkim { 1368238405Sjkim al=SSL_AD_DECODE_ERROR; 1369238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1370238405Sjkim SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1371238405Sjkim goto f_err; 1372238405Sjkim } 1373238405Sjkim /* If received PSK identity hint contains NULL 1374238405Sjkim * characters, the hint is truncated from the first 1375238405Sjkim * NULL. p may not be ending with NULL, so create a 1376238405Sjkim * NULL-terminated string. */ 1377238405Sjkim memcpy(tmp_id_hint, p, i); 1378238405Sjkim memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1379238405Sjkim if (s->ctx->psk_identity_hint != NULL) 1380238405Sjkim OPENSSL_free(s->ctx->psk_identity_hint); 1381238405Sjkim s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1382238405Sjkim if (s->ctx->psk_identity_hint == NULL) 1383238405Sjkim { 1384238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1385238405Sjkim goto f_err; 1386238405Sjkim } 1387238405Sjkim 1388238405Sjkim p+=i; 1389238405Sjkim n-=param_len; 1390238405Sjkim } 1391238405Sjkim else 1392238405Sjkim#endif /* !OPENSSL_NO_PSK */ 1393238405Sjkim#ifndef OPENSSL_NO_SRP 1394238405Sjkim if (alg_k & SSL_kSRP) 1395238405Sjkim { 1396238405Sjkim n2s(p,i); 1397238405Sjkim param_len=i+2; 1398238405Sjkim if (param_len > n) 1399238405Sjkim { 1400238405Sjkim al=SSL_AD_DECODE_ERROR; 1401238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH); 1402238405Sjkim goto f_err; 1403238405Sjkim } 1404238405Sjkim if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1405238405Sjkim { 1406238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1407238405Sjkim goto err; 1408238405Sjkim } 1409238405Sjkim p+=i; 1410238405Sjkim 1411238405Sjkim n2s(p,i); 1412238405Sjkim param_len+=i+2; 1413238405Sjkim if (param_len > n) 1414238405Sjkim { 1415238405Sjkim al=SSL_AD_DECODE_ERROR; 1416238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH); 1417238405Sjkim goto f_err; 1418238405Sjkim } 1419238405Sjkim if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1420238405Sjkim { 1421238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1422238405Sjkim goto err; 1423238405Sjkim } 1424238405Sjkim p+=i; 1425238405Sjkim 1426238405Sjkim i = (unsigned int)(p[0]); 1427238405Sjkim p++; 1428238405Sjkim param_len+=i+1; 1429238405Sjkim if (param_len > n) 1430238405Sjkim { 1431238405Sjkim al=SSL_AD_DECODE_ERROR; 1432238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH); 1433238405Sjkim goto f_err; 1434238405Sjkim } 1435238405Sjkim if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1436238405Sjkim { 1437238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1438238405Sjkim goto err; 1439238405Sjkim } 1440238405Sjkim p+=i; 1441238405Sjkim 1442238405Sjkim n2s(p,i); 1443238405Sjkim param_len+=i+2; 1444238405Sjkim if (param_len > n) 1445238405Sjkim { 1446238405Sjkim al=SSL_AD_DECODE_ERROR; 1447238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH); 1448238405Sjkim goto f_err; 1449238405Sjkim } 1450238405Sjkim if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1451238405Sjkim { 1452238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1453238405Sjkim goto err; 1454238405Sjkim } 1455238405Sjkim p+=i; 1456238405Sjkim n-=param_len; 1457238405Sjkim 1458238405Sjkim/* We must check if there is a certificate */ 1459109998Smarkm#ifndef OPENSSL_NO_RSA 1460238405Sjkim if (alg_a & SSL_aRSA) 1461238405Sjkim pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1462238405Sjkim#else 1463238405Sjkim if (0) 1464238405Sjkim ; 1465238405Sjkim#endif 1466238405Sjkim#ifndef OPENSSL_NO_DSA 1467238405Sjkim else if (alg_a & SSL_aDSS) 1468238405Sjkim pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1469238405Sjkim#endif 1470238405Sjkim } 1471238405Sjkim else 1472238405Sjkim#endif /* !OPENSSL_NO_SRP */ 1473238405Sjkim#ifndef OPENSSL_NO_RSA 1474238405Sjkim if (alg_k & SSL_kRSA) 147555714Skris { 147655714Skris if ((rsa=RSA_new()) == NULL) 147755714Skris { 147855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 147955714Skris goto err; 148055714Skris } 148155714Skris n2s(p,i); 148255714Skris param_len=i+2; 148355714Skris if (param_len > n) 148455714Skris { 148555714Skris al=SSL_AD_DECODE_ERROR; 148655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 148755714Skris goto f_err; 148855714Skris } 148955714Skris if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 149055714Skris { 149155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 149255714Skris goto err; 149355714Skris } 149455714Skris p+=i; 149555714Skris 149655714Skris n2s(p,i); 149755714Skris param_len+=i+2; 149855714Skris if (param_len > n) 149955714Skris { 150055714Skris al=SSL_AD_DECODE_ERROR; 150155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 150255714Skris goto f_err; 150355714Skris } 150455714Skris if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 150555714Skris { 150655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 150755714Skris goto err; 150855714Skris } 150955714Skris p+=i; 151055714Skris n-=param_len; 151155714Skris 151255714Skris /* this should be because we are using an export cipher */ 1513238405Sjkim if (alg_a & SSL_aRSA) 151455714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 151555714Skris else 151655714Skris { 1517109998Smarkm SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 151855714Skris goto err; 151955714Skris } 152055714Skris s->session->sess_cert->peer_rsa_tmp=rsa; 152155714Skris rsa=NULL; 152255714Skris } 1523109998Smarkm#else /* OPENSSL_NO_RSA */ 152468651Skris if (0) 152568651Skris ; 152655714Skris#endif 1527109998Smarkm#ifndef OPENSSL_NO_DH 1528238405Sjkim else if (alg_k & SSL_kEDH) 152955714Skris { 153055714Skris if ((dh=DH_new()) == NULL) 153155714Skris { 153255714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 153355714Skris goto err; 153455714Skris } 153555714Skris n2s(p,i); 153655714Skris param_len=i+2; 153755714Skris if (param_len > n) 153855714Skris { 153955714Skris al=SSL_AD_DECODE_ERROR; 154055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 154155714Skris goto f_err; 154255714Skris } 154355714Skris if (!(dh->p=BN_bin2bn(p,i,NULL))) 154455714Skris { 154555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 154655714Skris goto err; 154755714Skris } 154855714Skris p+=i; 154955714Skris 155055714Skris n2s(p,i); 155155714Skris param_len+=i+2; 155255714Skris if (param_len > n) 155355714Skris { 155455714Skris al=SSL_AD_DECODE_ERROR; 155555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 155655714Skris goto f_err; 155755714Skris } 155855714Skris if (!(dh->g=BN_bin2bn(p,i,NULL))) 155955714Skris { 156055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 156155714Skris goto err; 156255714Skris } 156355714Skris p+=i; 156455714Skris 156555714Skris n2s(p,i); 156655714Skris param_len+=i+2; 156755714Skris if (param_len > n) 156855714Skris { 156955714Skris al=SSL_AD_DECODE_ERROR; 157055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 157155714Skris goto f_err; 157255714Skris } 157355714Skris if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 157455714Skris { 157555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 157655714Skris goto err; 157755714Skris } 157855714Skris p+=i; 157955714Skris n-=param_len; 158055714Skris 1581109998Smarkm#ifndef OPENSSL_NO_RSA 1582238405Sjkim if (alg_a & SSL_aRSA) 158355714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 158468651Skris#else 158568651Skris if (0) 158668651Skris ; 158755714Skris#endif 1588109998Smarkm#ifndef OPENSSL_NO_DSA 1589238405Sjkim else if (alg_a & SSL_aDSS) 159055714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 159155714Skris#endif 159255714Skris /* else anonymous DH, so no certificate or pkey. */ 159355714Skris 159455714Skris s->session->sess_cert->peer_dh_tmp=dh; 159555714Skris dh=NULL; 159655714Skris } 1597238405Sjkim else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 159855714Skris { 159955714Skris al=SSL_AD_ILLEGAL_PARAMETER; 160055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 160155714Skris goto f_err; 160255714Skris } 1603109998Smarkm#endif /* !OPENSSL_NO_DH */ 1604160814Ssimon 1605160814Ssimon#ifndef OPENSSL_NO_ECDH 1606238405Sjkim else if (alg_k & SSL_kEECDH) 1607160814Ssimon { 1608160814Ssimon EC_GROUP *ngroup; 1609160814Ssimon const EC_GROUP *group; 1610160814Ssimon 1611160814Ssimon if ((ecdh=EC_KEY_new()) == NULL) 1612160814Ssimon { 1613160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1614160814Ssimon goto err; 1615160814Ssimon } 1616160814Ssimon 1617160814Ssimon /* Extract elliptic curve parameters and the 1618160814Ssimon * server's ephemeral ECDH public key. 1619160814Ssimon * Keep accumulating lengths of various components in 1620160814Ssimon * param_len and make sure it never exceeds n. 1621160814Ssimon */ 1622160814Ssimon 1623160814Ssimon /* XXX: For now we only support named (not generic) curves 1624160814Ssimon * and the ECParameters in this case is just three bytes. 