s3_clnt.c revision 269686
155714Skris/* ssl/s3_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 58100928Snectar/* ==================================================================== 59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60100928Snectar * 61100928Snectar * Redistribution and use in source and binary forms, with or without 62100928Snectar * modification, are permitted provided that the following conditions 63100928Snectar * are met: 64100928Snectar * 65100928Snectar * 1. Redistributions of source code must retain the above copyright 66100928Snectar * notice, this list of conditions and the following disclaimer. 67100928Snectar * 68100928Snectar * 2. Redistributions in binary form must reproduce the above copyright 69100928Snectar * notice, this list of conditions and the following disclaimer in 70100928Snectar * the documentation and/or other materials provided with the 71100928Snectar * distribution. 72100928Snectar * 73100928Snectar * 3. All advertising materials mentioning features or use of this 74100928Snectar * software must display the following acknowledgment: 75100928Snectar * "This product includes software developed by the OpenSSL Project 76100928Snectar * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77100928Snectar * 78100928Snectar * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79100928Snectar * endorse or promote products derived from this software without 80100928Snectar * prior written permission. For written permission, please contact 81100928Snectar * openssl-core@openssl.org. 82100928Snectar * 83100928Snectar * 5. Products derived from this software may not be called "OpenSSL" 84100928Snectar * nor may "OpenSSL" appear in their names without prior written 85100928Snectar * permission of the OpenSSL Project. 86100928Snectar * 87100928Snectar * 6. Redistributions of any form whatsoever must retain the following 88100928Snectar * acknowledgment: 89100928Snectar * "This product includes software developed by the OpenSSL Project 90100928Snectar * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91100928Snectar * 92100928Snectar * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93100928Snectar * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94100928Snectar * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95100928Snectar * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96100928Snectar * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97100928Snectar * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98100928Snectar * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99100928Snectar * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100100928Snectar * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101100928Snectar * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102100928Snectar * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103100928Snectar * OF THE POSSIBILITY OF SUCH DAMAGE. 104100928Snectar * ==================================================================== 105100928Snectar * 106100928Snectar * This product includes cryptographic software written by Eric Young 107100928Snectar * (eay@cryptsoft.com). This product includes software written by Tim 108100928Snectar * Hudson (tjh@cryptsoft.com). 109100928Snectar * 110100928Snectar */ 111160814Ssimon/* ==================================================================== 112160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113160814Ssimon * 114160814Ssimon * Portions of the attached software ("Contribution") are developed by 115160814Ssimon * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116160814Ssimon * 117160814Ssimon * The Contribution is licensed pursuant to the OpenSSL open source 118160814Ssimon * license provided above. 119160814Ssimon * 120160814Ssimon * ECC cipher suite support in OpenSSL originally written by 121160814Ssimon * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122160814Ssimon * 123160814Ssimon */ 124238405Sjkim/* ==================================================================== 125238405Sjkim * Copyright 2005 Nokia. All rights reserved. 126238405Sjkim * 127238405Sjkim * The portions of the attached software ("Contribution") is developed by 128238405Sjkim * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129238405Sjkim * license. 130238405Sjkim * 131238405Sjkim * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132238405Sjkim * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133238405Sjkim * support (see RFC 4279) to OpenSSL. 134238405Sjkim * 135238405Sjkim * No patent licenses or other rights except those expressly stated in 136238405Sjkim * the OpenSSL open source license shall be deemed granted or received 137238405Sjkim * expressly, by implication, estoppel, or otherwise. 138238405Sjkim * 139238405Sjkim * No assurances are provided by Nokia that the Contribution does not 140238405Sjkim * infringe the patent or other intellectual property rights of any third 141238405Sjkim * party or that the license provides you with all the necessary rights 142238405Sjkim * to make use of the Contribution. 143238405Sjkim * 144238405Sjkim * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145238405Sjkim * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146238405Sjkim * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147238405Sjkim * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148238405Sjkim * OTHERWISE. 149238405Sjkim */ 15055714Skris 15155714Skris#include <stdio.h> 152109998Smarkm#include "ssl_locl.h" 153109998Smarkm#include "kssl_lcl.h" 15455714Skris#include <openssl/buffer.h> 15555714Skris#include <openssl/rand.h> 15655714Skris#include <openssl/objects.h> 157109998Smarkm#include <openssl/evp.h> 15855714Skris#include <openssl/md5.h> 159194206Ssimon#ifdef OPENSSL_FIPS 160194206Ssimon#include <openssl/fips.h> 161194206Ssimon#endif 162160814Ssimon#ifndef OPENSSL_NO_DH 163160814Ssimon#include <openssl/dh.h> 164160814Ssimon#endif 165160814Ssimon#include <openssl/bn.h> 166194206Ssimon#ifndef OPENSSL_NO_ENGINE 167194206Ssimon#include <openssl/engine.h> 168194206Ssimon#endif 16955714Skris 170238405Sjkimstatic const SSL_METHOD *ssl3_get_client_method(int ver); 17168651Skrisstatic int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 172160814Ssimon 173238405Sjkimstatic const SSL_METHOD *ssl3_get_client_method(int ver) 17455714Skris { 17555714Skris if (ver == SSL3_VERSION) 17655714Skris return(SSLv3_client_method()); 17755714Skris else 17855714Skris return(NULL); 17955714Skris } 18055714Skris 181160814SsimonIMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182160814Ssimon ssl_undefined_function, 183160814Ssimon ssl3_connect, 184160814Ssimon ssl3_get_client_method) 18555714Skris 18655714Skrisint ssl3_connect(SSL *s) 18755714Skris { 188109998Smarkm BUF_MEM *buf=NULL; 189215697Ssimon unsigned long Time=(unsigned long)time(NULL); 190109998Smarkm void (*cb)(const SSL *ssl,int type,int val)=NULL; 19155714Skris int ret= -1; 192194206Ssimon int new_state,state,skip=0; 19355714Skris 19459191Skris RAND_add(&Time,sizeof(Time),0); 19555714Skris ERR_clear_error(); 19655714Skris clear_sys_error(); 19755714Skris 19855714Skris if (s->info_callback != NULL) 19955714Skris cb=s->info_callback; 20055714Skris else if (s->ctx->info_callback != NULL) 20155714Skris cb=s->ctx->info_callback; 20255714Skris 20389837Skris s->in_handshake++; 20455714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 20555714Skris 206238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 207238405Sjkim /* If we're awaiting a HeartbeatResponse, pretend we 208238405Sjkim * already got and don't await it anymore, because 209238405Sjkim * Heartbeats don't make sense during handshakes anyway. 210238405Sjkim */ 211238405Sjkim if (s->tlsext_hb_pending) 212238405Sjkim { 213238405Sjkim s->tlsext_hb_pending = 0; 214238405Sjkim s->tlsext_hb_seq++; 215238405Sjkim } 216238405Sjkim#endif 217238405Sjkim 21855714Skris for (;;) 21955714Skris { 22055714Skris state=s->state; 22155714Skris 22255714Skris switch(s->state) 22355714Skris { 22455714Skris case SSL_ST_RENEGOTIATE: 225238405Sjkim s->renegotiate=1; 22655714Skris s->state=SSL_ST_CONNECT; 22755714Skris s->ctx->stats.sess_connect_renegotiate++; 22855714Skris /* break */ 22955714Skris case SSL_ST_BEFORE: 23055714Skris case SSL_ST_CONNECT: 23155714Skris case SSL_ST_BEFORE|SSL_ST_CONNECT: 23255714Skris case SSL_ST_OK|SSL_ST_CONNECT: 23355714Skris 23455714Skris s->server=0; 23555714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 23655714Skris 23755714Skris if ((s->version & 0xff00 ) != 0x0300) 23868651Skris { 239109998Smarkm SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 24068651Skris ret = -1; 24168651Skris goto end; 24268651Skris } 24368651Skris 24455714Skris /* s->version=SSL3_VERSION; */ 24555714Skris s->type=SSL_ST_CONNECT; 24655714Skris 24755714Skris if (s->init_buf == NULL) 24855714Skris { 24955714Skris if ((buf=BUF_MEM_new()) == NULL) 25055714Skris { 25155714Skris ret= -1; 25255714Skris goto end; 25355714Skris } 25455714Skris if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 25555714Skris { 25655714Skris ret= -1; 25755714Skris goto end; 25855714Skris } 25955714Skris s->init_buf=buf; 260109998Smarkm buf=NULL; 26155714Skris } 26255714Skris 26355714Skris if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 26455714Skris 26555714Skris /* setup buffing BIO */ 26655714Skris if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 26755714Skris 26855714Skris /* don't push the buffering BIO quite yet */ 26955714Skris 27055714Skris ssl3_init_finished_mac(s); 27155714Skris 27255714Skris s->state=SSL3_ST_CW_CLNT_HELLO_A; 27355714Skris s->ctx->stats.sess_connect++; 27455714Skris s->init_num=0; 27555714Skris break; 27655714Skris 27755714Skris case SSL3_ST_CW_CLNT_HELLO_A: 27855714Skris case SSL3_ST_CW_CLNT_HELLO_B: 27955714Skris 28055714Skris s->shutdown=0; 28155714Skris ret=ssl3_client_hello(s); 28255714Skris if (ret <= 0) goto end; 28355714Skris s->state=SSL3_ST_CR_SRVR_HELLO_A; 28455714Skris s->init_num=0; 28555714Skris 28655714Skris /* turn on buffering for the next lot of output */ 28755714Skris if (s->bbio != s->wbio) 28855714Skris s->wbio=BIO_push(s->bbio,s->wbio); 28955714Skris 29055714Skris break; 29155714Skris 29255714Skris case SSL3_ST_CR_SRVR_HELLO_A: 29355714Skris case SSL3_ST_CR_SRVR_HELLO_B: 29455714Skris ret=ssl3_get_server_hello(s); 29555714Skris if (ret <= 0) goto end; 296238405Sjkim 29755714Skris if (s->hit) 298238405Sjkim { 29955714Skris s->state=SSL3_ST_CR_FINISHED_A; 300238405Sjkim#ifndef OPENSSL_NO_TLSEXT 301238405Sjkim if (s->tlsext_ticket_expected) 302238405Sjkim { 303238405Sjkim /* receive renewed session ticket */ 304238405Sjkim s->state=SSL3_ST_CR_SESSION_TICKET_A; 305238405Sjkim } 306238405Sjkim#endif 307238405Sjkim } 30855714Skris else 30955714Skris s->state=SSL3_ST_CR_CERT_A; 31055714Skris s->init_num=0; 31155714Skris break; 31255714Skris 31355714Skris case SSL3_ST_CR_CERT_A: 31455714Skris case SSL3_ST_CR_CERT_B: 315194206Ssimon#ifndef OPENSSL_NO_TLSEXT 316194206Ssimon ret=ssl3_check_finished(s); 317194206Ssimon if (ret <= 0) goto end; 318194206Ssimon if (ret == 2) 319194206Ssimon { 320194206Ssimon s->hit = 1; 321194206Ssimon if (s->tlsext_ticket_expected) 322194206Ssimon s->state=SSL3_ST_CR_SESSION_TICKET_A; 323194206Ssimon else 324194206Ssimon s->state=SSL3_ST_CR_FINISHED_A; 325194206Ssimon s->init_num=0; 326194206Ssimon break; 327194206Ssimon } 328194206Ssimon#endif 329160814Ssimon /* Check if it is anon DH/ECDH */ 330238405Sjkim /* or PSK */ 331238405Sjkim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 332238405Sjkim !