1625160814Ssimon */ 1626160814Ssimon param_len=3; 1627160814Ssimon if ((param_len > n) || 1628160814Ssimon (*p != NAMED_CURVE_TYPE) || 1629238405Sjkim ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1630160814Ssimon { 1631160814Ssimon al=SSL_AD_INTERNAL_ERROR; 1632160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1633160814Ssimon goto f_err; 1634160814Ssimon } 1635160814Ssimon 1636160814Ssimon ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1637160814Ssimon if (ngroup == NULL) 1638160814Ssimon { 1639160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1640160814Ssimon goto err; 1641160814Ssimon } 1642160814Ssimon if (EC_KEY_set_group(ecdh, ngroup) == 0) 1643160814Ssimon { 1644160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1645160814Ssimon goto err; 1646160814Ssimon } 1647160814Ssimon EC_GROUP_free(ngroup); 1648160814Ssimon 1649160814Ssimon group = EC_KEY_get0_group(ecdh); 1650160814Ssimon 1651160814Ssimon if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1652160814Ssimon (EC_GROUP_get_degree(group) > 163)) 1653160814Ssimon { 1654160814Ssimon al=SSL_AD_EXPORT_RESTRICTION; 1655160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1656160814Ssimon goto f_err; 1657160814Ssimon } 1658160814Ssimon 1659160814Ssimon p+=3; 1660160814Ssimon 1661160814Ssimon /* Next, get the encoded ECPoint */ 1662160814Ssimon if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1663160814Ssimon ((bn_ctx = BN_CTX_new()) == NULL)) 1664160814Ssimon { 1665160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1666160814Ssimon goto err; 1667160814Ssimon } 1668160814Ssimon 1669160814Ssimon encoded_pt_len = *p; /* length of encoded point */ 1670160814Ssimon p+=1; 1671160814Ssimon param_len += (1 + encoded_pt_len); 1672160814Ssimon if ((param_len > n) || 1673160814Ssimon (EC_POINT_oct2point(group, srvr_ecpoint, 1674160814Ssimon p, encoded_pt_len, bn_ctx) == 0)) 1675160814Ssimon { 1676160814Ssimon al=SSL_AD_DECODE_ERROR; 1677160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1678160814Ssimon goto f_err; 1679160814Ssimon } 1680160814Ssimon 1681160814Ssimon n-=param_len; 1682160814Ssimon p+=encoded_pt_len; 1683160814Ssimon 1684160814Ssimon /* The ECC/TLS specification does not mention 1685160814Ssimon * the use of DSA to sign ECParameters in the server 1686160814Ssimon * key exchange message. We do support RSA and ECDSA. 1687160814Ssimon */ 1688160814Ssimon if (0) ; 1689160814Ssimon#ifndef OPENSSL_NO_RSA 1690238405Sjkim else if (alg_a & SSL_aRSA) 1691160814Ssimon pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1692160814Ssimon#endif 1693160814Ssimon#ifndef OPENSSL_NO_ECDSA 1694238405Sjkim else if (alg_a & SSL_aECDSA) 1695160814Ssimon pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1696160814Ssimon#endif 1697160814Ssimon /* else anonymous ECDH, so no certificate or pkey. */ 1698160814Ssimon EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1699160814Ssimon s->session->sess_cert->peer_ecdh_tmp=ecdh; 1700160814Ssimon ecdh=NULL; 1701160814Ssimon BN_CTX_free(bn_ctx); 1702215288Ssimon bn_ctx = NULL; 1703160814Ssimon EC_POINT_free(srvr_ecpoint); 1704160814Ssimon srvr_ecpoint = NULL; 1705160814Ssimon } 1706238405Sjkim else if (alg_k) 1707160814Ssimon { 1708160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 1709160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1710160814Ssimon goto f_err; 1711160814Ssimon } 1712160814Ssimon#endif /* !OPENSSL_NO_ECDH */ 171355714Skris 171455714Skris 171555714Skris /* p points to the next byte, there are 'n' bytes left */ 171655714Skris 171755714Skris /* if it was signed, check the signature */ 171855714Skris if (pkey != NULL) 171955714Skris { 1720238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 1721238405Sjkim { 1722238405Sjkim int sigalg = tls12_get_sigid(pkey); 1723238405Sjkim /* Should never happen */ 1724238405Sjkim if (sigalg == -1) 1725238405Sjkim { 1726238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1727238405Sjkim goto err; 1728238405Sjkim } 1729238405Sjkim /* Check key type is consistent with signature */ 1730238405Sjkim if (sigalg != (int)p[1]) 1731238405Sjkim { 1732238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1733238405Sjkim al=SSL_AD_DECODE_ERROR; 1734238405Sjkim goto f_err; 1735238405Sjkim } 1736238405Sjkim md = tls12_get_hash(p[0]); 1737238405Sjkim if (md == NULL) 1738238405Sjkim { 1739238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1740238405Sjkim al=SSL_AD_DECODE_ERROR; 1741238405Sjkim goto f_err; 1742238405Sjkim } 1743238405Sjkim#ifdef SSL_DEBUG 1744238405Sjkimfprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1745238405Sjkim#endif 1746238405Sjkim p += 2; 1747238405Sjkim n -= 2; 1748238405Sjkim } 1749238405Sjkim else 1750238405Sjkim md = EVP_sha1(); 1751238405Sjkim 175255714Skris n2s(p,i); 175355714Skris n-=2; 175455714Skris j=EVP_PKEY_size(pkey); 175555714Skris 175655714Skris if ((i != n) || (n > j) || (n <= 0)) 175755714Skris { 175855714Skris /* wrong packet length */ 175955714Skris al=SSL_AD_DECODE_ERROR; 176055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 176155714Skris goto f_err; 176255714Skris } 176355714Skris 1764109998Smarkm#ifndef OPENSSL_NO_RSA 1765238405Sjkim if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 176655714Skris { 176755714Skris int num; 176855714Skris 176955714Skris j=0; 177055714Skris q=md_buf; 177155714Skris for (num=2; num > 0; num--) 177255714Skris { 1773194206Ssimon EVP_MD_CTX_set_flags(&md_ctx, 1774194206Ssimon EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1775109998Smarkm EVP_DigestInit_ex(&md_ctx,(num == 2) 1776109998Smarkm ?s->ctx->md5:s->ctx->sha1, NULL); 177755714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 177855714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 177955714Skris EVP_DigestUpdate(&md_ctx,param,param_len); 1780109998Smarkm EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 178155714Skris q+=i; 178255714Skris j+=i; 178355714Skris } 178459191Skris i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 178559191Skris pkey->pkey.rsa); 178659191Skris if (i < 0) 178755714Skris { 178855714Skris al=SSL_AD_DECRYPT_ERROR; 178955714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 179055714Skris goto f_err; 179155714Skris } 179259191Skris if (i == 0) 179355714Skris { 179455714Skris /* bad signature */ 179555714Skris al=SSL_AD_DECRYPT_ERROR; 179655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 179755714Skris goto f_err; 179855714Skris } 179955714Skris } 180055714Skris else 180155714Skris#endif 180255714Skris { 1803238405Sjkim EVP_VerifyInit_ex(&md_ctx, md, NULL); 180455714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 180555714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 180655714Skris EVP_VerifyUpdate(&md_ctx,param,param_len); 1807186872Ssimon if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 180855714Skris { 180955714Skris /* bad signature */ 181055714Skris al=SSL_AD_DECRYPT_ERROR; 181155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 181255714Skris goto f_err; 181355714Skris } 181455714Skris } 181555714Skris } 181655714Skris else 181755714Skris { 1818238405Sjkim if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1819238405Sjkim /* aNULL or kPSK do not need public keys */ 182055714Skris { 1821109998Smarkm SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 182255714Skris goto err; 182355714Skris } 1824238405Sjkim /* still data left over */ 182555714Skris if (n != 0) 182655714Skris { 182755714Skris al=SSL_AD_DECODE_ERROR; 182855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 182955714Skris goto f_err; 183055714Skris } 183155714Skris } 183255714Skris EVP_PKEY_free(pkey); 1833109998Smarkm EVP_MD_CTX_cleanup(&md_ctx); 183455714Skris return(1); 183555714Skrisf_err: 183655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 183755714Skriserr: 183855714Skris EVP_PKEY_free(pkey); 1839109998Smarkm#ifndef OPENSSL_NO_RSA 184055714Skris if (rsa != NULL) 184155714Skris RSA_free(rsa); 184255714Skris#endif 1843109998Smarkm#ifndef OPENSSL_NO_DH 184455714Skris if (dh != NULL) 184555714Skris DH_free(dh); 184655714Skris#endif 1847160814Ssimon#ifndef OPENSSL_NO_ECDH 1848160814Ssimon BN_CTX_free(bn_ctx); 1849160814Ssimon EC_POINT_free(srvr_ecpoint); 1850160814Ssimon if (ecdh != NULL) 1851160814Ssimon EC_KEY_free(ecdh); 1852160814Ssimon#endif 1853109998Smarkm EVP_MD_CTX_cleanup(&md_ctx); 185455714Skris return(-1); 185555714Skris } 185655714Skris 1857160814Ssimonint ssl3_get_certificate_request(SSL *s) 185855714Skris { 185955714Skris int ok,ret=0; 186055714Skris unsigned long n,nc,l; 1861238405Sjkim unsigned int llen, ctype_num,i; 186255714Skris X509_NAME *xn=NULL; 1863160814Ssimon const unsigned char *p,*q; 1864160814Ssimon unsigned char *d; 186555714Skris STACK_OF(X509_NAME) *ca_sk=NULL; 186655714Skris 1867160814Ssimon n=s->method->ssl_get_message(s, 186855714Skris SSL3_ST_CR_CERT_REQ_A, 186955714Skris SSL3_ST_CR_CERT_REQ_B, 187055714Skris -1, 1871109998Smarkm s->max_cert_list, 187255714Skris &ok); 187355714Skris 187455714Skris if (!ok) return((int)n); 187555714Skris 187655714Skris s->s3->tmp.cert_req=0; 187755714Skris 187855714Skris if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 187955714Skris { 188055714Skris s->s3->tmp.reuse_message=1; 1881238405Sjkim /* If we get here we don't need any cached handshake records 1882238405Sjkim * as we wont be doing client auth. 1883238405Sjkim */ 1884238405Sjkim if (s->s3->handshake_buffer) 1885238405Sjkim { 1886238405Sjkim if (!ssl3_digest_cached_records(s)) 1887238405Sjkim goto err; 1888238405Sjkim } 188955714Skris return(1); 189055714Skris } 189155714Skris 189255714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 189355714Skris { 189455714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 189555714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 189655714Skris goto err; 189755714Skris } 189855714Skris 189955714Skris /* TLS does not like anon-DH with client cert */ 190055714Skris if (s->version > SSL3_VERSION) 190155714Skris { 1902238405Sjkim if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 190355714Skris { 190455714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 190555714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 190655714Skris goto err; 190755714Skris } 190855714Skris } 190955714Skris 1910160814Ssimon p=d=(unsigned char *)s->init_msg; 191155714Skris 191255714Skris if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 191355714Skris { 191455714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 191555714Skris goto err; 191655714Skris } 191755714Skris 191855714Skris /* get the certificate types */ 191955714Skris ctype_num= *(p++); 192055714Skris if (ctype_num > SSL3_CT_NUMBER) 192155714Skris ctype_num=SSL3_CT_NUMBER; 192255714Skris for (i=0; i<ctype_num; i++) 192355714Skris s->s3->tmp.ctype[i]= p[i]; 192455714Skris p+=ctype_num; 1925238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 1926238405Sjkim { 1927238405Sjkim n2s(p, llen); 1928238405Sjkim /* Check we have enough room for signature algorithms and 1929238405Sjkim * following length value. 1930238405Sjkim */ 1931238405Sjkim if ((unsigned long)(p - d + llen + 2) > n) 1932238405Sjkim { 1933238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1934238405Sjkim SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); 1935238405Sjkim goto err; 1936238405Sjkim } 1937238405Sjkim if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1938238405Sjkim { 1939238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1940238405Sjkim SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1941238405Sjkim goto err; 1942238405Sjkim } 1943238405Sjkim p += llen; 1944238405Sjkim } 194555714Skris 194655714Skris /* get the CA RDNs */ 194755714Skris n2s(p,llen); 194855714Skris#if 0 194955714Skris{ 195055714SkrisFILE *out; 195155714Skrisout=fopen("/tmp/vsign.der","w"); 195255714Skrisfwrite(p,1,llen,out); 195355714Skrisfclose(out); 195455714Skris} 195555714Skris#endif 195655714Skris 1957238405Sjkim if ((unsigned long)(p - d + llen) != n) 195855714Skris { 195955714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 196055714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 196155714Skris goto err; 196255714Skris } 196355714Skris 196455714Skris for (nc=0; nc<llen; ) 196555714Skris { 196655714Skris n2s(p,l); 196755714Skris if ((l+nc+2) > llen) 196855714Skris { 196955714Skris if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 197055714Skris goto cont; /* netscape bugs */ 197155714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 197255714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 197355714Skris goto err; 197455714Skris } 197555714Skris 197655714Skris q=p; 197755714Skris 197855714Skris if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 197955714Skris { 198059191Skris /* If netscape tolerance is on, ignore errors */ 198155714Skris if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 198255714Skris goto cont; 198355714Skris else 198455714Skris { 198555714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 198655714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 198755714Skris goto err; 198855714Skris } 198955714Skris } 199055714Skris 199155714Skris if (q != (p+l)) 199255714Skris { 199355714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 199455714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 199555714Skris goto err; 199655714Skris } 199755714Skris if (!sk_X509_NAME_push(ca_sk,xn)) 199855714Skris { 199955714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 200055714Skris goto err; 200155714Skris } 200255714Skris 200355714Skris p+=l; 200455714Skris nc+=l+2; 200555714Skris } 200655714Skris 200755714Skris if (0) 200855714Skris { 200955714Skriscont: 201055714Skris ERR_clear_error(); 201155714Skris } 201255714Skris 201359191Skris /* we should setup a certificate to return.... */ 201455714Skris s->s3->tmp.cert_req=1; 201555714Skris s->s3->tmp.ctype_num=ctype_num; 201655714Skris if (s->s3->tmp.ca_names != NULL) 201755714Skris sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 201855714Skris s->s3->tmp.ca_names=ca_sk; 201955714Skris ca_sk=NULL; 202055714Skris 202155714Skris ret=1; 202255714Skriserr: 202355714Skris if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 202455714Skris return(ret); 202555714Skris } 202655714Skris 202768651Skrisstatic int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 202855714Skris { 202955714Skris return(X509_NAME_cmp(*a,*b)); 203055714Skris } 2031194206Ssimon#ifndef OPENSSL_NO_TLSEXT 2032194206Ssimonint ssl3_get_new_session_ticket(SSL *s) 2033194206Ssimon { 2034194206Ssimon int ok,al,ret=0, ticklen; 2035194206Ssimon long n; 2036194206Ssimon const unsigned char *p; 2037194206Ssimon unsigned char *d; 203855714Skris 2039194206Ssimon n=s->method->ssl_get_message(s, 2040194206Ssimon SSL3_ST_CR_SESSION_TICKET_A, 2041194206Ssimon SSL3_ST_CR_SESSION_TICKET_B, 2042194206Ssimon -1, 2043194206Ssimon 16384, 2044194206Ssimon &ok); 2045194206Ssimon 2046194206Ssimon if (!ok) 2047194206Ssimon return((int)n); 2048194206Ssimon 2049194206Ssimon if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 2050194206Ssimon { 2051194206Ssimon s->s3->tmp.reuse_message=1; 2052194206Ssimon return(1); 2053194206Ssimon } 2054194206Ssimon if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 2055194206Ssimon { 2056194206Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 2057194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 2058194206Ssimon goto f_err; 2059194206Ssimon } 2060194206Ssimon if (n < 6) 2061194206Ssimon { 2062194206Ssimon /* need at least ticket_lifetime_hint + ticket length */ 2063237657Sjkim al = SSL_AD_DECODE_ERROR; 2064194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2065194206Ssimon goto f_err; 2066194206Ssimon } 2067205128Ssimon 2068194206Ssimon p=d=(unsigned char *)s->init_msg; 2069194206Ssimon n2l(p, s->session->tlsext_tick_lifetime_hint); 2070194206Ssimon n2s(p, ticklen); 2071194206Ssimon /* ticket_lifetime_hint + ticket_length + ticket */ 2072194206Ssimon if (ticklen + 6 != n) 2073194206Ssimon { 2074237657Sjkim al = SSL_AD_DECODE_ERROR; 2075194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2076194206Ssimon goto f_err; 2077194206Ssimon } 2078194206Ssimon if (s->session->tlsext_tick) 2079194206Ssimon { 2080194206Ssimon OPENSSL_free(s->session->tlsext_tick); 2081194206Ssimon s->session->tlsext_ticklen = 0; 2082194206Ssimon } 2083194206Ssimon s->session->tlsext_tick = OPENSSL_malloc(ticklen); 2084194206Ssimon if (!s->session->tlsext_tick) 2085194206Ssimon { 2086194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 2087194206Ssimon goto err; 2088194206Ssimon } 2089194206Ssimon memcpy(s->session->tlsext_tick, p, ticklen); 2090194206Ssimon s->session->tlsext_ticklen = ticklen; 2091205128Ssimon /* There are two ways to detect a resumed ticket sesion. 2092205128Ssimon * One is to set an appropriate session ID and then the server 2093205128Ssimon * must return a match in ServerHello. This allows the normal 2094205128Ssimon * client session ID matching to work and we know much 2095205128Ssimon * earlier that the ticket has been accepted. 2096205128Ssimon * 2097205128Ssimon * The other way is to set zero length session ID when the 2098205128Ssimon * ticket is presented and rely on the handshake to determine 2099205128Ssimon * session resumption. 2100205128Ssimon * 2101205128Ssimon * We choose the former approach because this fits in with 2102205128Ssimon * assumptions elsewhere in OpenSSL. The session ID is set 2103205128Ssimon * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2104205128Ssimon * ticket. 