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 33355714Skris { 33455714Skris ret=ssl3_get_server_certificate(s); 33555714Skris if (ret <= 0) goto end; 336194206Ssimon#ifndef OPENSSL_NO_TLSEXT 337194206Ssimon if (s->tlsext_status_expected) 338194206Ssimon s->state=SSL3_ST_CR_CERT_STATUS_A; 339194206Ssimon else 340194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 34155714Skris } 34255714Skris else 343194206Ssimon { 344194206Ssimon skip = 1; 345194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 346194206Ssimon } 347194206Ssimon#else 348194206Ssimon } 349194206Ssimon else 35055714Skris skip=1; 351194206Ssimon 35255714Skris s->state=SSL3_ST_CR_KEY_EXCH_A; 353194206Ssimon#endif 35455714Skris s->init_num=0; 35555714Skris break; 35655714Skris 35755714Skris case SSL3_ST_CR_KEY_EXCH_A: 35855714Skris case SSL3_ST_CR_KEY_EXCH_B: 35955714Skris ret=ssl3_get_key_exchange(s); 36055714Skris if (ret <= 0) goto end; 36155714Skris s->state=SSL3_ST_CR_CERT_REQ_A; 36255714Skris s->init_num=0; 36355714Skris 36455714Skris /* at this point we check that we have the 36555714Skris * required stuff from the server */ 36655714Skris if (!ssl3_check_cert_and_algorithm(s)) 36755714Skris { 36855714Skris ret= -1; 36955714Skris goto end; 37055714Skris } 37155714Skris break; 37255714Skris 37355714Skris case SSL3_ST_CR_CERT_REQ_A: 37455714Skris case SSL3_ST_CR_CERT_REQ_B: 37555714Skris ret=ssl3_get_certificate_request(s); 37655714Skris if (ret <= 0) goto end; 37755714Skris s->state=SSL3_ST_CR_SRVR_DONE_A; 37855714Skris s->init_num=0; 37955714Skris break; 38055714Skris 38155714Skris case SSL3_ST_CR_SRVR_DONE_A: 38255714Skris case SSL3_ST_CR_SRVR_DONE_B: 38355714Skris ret=ssl3_get_server_done(s); 38455714Skris if (ret <= 0) goto end; 385238405Sjkim#ifndef OPENSSL_NO_SRP 386238405Sjkim if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 387238405Sjkim { 388238405Sjkim if ((ret = SRP_Calc_A_param(s))<=0) 389238405Sjkim { 390238405Sjkim SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC); 391238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); 392238405Sjkim goto end; 393238405Sjkim } 394238405Sjkim } 395238405Sjkim#endif 39655714Skris if (s->s3->tmp.cert_req) 39755714Skris s->state=SSL3_ST_CW_CERT_A; 39855714Skris else 39955714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 40055714Skris s->init_num=0; 40155714Skris 40255714Skris break; 40355714Skris 40455714Skris case SSL3_ST_CW_CERT_A: 40555714Skris case SSL3_ST_CW_CERT_B: 40655714Skris case SSL3_ST_CW_CERT_C: 40755714Skris case SSL3_ST_CW_CERT_D: 40855714Skris ret=ssl3_send_client_certificate(s); 40955714Skris if (ret <= 0) goto end; 41055714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 41155714Skris s->init_num=0; 41255714Skris break; 41355714Skris 41455714Skris case SSL3_ST_CW_KEY_EXCH_A: 41555714Skris case SSL3_ST_CW_KEY_EXCH_B: 41655714Skris ret=ssl3_send_client_key_exchange(s); 41755714Skris if (ret <= 0) goto end; 41855714Skris /* EAY EAY EAY need to check for DH fix cert 41955714Skris * sent back */ 42055714Skris /* For TLS, cert_req is set to 2, so a cert chain 42155714Skris * of nothing is sent, but no verify packet is sent */ 422160814Ssimon /* XXX: For now, we do not support client 423160814Ssimon * authentication in ECDH cipher suites with 424160814Ssimon * ECDH (rather than ECDSA) certificates. 425160814Ssimon * We need to skip the certificate verify 426160814Ssimon * message when client's ECDH public key is sent 427160814Ssimon * inside the client certificate. 428160814Ssimon */ 42955714Skris if (s->s3->tmp.cert_req == 1) 43055714Skris { 43155714Skris s->state=SSL3_ST_CW_CERT_VRFY_A; 43255714Skris } 43355714Skris else 43455714Skris { 43555714Skris s->state=SSL3_ST_CW_CHANGE_A; 43655714Skris s->s3->change_cipher_spec=0; 43755714Skris } 438238405Sjkim if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 439238405Sjkim { 440238405Sjkim s->state=SSL3_ST_CW_CHANGE_A; 441238405Sjkim s->s3->change_cipher_spec=0; 442238405Sjkim } 44355714Skris 44455714Skris s->init_num=0; 44555714Skris break; 44655714Skris 44755714Skris case SSL3_ST_CW_CERT_VRFY_A: 44855714Skris case SSL3_ST_CW_CERT_VRFY_B: 44955714Skris ret=ssl3_send_client_verify(s); 45055714Skris if (ret <= 0) goto end; 45155714Skris s->state=SSL3_ST_CW_CHANGE_A; 45255714Skris s->init_num=0; 45355714Skris s->s3->change_cipher_spec=0; 45455714Skris break; 45555714Skris 45655714Skris case SSL3_ST_CW_CHANGE_A: 45755714Skris case SSL3_ST_CW_CHANGE_B: 45855714Skris ret=ssl3_send_change_cipher_spec(s, 45955714Skris SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 46055714Skris if (ret <= 0) goto end; 461238405Sjkim 462238405Sjkim#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 46355714Skris s->state=SSL3_ST_CW_FINISHED_A; 464238405Sjkim#else 465238405Sjkim if (s->s3->next_proto_neg_seen) 466238405Sjkim s->state=SSL3_ST_CW_NEXT_PROTO_A; 467238405Sjkim else 468238405Sjkim s->state=SSL3_ST_CW_FINISHED_A; 469238405Sjkim#endif 47055714Skris s->init_num=0; 47155714Skris 47255714Skris s->session->cipher=s->s3->tmp.new_cipher; 473160814Ssimon#ifdef OPENSSL_NO_COMP 474160814Ssimon s->session->compress_meth=0; 475160814Ssimon#else 47655714Skris if (s->s3->tmp.new_compression == NULL) 47755714Skris s->session->compress_meth=0; 47855714Skris else 47955714Skris s->session->compress_meth= 48055714Skris s->s3->tmp.new_compression->id; 481160814Ssimon#endif 48255714Skris if (!s->method->ssl3_enc->setup_key_block(s)) 48355714Skris { 48455714Skris ret= -1; 48555714Skris goto end; 48655714Skris } 48755714Skris 48855714Skris if (!s->method->ssl3_enc->change_cipher_state(s, 48955714Skris SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 49055714Skris { 49155714Skris ret= -1; 49255714Skris goto end; 49355714Skris } 49455714Skris 49555714Skris break; 49655714Skris 497238405Sjkim#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 498238405Sjkim case SSL3_ST_CW_NEXT_PROTO_A: 499238405Sjkim case SSL3_ST_CW_NEXT_PROTO_B: 500238405Sjkim ret=ssl3_send_next_proto(s); 501238405Sjkim if (ret <= 0) goto end; 502238405Sjkim s->state=SSL3_ST_CW_FINISHED_A; 503238405Sjkim break; 504238405Sjkim#endif 505238405Sjkim 50655714Skris case SSL3_ST_CW_FINISHED_A: 50755714Skris case SSL3_ST_CW_FINISHED_B: 50855714Skris ret=ssl3_send_finished(s, 50955714Skris SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 51059191Skris s->method->ssl3_enc->client_finished_label, 51159191Skris s->method->ssl3_enc->client_finished_label_len); 51255714Skris if (ret <= 0) goto end; 513269686Sjkim s->s3->flags |= SSL3_FLAGS_CCS_OK; 51455714Skris s->state=SSL3_ST_CW_FLUSH; 51555714Skris 51655714Skris /* clear flags */ 51755714Skris s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 51855714Skris if (s->hit) 51955714Skris { 52055714Skris s->s3->tmp.next_state=SSL_ST_OK; 52155714Skris if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 52255714Skris { 52355714Skris s->state=SSL_ST_OK; 52455714Skris s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 52555714Skris s->s3->delay_buf_pop_ret=0; 52655714Skris } 52755714Skris } 52855714Skris else 52955714Skris { 530194206Ssimon#ifndef OPENSSL_NO_TLSEXT 531194206Ssimon /* Allow NewSessionTicket if ticket expected */ 532194206Ssimon if (s->tlsext_ticket_expected) 533194206Ssimon s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 534194206Ssimon else 535194206Ssimon#endif 536194206Ssimon 53755714Skris s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 53855714Skris } 53955714Skris s->init_num=0; 54055714Skris break; 54155714Skris 542194206Ssimon#ifndef OPENSSL_NO_TLSEXT 543194206Ssimon case SSL3_ST_CR_SESSION_TICKET_A: 544194206Ssimon case SSL3_ST_CR_SESSION_TICKET_B: 545194206Ssimon ret=ssl3_get_new_session_ticket(s); 546194206Ssimon if (ret <= 0) goto end; 547194206Ssimon s->state=SSL3_ST_CR_FINISHED_A; 548194206Ssimon s->init_num=0; 549194206Ssimon break; 550194206Ssimon 551194206Ssimon case SSL3_ST_CR_CERT_STATUS_A: 552194206Ssimon case SSL3_ST_CR_CERT_STATUS_B: 553194206Ssimon ret=ssl3_get_cert_status(s); 554194206Ssimon if (ret <= 0) goto end; 555194206Ssimon s->state=SSL3_ST_CR_KEY_EXCH_A; 556194206Ssimon s->init_num=0; 557194206Ssimon break; 558194206Ssimon#endif 559194206Ssimon 56055714Skris case SSL3_ST_CR_FINISHED_A: 56155714Skris case SSL3_ST_CR_FINISHED_B: 56255714Skris 563267103Sdelphij s->s3->flags |= SSL3_FLAGS_CCS_OK; 56455714Skris ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 56555714Skris SSL3_ST_CR_FINISHED_B); 56655714Skris if (ret <= 0) goto end; 56755714Skris 56855714Skris if (s->hit) 56955714Skris s->state=SSL3_ST_CW_CHANGE_A; 57055714Skris else 57155714Skris s->state=SSL_ST_OK; 57255714Skris s->init_num=0; 57355714Skris break; 57455714Skris 57555714Skris case SSL3_ST_CW_FLUSH: 576205128Ssimon s->rwstate=SSL_WRITING; 577205128Ssimon if (BIO_flush(s->wbio) <= 0) 57855714Skris { 579205128Ssimon ret= -1; 580205128Ssimon goto end; 58155714Skris } 582205128Ssimon s->rwstate=SSL_NOTHING; 58355714Skris s->state=s->s3->tmp.next_state; 58455714Skris break; 58555714Skris 58655714Skris case SSL_ST_OK: 58755714Skris /* clean a few things up */ 58855714Skris ssl3_cleanup_key_block(s); 58955714Skris 59055714Skris if (s->init_buf != NULL) 59155714Skris { 59255714Skris BUF_MEM_free(s->init_buf); 59355714Skris s->init_buf=NULL; 59455714Skris } 59555714Skris 59655714Skris /* If we are not 'joining' the last two packets, 59755714Skris * remove the buffering now */ 59855714Skris if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 59955714Skris ssl_free_wbio_buffer(s); 60055714Skris /* else do it later in ssl3_write */ 60155714Skris 60255714Skris s->init_num=0; 603238405Sjkim s->renegotiate=0; 60455714Skris s->new_session=0; 60555714Skris 60655714Skris ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 60755714Skris if (s->hit) s->ctx->stats.sess_hit++; 60855714Skris 60955714Skris ret=1; 61055714Skris /* s->server=0; */ 61155714Skris s->handshake_func=ssl3_connect; 61255714Skris s->ctx->stats.sess_connect_good++; 61355714Skris 61455714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 61555714Skris 61655714Skris goto end; 61755714Skris /* break; */ 61855714Skris 61955714Skris default: 62055714Skris SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 62155714Skris ret= -1; 62255714Skris goto end; 62355714Skris /* break; */ 62455714Skris } 62555714Skris 62655714Skris /* did we do anything */ 62755714Skris if (!s->s3->tmp.reuse_message && !skip) 62855714Skris { 62955714Skris if (s->debug) 63055714Skris { 63155714Skris if ((ret=BIO_flush(s->wbio)) <= 0) 63255714Skris goto end; 63355714Skris } 63455714Skris 63555714Skris if ((cb != NULL) && (s->state != state)) 63655714Skris { 63755714Skris new_state=s->state; 63855714Skris s->state=state; 63955714Skris cb(s,SSL_CB_CONNECT_LOOP,1); 64055714Skris s->state=new_state; 64155714Skris } 64255714Skris } 64355714Skris skip=0; 64455714Skris } 64555714Skrisend: 64689837Skris s->in_handshake--; 647109998Smarkm if (buf != NULL) 648109998Smarkm BUF_MEM_free(buf); 64955714Skris if (cb != NULL) 65055714Skris cb(s,SSL_CB_CONNECT_EXIT,ret); 65155714Skris return(ret); 65255714Skris } 65355714Skris 65455714Skris 655160814Ssimonint ssl3_client_hello(SSL *s) 65655714Skris { 65755714Skris unsigned char *buf; 65855714Skris unsigned char *p,*d; 659160814Ssimon int i; 660264331Sjkim unsigned long l; 661160814Ssimon#ifndef OPENSSL_NO_COMP 662160814Ssimon int j; 66355714Skris SSL_COMP *comp; 664160814Ssimon#endif 66555714Skris 66655714Skris buf=(unsigned char *)s->init_buf->data; 66755714Skris if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 66855714Skris { 669205128Ssimon SSL_SESSION *sess = s->session; 670205128Ssimon if ((sess == NULL) || 671205128Ssimon (sess->ssl_version != s->version) || 672205128Ssimon#ifdef OPENSSL_NO_TLSEXT 673205128Ssimon !sess->session_id_length || 674205128Ssimon#else 675205128Ssimon (!sess->session_id_length && !sess->tlsext_tick) || 676205128Ssimon#endif 677205128Ssimon (sess->not_resumable)) 67855714Skris { 67955714Skris if (!ssl_get_new_session(s,0)) 68055714Skris goto err; 68155714Skris } 68255714Skris /* else use the pre-loaded session */ 68355714Skris 68455714Skris p=s->s3->client_random; 685264331Sjkim 686264331Sjkim if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 687160814Ssimon goto err; 68855714Skris 68955714Skris /* Do the message type and length last */ 69055714Skris d=p= &(buf[4]); 69155714Skris 692238405Sjkim /* version indicates the negotiated version: for example from 693238405Sjkim * an SSLv2/v3 compatible client hello). The client_version 694238405Sjkim * field is the maximum version we permit and it is also 695238405Sjkim * used in RSA encrypted premaster secrets. Some servers can 696238405Sjkim * choke if we initially report a higher version then 697238405Sjkim * renegotiate to a lower one in the premaster secret. This 698238405Sjkim * didn't happen with TLS 1.0 as most servers supported it 699238405Sjkim * but it can with TLS 1.1 or later if the server only supports 700238405Sjkim * 1.0. 701238405Sjkim * 702238405Sjkim * Possible scenario with previous logic: 703238405Sjkim * 1. Client hello indicates TLS 1.2 704238405Sjkim * 2. Server hello says TLS 1.0 705238405Sjkim * 3. RSA encrypted premaster secret uses 1.2. 706238405Sjkim * 4. Handhaked proceeds using TLS 1.0. 707238405Sjkim * 5. Server sends hello request to renegotiate. 708238405Sjkim * 6. Client hello indicates TLS v1.0 as we now 709238405Sjkim * know that is maximum server supports. 710238405Sjkim * 7. Server chokes on RSA encrypted premaster secret 711238405Sjkim * containing version 1.0. 712238405Sjkim * 713238405Sjkim * For interoperability it should be OK to always use the 714238405Sjkim * maximum version we support in client hello and then rely 715238405Sjkim * on the checking of version to ensure the servers isn't 716238405Sjkim * being inconsistent: for example initially negotiating with 717238405Sjkim * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 718238405Sjkim * client_version in client hello and not resetting it to 719238405Sjkim * the negotiated version. 