2105205128Ssimon */ 2106205128Ssimon EVP_Digest(p, ticklen, 2107205128Ssimon s->session->session_id, &s->session->session_id_length, 2108205128Ssimon#ifndef OPENSSL_NO_SHA256 2109205128Ssimon EVP_sha256(), NULL); 2110205128Ssimon#else 2111205128Ssimon EVP_sha1(), NULL); 2112205128Ssimon#endif 2113194206Ssimon ret=1; 2114194206Ssimon return(ret); 2115194206Ssimonf_err: 2116194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 2117194206Ssimonerr: 2118194206Ssimon return(-1); 2119194206Ssimon } 2120194206Ssimon 2121194206Ssimonint ssl3_get_cert_status(SSL *s) 2122194206Ssimon { 2123194206Ssimon int ok, al; 2124238405Sjkim unsigned long resplen,n; 2125194206Ssimon const unsigned char *p; 2126194206Ssimon 2127194206Ssimon n=s->method->ssl_get_message(s, 2128194206Ssimon SSL3_ST_CR_CERT_STATUS_A, 2129194206Ssimon SSL3_ST_CR_CERT_STATUS_B, 2130194206Ssimon SSL3_MT_CERTIFICATE_STATUS, 2131194206Ssimon 16384, 2132194206Ssimon &ok); 2133194206Ssimon 2134194206Ssimon if (!ok) return((int)n); 2135194206Ssimon if (n < 4) 2136194206Ssimon { 2137194206Ssimon /* need at least status type + length */ 2138194206Ssimon al = SSL_AD_DECODE_ERROR; 2139194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2140194206Ssimon goto f_err; 2141194206Ssimon } 2142194206Ssimon p = (unsigned char *)s->init_msg; 2143194206Ssimon if (*p++ != TLSEXT_STATUSTYPE_ocsp) 2144194206Ssimon { 2145194206Ssimon al = SSL_AD_DECODE_ERROR; 2146194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 2147194206Ssimon goto f_err; 2148194206Ssimon } 2149194206Ssimon n2l3(p, resplen); 2150238405Sjkim if (resplen + 4 != n) 2151194206Ssimon { 2152194206Ssimon al = SSL_AD_DECODE_ERROR; 2153194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2154194206Ssimon goto f_err; 2155194206Ssimon } 2156194206Ssimon if (s->tlsext_ocsp_resp) 2157194206Ssimon OPENSSL_free(s->tlsext_ocsp_resp); 2158194206Ssimon s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2159194206Ssimon if (!s->tlsext_ocsp_resp) 2160194206Ssimon { 2161194206Ssimon al = SSL_AD_INTERNAL_ERROR; 2162194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2163194206Ssimon goto f_err; 2164194206Ssimon } 2165194206Ssimon s->tlsext_ocsp_resplen = resplen; 2166194206Ssimon if (s->ctx->tlsext_status_cb) 2167194206Ssimon { 2168194206Ssimon int ret; 2169194206Ssimon ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2170194206Ssimon if (ret == 0) 2171194206Ssimon { 2172194206Ssimon al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2173194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2174194206Ssimon goto f_err; 2175194206Ssimon } 2176194206Ssimon if (ret < 0) 2177194206Ssimon { 2178194206Ssimon al = SSL_AD_INTERNAL_ERROR; 2179194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2180194206Ssimon goto f_err; 2181194206Ssimon } 2182194206Ssimon } 2183194206Ssimon return 1; 2184194206Ssimonf_err: 2185194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 2186194206Ssimon return(-1); 2187194206Ssimon } 2188194206Ssimon#endif 2189194206Ssimon 2190160814Ssimonint ssl3_get_server_done(SSL *s) 219155714Skris { 219255714Skris int ok,ret=0; 219355714Skris long n; 219455714Skris 2195160814Ssimon n=s->method->ssl_get_message(s, 219655714Skris SSL3_ST_CR_SRVR_DONE_A, 219755714Skris SSL3_ST_CR_SRVR_DONE_B, 219855714Skris SSL3_MT_SERVER_DONE, 219955714Skris 30, /* should be very small, like 0 :-) */ 220055714Skris &ok); 220155714Skris 220255714Skris if (!ok) return((int)n); 220355714Skris if (n > 0) 220455714Skris { 220555714Skris /* should contain no data */ 220655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 220755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2208100928Snectar return -1; 220955714Skris } 221055714Skris ret=1; 221155714Skris return(ret); 221255714Skris } 221355714Skris 2214160814Ssimon 2215160814Ssimonint ssl3_send_client_key_exchange(SSL *s) 221655714Skris { 221755714Skris unsigned char *p,*d; 221855714Skris int n; 2219238405Sjkim unsigned long alg_k; 2220109998Smarkm#ifndef OPENSSL_NO_RSA 222155714Skris unsigned char *q; 222255714Skris EVP_PKEY *pkey=NULL; 222355714Skris#endif 2224109998Smarkm#ifndef OPENSSL_NO_KRB5 2225160814Ssimon KSSL_ERR kssl_err; 2226109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 2227160814Ssimon#ifndef OPENSSL_NO_ECDH 2228160814Ssimon EC_KEY *clnt_ecdh = NULL; 2229160814Ssimon const EC_POINT *srvr_ecpoint = NULL; 2230160814Ssimon EVP_PKEY *srvr_pub_pkey = NULL; 2231160814Ssimon unsigned char *encodedPoint = NULL; 2232160814Ssimon int encoded_pt_len = 0; 2233160814Ssimon BN_CTX * bn_ctx = NULL; 2234160814Ssimon#endif 223555714Skris 223655714Skris if (s->state == SSL3_ST_CW_KEY_EXCH_A) 223755714Skris { 223855714Skris d=(unsigned char *)s->init_buf->data; 223955714Skris p= &(d[4]); 224055714Skris 2241238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 224255714Skris 2243160814Ssimon /* Fool emacs indentation */ 2244160814Ssimon if (0) {} 2245109998Smarkm#ifndef OPENSSL_NO_RSA 2246238405Sjkim else if (alg_k & SSL_kRSA) 224755714Skris { 224855714Skris RSA *rsa; 224955714Skris unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 225055714Skris 225155714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 225255714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 225355714Skris else 225455714Skris { 225555714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 225655714Skris if ((pkey == NULL) || 225755714Skris (pkey->type != EVP_PKEY_RSA) || 225855714Skris (pkey->pkey.rsa == NULL)) 225955714Skris { 2260109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 226155714Skris goto err; 226255714Skris } 226355714Skris rsa=pkey->pkey.rsa; 226455714Skris EVP_PKEY_free(pkey); 226555714Skris } 226655714Skris 226755714Skris tmp_buf[0]=s->client_version>>8; 226855714Skris tmp_buf[1]=s->client_version&0xff; 2269109998Smarkm if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 227059191Skris goto err; 227155714Skris 2272109998Smarkm s->session->master_key_length=sizeof tmp_buf; 227355714Skris 227455714Skris q=p; 227555714Skris /* Fix buf for TLS and beyond */ 227655714Skris if (s->version > SSL3_VERSION) 227755714Skris p+=2; 2278109998Smarkm n=RSA_public_encrypt(sizeof tmp_buf, 227955714Skris tmp_buf,p,rsa,RSA_PKCS1_PADDING); 228055714Skris#ifdef PKCS1_CHECK 228155714Skris if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 228255714Skris if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 228355714Skris#endif 228455714Skris if (n <= 0) 228555714Skris { 228655714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 228755714Skris goto err; 228855714Skris } 228955714Skris 229055714Skris /* Fix buf for TLS and beyond */ 229155714Skris if (s->version > SSL3_VERSION) 229255714Skris { 229355714Skris s2n(n,q); 229455714Skris n+=2; 229555714Skris } 229655714Skris 229755714Skris s->session->master_key_length= 229855714Skris s->method->ssl3_enc->generate_master_secret(s, 229955714Skris s->session->master_key, 2300109998Smarkm tmp_buf,sizeof tmp_buf); 2301109998Smarkm OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 230255714Skris } 230355714Skris#endif 2304109998Smarkm#ifndef OPENSSL_NO_KRB5 2305238405Sjkim else if (alg_k & SSL_kKRB5) 2306160814Ssimon { 2307160814Ssimon krb5_error_code krb5rc; 2308160814Ssimon KSSL_CTX *kssl_ctx = s->kssl_ctx; 2309160814Ssimon /* krb5_data krb5_ap_req; */ 2310160814Ssimon krb5_data *enc_ticket; 2311160814Ssimon krb5_data authenticator, *authp = NULL; 2312109998Smarkm EVP_CIPHER_CTX ciph_ctx; 2313238405Sjkim const EVP_CIPHER *enc = NULL; 2314109998Smarkm unsigned char iv[EVP_MAX_IV_LENGTH]; 2315109998Smarkm unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2316109998Smarkm unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2317109998Smarkm + EVP_MAX_IV_LENGTH]; 2318109998Smarkm int padl, outl = sizeof(epms); 2319109998Smarkm 2320109998Smarkm EVP_CIPHER_CTX_init(&ciph_ctx); 2321109998Smarkm 2322109998Smarkm#ifdef KSSL_DEBUG 2323160814Ssimon printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2324238405Sjkim alg_k, SSL_kKRB5); 2325109998Smarkm#endif /* KSSL_DEBUG */ 2326109998Smarkm 2327109998Smarkm authp = NULL; 2328109998Smarkm#ifdef KRB5SENDAUTH 2329109998Smarkm if (KRB5SENDAUTH) authp = &authenticator; 2330109998Smarkm#endif /* KRB5SENDAUTH */ 2331109998Smarkm 2332160814Ssimon krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2333109998Smarkm &kssl_err); 2334109998Smarkm enc = kssl_map_enc(kssl_ctx->enctype); 2335160814Ssimon if (enc == NULL) 2336160814Ssimon goto err; 2337109998Smarkm#ifdef KSSL_DEBUG 2338160814Ssimon { 2339160814Ssimon printf("kssl_cget_tkt rtn %d\n", krb5rc); 2340160814Ssimon if (krb5rc && kssl_err.text) 2341109998Smarkm printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2342160814Ssimon } 2343109998Smarkm#endif /* KSSL_DEBUG */ 2344109998Smarkm 2345160814Ssimon if (krb5rc) 2346160814Ssimon { 2347160814Ssimon ssl3_send_alert(s,SSL3_AL_FATAL, 2348109998Smarkm SSL_AD_HANDSHAKE_FAILURE); 2349160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2350109998Smarkm kssl_err.reason); 2351160814Ssimon goto err; 2352160814Ssimon } 2353109998Smarkm 2354109998Smarkm /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2355109998Smarkm ** in place of RFC 2712 KerberosWrapper, as in: 2356109998Smarkm ** 2357160814Ssimon ** Send ticket (copy to *p, set n = length) 2358160814Ssimon ** n = krb5_ap_req.length; 2359160814Ssimon ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2360160814Ssimon ** if (krb5_ap_req.data) 2361160814Ssimon ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2362160814Ssimon ** 2363109998Smarkm ** Now using real RFC 2712 KerberosWrapper 2364109998Smarkm ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2365109998Smarkm ** Note: 2712 "opaque" types are here replaced 2366109998Smarkm ** with a 2-byte length followed by the value. 2367109998Smarkm ** Example: 2368109998Smarkm ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2369109998Smarkm ** Where "xx xx" = length bytes. Shown here with 2370109998Smarkm ** optional authenticator omitted. 2371109998Smarkm */ 2372109998Smarkm 2373109998Smarkm /* KerberosWrapper.Ticket */ 2374109998Smarkm s2n(enc_ticket->length,p); 2375109998Smarkm memcpy(p, enc_ticket->data, enc_ticket->length); 2376109998Smarkm p+= enc_ticket->length; 2377109998Smarkm n = enc_ticket->length + 2; 2378109998Smarkm 2379109998Smarkm /* KerberosWrapper.Authenticator */ 2380109998Smarkm if (authp && authp->length) 2381109998Smarkm { 2382109998Smarkm s2n(authp->length,p); 2383109998Smarkm memcpy(p, authp->data, authp->length); 2384109998Smarkm p+= authp->length; 2385109998Smarkm n+= authp->length + 2; 2386109998Smarkm 2387109998Smarkm free(authp->data); 2388109998Smarkm authp->data = NULL; 2389109998Smarkm authp->length = 0; 2390109998Smarkm } 2391109998Smarkm else 2392109998Smarkm { 2393109998Smarkm s2n(0,p);/* null authenticator length */ 2394109998Smarkm n+=2; 2395109998Smarkm } 2396109998Smarkm 2397167612Ssimon tmp_buf[0]=s->client_version>>8; 2398167612Ssimon tmp_buf[1]=s->client_version&0xff; 2399167612Ssimon if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2400167612Ssimon goto err; 2401109998Smarkm 2402109998Smarkm /* 20010420 VRS. Tried it this way; failed. 2403109998Smarkm ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2404109998Smarkm ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2405109998Smarkm ** kssl_ctx->length); 2406109998Smarkm ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2407109998Smarkm */ 2408109998Smarkm 2409109998Smarkm memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2410109998Smarkm EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2411109998Smarkm kssl_ctx->key,iv); 2412109998Smarkm EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2413109998Smarkm sizeof tmp_buf); 2414109998Smarkm EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2415109998Smarkm outl += padl; 2416238405Sjkim if (outl > (int)sizeof epms) 2417109998Smarkm { 2418109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2419109998Smarkm goto err; 2420109998Smarkm } 2421109998Smarkm EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2422109998Smarkm 2423109998Smarkm /* KerberosWrapper.EncryptedPreMasterSecret */ 2424109998Smarkm s2n(outl,p); 2425109998Smarkm memcpy(p, epms, outl); 2426109998Smarkm p+=outl; 2427109998Smarkm n+=outl + 2; 2428109998Smarkm 2429160814Ssimon s->session->master_key_length= 2430238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2431109998Smarkm s->session->master_key, 2432109998Smarkm tmp_buf, sizeof tmp_buf); 2433109998Smarkm 2434109998Smarkm OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2435109998Smarkm OPENSSL_cleanse(epms, outl); 2436160814Ssimon } 2437109998Smarkm#endif 2438109998Smarkm#ifndef OPENSSL_NO_DH 2439238405Sjkim else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 244055714Skris { 244155714Skris DH *dh_srvr,*dh_clnt; 244255714Skris 2443194206Ssimon if (s->session->sess_cert == NULL) 2444194206Ssimon { 2445194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2446194206Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2447194206Ssimon goto err; 2448238405Sjkim } 2449194206Ssimon 245055714Skris if (s->session->sess_cert->peer_dh_tmp != NULL) 245155714Skris dh_srvr=s->session->sess_cert->peer_dh_tmp; 245255714Skris else 245355714Skris { 245455714Skris /* we get them from the cert */ 245555714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 245655714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 245755714Skris goto err; 245855714Skris } 245955714Skris 246055714Skris /* generate a new random key */ 246155714Skris if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 246255714Skris { 246355714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 246455714Skris goto err; 246555714Skris } 246655714Skris if (!DH_generate_key(dh_clnt)) 246755714Skris { 246855714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2469238405Sjkim DH_free(dh_clnt); 247055714Skris goto err; 247155714Skris } 247255714Skris 247355714Skris /* use the 'p' output buffer for the DH key, but 247455714Skris * make sure to clear it out afterwards */ 247555714Skris 247655714Skris n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 247755714Skris 247855714Skris if (n <= 0) 247955714Skris { 248055714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2481238405Sjkim DH_free(dh_clnt); 248255714Skris goto err; 248355714Skris } 248455714Skris 248555714Skris /* generate master key from the result */ 248655714Skris s->session->master_key_length= 248755714Skris s->method->ssl3_enc->generate_master_secret(s, 248855714Skris s->session->master_key,p,n); 248955714Skris /* clean up */ 249055714Skris memset(p,0,n); 249155714Skris 249255714Skris /* send off the data */ 249355714Skris n=BN_num_bytes(dh_clnt->pub_key); 249455714Skris s2n(n,p); 249555714Skris BN_bn2bin(dh_clnt->pub_key,p); 249655714Skris n+=2; 249755714Skris 249855714Skris DH_free(dh_clnt); 249955714Skris 250055714Skris /* perhaps clean things up a bit EAY EAY EAY EAY*/ 250155714Skris } 2502109998Smarkm#endif 2503160814Ssimon 2504160814Ssimon#ifndef OPENSSL_NO_ECDH 2505238405Sjkim else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2506160814Ssimon { 2507160814Ssimon const EC_GROUP *srvr_group = NULL; 2508160814Ssimon EC_KEY *tkey; 2509160814Ssimon int ecdh_clnt_cert = 0; 2510160814Ssimon int field_size = 0; 2511160814Ssimon 2512160814Ssimon /* Did we send out the client's 2513160814Ssimon * ECDH share for use in premaster 2514160814Ssimon * computation as part of client certificate? 2515160814Ssimon * If so, set ecdh_clnt_cert to 1. 2516160814Ssimon */ 2517238405Sjkim if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2518160814Ssimon { 2519160814Ssimon /* XXX: For now, we do not support client 2520160814Ssimon * authentication using ECDH certificates. 2521160814Ssimon * To add such support, one needs to add 2522160814Ssimon * code that checks for appropriate 2523160814Ssimon * conditions and sets ecdh_clnt_cert to 1. 2524160814Ssimon * For example, the cert have an ECC 2525160814Ssimon * key on the same curve as the server's 2526160814Ssimon * and the key should be authorized for 2527160814Ssimon * key agreement. 2528160814Ssimon * 2529160814Ssimon * One also needs to add code in ssl3_connect 2530160814Ssimon * to skip sending the certificate verify 2531160814Ssimon * message. 2532160814Ssimon * 2533160814Ssimon * if ((s->cert->key->privatekey != NULL) && 2534160814Ssimon * (s->cert->key->privatekey->type == 2535160814Ssimon * EVP_PKEY_EC) && ...) 2536160814Ssimon * ecdh_clnt_cert = 1; 2537160814Ssimon */ 2538160814Ssimon } 2539160814Ssimon 2540160814Ssimon if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2541160814Ssimon { 2542160814Ssimon tkey = s->session->sess_cert->peer_ecdh_tmp; 2543160814Ssimon } 2544160814Ssimon else 2545160814Ssimon { 2546160814Ssimon /* Get the Server Public Key from Cert */ 2547160814Ssimon srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2548160814Ssimon sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2549160814Ssimon if ((srvr_pub_pkey == NULL) || 2550160814Ssimon (srvr_pub_pkey->type != EVP_PKEY_EC) || 2551160814Ssimon (srvr_pub_pkey->pkey.ec == NULL)) 2552160814Ssimon { 2553160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2554160814Ssimon ERR_R_INTERNAL_ERROR); 2555160814Ssimon goto err; 2556160814Ssimon } 2557160814Ssimon 2558160814Ssimon tkey = srvr_pub_pkey->pkey.ec; 2559160814Ssimon } 2560160814Ssimon 2561160814Ssimon srvr_group = EC_KEY_get0_group(tkey); 2562160814Ssimon srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2563160814Ssimon 2564160814Ssimon if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2565160814Ssimon { 2566160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2567160814Ssimon ERR_R_INTERNAL_ERROR); 2568160814Ssimon goto err; 2569160814Ssimon } 2570160814Ssimon 2571160814Ssimon if ((clnt_ecdh=EC_KEY_new()) == NULL) 2572160814Ssimon { 2573160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2574160814Ssimon goto err; 2575160814Ssimon } 2576160814Ssimon 2577160814Ssimon if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2578160814Ssimon { 2579160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2580160814Ssimon goto err; 2581160814Ssimon } 2582160814Ssimon if (ecdh_clnt_cert) 2583160814Ssimon { 2584160814Ssimon /* Reuse key info from our certificate 2585160814Ssimon * We only need our private key to perform 2586160814Ssimon * the ECDH computation. 2587160814Ssimon */ 2588160814Ssimon const BIGNUM *priv_key; 2589160814Ssimon tkey = s->cert->key->privatekey->pkey.ec; 2590160814Ssimon priv_key = EC_KEY_get0_private_key(tkey); 2591160814Ssimon if (priv_key == NULL) 2592160814Ssimon { 2593160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2594160814Ssimon goto err; 2595160814Ssimon } 2596160814Ssimon if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2597160814Ssimon { 2598160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2599160814Ssimon goto err; 2600160814Ssimon } 2601160814Ssimon } 2602160814Ssimon else 2603160814Ssimon { 2604160814Ssimon /* Generate a new ECDH key pair */ 2605160814Ssimon if (!(EC_KEY_generate_key(clnt_ecdh))) 2606160814Ssimon { 2607160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2608160814Ssimon goto err; 2609160814Ssimon } 2610160814Ssimon } 2611160814Ssimon 2612160814Ssimon /* use the 'p' output buffer for the ECDH key, but 2613160814Ssimon * make sure to clear it out afterwards 2614160814Ssimon */ 2615160814Ssimon 2616160814Ssimon field_size = EC_GROUP_get_degree(srvr_group); 2617160814Ssimon if (field_size <= 0) 2618160814Ssimon { 2619160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2620160814Ssimon ERR_R_ECDH_LIB); 2621160814Ssimon goto err; 2622160814Ssimon } 2623160814Ssimon n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2624160814Ssimon if (n <= 0) 2625160814Ssimon { 2626160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2627160814Ssimon ERR_R_ECDH_LIB); 2628160814Ssimon goto err; 2629160814Ssimon } 2630160814Ssimon 2631160814Ssimon /* generate master key from the result */ 2632160814Ssimon s->session->master_key_length = s->method->ssl3_enc \ 2633160814Ssimon -> generate_master_secret(s, 2634160814Ssimon s->session->master_key, 2635160814Ssimon p, n); 2636160814Ssimon 2637160814Ssimon memset(p, 0, n); /* clean up */ 2638160814Ssimon 2639160814Ssimon if (ecdh_clnt_cert) 2640160814Ssimon { 2641160814Ssimon /* Send empty client key exch message */ 2642160814Ssimon n = 0; 2643160814Ssimon } 2644160814Ssimon else 2645160814Ssimon { 2646160814Ssimon /* First check the size of encoding and 2647160814Ssimon * allocate memory accordingly. 