720238405Sjkim */ 721238405Sjkim#if 0 72255714Skris *(p++)=s->version>>8; 72355714Skris *(p++)=s->version&0xff; 72455714Skris s->client_version=s->version; 725238405Sjkim#else 726238405Sjkim *(p++)=s->client_version>>8; 727238405Sjkim *(p++)=s->client_version&0xff; 728238405Sjkim#endif 72955714Skris 73055714Skris /* Random stuff */ 73155714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 73255714Skris p+=SSL3_RANDOM_SIZE; 73355714Skris 73455714Skris /* Session ID */ 73555714Skris if (s->new_session) 73655714Skris i=0; 73755714Skris else 73855714Skris i=s->session->session_id_length; 73955714Skris *(p++)=i; 74055714Skris if (i != 0) 74155714Skris { 742160814Ssimon if (i > (int)sizeof(s->session->session_id)) 743101615Snectar { 744109998Smarkm SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 745101615Snectar goto err; 746101615Snectar } 74755714Skris memcpy(p,s->session->session_id,i); 74855714Skris p+=i; 74955714Skris } 75055714Skris 75155714Skris /* Ciphers supported */ 752160814Ssimon i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 75355714Skris if (i == 0) 75455714Skris { 75555714Skris SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 75655714Skris goto err; 75755714Skris } 758238405Sjkim#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 759238405Sjkim /* Some servers hang if client hello > 256 bytes 760238405Sjkim * as hack workaround chop number of supported ciphers 761238405Sjkim * to keep it well below this if we use TLS v1.2 762238405Sjkim */ 763238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION 764238405Sjkim && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 765238405Sjkim i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 766238405Sjkim#endif 76755714Skris s2n(i,p); 76855714Skris p+=i; 76955714Skris 77055714Skris /* COMPRESSION */ 771160814Ssimon#ifdef OPENSSL_NO_COMP 772160814Ssimon *(p++)=1; 773160814Ssimon#else 774238405Sjkim 775238405Sjkim if ((s->options & SSL_OP_NO_COMPRESSION) 776238405Sjkim || !s->ctx->comp_methods) 77755714Skris j=0; 77855714Skris else 77955714Skris j=sk_SSL_COMP_num(s->ctx->comp_methods); 78055714Skris *(p++)=1+j; 78155714Skris for (i=0; i<j; i++) 78255714Skris { 78355714Skris comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 78455714Skris *(p++)=comp->id; 78555714Skris } 786160814Ssimon#endif 78755714Skris *(p++)=0; /* Add the NULL method */ 788238405Sjkim 789194206Ssimon#ifndef OPENSSL_NO_TLSEXT 790238405Sjkim /* TLS extensions*/ 791238405Sjkim if (ssl_prepare_clienthello_tlsext(s) <= 0) 792238405Sjkim { 793238405Sjkim SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 794238405Sjkim goto err; 795238405Sjkim } 796194206Ssimon if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 797194206Ssimon { 798194206Ssimon SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 799194206Ssimon goto err; 800194206Ssimon } 801238405Sjkim#endif 802238405Sjkim 80355714Skris l=(p-d); 80455714Skris d=buf; 80555714Skris *(d++)=SSL3_MT_CLIENT_HELLO; 80655714Skris l2n3(l,d); 80755714Skris 80855714Skris s->state=SSL3_ST_CW_CLNT_HELLO_B; 80955714Skris /* number of bytes to write */ 81055714Skris s->init_num=p-buf; 81155714Skris s->init_off=0; 81255714Skris } 81355714Skris 81455714Skris /* SSL3_ST_CW_CLNT_HELLO_B */ 81555714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 81655714Skriserr: 81755714Skris return(-1); 81855714Skris } 81955714Skris 820160814Ssimonint ssl3_get_server_hello(SSL *s) 82155714Skris { 82255714Skris STACK_OF(SSL_CIPHER) *sk; 823238405Sjkim const SSL_CIPHER *c; 82455714Skris unsigned char *p,*d; 82555714Skris int i,al,ok; 82655714Skris unsigned int j; 82755714Skris long n; 828160814Ssimon#ifndef OPENSSL_NO_COMP 82955714Skris SSL_COMP *comp; 830160814Ssimon#endif 83155714Skris 832160814Ssimon n=s->method->ssl_get_message(s, 83355714Skris SSL3_ST_CR_SRVR_HELLO_A, 83455714Skris SSL3_ST_CR_SRVR_HELLO_B, 835160814Ssimon -1, 836194206Ssimon 20000, /* ?? */ 83755714Skris &ok); 83855714Skris 83955714Skris if (!ok) return((int)n); 840160814Ssimon 841205128Ssimon if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 842160814Ssimon { 843160814Ssimon if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 844160814Ssimon { 845160814Ssimon if ( s->d1->send_cookie == 0) 846160814Ssimon { 847160814Ssimon s->s3->tmp.reuse_message = 1; 848160814Ssimon return 1; 849160814Ssimon } 850160814Ssimon else /* already sent a cookie */ 851160814Ssimon { 852160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 853160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 854160814Ssimon goto f_err; 855160814Ssimon } 856160814Ssimon } 857160814Ssimon } 858160814Ssimon 859160814Ssimon if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 860160814Ssimon { 861160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 862160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 863160814Ssimon goto f_err; 864160814Ssimon } 865160814Ssimon 866109998Smarkm d=p=(unsigned char *)s->init_msg; 86755714Skris 86855714Skris if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 86955714Skris { 87055714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 87155714Skris s->version=(s->version&0xff00)|p[1]; 87255714Skris al=SSL_AD_PROTOCOL_VERSION; 87355714Skris goto f_err; 87455714Skris } 87555714Skris p+=2; 87655714Skris 87755714Skris /* load the server hello data */ 87855714Skris /* load the server random */ 87955714Skris memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 88055714Skris p+=SSL3_RANDOM_SIZE; 88155714Skris 88255714Skris /* get the session-id */ 88355714Skris j= *(p++); 88455714Skris 885109998Smarkm if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 88655714Skris { 887109998Smarkm al=SSL_AD_ILLEGAL_PARAMETER; 888109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 889109998Smarkm goto f_err; 89055714Skris } 891109998Smarkm 892238405Sjkim#ifndef OPENSSL_NO_TLSEXT 893238405Sjkim /* check if we want to resume the session based on external pre-shared secret */ 894238405Sjkim if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 895238405Sjkim { 896238405Sjkim SSL_CIPHER *pref_cipher=NULL; 897238405Sjkim s->session->master_key_length=sizeof(s->session->master_key); 898238405Sjkim if (s->tls_session_secret_cb(s, s->session->master_key, 899238405Sjkim &s->session->master_key_length, 900238405Sjkim NULL, &pref_cipher, 901238405Sjkim s->tls_session_secret_cb_arg)) 902238405Sjkim { 903238405Sjkim s->session->cipher = pref_cipher ? 904238405Sjkim pref_cipher : ssl_get_cipher_by_char(s, p+j); 905269686Sjkim s->s3->flags |= SSL3_FLAGS_CCS_OK; 906238405Sjkim } 907238405Sjkim } 908238405Sjkim#endif /* OPENSSL_NO_TLSEXT */ 909238405Sjkim 91055714Skris if (j != 0 && j == s->session->session_id_length 91155714Skris && memcmp(p,s->session->session_id,j) == 0) 91255714Skris { 91355714Skris if(s->sid_ctx_length != s->session->sid_ctx_length 91455714Skris || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 91555714Skris { 916109998Smarkm /* actually a client application bug */ 91755714Skris al=SSL_AD_ILLEGAL_PARAMETER; 91855714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 91955714Skris goto f_err; 92055714Skris } 921267103Sdelphij s->s3->flags |= SSL3_FLAGS_CCS_OK; 92255714Skris s->hit=1; 92355714Skris } 92455714Skris else /* a miss or crap from the other end */ 92555714Skris { 92655714Skris /* If we were trying for session-id reuse, make a new 92755714Skris * SSL_SESSION so we don't stuff up other people */ 92855714Skris s->hit=0; 92955714Skris if (s->session->session_id_length > 0) 93055714Skris { 93155714Skris if (!ssl_get_new_session(s,0)) 93255714Skris { 93355714Skris al=SSL_AD_INTERNAL_ERROR; 93455714Skris goto f_err; 93555714Skris } 93655714Skris } 93755714Skris s->session->session_id_length=j; 93855714Skris memcpy(s->session->session_id,p,j); /* j could be 0 */ 93955714Skris } 94055714Skris p+=j; 94155714Skris c=ssl_get_cipher_by_char(s,p); 94255714Skris if (c == NULL) 94355714Skris { 94455714Skris /* unknown cipher */ 94555714Skris al=SSL_AD_ILLEGAL_PARAMETER; 94655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 94755714Skris goto f_err; 94855714Skris } 949238405Sjkim /* TLS v1.2 only ciphersuites require v1.2 or later */ 950238405Sjkim if ((c->algorithm_ssl & SSL_TLSV1_2) && 951238405Sjkim (TLS1_get_version(s) < TLS1_2_VERSION)) 952238405Sjkim { 953238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 954238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 955238405Sjkim goto f_err; 956238405Sjkim } 957269686Sjkim#ifndef OPENSSL_NO_SRP 958269686Sjkim if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) && 959269686Sjkim !(s->srp_ctx.srp_Mask & SSL_kSRP)) 960269686Sjkim { 961269686Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 962269686Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 963269686Sjkim goto f_err; 964269686Sjkim } 965269686Sjkim#endif /* OPENSSL_NO_SRP */ 96655714Skris p+=ssl_put_cipher_by_char(s,NULL,NULL); 96755714Skris 96855714Skris sk=ssl_get_ciphers_by_id(s); 96955714Skris i=sk_SSL_CIPHER_find(sk,c); 97055714Skris if (i < 0) 97155714Skris { 97255714Skris /* we did not say we would use this cipher */ 97355714Skris al=SSL_AD_ILLEGAL_PARAMETER; 97455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 97555714Skris goto f_err; 97655714Skris } 97755714Skris 978109998Smarkm /* Depending on the session caching (internal/external), the cipher 979109998Smarkm and/or cipher_id values may not be set. Make sure that 980109998Smarkm cipher_id is set and use it for comparison. */ 981109998Smarkm if (s->session->cipher) 982109998Smarkm s->session->cipher_id = s->session->cipher->id; 983109998Smarkm if (s->hit && (s->session->cipher_id != c->id)) 98455714Skris { 985216166Ssimon/* Workaround is now obsolete */ 986216166Ssimon#if 0 98755714Skris if (!(s->options & 98855714Skris SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 989216166Ssimon#endif 99055714Skris { 99155714Skris al=SSL_AD_ILLEGAL_PARAMETER; 99255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 99355714Skris goto f_err; 99455714Skris } 99555714Skris } 99655714Skris s->s3->tmp.new_cipher=c; 997238405Sjkim /* Don't digest cached records if TLS v1.2: we may need them for 998238405Sjkim * client authentication. 999238405Sjkim */ 1000238405Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 1001246772Sjkim { 1002246772Sjkim al = SSL_AD_INTERNAL_ERROR; 1003238405Sjkim goto f_err; 1004246772Sjkim } 100555714Skris /* lets get the compression algorithm */ 100655714Skris /* COMPRESSION */ 1007160814Ssimon#ifdef OPENSSL_NO_COMP 1008160814Ssimon if (*(p++) != 0) 1009160814Ssimon { 1010160814Ssimon al=SSL_AD_ILLEGAL_PARAMETER; 1011160814Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1012160814Ssimon goto f_err; 1013160814Ssimon } 1014238405Sjkim /* If compression is disabled we'd better not try to resume a session 1015238405Sjkim * using compression. 