2648160814Ssimon */ 2649160814Ssimon encoded_pt_len = 2650160814Ssimon EC_POINT_point2oct(srvr_group, 2651160814Ssimon EC_KEY_get0_public_key(clnt_ecdh), 2652160814Ssimon POINT_CONVERSION_UNCOMPRESSED, 2653160814Ssimon NULL, 0, NULL); 2654160814Ssimon 2655160814Ssimon encodedPoint = (unsigned char *) 2656160814Ssimon OPENSSL_malloc(encoded_pt_len * 2657160814Ssimon sizeof(unsigned char)); 2658160814Ssimon bn_ctx = BN_CTX_new(); 2659160814Ssimon if ((encodedPoint == NULL) || 2660160814Ssimon (bn_ctx == NULL)) 2661160814Ssimon { 2662160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2663160814Ssimon goto err; 2664160814Ssimon } 2665160814Ssimon 2666160814Ssimon /* Encode the public key */ 2667160814Ssimon n = EC_POINT_point2oct(srvr_group, 2668160814Ssimon EC_KEY_get0_public_key(clnt_ecdh), 2669160814Ssimon POINT_CONVERSION_UNCOMPRESSED, 2670160814Ssimon encodedPoint, encoded_pt_len, bn_ctx); 2671160814Ssimon 2672160814Ssimon *p = n; /* length of encoded point */ 2673160814Ssimon /* Encoded point will be copied here */ 2674160814Ssimon p += 1; 2675160814Ssimon /* copy the point */ 2676160814Ssimon memcpy((unsigned char *)p, encodedPoint, n); 2677160814Ssimon /* increment n to account for length field */ 2678160814Ssimon n += 1; 2679160814Ssimon } 2680160814Ssimon 2681160814Ssimon /* Free allocated memory */ 2682160814Ssimon BN_CTX_free(bn_ctx); 2683160814Ssimon if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2684160814Ssimon if (clnt_ecdh != NULL) 2685160814Ssimon EC_KEY_free(clnt_ecdh); 2686160814Ssimon EVP_PKEY_free(srvr_pub_pkey); 2687160814Ssimon } 2688160814Ssimon#endif /* !OPENSSL_NO_ECDH */ 2689238405Sjkim else if (alg_k & SSL_kGOST) 2690238405Sjkim { 2691238405Sjkim /* GOST key exchange message creation */ 2692238405Sjkim EVP_PKEY_CTX *pkey_ctx; 2693238405Sjkim X509 *peer_cert; 2694238405Sjkim size_t msglen; 2695238405Sjkim unsigned int md_len; 2696238405Sjkim int keytype; 2697238405Sjkim unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2698238405Sjkim EVP_MD_CTX *ukm_hash; 2699238405Sjkim EVP_PKEY *pub_key; 2700238405Sjkim 2701238405Sjkim /* Get server sertificate PKEY and create ctx from it */ 2702238405Sjkim peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2703238405Sjkim if (!peer_cert) 2704238405Sjkim peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2705238405Sjkim if (!peer_cert) { 2706238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2707238405Sjkim goto err; 2708238405Sjkim } 2709238405Sjkim 2710238405Sjkim pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2711238405Sjkim /* If we have send a certificate, and certificate key 2712238405Sjkim 2713238405Sjkim * parameters match those of server certificate, use 2714238405Sjkim * certificate key for key exchange 2715238405Sjkim */ 2716238405Sjkim 2717238405Sjkim /* Otherwise, generate ephemeral key pair */ 2718238405Sjkim 2719238405Sjkim EVP_PKEY_encrypt_init(pkey_ctx); 2720238405Sjkim /* Generate session key */ 2721238405Sjkim RAND_bytes(premaster_secret,32); 2722238405Sjkim /* If we have client certificate, use its secret as peer key */ 2723238405Sjkim if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2724238405Sjkim if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2725238405Sjkim /* If there was an error - just ignore it. Ephemeral key 2726238405Sjkim * would be used 2727238405Sjkim */ 2728238405Sjkim ERR_clear_error(); 2729238405Sjkim } 2730238405Sjkim } 2731238405Sjkim /* Compute shared IV and store it in algorithm-specific 2732238405Sjkim * context data */ 2733238405Sjkim ukm_hash = EVP_MD_CTX_create(); 2734238405Sjkim EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2735238405Sjkim EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2736238405Sjkim EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2737238405Sjkim EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2738238405Sjkim EVP_MD_CTX_destroy(ukm_hash); 2739238405Sjkim if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2740238405Sjkim 8,shared_ukm)<0) { 2741238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2742238405Sjkim SSL_R_LIBRARY_BUG); 2743238405Sjkim goto err; 2744238405Sjkim } 2745238405Sjkim /* Make GOST keytransport blob message */ 2746238405Sjkim /*Encapsulate it into sequence */ 2747238405Sjkim *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2748238405Sjkim msglen=255; 2749238405Sjkim if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2750238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2751238405Sjkim SSL_R_LIBRARY_BUG); 2752238405Sjkim goto err; 2753238405Sjkim } 2754238405Sjkim if (msglen >= 0x80) 2755238405Sjkim { 2756238405Sjkim *(p++)=0x81; 2757238405Sjkim *(p++)= msglen & 0xff; 2758238405Sjkim n=msglen+3; 2759238405Sjkim } 2760238405Sjkim else 2761238405Sjkim { 2762238405Sjkim *(p++)= msglen & 0xff; 2763238405Sjkim n=msglen+2; 2764238405Sjkim } 2765238405Sjkim memcpy(p, tmp, msglen); 2766238405Sjkim /* Check if pubkey from client certificate was used */ 2767238405Sjkim if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2768238405Sjkim { 2769238405Sjkim /* Set flag "skip certificate verify" */ 2770238405Sjkim s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2771238405Sjkim } 2772238405Sjkim EVP_PKEY_CTX_free(pkey_ctx); 2773238405Sjkim s->session->master_key_length= 2774238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2775238405Sjkim s->session->master_key,premaster_secret,32); 2776238405Sjkim EVP_PKEY_free(pub_key); 2777238405Sjkim 2778238405Sjkim } 2779238405Sjkim#ifndef OPENSSL_NO_SRP 2780238405Sjkim else if (alg_k & SSL_kSRP) 2781238405Sjkim { 2782238405Sjkim if (s->srp_ctx.A != NULL) 2783238405Sjkim { 2784238405Sjkim /* send off the data */ 2785238405Sjkim n=BN_num_bytes(s->srp_ctx.A); 2786238405Sjkim s2n(n,p); 2787238405Sjkim BN_bn2bin(s->srp_ctx.A,p); 2788238405Sjkim n+=2; 2789238405Sjkim } 2790238405Sjkim else 2791238405Sjkim { 2792238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2793238405Sjkim goto err; 2794238405Sjkim } 2795238405Sjkim if (s->session->srp_username != NULL) 2796238405Sjkim OPENSSL_free(s->session->srp_username); 2797238405Sjkim s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2798238405Sjkim if (s->session->srp_username == NULL) 2799238405Sjkim { 2800238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2801238405Sjkim ERR_R_MALLOC_FAILURE); 2802238405Sjkim goto err; 2803238405Sjkim } 2804238405Sjkim 2805238405Sjkim if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2806238405Sjkim { 2807238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2808238405Sjkim goto err; 2809238405Sjkim } 2810238405Sjkim } 2811238405Sjkim#endif 2812238405Sjkim#ifndef OPENSSL_NO_PSK 2813238405Sjkim else if (alg_k & SSL_kPSK) 2814238405Sjkim { 2815238405Sjkim char identity[PSK_MAX_IDENTITY_LEN]; 2816238405Sjkim unsigned char *t = NULL; 2817238405Sjkim unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2818238405Sjkim unsigned int pre_ms_len = 0, psk_len = 0; 2819238405Sjkim int psk_err = 1; 2820238405Sjkim 2821238405Sjkim n = 0; 2822238405Sjkim if (s->psk_client_callback == NULL) 2823238405Sjkim { 2824238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2825238405Sjkim SSL_R_PSK_NO_CLIENT_CB); 2826238405Sjkim goto err; 2827238405Sjkim } 2828238405Sjkim 2829238405Sjkim psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2830238405Sjkim identity, PSK_MAX_IDENTITY_LEN, 2831238405Sjkim psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2832238405Sjkim if (psk_len > PSK_MAX_PSK_LEN) 2833238405Sjkim { 2834238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2835238405Sjkim ERR_R_INTERNAL_ERROR); 2836238405Sjkim goto psk_err; 2837238405Sjkim } 2838238405Sjkim else if (psk_len == 0) 2839238405Sjkim { 2840238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2841238405Sjkim SSL_R_PSK_IDENTITY_NOT_FOUND); 2842238405Sjkim goto psk_err; 2843238405Sjkim } 2844238405Sjkim 2845238405Sjkim /* create PSK pre_master_secret */ 2846238405Sjkim pre_ms_len = 2+psk_len+2+psk_len; 2847238405Sjkim t = psk_or_pre_ms; 2848238405Sjkim memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2849238405Sjkim s2n(psk_len, t); 2850238405Sjkim memset(t, 0, psk_len); 2851238405Sjkim t+=psk_len; 2852238405Sjkim s2n(psk_len, t); 2853238405Sjkim 2854238405Sjkim if (s->session->psk_identity_hint != NULL) 2855238405Sjkim OPENSSL_free(s->session->psk_identity_hint); 2856238405Sjkim s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2857238405Sjkim if (s->ctx->psk_identity_hint != NULL && 2858238405Sjkim