1016238405Sjkim */ 1017238405Sjkim if (s->session->compress_meth != 0) 1018238405Sjkim { 1019238405Sjkim al=SSL_AD_INTERNAL_ERROR; 1020238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1021238405Sjkim goto f_err; 1022238405Sjkim } 1023160814Ssimon#else 102455714Skris j= *(p++); 1025238405Sjkim if (s->hit && j != s->session->compress_meth) 1026238405Sjkim { 1027238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 1028238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1029238405Sjkim goto f_err; 1030238405Sjkim } 103155714Skris if (j == 0) 103255714Skris comp=NULL; 1033238405Sjkim else if (s->options & SSL_OP_NO_COMPRESSION) 1034238405Sjkim { 1035238405Sjkim al=SSL_AD_ILLEGAL_PARAMETER; 1036238405Sjkim SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); 1037238405Sjkim goto f_err; 1038238405Sjkim } 103955714Skris else 104055714Skris comp=ssl3_comp_find(s->ctx->comp_methods,j); 104155714Skris 104255714Skris if ((j != 0) && (comp == NULL)) 104355714Skris { 104455714Skris al=SSL_AD_ILLEGAL_PARAMETER; 104555714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 104655714Skris goto f_err; 104755714Skris } 104855714Skris else 104955714Skris { 105055714Skris s->s3->tmp.new_compression=comp; 105155714Skris } 1052160814Ssimon#endif 1053238405Sjkim 1054194206Ssimon#ifndef OPENSSL_NO_TLSEXT 1055194206Ssimon /* TLS extensions*/ 1056205128Ssimon if (s->version >= SSL3_VERSION) 1057194206Ssimon { 1058194206Ssimon if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 1059194206Ssimon { 1060194206Ssimon /* 'al' set by ssl_parse_serverhello_tlsext */ 1061194206Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1062194206Ssimon goto f_err; 1063194206Ssimon } 1064194206Ssimon if (ssl_check_serverhello_tlsext(s) <= 0) 1065194206Ssimon { 1066194206Ssimon SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1067194206Ssimon goto err; 1068194206Ssimon } 1069194206Ssimon } 1070194206Ssimon#endif 107155714Skris 107255714Skris if (p != (d+n)) 107355714Skris { 107455714Skris /* wrong packet length */ 107555714Skris al=SSL_AD_DECODE_ERROR; 107655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1077237657Sjkim goto f_err; 107855714Skris } 107955714Skris 108055714Skris return(1); 108155714Skrisf_err: 108255714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 108355714Skriserr: 108455714Skris return(-1); 108555714Skris } 108655714Skris 1087160814Ssimonint ssl3_get_server_certificate(SSL *s) 108855714Skris { 108955714Skris int al,i,ok,ret= -1; 109055714Skris unsigned long n,nc,llen,l; 109155714Skris X509 *x=NULL; 1092160814Ssimon const unsigned char *q,*p; 1093160814Ssimon unsigned char *d; 109455714Skris STACK_OF(X509) *sk=NULL; 109555714Skris SESS_CERT *sc; 109655714Skris EVP_PKEY *pkey=NULL; 1097160814Ssimon int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 109855714Skris 1099160814Ssimon n=s->method->ssl_get_message(s, 110055714Skris SSL3_ST_CR_CERT_A, 110155714Skris SSL3_ST_CR_CERT_B, 110255714Skris -1, 1103109998Smarkm s->max_cert_list, 110455714Skris &ok); 110555714Skris 110655714Skris if (!ok) return((int)n); 110755714Skris 1108194206Ssimon if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1109238405Sjkim ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1110194206Ssimon (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 111155714Skris { 111255714Skris s->s3->tmp.reuse_message=1; 111355714Skris return(1); 111455714Skris } 111555714Skris 111655714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 111755714Skris { 111855714Skris al=SSL_AD_UNEXPECTED_MESSAGE; 111955714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 112055714Skris goto f_err; 112155714Skris } 1122160814Ssimon p=d=(unsigned char *)s->init_msg; 112355714Skris 112455714Skris if ((sk=sk_X509_new_null()) == NULL) 112555714Skris { 112655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 112755714Skris goto err; 112855714Skris } 112955714Skris 113055714Skris n2l3(p,llen); 113155714Skris if (llen+3 != n) 113255714Skris { 113355714Skris al=SSL_AD_DECODE_ERROR; 113455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 113555714Skris goto f_err; 113655714Skris } 113755714Skris for (nc=0; nc<llen; ) 113855714Skris { 113955714Skris n2l3(p,l); 114055714Skris if ((l+nc+3) > llen) 114155714Skris { 114255714Skris al=SSL_AD_DECODE_ERROR; 114355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 114455714Skris goto f_err; 114555714Skris } 114655714Skris 114755714Skris q=p; 114855714Skris x=d2i_X509(NULL,&q,l); 114955714Skris if (x == NULL) 115055714Skris { 115155714Skris al=SSL_AD_BAD_CERTIFICATE; 115255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 115355714Skris goto f_err; 115455714Skris } 115555714Skris if (q != (p+l)) 115655714Skris { 115755714Skris al=SSL_AD_DECODE_ERROR; 115855714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 115955714Skris goto f_err; 116055714Skris } 116155714Skris if (!sk_X509_push(sk,x)) 116255714Skris { 116355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 116455714Skris goto err; 116555714Skris } 116655714Skris x=NULL; 116755714Skris nc+=l+3; 116855714Skris p=q; 116955714Skris } 117055714Skris 117155714Skris i=ssl_verify_cert_chain(s,sk); 1172186872Ssimon if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1173109998Smarkm#ifndef OPENSSL_NO_KRB5 1174238405Sjkim && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1175238405Sjkim (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1176109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 1177238405Sjkim ) 117855714Skris { 117955714Skris al=ssl_verify_alarm_type(s->verify_result); 118055714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 118155714Skris goto f_err; 118255714Skris } 118368651Skris ERR_clear_error(); /* but we keep s->verify_result */ 118455714Skris 118555714Skris sc=ssl_sess_cert_new(); 118655714Skris if (sc == NULL) goto err; 118755714Skris 118855714Skris if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 118955714Skris s->session->sess_cert=sc; 119055714Skris 119155714Skris sc->cert_chain=sk; 119259191Skris /* Inconsistency alert: cert_chain does include the peer's 119359191Skris * certificate, which we don't include in s3_srvr.c */ 119455714Skris x=sk_X509_value(sk,0); 119555714Skris sk=NULL; 1196109998Smarkm /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 119755714Skris 119855714Skris pkey=X509_get_pubkey(x); 119955714Skris 1200160814Ssimon /* VRS: allow null cert if auth == KRB5 */ 1201238405Sjkim need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1202238405Sjkim (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1203238405Sjkim ? 0 : 1; 1204109998Smarkm 1205109998Smarkm#ifdef KSSL_DEBUG 1206238405Sjkim printf("pkey,x = %p, %p\n", pkey,x); 1207109998Smarkm printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1208238405Sjkim printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1209238405Sjkim s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1210109998Smarkm#endif /* KSSL_DEBUG */ 1211109998Smarkm 1212109998Smarkm if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 121355714Skris { 121455714Skris x=NULL; 121555714Skris al=SSL3_AL_FATAL; 1216109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1217109998Smarkm SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 121855714Skris goto f_err; 121955714Skris } 122055714Skris 122155714Skris i=ssl_cert_type(x,pkey); 1222109998Smarkm if (need_cert && i < 0) 122355714Skris { 122455714Skris x=NULL; 122555714Skris al=SSL3_AL_FATAL; 1226109998Smarkm SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1227109998Smarkm SSL_R_UNKNOWN_CERTIFICATE_TYPE); 122855714Skris goto f_err; 122955714Skris } 123055714Skris 1231160814Ssimon if (need_cert) 1232160814Ssimon { 1233160814Ssimon sc->peer_cert_type=i; 1234160814Ssimon CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1235160814Ssimon /* Why would the following ever happen? 1236160814Ssimon * We just created sc a couple of lines ago. */ 1237160814Ssimon if (sc->peer_pkeys[i].x509 != NULL) 1238160814Ssimon X509_free(sc->peer_pkeys[i].x509); 1239160814Ssimon sc->peer_pkeys[i].x509=x; 1240160814Ssimon sc->peer_key= &(sc->peer_pkeys[i]); 124155714Skris 1242160814Ssimon if (s->session->peer != NULL) 1243160814Ssimon X509_free(s->session->peer); 1244160814Ssimon CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1245160814Ssimon s->session->peer=x; 1246160814Ssimon } 1247160814Ssimon else 1248160814Ssimon { 1249160814Ssimon sc->peer_cert_type=i; 1250160814Ssimon sc->peer_key= NULL; 1251109998Smarkm 1252160814Ssimon if (s->session->peer != NULL) 1253160814Ssimon X509_free(s->session->peer); 1254160814Ssimon s->session->peer=NULL; 1255160814Ssimon } 125672613Skris s->session->verify_result = s->verify_result; 125755714Skris 125855714Skris x=NULL; 125955714Skris ret=1; 126055714Skris 126155714Skris if (0) 126255714Skris { 126355714Skrisf_err: 126455714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 126555714Skris } 126655714Skriserr: 126755714Skris EVP_PKEY_free(pkey); 126855714Skris X509_free(x); 126955714Skris sk_X509_pop_free(sk,X509_free); 127055714Skris return(ret); 127155714Skris } 127255714Skris 1273160814Ssimonint ssl3_get_key_exchange(SSL *s) 127455714Skris { 1275109998Smarkm#ifndef OPENSSL_NO_RSA 127655714Skris unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 127755714Skris#endif 127855714Skris EVP_MD_CTX md_ctx; 127955714Skris unsigned char *param,*p; 128055714Skris int al,i,j,param_len,ok; 1281238405Sjkim long n,alg_k,alg_a; 128255714Skris EVP_PKEY *pkey=NULL; 1283238405Sjkim const EVP_MD *md = NULL; 1284109998Smarkm#ifndef OPENSSL_NO_RSA 128555714Skris RSA *rsa=NULL; 128655714Skris#endif 1287109998Smarkm#ifndef OPENSSL_NO_DH 128855714Skris DH *dh=NULL; 128955714Skris#endif 1290160814Ssimon#ifndef OPENSSL_NO_ECDH 1291160814Ssimon EC_KEY *ecdh = NULL; 1292160814Ssimon BN_CTX *bn_ctx = NULL; 1293160814Ssimon EC_POINT *srvr_ecpoint = NULL; 1294160814Ssimon int curve_nid = 0; 1295160814Ssimon int encoded_pt_len = 0; 1296160814Ssimon#endif 129755714Skris 129889837Skris /* use same message size as in ssl3_get_certificate_request() 129989837Skris * as ServerKeyExchange message may be skipped */ 1300160814Ssimon n=s->method->ssl_get_message(s, 130155714Skris SSL3_ST_CR_KEY_EXCH_A, 130255714Skris SSL3_ST_CR_KEY_EXCH_B, 130355714Skris -1, 1304109998Smarkm s->max_cert_list, 130555714Skris &ok); 130655714Skris if (!ok) return((int)n); 130755714Skris 130855714Skris if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 130955714Skris { 1310238405Sjkim#ifndef OPENSSL_NO_PSK 1311238405Sjkim /* In plain PSK ciphersuite, ServerKeyExchange can be 1312238405Sjkim omitted if no identity hint is sent. Set 1313238405Sjkim session->sess_cert anyway to avoid problems 1314238405Sjkim later.*/ 1315238405Sjkim if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1316238405Sjkim { 1317238405Sjkim s->session->sess_cert=ssl_sess_cert_new(); 1318238405Sjkim if (s->ctx->psk_identity_hint) 1319238405Sjkim OPENSSL_free(s->ctx->psk_identity_hint); 1320238405Sjkim s->ctx->psk_identity_hint = NULL; 1321238405Sjkim } 1322238405Sjkim#endif 132355714Skris s->s3->tmp.reuse_message=1; 132455714Skris return(1); 132555714Skris } 132655714Skris 1327109998Smarkm param=p=(unsigned char *)s->init_msg; 132855714Skris if (s->session->sess_cert != NULL) 132955714Skris { 1330109998Smarkm#ifndef OPENSSL_NO_RSA 133155714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 133255714Skris { 133355714Skris RSA_free(s->session->sess_cert->peer_rsa_tmp); 133455714Skris s->session->sess_cert->peer_rsa_tmp=NULL; 133555714Skris } 133655714Skris#endif 1337109998Smarkm#ifndef OPENSSL_NO_DH 133855714Skris if (s->session->sess_cert->peer_dh_tmp) 133955714Skris { 134055714Skris DH_free(s->session->sess_cert->peer_dh_tmp); 134155714Skris s->session->sess_cert->peer_dh_tmp=NULL; 134255714Skris } 134355714Skris#endif 1344160814Ssimon#ifndef OPENSSL_NO_ECDH 1345160814Ssimon if (s->session->sess_cert->peer_ecdh_tmp) 1346160814Ssimon { 1347160814Ssimon EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1348160814Ssimon s->session->sess_cert->peer_ecdh_tmp=NULL; 1349160814Ssimon } 1350160814Ssimon#endif 135155714Skris } 135255714Skris else 135355714Skris { 135455714Skris s->session->sess_cert=ssl_sess_cert_new(); 135555714Skris } 135655714Skris 135755714Skris param_len=0; 1358238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1359238405Sjkim alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1360109998Smarkm EVP_MD_CTX_init(&md_ctx); 136155714Skris 1362238405Sjkim#ifndef OPENSSL_NO_PSK 1363238405Sjkim if (alg_k & SSL_kPSK) 1364238405Sjkim { 1365238405Sjkim char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1366238405Sjkim 1367238405Sjkim al=SSL_AD_HANDSHAKE_FAILURE; 1368238405Sjkim n2s(p,i); 1369238405Sjkim param_len=i+2; 1370238405Sjkim /* Store PSK identity hint for later use, hint is used 1371238405Sjkim * in ssl3_send_client_key_exchange. Assume that the 1372238405Sjkim * maximum length of a PSK identity hint can be as 1373238405Sjkim * long as the maximum length of a PSK identity. */ 1374238405Sjkim if (i > PSK_MAX_IDENTITY_LEN) 1375238405Sjkim { 1376238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1377238405Sjkim SSL_R_DATA_LENGTH_TOO_LONG); 1378238405Sjkim goto f_err; 1379238405Sjkim } 1380238405Sjkim if (param_len > n) 1381238405Sjkim { 1382238405Sjkim al=SSL_AD_DECODE_ERROR; 1383238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1384238405Sjkim SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1385238405Sjkim goto f_err; 1386238405Sjkim } 1387238405Sjkim /* If received PSK identity hint contains NULL 1388238405Sjkim * characters, the hint is truncated from the first 1389238405Sjkim * NULL. p may not be ending with NULL, so create a 1390238405Sjkim * NULL-terminated string. */ 1391238405Sjkim memcpy(tmp_id_hint, p, i); 1392238405Sjkim memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1393238405Sjkim if (s->ctx->psk_identity_hint != NULL) 1394238405Sjkim OPENSSL_free(s->ctx->psk_identity_hint); 1395238405Sjkim s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1396238405Sjkim if (s->ctx->psk_identity_hint == NULL) 1397238405Sjkim { 1398238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1399238405Sjkim goto f_err; 1400238405Sjkim } 1401238405Sjkim 1402238405Sjkim p+=i; 1403238405Sjkim n-=param_len; 1404238405Sjkim } 1405238405Sjkim else 1406238405Sjkim#endif /* !OPENSSL_NO_PSK */ 1407238405Sjkim#ifndef OPENSSL_NO_SRP 1408238405Sjkim if (alg_k & SSL_kSRP) 1409238405Sjkim { 1410238405Sjkim n2s(p,i); 1411238405Sjkim param_len=i+2; 1412238405Sjkim if (param_len > n) 1413238405Sjkim { 1414238405Sjkim al=SSL_AD_DECODE_ERROR; 1415238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH); 1416238405Sjkim goto f_err; 1417238405Sjkim } 1418238405Sjkim if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1419238405Sjkim { 1420238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1421238405Sjkim goto err; 1422238405Sjkim } 1423238405Sjkim p+=i; 1424238405Sjkim 1425238405Sjkim n2s(p,i); 1426238405Sjkim param_len+=i+2; 1427238405Sjkim if (param_len > n) 1428238405Sjkim { 1429238405Sjkim al=SSL_AD_DECODE_ERROR; 1430238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH); 1431238405Sjkim goto f_err; 1432238405Sjkim } 1433238405Sjkim if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1434238405Sjkim { 1435238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1436238405Sjkim goto err; 1437238405Sjkim } 1438238405Sjkim p+=i; 1439238405Sjkim 1440238405Sjkim i = (unsigned int)(p[0]); 1441238405Sjkim p++; 1442238405Sjkim param_len+=i+1; 1443238405Sjkim if (param_len > n) 1444238405Sjkim { 1445238405Sjkim al=SSL_AD_DECODE_ERROR; 1446238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH); 1447238405Sjkim goto f_err; 1448238405Sjkim } 1449238405Sjkim if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1450238405Sjkim { 1451238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1452238405Sjkim goto err; 1453238405Sjkim } 1454238405Sjkim p+=i; 1455238405Sjkim 1456238405Sjkim n2s(p,i); 1457238405Sjkim param_len+=i+2; 1458238405Sjkim if (param_len > n) 1459238405Sjkim { 1460238405Sjkim al=SSL_AD_DECODE_ERROR; 1461238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH); 1462238405Sjkim goto f_err; 1463238405Sjkim } 1464238405Sjkim if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1465238405Sjkim { 1466238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1467238405Sjkim goto err; 1468238405Sjkim } 1469238405Sjkim p+=i; 1470238405Sjkim n-=param_len; 1471238405Sjkim 1472269686Sjkim if (!srp_verify_server_param(s, &al)) 1473269686Sjkim { 1474269686Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS); 1475269686Sjkim goto f_err; 1476269686Sjkim } 1477269686Sjkim 1478238405Sjkim/* We must check if there is a certificate */ 1479109998Smarkm#ifndef OPENSSL_NO_RSA 1480238405Sjkim if (alg_a & SSL_aRSA) 1481238405Sjkim pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1482238405Sjkim#else 1483238405Sjkim if (0) 1484238405Sjkim ; 1485238405Sjkim#endif 1486238405Sjkim#ifndef OPENSSL_NO_DSA 1487238405Sjkim else if (alg_a & SSL_aDSS) 1488238405Sjkim pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1489238405Sjkim#endif 1490238405Sjkim } 1491238405Sjkim else 1492238405Sjkim#endif /* !OPENSSL_NO_SRP */ 1493238405Sjkim#ifndef OPENSSL_NO_RSA 1494238405Sjkim if (alg_k & SSL_kRSA) 149555714Skris { 149655714Skris if ((rsa=RSA_new()) == NULL) 149755714Skris { 149855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 149955714Skris goto err; 150055714Skris } 150155714Skris n2s(p,i); 150255714Skris param_len=i+2; 150355714Skris if (param_len > n) 150455714Skris { 150555714Skris al=SSL_AD_DECODE_ERROR; 150655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 150755714Skris goto f_err; 150855714Skris } 150955714Skris if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 151055714Skris { 151155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 151255714Skris goto err; 151355714Skris } 151455714Skris p+=i; 151555714Skris 151655714Skris n2s(p,i); 151755714Skris param_len+=i+2; 151855714Skris if (param_len > n) 151955714Skris { 152055714Skris al=SSL_AD_DECODE_ERROR; 152155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 152255714Skris goto f_err; 152355714Skris } 152455714Skris if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 152555714Skris { 152655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 152755714Skris goto err; 152855714Skris } 152955714Skris p+=i; 153055714Skris n-=param_len; 153155714Skris 153255714Skris /* this should be because we are using an export cipher */ 1533238405Sjkim if (alg_a & SSL_aRSA) 153455714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 153555714Skris else 153655714Skris { 1537109998Smarkm SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 153855714Skris goto err; 153955714Skris } 154055714Skris s->session->sess_cert->peer_rsa_tmp=rsa; 154155714Skris rsa=NULL; 154255714Skris } 1543109998Smarkm#else /* OPENSSL_NO_RSA */ 154468651Skris if (0) 154568651Skris ; 154655714Skris#endif 1547109998Smarkm#ifndef OPENSSL_NO_DH 1548238405Sjkim else if (alg_k & SSL_kEDH) 154955714Skris { 155055714Skris if ((dh=DH_new()) == NULL) 155155714Skris { 155255714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 155355714Skris goto err; 155455714Skris } 155555714Skris n2s(p,i); 155655714Skris param_len=i+2; 155755714Skris if (param_len > n) 155855714Skris { 155955714Skris al=SSL_AD_DECODE_ERROR; 156055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 156155714Skris goto f_err; 156255714Skris } 156355714Skris if (!(dh->p=BN_bin2bn(p,i,NULL))) 156455714Skris { 156555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 156655714Skris goto err; 156755714Skris } 156855714Skris p+=i; 156955714Skris 157055714Skris n2s(p,i); 157155714Skris param_len+=i+2; 157255714Skris if (param_len > n) 157355714Skris { 157455714Skris al=SSL_AD_DECODE_ERROR; 157555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 157655714Skris goto f_err; 157755714Skris } 157855714Skris if (!(dh->g=BN_bin2bn(p,i,NULL))) 157955714Skris { 158055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 158155714Skris goto err; 158255714Skris } 158355714Skris p+=i; 158455714Skris 158555714Skris n2s(p,i); 158655714Skris param_len+=i+2; 158755714Skris if (param_len > n) 158855714Skris { 158955714Skris al=SSL_AD_DECODE_ERROR; 159055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 159155714Skris goto f_err; 159255714Skris } 159355714Skris if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 159455714Skris { 159555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 159655714Skris goto err; 159755714Skris } 159855714Skris p+=i; 159955714Skris n-=param_len; 160055714Skris 1601109998Smarkm#ifndef OPENSSL_NO_RSA 1602238405Sjkim if (alg_a & SSL_aRSA) 160355714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 160468651Skris#else 160568651Skris if (0) 160668651Skris ; 160755714Skris#endif 1608109998Smarkm#ifndef OPENSSL_NO_DSA 1609238405Sjkim else if (alg_a & SSL_aDSS) 161055714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 161155714Skris#endif 161255714Skris /* else anonymous DH, so no certificate or pkey. */ 161355714Skris 161455714Skris s->session->sess_cert->peer_dh_tmp=dh; 161555714Skris dh=NULL; 161655714Skris } 1617238405Sjkim else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 161855714Skris { 161955714Skris al=SSL_AD_ILLEGAL_PARAMETER; 162055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 162155714Skris goto f_err; 162255714Skris } 1623109998Smarkm#endif /* !OPENSSL_NO_DH */ 1624160814Ssimon 1625160814Ssimon#ifndef OPENSSL_NO_ECDH 1626238405Sjkim else if (alg_k & SSL_kEECDH) 1627160814Ssimon { 1628160814Ssimon EC_GROUP *ngroup; 1629160814Ssimon const EC_GROUP *group; 1630160814Ssimon 1631160814Ssimon if ((ecdh=EC_KEY_new()) == NULL) 1632160814Ssimon { 1633160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1634160814Ssimon goto err; 1635160814Ssimon } 1636160814Ssimon 1637160814Ssimon /* Extract elliptic curve parameters and the 1638160814Ssimon * server's ephemeral ECDH public key. 1639160814Ssimon * Keep accumulating lengths of various components in 1640160814Ssimon * param_len and make sure it never exceeds n. 1641160814Ssimon */ 1642160814Ssimon 1643160814Ssimon /* XXX: For now we only support named (not generic) curves 1644160814Ssimon * and the ECParameters in this case is just three bytes. 1645160814Ssimon */ 1646160814Ssimon param_len=3; 1647160814Ssimon if ((param_len > n) || 1648160814Ssimon (*p != NAMED_CURVE_TYPE) || 1649238405Sjkim ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1650160814Ssimon { 1651160814Ssimon al=SSL_AD_INTERNAL_ERROR; 1652160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1653160814Ssimon goto f_err; 1654160814Ssimon } 1655160814Ssimon 1656160814Ssimon ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1657160814Ssimon if (ngroup == NULL) 1658160814Ssimon { 1659160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1660160814Ssimon goto err; 1661160814Ssimon } 1662160814Ssimon if (EC_KEY_set_group(ecdh, ngroup) == 0) 1663160814Ssimon { 1664160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1665160814Ssimon goto err; 1666160814Ssimon } 1667160814Ssimon EC_GROUP_free(ngroup); 1668160814Ssimon 1669160814Ssimon group = EC_KEY_get0_group(ecdh); 1670160814Ssimon 1671160814Ssimon if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1672160814Ssimon (EC_GROUP_get_degree(group) > 163)) 1673160814Ssimon { 1674160814Ssimon al=SSL_AD_EXPORT_RESTRICTION; 1675160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1676160814Ssimon goto f_err; 1677160814Ssimon } 1678160814Ssimon 1679160814Ssimon p+=3; 1680160814Ssimon 1681160814Ssimon /* Next, get the encoded ECPoint */ 1682160814Ssimon if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1683160814Ssimon ((bn_ctx = BN_CTX_new()) == NULL)) 1684160814Ssimon { 1685160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1686160814Ssimon goto err; 1687160814Ssimon } 1688160814Ssimon 1689160814Ssimon encoded_pt_len = *p; /* length of encoded point */ 1690160814Ssimon p+=1; 1691160814Ssimon param_len += (1 + encoded_pt_len); 1692160814Ssimon if ((param_len > n) || 1693160814Ssimon (EC_POINT_oct2point(group, srvr_ecpoint, 1694160814Ssimon p, encoded_pt_len, bn_ctx) == 0)) 1695160814Ssimon { 1696160814Ssimon al=SSL_AD_DECODE_ERROR; 1697160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1698160814Ssimon goto f_err; 1699160814Ssimon } 1700160814Ssimon 1701160814Ssimon n-=param_len; 1702160814Ssimon p+=encoded_pt_len; 1703160814Ssimon 1704160814Ssimon /* The ECC/TLS specification does not mention 1705160814Ssimon * the use of DSA to sign ECParameters in the server 1706160814Ssimon * key exchange message. We do support RSA and ECDSA. 1707160814Ssimon */ 1708160814Ssimon if (0) ; 1709160814Ssimon#ifndef OPENSSL_NO_RSA 1710238405Sjkim else if (alg_a & SSL_aRSA) 1711160814Ssimon pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1712160814Ssimon#endif 1713160814Ssimon#ifndef OPENSSL_NO_ECDSA 1714238405Sjkim else if (alg_a & SSL_aECDSA) 1715160814Ssimon pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1716160814Ssimon#endif 1717160814Ssimon /* else anonymous ECDH, so no certificate or pkey. */ 1718160814Ssimon EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1719160814Ssimon s->session->sess_cert->peer_ecdh_tmp=ecdh; 1720160814Ssimon ecdh=NULL; 1721160814Ssimon BN_CTX_free(bn_ctx); 1722215288Ssimon bn_ctx = NULL; 1723160814Ssimon EC_POINT_free(srvr_ecpoint); 1724160814Ssimon srvr_ecpoint = NULL; 1725160814Ssimon } 1726238405Sjkim else if (alg_k) 1727160814Ssimon { 1728160814Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 1729160814Ssimon SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1730160814Ssimon goto f_err; 1731160814Ssimon } 1732160814Ssimon#endif /* !OPENSSL_NO_ECDH */ 173355714Skris 173455714Skris 173555714Skris /* p points to the next byte, there are 'n' bytes left */ 173655714Skris 173755714Skris /* if it was signed, check the signature */ 173855714Skris if (pkey != NULL) 173955714Skris { 1740238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 1741238405Sjkim { 1742238405Sjkim int sigalg = tls12_get_sigid(pkey); 1743238405Sjkim /* Should never happen */ 1744238405Sjkim if (sigalg == -1) 1745238405Sjkim { 1746238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1747238405Sjkim goto err; 1748238405Sjkim } 1749238405Sjkim /* Check key type is consistent with signature */ 1750238405Sjkim if (sigalg != (int)p[1]) 1751238405Sjkim { 1752238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1753238405Sjkim al=SSL_AD_DECODE_ERROR; 1754238405Sjkim goto f_err; 1755238405Sjkim } 1756238405Sjkim md = tls12_get_hash(p[0]); 1757238405Sjkim if (md == NULL) 1758238405Sjkim { 1759238405Sjkim SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1760238405Sjkim al=SSL_AD_DECODE_ERROR; 1761238405Sjkim goto f_err; 1762238405Sjkim } 1763238405Sjkim#ifdef SSL_DEBUG 1764238405Sjkimfprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1765238405Sjkim#endif 1766238405Sjkim p += 2; 1767238405Sjkim n -= 2; 1768238405Sjkim } 1769238405Sjkim else 1770238405Sjkim md = EVP_sha1(); 1771238405Sjkim 177255714Skris n2s(p,i); 177355714Skris n-=2; 177455714Skris j=EVP_PKEY_size(pkey); 177555714Skris 177655714Skris if ((i != n) || (n > j) || (n <= 0)) 177755714Skris { 177855714Skris /* wrong packet length */ 177955714Skris al=SSL_AD_DECODE_ERROR; 178055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 178155714Skris goto f_err; 178255714Skris } 178355714Skris 1784109998Smarkm#ifndef OPENSSL_NO_RSA 1785238405Sjkim if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 178655714Skris { 178755714Skris int num; 178855714Skris 178955714Skris j=0; 179055714Skris q=md_buf; 179155714Skris for (num=2; num > 0; num--) 179255714Skris { 1793194206Ssimon EVP_MD_CTX_set_flags(&md_ctx, 1794194206Ssimon EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1795109998Smarkm EVP_DigestInit_ex(&md_ctx,(num == 2) 1796109998Smarkm ?s->ctx->md5:s->ctx->sha1, NULL); 179755714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 179855714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 179955714Skris EVP_DigestUpdate(&md_ctx,param,param_len); 1800109998Smarkm EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 180155714Skris q+=i; 180255714Skris j+=i; 180355714Skris } 180459191Skris i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 180559191Skris pkey->pkey.rsa); 180659191Skris if (i < 0) 180755714Skris { 180855714Skris al=SSL_AD_DECRYPT_ERROR; 180955714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 181055714Skris goto f_err; 181155714Skris } 181259191Skris if (i == 0) 181355714Skris { 181455714Skris /* bad signature */ 181555714Skris al=SSL_AD_DECRYPT_ERROR; 181655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 181755714Skris goto f_err; 181855714Skris } 181955714Skris } 182055714Skris else 182155714Skris#endif 182255714Skris { 1823238405Sjkim EVP_VerifyInit_ex(&md_ctx, md, NULL); 182455714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 182555714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 182655714Skris EVP_VerifyUpdate(&md_ctx,param,param_len); 1827186872Ssimon if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 182855714Skris { 182955714Skris /* bad signature */ 183055714Skris al=SSL_AD_DECRYPT_ERROR; 183155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 183255714Skris goto f_err; 183355714Skris } 183455714Skris } 183555714Skris } 183655714Skris else 183755714Skris { 1838238405Sjkim if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1839238405Sjkim /* aNULL or kPSK do not need public keys */ 184055714Skris { 1841109998Smarkm SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 184255714Skris goto err; 184355714Skris } 1844238405Sjkim /* still data left over */ 184555714Skris if (n != 0) 184655714Skris { 184755714Skris al=SSL_AD_DECODE_ERROR; 184855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 184955714Skris goto f_err; 185055714Skris } 185155714Skris } 185255714Skris EVP_PKEY_free(pkey); 1853109998Smarkm EVP_MD_CTX_cleanup(&md_ctx); 185455714Skris return(1); 185555714Skrisf_err: 185655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 185755714Skriserr: 185855714Skris EVP_PKEY_free(pkey); 1859109998Smarkm#ifndef OPENSSL_NO_RSA 186055714Skris if (rsa != NULL) 186155714Skris RSA_free(rsa); 186255714Skris#endif 1863109998Smarkm#ifndef OPENSSL_NO_DH 186455714Skris if (dh != NULL) 186555714Skris DH_free(dh); 186655714Skris#endif 1867160814Ssimon#ifndef OPENSSL_NO_ECDH 1868160814Ssimon BN_CTX_free(bn_ctx); 1869160814Ssimon EC_POINT_free(srvr_ecpoint); 1870160814Ssimon if (ecdh != NULL) 1871160814Ssimon EC_KEY_free(ecdh); 1872160814Ssimon#endif 1873109998Smarkm EVP_MD_CTX_cleanup(&md_ctx); 187455714Skris return(-1); 187555714Skris } 187655714Skris 1877160814Ssimonint ssl3_get_certificate_request(SSL *s) 187855714Skris { 187955714Skris int ok,ret=0; 188055714Skris unsigned long n,nc,l; 1881238405Sjkim unsigned int llen, ctype_num,i; 188255714Skris X509_NAME *xn=NULL; 1883160814Ssimon const unsigned char *p,*q; 1884160814Ssimon unsigned char *d; 188555714Skris STACK_OF(X509_NAME) *ca_sk=NULL; 188655714Skris 1887160814Ssimon n=s->method->ssl_get_message(s, 188855714Skris SSL3_ST_CR_CERT_REQ_A, 188955714Skris SSL3_ST_CR_CERT_REQ_B, 189055714Skris -1, 1891109998Smarkm s->max_cert_list, 189255714Skris &ok); 189355714Skris 189455714Skris if (!ok) return((int)n); 189555714Skris 189655714Skris s->s3->tmp.cert_req=0; 189755714Skris 189855714Skris if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 189955714Skris { 190055714Skris s->s3->tmp.reuse_message=1; 1901238405Sjkim /* If we get here we don't need any cached handshake records 1902238405Sjkim * as we wont be doing client auth. 1903238405Sjkim */ 1904238405Sjkim if (s->s3->handshake_buffer) 1905238405Sjkim { 1906238405Sjkim if (!ssl3_digest_cached_records(s)) 1907238405Sjkim goto err; 1908238405Sjkim } 190955714Skris return(1); 191055714Skris } 191155714Skris 191255714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 191355714Skris { 191455714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 191555714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 191655714Skris goto err; 191755714Skris } 191855714Skris 191955714Skris /* TLS does not like anon-DH with client cert */ 192055714Skris if (s->version > SSL3_VERSION) 192155714Skris { 1922238405Sjkim if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 192355714Skris { 192455714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 192555714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 192655714Skris goto err; 192755714Skris } 192855714Skris } 192955714Skris 1930160814Ssimon p=d=(unsigned char *)s->init_msg; 193155714Skris 193255714Skris if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 193355714Skris { 193455714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 193555714Skris goto err; 193655714Skris } 193755714Skris 193855714Skris /* get the certificate types */ 193955714Skris ctype_num= *(p++); 194055714Skris if (ctype_num > SSL3_CT_NUMBER) 194155714Skris ctype_num=SSL3_CT_NUMBER; 194255714Skris for (i=0; i<ctype_num; i++) 194355714Skris s->s3->tmp.ctype[i]= p[i]; 194455714Skris p+=ctype_num; 1945238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 1946238405Sjkim { 1947238405Sjkim n2s(p, llen); 1948238405Sjkim /* Check we have enough room for signature algorithms and 1949238405Sjkim * following length value. 1950238405Sjkim */ 1951238405Sjkim if ((unsigned long)(p - d + llen + 2) > n) 1952238405Sjkim { 1953238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1954238405Sjkim SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); 1955238405Sjkim goto err; 1956238405Sjkim } 1957238405Sjkim if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1958238405Sjkim { 1959238405Sjkim ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1960238405Sjkim SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1961238405Sjkim goto err; 1962238405Sjkim } 1963238405Sjkim p += llen; 1964238405Sjkim } 196555714Skris 196655714Skris /* get the CA RDNs */ 196755714Skris n2s(p,llen); 196855714Skris#if 0 196955714Skris{ 197055714SkrisFILE *out; 197155714Skrisout=fopen("/tmp/vsign.der","w"); 197255714Skrisfwrite(p,1,llen,out); 197355714Skrisfclose(out); 197455714Skris} 197555714Skris#endif 197655714Skris 1977238405Sjkim if ((unsigned long)(p - d + llen) != n) 197855714Skris { 197955714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 198055714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 198155714Skris goto err; 198255714Skris } 198355714Skris 198455714Skris for (nc=0; nc<llen; ) 198555714Skris { 198655714Skris n2s(p,l); 198755714Skris if ((l+nc+2) > llen) 198855714Skris { 198955714Skris if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 199055714Skris goto cont; /* netscape bugs */ 199155714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 199255714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 199355714Skris goto err; 199455714Skris } 199555714Skris 199655714Skris q=p; 199755714Skris 199855714Skris if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 199955714Skris { 200059191Skris /* If netscape tolerance is on, ignore errors */ 200155714Skris if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 200255714Skris goto cont; 200355714Skris else 200455714Skris { 200555714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 200655714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 200755714Skris goto err; 200855714Skris } 200955714Skris } 201055714Skris 201155714Skris if (q != (p+l)) 201255714Skris { 201355714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 201455714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 201555714Skris goto err; 201655714Skris } 201755714Skris if (!sk_X509_NAME_push(ca_sk,xn)) 201855714Skris { 201955714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 202055714Skris goto err; 202155714Skris } 202255714Skris 202355714Skris p+=l; 202455714Skris nc+=l+2; 202555714Skris } 202655714Skris 202755714Skris if (0) 202855714Skris { 202955714Skriscont: 203055714Skris ERR_clear_error(); 203155714Skris } 203255714Skris 203359191Skris /* we should setup a certificate to return.... */ 203455714Skris s->s3->tmp.cert_req=1; 203555714Skris s->s3->tmp.ctype_num=ctype_num; 203655714Skris if (s->s3->tmp.ca_names != NULL) 203755714Skris sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 203855714Skris s->s3->tmp.ca_names=ca_sk; 203955714Skris ca_sk=NULL; 204055714Skris 204155714Skris ret=1; 204255714Skriserr: 204355714Skris if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 204455714Skris return(ret); 204555714Skris } 204655714Skris 204768651Skrisstatic int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 204855714Skris { 204955714Skris return(X509_NAME_cmp(*a,*b)); 205055714Skris } 2051194206Ssimon#ifndef OPENSSL_NO_TLSEXT 2052194206Ssimonint ssl3_get_new_session_ticket(SSL *s) 2053194206Ssimon { 2054194206Ssimon int ok,al,ret=0, ticklen; 2055194206Ssimon long n; 2056194206Ssimon const unsigned char *p; 2057194206Ssimon unsigned char *d; 205855714Skris 2059194206Ssimon n=s->method->ssl_get_message(s, 2060194206Ssimon SSL3_ST_CR_SESSION_TICKET_A, 2061194206Ssimon SSL3_ST_CR_SESSION_TICKET_B, 2062194206Ssimon -1, 2063194206Ssimon 16384, 2064194206Ssimon &ok); 2065194206Ssimon 2066194206Ssimon if (!ok) 2067194206Ssimon return((int)n); 2068194206Ssimon 2069194206Ssimon if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 2070194206Ssimon { 2071194206Ssimon s->s3->tmp.reuse_message=1; 2072194206Ssimon return(1); 2073194206Ssimon } 2074194206Ssimon if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 2075194206Ssimon { 2076194206Ssimon al=SSL_AD_UNEXPECTED_MESSAGE; 2077194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 2078194206Ssimon goto f_err; 2079194206Ssimon } 2080194206Ssimon if (n < 6) 2081194206Ssimon { 2082194206Ssimon /* need at least ticket_lifetime_hint + ticket length */ 2083237657Sjkim al = SSL_AD_DECODE_ERROR; 2084194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2085194206Ssimon goto f_err; 2086194206Ssimon } 2087205128Ssimon 2088194206Ssimon p=d=(unsigned char *)s->init_msg; 2089194206Ssimon n2l(p, s->session->tlsext_tick_lifetime_hint); 2090194206Ssimon n2s(p, ticklen); 2091194206Ssimon /* ticket_lifetime_hint + ticket_length + ticket */ 2092194206Ssimon if (ticklen + 6 != n) 2093194206Ssimon { 2094237657Sjkim al = SSL_AD_DECODE_ERROR; 2095194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2096194206Ssimon goto f_err; 2097194206Ssimon } 2098194206Ssimon if (s->session->tlsext_tick) 2099194206Ssimon { 2100194206Ssimon OPENSSL_free(s->session->tlsext_tick); 2101194206Ssimon s->session->tlsext_ticklen = 0; 2102194206Ssimon } 2103194206Ssimon s->session->tlsext_tick = OPENSSL_malloc(ticklen); 2104194206Ssimon if (!s->session->tlsext_tick) 2105194206Ssimon { 2106194206Ssimon SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 2107194206Ssimon goto err; 2108194206Ssimon } 2109194206Ssimon memcpy(s->session->tlsext_tick, p, ticklen); 2110194206Ssimon s->session->tlsext_ticklen = ticklen; 2111205128Ssimon /* There are two ways to detect a resumed ticket sesion. 2112205128Ssimon * One is to set an appropriate session ID and then the server 2113205128Ssimon * must return a match in ServerHello. This allows the normal 2114205128Ssimon * client session ID matching to work and we know much 2115205128Ssimon * earlier that the ticket has been accepted. 2116205128Ssimon * 2117205128Ssimon * The other way is to set zero length session ID when the 2118205128Ssimon * ticket is presented and rely on the handshake to determine 2119205128Ssimon * session resumption. 2120205128Ssimon * 2121205128Ssimon * We choose the former approach because this fits in with 2122205128Ssimon * assumptions elsewhere in OpenSSL. The session ID is set 2123205128Ssimon * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2124205128Ssimon * ticket. 