s->session->psk_identity_hint == NULL) 2859238405Sjkim { 2860238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2861238405Sjkim ERR_R_MALLOC_FAILURE); 2862238405Sjkim goto psk_err; 2863238405Sjkim } 2864238405Sjkim 2865238405Sjkim if (s->session->psk_identity != NULL) 2866238405Sjkim OPENSSL_free(s->session->psk_identity); 2867238405Sjkim s->session->psk_identity = BUF_strdup(identity); 2868238405Sjkim if (s->session->psk_identity == NULL) 2869238405Sjkim { 2870238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2871238405Sjkim ERR_R_MALLOC_FAILURE); 2872238405Sjkim goto psk_err; 2873238405Sjkim } 2874238405Sjkim 2875238405Sjkim s->session->master_key_length = 2876238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2877238405Sjkim s->session->master_key, 2878238405Sjkim psk_or_pre_ms, pre_ms_len); 2879238405Sjkim n = strlen(identity); 2880238405Sjkim s2n(n, p); 2881238405Sjkim memcpy(p, identity, n); 2882238405Sjkim n+=2; 2883238405Sjkim psk_err = 0; 2884238405Sjkim psk_err: 2885238405Sjkim OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2886238405Sjkim OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2887238405Sjkim if (psk_err != 0) 2888238405Sjkim { 2889238405Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2890238405Sjkim goto err; 2891238405Sjkim } 2892238405Sjkim } 2893238405Sjkim#endif 289455714Skris else 289555714Skris { 2896160814Ssimon ssl3_send_alert(s, SSL3_AL_FATAL, 2897160814Ssimon SSL_AD_HANDSHAKE_FAILURE); 2898160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2899160814Ssimon ERR_R_INTERNAL_ERROR); 290055714Skris goto err; 290155714Skris } 290255714Skris 290355714Skris *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 290455714Skris l2n3(n,d); 290555714Skris 290655714Skris s->state=SSL3_ST_CW_KEY_EXCH_B; 290755714Skris /* number of bytes to write */ 290855714Skris s->init_num=n+4; 290955714Skris s->init_off=0; 291055714Skris } 291155714Skris 291255714Skris /* SSL3_ST_CW_KEY_EXCH_B */ 291355714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 291455714Skriserr: 2915160814Ssimon#ifndef OPENSSL_NO_ECDH 2916160814Ssimon BN_CTX_free(bn_ctx); 2917160814Ssimon if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2918160814Ssimon if (clnt_ecdh != NULL) 2919160814Ssimon EC_KEY_free(clnt_ecdh); 2920160814Ssimon EVP_PKEY_free(srvr_pub_pkey); 2921160814Ssimon#endif 292255714Skris return(-1); 292355714Skris } 292455714Skris 2925160814Ssimonint ssl3_send_client_verify(SSL *s) 292655714Skris { 292755714Skris unsigned char *p,*d; 292855714Skris unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 292955714Skris EVP_PKEY *pkey; 2930238405Sjkim EVP_PKEY_CTX *pctx=NULL; 2931238405Sjkim EVP_MD_CTX mctx; 293259191Skris unsigned u=0; 293355714Skris unsigned long n; 293455714Skris int j; 293555714Skris 2936238405Sjkim EVP_MD_CTX_init(&mctx); 2937238405Sjkim 293855714Skris if (s->state == SSL3_ST_CW_CERT_VRFY_A) 293955714Skris { 294055714Skris d=(unsigned char *)s->init_buf->data; 294155714Skris p= &(d[4]); 294255714Skris pkey=s->cert->key->privatekey; 2943238405Sjkim/* Create context from key and test if sha1 is allowed as digest */ 2944238405Sjkim pctx = EVP_PKEY_CTX_new(pkey,NULL); 2945238405Sjkim EVP_PKEY_sign_init(pctx); 2946238405Sjkim if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2947238405Sjkim { 2948238405Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION) 2949238405Sjkim s->method->ssl3_enc->cert_verify_mac(s, 2950238405Sjkim NID_sha1, 2951238405Sjkim &(data[MD5_DIGEST_LENGTH])); 2952238405Sjkim } 2953238405Sjkim else 2954238405Sjkim { 2955238405Sjkim ERR_clear_error(); 2956238405Sjkim } 2957238405Sjkim /* For TLS v1.2 send signature algorithm and signature 2958238405Sjkim * using agreed digest and cached handshake records. 2959238405Sjkim */ 2960238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 2961238405Sjkim { 2962238405Sjkim long hdatalen = 0; 2963238405Sjkim void *hdata; 2964238405Sjkim const EVP_MD *md = s->cert->key->digest; 2965238405Sjkim hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2966238405Sjkim &hdata); 2967238405Sjkim if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 2968238405Sjkim { 2969238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2970238405Sjkim ERR_R_INTERNAL_ERROR); 2971238405Sjkim goto err; 2972238405Sjkim } 2973238405Sjkim p += 2; 2974238405Sjkim#ifdef SSL_DEBUG 2975238405Sjkim fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 2976238405Sjkim EVP_MD_name(md)); 2977238405Sjkim#endif 2978238405Sjkim if (!EVP_SignInit_ex(&mctx, md, NULL) 2979238405Sjkim || !EVP_SignUpdate(&mctx, hdata, hdatalen) 2980238405Sjkim || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 2981238405Sjkim { 2982238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2983238405Sjkim ERR_R_EVP_LIB); 2984238405Sjkim goto err; 2985238405Sjkim } 2986238405Sjkim s2n(u,p); 2987238405Sjkim n = u + 4; 2988238405Sjkim if (!ssl3_digest_cached_records(s)) 2989238405Sjkim goto err; 2990238405Sjkim } 2991238405Sjkim else 2992109998Smarkm#ifndef OPENSSL_NO_RSA 299355714Skris if (pkey->type == EVP_PKEY_RSA) 299455714Skris { 299555714Skris s->method->ssl3_enc->cert_verify_mac(s, 2996238405Sjkim NID_md5, 2997238405Sjkim &(data[0])); 299859191Skris if (RSA_sign(NID_md5_sha1, data, 299959191Skris MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 300059191Skris &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 300155714Skris { 300255714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 300355714Skris goto err; 300455714Skris } 300559191Skris s2n(u,p); 300659191Skris n=u+2; 300755714Skris } 300855714Skris else 300955714Skris#endif 3010109998Smarkm#ifndef OPENSSL_NO_DSA 301155714Skris if (pkey->type == EVP_PKEY_DSA) 301255714Skris { 301355714Skris if (!DSA_sign(pkey->save_type, 301455714Skris &(data[MD5_DIGEST_LENGTH]), 301555714Skris SHA_DIGEST_LENGTH,&(p[2]), 301655714Skris (unsigned int *)&j,pkey->pkey.dsa)) 301755714Skris { 301855714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 301955714Skris goto err; 302055714Skris } 302155714Skris s2n(j,p); 302255714Skris n=j+2; 302355714Skris } 302455714Skris else 302555714Skris#endif 3026160814Ssimon#ifndef OPENSSL_NO_ECDSA 3027160814Ssimon if (pkey->type == EVP_PKEY_EC) 302855714Skris { 3029160814Ssimon if (!ECDSA_sign(pkey->save_type, 3030160814Ssimon &(data[MD5_DIGEST_LENGTH]), 3031160814Ssimon SHA_DIGEST_LENGTH,&(p[2]), 3032160814Ssimon (unsigned int *)&j,pkey->pkey.ec)) 3033160814Ssimon { 3034160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3035160814Ssimon ERR_R_ECDSA_LIB); 3036160814Ssimon goto err; 3037160814Ssimon } 3038160814Ssimon s2n(j,p); 3039160814Ssimon n=j+2; 3040160814Ssimon } 3041160814Ssimon else 3042160814Ssimon#endif 3043238405Sjkim if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3044238405Sjkim { 3045238405Sjkim unsigned char signbuf[64]; 3046238405Sjkim int i; 3047238405Sjkim size_t sigsize=64; 3048238405Sjkim s->method->ssl3_enc->cert_verify_mac(s, 3049238405Sjkim NID_id_GostR3411_94, 3050238405Sjkim data); 3051238405Sjkim if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 3052238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3053238405Sjkim ERR_R_INTERNAL_ERROR); 3054238405Sjkim goto err; 3055238405Sjkim } 3056238405Sjkim for (i=63,j=0; i>=0; j++, i--) { 3057238405Sjkim p[2+j]=signbuf[i]; 3058238405Sjkim } 3059238405Sjkim s2n(j,p); 3060238405Sjkim n=j+2; 3061238405Sjkim } 3062238405Sjkim else 3063238405Sjkim { 3064109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 306555714Skris goto err; 3066238405Sjkim } 306755714Skris *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 306855714Skris l2n3(n,d); 306955714Skris 3070120631Snectar s->state=SSL3_ST_CW_CERT_VRFY_B; 307155714Skris s->init_num=(int)n+4; 307255714Skris s->init_off=0; 307355714Skris } 3074238405Sjkim EVP_MD_CTX_cleanup(&mctx); 3075238405Sjkim EVP_PKEY_CTX_free(pctx); 307655714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 307755714Skriserr: 3078238405Sjkim EVP_MD_CTX_cleanup(&mctx); 3079238405Sjkim EVP_PKEY_CTX_free(pctx); 308055714Skris return(-1); 308155714Skris } 308255714Skris 3083160814Ssimonint ssl3_send_client_certificate(SSL *s) 308455714Skris { 308555714Skris X509 *x509=NULL; 308655714Skris EVP_PKEY *pkey=NULL; 308755714Skris int i; 308855714Skris unsigned long l; 308955714Skris 309055714Skris if (s->state == SSL3_ST_CW_CERT_A) 309155714Skris { 309255714Skris if ((s->cert == NULL) || 309355714Skris (s->cert->key->x509 == NULL) || 309455714Skris (s->cert->key->privatekey == NULL)) 309555714Skris s->state=SSL3_ST_CW_CERT_B; 309655714Skris else 309755714Skris s->state=SSL3_ST_CW_CERT_C; 309855714Skris } 309955714Skris 310055714Skris /* We need to get a client cert */ 310155714Skris if (s->state == SSL3_ST_CW_CERT_B) 310255714Skris { 310355714Skris /* If we get an error, we need to 310455714Skris * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 310555714Skris * We then get retied later */ 310655714Skris i=0; 3107194206Ssimon i = ssl_do_client_cert_cb(s, &x509, &pkey); 310855714Skris if (i < 0) 310955714Skris { 311055714Skris s->rwstate=SSL_X509_LOOKUP; 311155714Skris return(-1); 311255714Skris } 311355714Skris s->rwstate=SSL_NOTHING; 311455714Skris if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 311555714Skris { 