2125205128Ssimon */ 2126205128Ssimon EVP_Digest(p, ticklen, 2127205128Ssimon s->session->session_id, &s->session->session_id_length, 2128205128Ssimon#ifndef OPENSSL_NO_SHA256 2129205128Ssimon EVP_sha256(), NULL); 2130205128Ssimon#else 2131205128Ssimon EVP_sha1(), NULL); 2132205128Ssimon#endif 2133194206Ssimon ret=1; 2134194206Ssimon return(ret); 2135194206Ssimonf_err: 2136194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 2137194206Ssimonerr: 2138194206Ssimon return(-1); 2139194206Ssimon } 2140194206Ssimon 2141194206Ssimonint ssl3_get_cert_status(SSL *s) 2142194206Ssimon { 2143194206Ssimon int ok, al; 2144238405Sjkim unsigned long resplen,n; 2145194206Ssimon const unsigned char *p; 2146194206Ssimon 2147194206Ssimon n=s->method->ssl_get_message(s, 2148194206Ssimon SSL3_ST_CR_CERT_STATUS_A, 2149194206Ssimon SSL3_ST_CR_CERT_STATUS_B, 2150194206Ssimon SSL3_MT_CERTIFICATE_STATUS, 2151194206Ssimon 16384, 2152194206Ssimon &ok); 2153194206Ssimon 2154194206Ssimon if (!ok) return((int)n); 2155194206Ssimon if (n < 4) 2156194206Ssimon { 2157194206Ssimon /* need at least status type + length */ 2158194206Ssimon al = SSL_AD_DECODE_ERROR; 2159194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2160194206Ssimon goto f_err; 2161194206Ssimon } 2162194206Ssimon p = (unsigned char *)s->init_msg; 2163194206Ssimon if (*p++ != TLSEXT_STATUSTYPE_ocsp) 2164194206Ssimon { 2165194206Ssimon al = SSL_AD_DECODE_ERROR; 2166194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 2167194206Ssimon goto f_err; 2168194206Ssimon } 2169194206Ssimon n2l3(p, resplen); 2170238405Sjkim if (resplen + 4 != n) 2171194206Ssimon { 2172194206Ssimon al = SSL_AD_DECODE_ERROR; 2173194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2174194206Ssimon goto f_err; 2175194206Ssimon } 2176194206Ssimon if (s->tlsext_ocsp_resp) 2177194206Ssimon OPENSSL_free(s->tlsext_ocsp_resp); 2178194206Ssimon s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2179194206Ssimon if (!s->tlsext_ocsp_resp) 2180194206Ssimon { 2181194206Ssimon al = SSL_AD_INTERNAL_ERROR; 2182194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2183194206Ssimon goto f_err; 2184194206Ssimon } 2185194206Ssimon s->tlsext_ocsp_resplen = resplen; 2186194206Ssimon if (s->ctx->tlsext_status_cb) 2187194206Ssimon { 2188194206Ssimon int ret; 2189194206Ssimon ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2190194206Ssimon if (ret == 0) 2191194206Ssimon { 2192194206Ssimon al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2193194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2194194206Ssimon goto f_err; 2195194206Ssimon } 2196194206Ssimon if (ret < 0) 2197194206Ssimon { 2198194206Ssimon al = SSL_AD_INTERNAL_ERROR; 2199194206Ssimon SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2200194206Ssimon goto f_err; 2201194206Ssimon } 2202194206Ssimon } 2203194206Ssimon return 1; 2204194206Ssimonf_err: 2205194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,al); 2206194206Ssimon return(-1); 2207194206Ssimon } 2208194206Ssimon#endif 2209194206Ssimon 2210160814Ssimonint ssl3_get_server_done(SSL *s) 221155714Skris { 221255714Skris int ok,ret=0; 221355714Skris long n; 221455714Skris 2215160814Ssimon n=s->method->ssl_get_message(s, 221655714Skris SSL3_ST_CR_SRVR_DONE_A, 221755714Skris SSL3_ST_CR_SRVR_DONE_B, 221855714Skris SSL3_MT_SERVER_DONE, 221955714Skris 30, /* should be very small, like 0 :-) */ 222055714Skris &ok); 222155714Skris 222255714Skris if (!ok) return((int)n); 222355714Skris if (n > 0) 222455714Skris { 222555714Skris /* should contain no data */ 222655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 222755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2228100928Snectar return -1; 222955714Skris } 223055714Skris ret=1; 223155714Skris return(ret); 223255714Skris } 223355714Skris 2234160814Ssimon 2235160814Ssimonint ssl3_send_client_key_exchange(SSL *s) 223655714Skris { 223755714Skris unsigned char *p,*d; 223855714Skris int n; 2239238405Sjkim unsigned long alg_k; 2240109998Smarkm#ifndef OPENSSL_NO_RSA 224155714Skris unsigned char *q; 224255714Skris EVP_PKEY *pkey=NULL; 224355714Skris#endif 2244109998Smarkm#ifndef OPENSSL_NO_KRB5 2245160814Ssimon KSSL_ERR kssl_err; 2246109998Smarkm#endif /* OPENSSL_NO_KRB5 */ 2247160814Ssimon#ifndef OPENSSL_NO_ECDH 2248160814Ssimon EC_KEY *clnt_ecdh = NULL; 2249160814Ssimon const EC_POINT *srvr_ecpoint = NULL; 2250160814Ssimon EVP_PKEY *srvr_pub_pkey = NULL; 2251160814Ssimon unsigned char *encodedPoint = NULL; 2252160814Ssimon int encoded_pt_len = 0; 2253160814Ssimon BN_CTX * bn_ctx = NULL; 2254160814Ssimon#endif 225555714Skris 225655714Skris if (s->state == SSL3_ST_CW_KEY_EXCH_A) 225755714Skris { 225855714Skris d=(unsigned char *)s->init_buf->data; 225955714Skris p= &(d[4]); 226055714Skris 2261238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 226255714Skris 2263160814Ssimon /* Fool emacs indentation */ 2264160814Ssimon if (0) {} 2265109998Smarkm#ifndef OPENSSL_NO_RSA 2266238405Sjkim else if (alg_k & SSL_kRSA) 226755714Skris { 226855714Skris RSA *rsa; 226955714Skris unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 227055714Skris 2271269686Sjkim if (s->session->sess_cert == NULL) 2272269686Sjkim { 2273269686Sjkim /* We should always have a server certificate with SSL_kRSA. */ 2274269686Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2275269686Sjkim goto err; 2276269686Sjkim } 2277269686Sjkim 227855714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 227955714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 228055714Skris else 228155714Skris { 228255714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 228355714Skris if ((pkey == NULL) || 228455714Skris (pkey->type != EVP_PKEY_RSA) || 228555714Skris (pkey->pkey.rsa == NULL)) 228655714Skris { 2287109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 228855714Skris goto err; 228955714Skris } 229055714Skris rsa=pkey->pkey.rsa; 229155714Skris EVP_PKEY_free(pkey); 229255714Skris } 229355714Skris 229455714Skris tmp_buf[0]=s->client_version>>8; 229555714Skris tmp_buf[1]=s->client_version&0xff; 2296109998Smarkm if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 229759191Skris goto err; 229855714Skris 2299109998Smarkm s->session->master_key_length=sizeof tmp_buf; 230055714Skris 230155714Skris q=p; 230255714Skris /* Fix buf for TLS and beyond */ 230355714Skris if (s->version > SSL3_VERSION) 230455714Skris p+=2; 2305109998Smarkm n=RSA_public_encrypt(sizeof tmp_buf, 230655714Skris tmp_buf,p,rsa,RSA_PKCS1_PADDING); 230755714Skris#ifdef PKCS1_CHECK 230855714Skris if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 230955714Skris if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 231055714Skris#endif 231155714Skris if (n <= 0) 231255714Skris { 231355714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 231455714Skris goto err; 231555714Skris } 231655714Skris 231755714Skris /* Fix buf for TLS and beyond */ 231855714Skris if (s->version > SSL3_VERSION) 231955714Skris { 232055714Skris s2n(n,q); 232155714Skris n+=2; 232255714Skris } 232355714Skris 232455714Skris s->session->master_key_length= 232555714Skris s->method->ssl3_enc->generate_master_secret(s, 232655714Skris s->session->master_key, 2327109998Smarkm tmp_buf,sizeof tmp_buf); 2328109998Smarkm OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 232955714Skris } 233055714Skris#endif 2331109998Smarkm#ifndef OPENSSL_NO_KRB5 2332238405Sjkim else if (alg_k & SSL_kKRB5) 2333160814Ssimon { 2334160814Ssimon krb5_error_code krb5rc; 2335160814Ssimon KSSL_CTX *kssl_ctx = s->kssl_ctx; 2336160814Ssimon /* krb5_data krb5_ap_req; */ 2337160814Ssimon krb5_data *enc_ticket; 2338160814Ssimon krb5_data authenticator, *authp = NULL; 2339109998Smarkm EVP_CIPHER_CTX ciph_ctx; 2340238405Sjkim const EVP_CIPHER *enc = NULL; 2341109998Smarkm unsigned char iv[EVP_MAX_IV_LENGTH]; 2342109998Smarkm unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2343109998Smarkm unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2344109998Smarkm + EVP_MAX_IV_LENGTH]; 2345109998Smarkm int padl, outl = sizeof(epms); 2346109998Smarkm 2347109998Smarkm EVP_CIPHER_CTX_init(&ciph_ctx); 2348109998Smarkm 2349109998Smarkm#ifdef KSSL_DEBUG 2350160814Ssimon printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2351238405Sjkim alg_k, SSL_kKRB5); 2352109998Smarkm#endif /* KSSL_DEBUG */ 2353109998Smarkm 2354109998Smarkm authp = NULL; 2355109998Smarkm#ifdef KRB5SENDAUTH 2356109998Smarkm if (KRB5SENDAUTH) authp = &authenticator; 2357109998Smarkm#endif /* KRB5SENDAUTH */ 2358109998Smarkm 2359160814Ssimon krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2360109998Smarkm &kssl_err); 2361109998Smarkm enc = kssl_map_enc(kssl_ctx->enctype); 2362160814Ssimon if (enc == NULL) 2363160814Ssimon goto err; 2364109998Smarkm#ifdef KSSL_DEBUG 2365160814Ssimon { 2366160814Ssimon printf("kssl_cget_tkt rtn %d\n", krb5rc); 2367160814Ssimon if (krb5rc && kssl_err.text) 2368109998Smarkm printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2369160814Ssimon } 2370109998Smarkm#endif /* KSSL_DEBUG */ 2371109998Smarkm 2372160814Ssimon if (krb5rc) 2373160814Ssimon { 2374160814Ssimon ssl3_send_alert(s,SSL3_AL_FATAL, 2375109998Smarkm SSL_AD_HANDSHAKE_FAILURE); 2376160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2377109998Smarkm kssl_err.reason); 2378160814Ssimon goto err; 2379160814Ssimon } 2380109998Smarkm 2381109998Smarkm /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2382109998Smarkm ** in place of RFC 2712 KerberosWrapper, as in: 2383109998Smarkm ** 2384160814Ssimon ** Send ticket (copy to *p, set n = length) 2385160814Ssimon ** n = krb5_ap_req.length; 2386160814Ssimon ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2387160814Ssimon ** if (krb5_ap_req.data) 2388160814Ssimon ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2389160814Ssimon ** 2390109998Smarkm ** Now using real RFC 2712 KerberosWrapper 2391109998Smarkm ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2392109998Smarkm ** Note: 2712 "opaque" types are here replaced 2393109998Smarkm ** with a 2-byte length followed by the value. 2394109998Smarkm ** Example: 2395109998Smarkm ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2396109998Smarkm ** Where "xx xx" = length bytes. Shown here with 2397109998Smarkm ** optional authenticator omitted. 2398109998Smarkm */ 2399109998Smarkm 2400109998Smarkm /* KerberosWrapper.Ticket */ 2401109998Smarkm s2n(enc_ticket->length,p); 2402109998Smarkm memcpy(p, enc_ticket->data, enc_ticket->length); 2403109998Smarkm p+= enc_ticket->length; 2404109998Smarkm n = enc_ticket->length + 2; 2405109998Smarkm 2406109998Smarkm /* KerberosWrapper.Authenticator */ 2407109998Smarkm if (authp && authp->length) 2408109998Smarkm { 2409109998Smarkm s2n(authp->length,p); 2410109998Smarkm memcpy(p, authp->data, authp->length); 2411109998Smarkm p+= authp->length; 2412109998Smarkm n+= authp->length + 2; 2413109998Smarkm 2414109998Smarkm free(authp->data); 2415109998Smarkm authp->data = NULL; 2416109998Smarkm authp->length = 0; 2417109998Smarkm } 2418109998Smarkm else 2419109998Smarkm { 2420109998Smarkm s2n(0,p);/* null authenticator length */ 2421109998Smarkm n+=2; 2422109998Smarkm } 2423109998Smarkm 2424167612Ssimon tmp_buf[0]=s->client_version>>8; 2425167612Ssimon tmp_buf[1]=s->client_version&0xff; 2426167612Ssimon if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2427167612Ssimon goto err; 2428109998Smarkm 2429109998Smarkm /* 20010420 VRS. Tried it this way; failed. 