311655714Skris s->state=SSL3_ST_CW_CERT_B; 311755714Skris if ( !SSL_use_certificate(s,x509) || 311855714Skris !SSL_use_PrivateKey(s,pkey)) 311955714Skris i=0; 312055714Skris } 312155714Skris else if (i == 1) 312255714Skris { 312355714Skris i=0; 312455714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 312555714Skris } 312655714Skris 312755714Skris if (x509 != NULL) X509_free(x509); 312855714Skris if (pkey != NULL) EVP_PKEY_free(pkey); 312955714Skris if (i == 0) 313055714Skris { 313155714Skris if (s->version == SSL3_VERSION) 313255714Skris { 313355714Skris s->s3->tmp.cert_req=0; 313455714Skris ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 313555714Skris return(1); 313655714Skris } 313755714Skris else 313855714Skris { 313955714Skris s->s3->tmp.cert_req=2; 314055714Skris } 314155714Skris } 314255714Skris 314355714Skris /* Ok, we have a cert */ 314455714Skris s->state=SSL3_ST_CW_CERT_C; 314555714Skris } 314655714Skris 314755714Skris if (s->state == SSL3_ST_CW_CERT_C) 314855714Skris { 314955714Skris s->state=SSL3_ST_CW_CERT_D; 315055714Skris l=ssl3_output_cert_chain(s, 315155714Skris (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 315255714Skris s->init_num=(int)l; 315355714Skris s->init_off=0; 315455714Skris } 315555714Skris /* SSL3_ST_CW_CERT_D */ 315655714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 315755714Skris } 315855714Skris 315955714Skris#define has_bits(i,m) (((i)&(m)) == (m)) 316055714Skris 3161160814Ssimonint ssl3_check_cert_and_algorithm(SSL *s) 316255714Skris { 316355714Skris int i,idx; 3164238405Sjkim long alg_k,alg_a; 316555714Skris EVP_PKEY *pkey=NULL; 316655714Skris SESS_CERT *sc; 3167109998Smarkm#ifndef OPENSSL_NO_RSA 316855714Skris RSA *rsa; 316955714Skris#endif 3170109998Smarkm#ifndef OPENSSL_NO_DH 317155714Skris DH *dh; 317255714Skris#endif 317355714Skris 3174238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 3175238405Sjkim alg_a=s->s3->tmp.new_cipher->algorithm_auth; 317655714Skris 3177194206Ssimon /* we don't have a certificate */ 3178238405Sjkim if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 3179194206Ssimon return(1); 3180194206Ssimon 3181238405Sjkim sc=s->session->sess_cert; 318255714Skris if (sc == NULL) 318355714Skris { 3184109998Smarkm SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 318555714Skris goto err; 318655714Skris } 318755714Skris 3188109998Smarkm#ifndef OPENSSL_NO_RSA 318955714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 319055714Skris#endif 3191109998Smarkm#ifndef OPENSSL_NO_DH 319255714Skris dh=s->session->sess_cert->peer_dh_tmp; 319355714Skris#endif 319455714Skris 319555714Skris /* This is the passed certificate */ 319655714Skris 319755714Skris idx=sc->peer_cert_type; 3198160814Ssimon#ifndef OPENSSL_NO_ECDH 3199160814Ssimon if (idx == SSL_PKEY_ECC) 3200160814Ssimon { 3201238405Sjkim if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3202238405Sjkim s) == 0) 3203160814Ssimon { /* check failed */ 3204160814Ssimon SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 3205238405Sjkim goto f_err; 3206160814Ssimon } 3207160814Ssimon else 3208160814Ssimon { 3209160814Ssimon return 1; 3210160814Ssimon } 3211160814Ssimon } 3212160814Ssimon#endif 321355714Skris pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 321455714Skris i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 321555714Skris EVP_PKEY_free(pkey); 321655714Skris 321755714Skris 321855714Skris /* Check that we have a certificate if we require one */ 3219238405Sjkim if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 322055714Skris { 322155714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 322255714Skris goto f_err; 322355714Skris } 3224109998Smarkm#ifndef OPENSSL_NO_DSA 3225238405Sjkim else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 322655714Skris { 322755714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 322855714Skris goto f_err; 322955714Skris } 323055714Skris#endif 3231109998Smarkm#ifndef OPENSSL_NO_RSA 3232238405Sjkim if ((alg_k & SSL_kRSA) && 323355714Skris !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 323455714Skris { 323555714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 323655714Skris goto f_err; 323755714Skris } 323855714Skris#endif 3239109998Smarkm#ifndef OPENSSL_NO_DH 3240238405Sjkim if ((alg_k & SSL_kEDH) && 324155714Skris !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 324255714Skris { 324355714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 324455714Skris goto f_err; 324555714Skris } 3246238405Sjkim else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 324755714Skris { 324855714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 324955714Skris goto f_err; 325055714Skris } 3251109998Smarkm#ifndef OPENSSL_NO_DSA 3252238405Sjkim else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 325355714Skris { 325455714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 325555714Skris goto f_err; 325655714Skris } 325755714Skris#endif 325855714Skris#endif 325955714Skris 326059191Skris if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 326155714Skris { 3262109998Smarkm#ifndef OPENSSL_NO_RSA 3263238405Sjkim if (alg_k & SSL_kRSA) 326455714Skris { 326555714Skris if (rsa == NULL 3266127128Snectar || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 326755714Skris { 326855714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 326955714Skris goto f_err; 327055714Skris } 327155714Skris } 327255714Skris else 327355714Skris#endif 3274109998Smarkm#ifndef OPENSSL_NO_DH 3275238405Sjkim if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 327655714Skris { 327755714Skris if (dh == NULL 3278127128Snectar || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 327955714Skris { 328055714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 328155714Skris goto f_err; 328255714Skris } 328355714Skris } 328455714Skris else 328555714Skris#endif 328655714Skris { 328755714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 328855714Skris goto f_err; 328955714Skris } 329055714Skris } 329155714Skris return(1); 329255714Skrisf_err: 329355714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 329455714Skriserr: 329555714Skris return(0); 329655714Skris } 329755714Skris 3298238405Sjkim#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3299238405Sjkimint ssl3_send_next_proto(SSL *s) 3300160814Ssimon { 3301238405Sjkim unsigned int len, padding_len; 3302238405Sjkim unsigned char *d; 3303160814Ssimon 3304238405Sjkim if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3305238405Sjkim { 3306238405Sjkim len = s->next_proto_negotiated_len; 3307238405Sjkim padding_len = 32 - ((len + 2) % 32); 3308238405Sjkim d = (unsigned char *)s->init_buf->data; 3309238405Sjkim d[4] = len; 3310238405Sjkim memcpy(d + 5, s->next_proto_negotiated, len); 3311238405Sjkim d[5 + len] = padding_len; 3312238405Sjkim memset(d + 6 + len, 0, padding_len); 3313238405Sjkim *(d++)=SSL3_MT_NEXT_PROTO; 3314238405Sjkim l2n3(2 + len + padding_len, d); 3315238405Sjkim s->state = SSL3_ST_CW_NEXT_PROTO_B; 3316238405Sjkim s->init_num = 4 + 2 + len + padding_len; 3317238405Sjkim s->init_off = 0; 3318238405Sjkim } 3319238405Sjkim 3320238405Sjkim return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3321160814Ssimon} 3322238405Sjkim#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3323194206Ssimon 3324194206Ssimon/* Check to see if handshake is full or resumed. Usually this is just a 3325194206Ssimon * case of checking to see if a cache hit has occurred. In the case of 3326194206Ssimon * session tickets we have to check the next message to be sure. 3327194206Ssimon */ 3328194206Ssimon 3329194206Ssimon#ifndef OPENSSL_NO_TLSEXT 3330205128Ssimonint ssl3_check_finished(SSL *s) 3331194206Ssimon { 3332194206Ssimon int ok; 3333194206Ssimon long n; 3334238405Sjkim /* If we have no ticket it cannot be a resumed session. */ 3335238405Sjkim if (!s->session->tlsext_tick) 3336194206Ssimon return 1; 3337194206Ssimon /* this function is called when we really expect a Certificate 3338194206Ssimon * message, so permit appropriate message length */ 3339194206Ssimon n=s->method->ssl_get_message(s, 3340194206Ssimon SSL3_ST_CR_CERT_A, 3341194206Ssimon SSL3_ST_CR_CERT_B, 3342194206Ssimon -1, 3343194206Ssimon s->max_cert_list, 3344194206Ssimon &ok); 3345194206Ssimon if (!ok) return((int)n); 3346194206Ssimon s->s3->tmp.reuse_message = 1; 3347194206Ssimon if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3348194206Ssimon || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3349194206Ssimon return 2; 3350194206Ssimon 3351194206Ssimon return 1; 3352194206Ssimon } 3353194206Ssimon#endif 3354194206Ssimon 3355194206Ssimonint ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3356194206Ssimon { 3357194206Ssimon int i = 0; 3358194206Ssimon#ifndef OPENSSL_NO_ENGINE 3359194206Ssimon if (s->ctx->client_cert_engine) 3360194206Ssimon { 3361194206Ssimon i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3362194206Ssimon SSL_get_client_CA_list(s), 3363194206Ssimon px509, ppkey, NULL, NULL, NULL); 3364194206Ssimon if (i != 0) 3365194206Ssimon return i; 3366194206Ssimon } 3367194206Ssimon#endif 3368194206Ssimon if (s->ctx->client_cert_cb) 3369194206Ssimon i = s->ctx->client_cert_cb(s,px509,ppkey); 3370194206Ssimon return i; 3371194206Ssimon } 3372