2430109998Smarkm ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2431109998Smarkm ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2432109998Smarkm ** kssl_ctx->length); 2433109998Smarkm ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2434109998Smarkm */ 2435109998Smarkm 2436109998Smarkm memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2437109998Smarkm EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2438109998Smarkm kssl_ctx->key,iv); 2439109998Smarkm EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2440109998Smarkm sizeof tmp_buf); 2441109998Smarkm EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2442109998Smarkm outl += padl; 2443238405Sjkim if (outl > (int)sizeof epms) 2444109998Smarkm { 2445109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2446109998Smarkm goto err; 2447109998Smarkm } 2448109998Smarkm EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2449109998Smarkm 2450109998Smarkm /* KerberosWrapper.EncryptedPreMasterSecret */ 2451109998Smarkm s2n(outl,p); 2452109998Smarkm memcpy(p, epms, outl); 2453109998Smarkm p+=outl; 2454109998Smarkm n+=outl + 2; 2455109998Smarkm 2456160814Ssimon s->session->master_key_length= 2457238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2458109998Smarkm s->session->master_key, 2459109998Smarkm tmp_buf, sizeof tmp_buf); 2460109998Smarkm 2461109998Smarkm OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2462109998Smarkm OPENSSL_cleanse(epms, outl); 2463160814Ssimon } 2464109998Smarkm#endif 2465109998Smarkm#ifndef OPENSSL_NO_DH 2466238405Sjkim else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 246755714Skris { 246855714Skris DH *dh_srvr,*dh_clnt; 246955714Skris 2470194206Ssimon if (s->session->sess_cert == NULL) 2471194206Ssimon { 2472194206Ssimon ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2473194206Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2474194206Ssimon goto err; 2475238405Sjkim } 2476194206Ssimon 247755714Skris if (s->session->sess_cert->peer_dh_tmp != NULL) 247855714Skris dh_srvr=s->session->sess_cert->peer_dh_tmp; 247955714Skris else 248055714Skris { 248155714Skris /* we get them from the cert */ 248255714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 248355714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 248455714Skris goto err; 248555714Skris } 248655714Skris 248755714Skris /* generate a new random key */ 248855714Skris if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 248955714Skris { 249055714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 249155714Skris goto err; 249255714Skris } 249355714Skris if (!DH_generate_key(dh_clnt)) 249455714Skris { 249555714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2496238405Sjkim DH_free(dh_clnt); 249755714Skris goto err; 249855714Skris } 249955714Skris 250055714Skris /* use the 'p' output buffer for the DH key, but 250155714Skris * make sure to clear it out afterwards */ 250255714Skris 250355714Skris n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 250455714Skris 250555714Skris if (n <= 0) 250655714Skris { 250755714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2508238405Sjkim DH_free(dh_clnt); 250955714Skris goto err; 251055714Skris } 251155714Skris 251255714Skris /* generate master key from the result */ 251355714Skris s->session->master_key_length= 251455714Skris s->method->ssl3_enc->generate_master_secret(s, 251555714Skris s->session->master_key,p,n); 251655714Skris /* clean up */ 251755714Skris memset(p,0,n); 251855714Skris 251955714Skris /* send off the data */ 252055714Skris n=BN_num_bytes(dh_clnt->pub_key); 252155714Skris s2n(n,p); 252255714Skris BN_bn2bin(dh_clnt->pub_key,p); 252355714Skris n+=2; 252455714Skris 252555714Skris DH_free(dh_clnt); 252655714Skris 252755714Skris /* perhaps clean things up a bit EAY EAY EAY EAY*/ 252855714Skris } 2529109998Smarkm#endif 2530160814Ssimon 2531160814Ssimon#ifndef OPENSSL_NO_ECDH 2532238405Sjkim else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2533160814Ssimon { 2534160814Ssimon const EC_GROUP *srvr_group = NULL; 2535160814Ssimon EC_KEY *tkey; 2536160814Ssimon int ecdh_clnt_cert = 0; 2537160814Ssimon int field_size = 0; 2538160814Ssimon 2539267103Sdelphij if (s->session->sess_cert == NULL) 2540267103Sdelphij { 2541267103Sdelphij ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2542267103Sdelphij SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2543267103Sdelphij goto err; 2544267103Sdelphij } 2545267103Sdelphij 2546160814Ssimon /* Did we send out the client's 2547160814Ssimon * ECDH share for use in premaster 2548160814Ssimon * computation as part of client certificate? 2549160814Ssimon * If so, set ecdh_clnt_cert to 1. 2550160814Ssimon */ 2551238405Sjkim if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2552160814Ssimon { 2553160814Ssimon /* XXX: For now, we do not support client 2554160814Ssimon * authentication using ECDH certificates. 2555160814Ssimon * To add such support, one needs to add 2556160814Ssimon * code that checks for appropriate 2557160814Ssimon * conditions and sets ecdh_clnt_cert to 1. 2558160814Ssimon * For example, the cert have an ECC 2559160814Ssimon * key on the same curve as the server's 2560160814Ssimon * and the key should be authorized for 2561160814Ssimon * key agreement. 2562160814Ssimon * 2563160814Ssimon * One also needs to add code in ssl3_connect 2564160814Ssimon * to skip sending the certificate verify 2565160814Ssimon * message. 2566160814Ssimon * 2567160814Ssimon * if ((s->cert->key->privatekey != NULL) && 2568160814Ssimon * (s->cert->key->privatekey->type == 2569160814Ssimon * EVP_PKEY_EC) && ...) 2570160814Ssimon * ecdh_clnt_cert = 1; 2571160814Ssimon */ 2572160814Ssimon } 2573160814Ssimon 2574160814Ssimon if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2575160814Ssimon { 2576160814Ssimon tkey = s->session->sess_cert->peer_ecdh_tmp; 2577160814Ssimon } 2578160814Ssimon else 2579160814Ssimon { 2580160814Ssimon /* Get the Server Public Key from Cert */ 2581160814Ssimon srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2582160814Ssimon sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2583160814Ssimon if ((srvr_pub_pkey == NULL) || 2584160814Ssimon (srvr_pub_pkey->type != EVP_PKEY_EC) || 2585160814Ssimon (srvr_pub_pkey->pkey.ec == NULL)) 2586160814Ssimon { 2587160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2588160814Ssimon ERR_R_INTERNAL_ERROR); 2589160814Ssimon goto err; 2590160814Ssimon } 2591160814Ssimon 2592160814Ssimon tkey = srvr_pub_pkey->pkey.ec; 2593160814Ssimon } 2594160814Ssimon 2595160814Ssimon srvr_group = EC_KEY_get0_group(tkey); 2596160814Ssimon srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2597160814Ssimon 2598160814Ssimon if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2599160814Ssimon { 2600160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2601160814Ssimon ERR_R_INTERNAL_ERROR); 2602160814Ssimon goto err; 2603160814Ssimon } 2604160814Ssimon 2605160814Ssimon if ((clnt_ecdh=EC_KEY_new()) == NULL) 2606160814Ssimon { 2607160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2608160814Ssimon goto err; 2609160814Ssimon } 2610160814Ssimon 2611160814Ssimon if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2612160814Ssimon { 2613160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2614160814Ssimon goto err; 2615160814Ssimon } 2616160814Ssimon if (ecdh_clnt_cert) 2617160814Ssimon { 2618160814Ssimon /* Reuse key info from our certificate 2619160814Ssimon * We only need our private key to perform 2620160814Ssimon * the ECDH computation. 2621160814Ssimon */ 2622160814Ssimon const BIGNUM *priv_key; 2623160814Ssimon tkey = s->cert->key->privatekey->pkey.ec; 2624160814Ssimon priv_key = EC_KEY_get0_private_key(tkey); 2625160814Ssimon if (priv_key == NULL) 2626160814Ssimon { 2627160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2628160814Ssimon goto err; 2629160814Ssimon } 2630160814Ssimon if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2631160814Ssimon { 2632160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2633160814Ssimon goto err; 2634160814Ssimon } 2635160814Ssimon } 2636160814Ssimon else 2637160814Ssimon { 2638160814Ssimon /* Generate a new ECDH key pair */ 2639160814Ssimon if (!(EC_KEY_generate_key(clnt_ecdh))) 2640160814Ssimon { 2641160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2642160814Ssimon goto err; 2643160814Ssimon } 2644160814Ssimon } 2645160814Ssimon 2646160814Ssimon /* use the 'p' output buffer for the ECDH key, but 2647160814Ssimon * make sure to clear it out afterwards 2648160814Ssimon */ 2649160814Ssimon 2650160814Ssimon field_size = EC_GROUP_get_degree(srvr_group); 2651160814Ssimon if (field_size <= 0) 2652160814Ssimon { 2653160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2654160814Ssimon ERR_R_ECDH_LIB); 2655160814Ssimon goto err; 2656160814Ssimon } 2657160814Ssimon n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2658160814Ssimon if (n <= 0) 2659160814Ssimon { 2660160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2661160814Ssimon ERR_R_ECDH_LIB); 2662160814Ssimon goto err; 2663160814Ssimon } 2664160814Ssimon 2665160814Ssimon /* generate master key from the result */ 2666160814Ssimon s->session->master_key_length = s->method->ssl3_enc \ 2667160814Ssimon -> generate_master_secret(s, 2668160814Ssimon s->session->master_key, 2669160814Ssimon p, n); 2670160814Ssimon 2671160814Ssimon memset(p, 0, n); /* clean up */ 2672160814Ssimon 2673160814Ssimon if (ecdh_clnt_cert) 2674160814Ssimon { 2675160814Ssimon /* Send empty client key exch message */ 2676160814Ssimon n = 0; 2677160814Ssimon } 2678160814Ssimon else 2679160814Ssimon { 2680160814Ssimon /* First check the size of encoding and 2681160814Ssimon * allocate memory accordingly. 2682160814Ssimon */ 2683160814Ssimon encoded_pt_len = 2684160814Ssimon EC_POINT_point2oct(srvr_group, 2685160814Ssimon EC_KEY_get0_public_key(clnt_ecdh), 2686160814Ssimon POINT_CONVERSION_UNCOMPRESSED, 2687160814Ssimon NULL, 0, NULL); 2688160814Ssimon 2689160814Ssimon encodedPoint = (unsigned char *) 2690160814Ssimon OPENSSL_malloc(encoded_pt_len * 2691160814Ssimon sizeof(unsigned char)); 2692160814Ssimon bn_ctx = BN_CTX_new(); 2693160814Ssimon if ((encodedPoint == NULL) || 2694160814Ssimon (bn_ctx == NULL)) 2695160814Ssimon { 2696160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2697160814Ssimon goto err; 2698160814Ssimon } 2699160814Ssimon 2700160814Ssimon /* Encode the public key */ 2701160814Ssimon n = EC_POINT_point2oct(srvr_group, 2702160814Ssimon EC_KEY_get0_public_key(clnt_ecdh), 2703160814Ssimon POINT_CONVERSION_UNCOMPRESSED, 2704160814Ssimon encodedPoint, encoded_pt_len, bn_ctx); 2705160814Ssimon 2706160814Ssimon *p = n; /* length of encoded point */ 2707160814Ssimon /* Encoded point will be copied here */ 2708160814Ssimon p += 1; 2709160814Ssimon /* copy the point */ 2710160814Ssimon memcpy((unsigned char *)p, encodedPoint, n); 2711160814Ssimon /* increment n to account for length field */ 2712160814Ssimon n += 1; 2713160814Ssimon } 2714160814Ssimon 2715160814Ssimon /* Free allocated memory */ 2716160814Ssimon BN_CTX_free(bn_ctx); 2717160814Ssimon if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2718160814Ssimon if (clnt_ecdh != NULL) 2719160814Ssimon EC_KEY_free(clnt_ecdh); 2720160814Ssimon EVP_PKEY_free(srvr_pub_pkey); 2721160814Ssimon } 2722160814Ssimon#endif /* !OPENSSL_NO_ECDH */ 2723238405Sjkim else if (alg_k & SSL_kGOST) 2724238405Sjkim { 2725238405Sjkim /* GOST key exchange message creation */ 2726238405Sjkim EVP_PKEY_CTX *pkey_ctx; 2727238405Sjkim X509 *peer_cert; 2728238405Sjkim size_t msglen; 2729238405Sjkim unsigned int md_len; 2730238405Sjkim int keytype; 2731238405Sjkim unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2732238405Sjkim EVP_MD_CTX *ukm_hash; 2733238405Sjkim EVP_PKEY *pub_key; 2734238405Sjkim 2735238405Sjkim /* Get server sertificate PKEY and create ctx from it */ 2736238405Sjkim peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2737238405Sjkim if (!peer_cert) 2738238405Sjkim peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2739238405Sjkim if (!peer_cert) { 2740238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2741238405Sjkim goto err; 2742238405Sjkim } 2743238405Sjkim 2744238405Sjkim pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2745238405Sjkim /* If we have send a certificate, and certificate key 2746238405Sjkim 2747238405Sjkim * parameters match those of server certificate, use 2748238405Sjkim * certificate key for key exchange 2749238405Sjkim */ 2750238405Sjkim 2751238405Sjkim /* Otherwise, generate ephemeral key pair */ 2752238405Sjkim 2753238405Sjkim EVP_PKEY_encrypt_init(pkey_ctx); 2754238405Sjkim /* Generate session key */ 2755238405Sjkim RAND_bytes(premaster_secret,32); 2756238405Sjkim /* If we have client certificate, use its secret as peer key */ 2757238405Sjkim if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2758238405Sjkim if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2759238405Sjkim /* If there was an error - just ignore it. Ephemeral key 2760238405Sjkim * would be used 2761238405Sjkim */ 2762238405Sjkim ERR_clear_error(); 2763238405Sjkim } 2764238405Sjkim } 2765238405Sjkim /* Compute shared IV and store it in algorithm-specific 2766238405Sjkim * context data */ 2767238405Sjkim ukm_hash = EVP_MD_CTX_create(); 2768238405Sjkim EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2769238405Sjkim EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2770238405Sjkim EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2771238405Sjkim EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2772238405Sjkim EVP_MD_CTX_destroy(ukm_hash); 2773238405Sjkim if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2774238405Sjkim 8,shared_ukm)<0) { 2775238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2776238405Sjkim SSL_R_LIBRARY_BUG); 2777238405Sjkim goto err; 2778238405Sjkim } 2779238405Sjkim /* Make GOST keytransport blob message */ 2780238405Sjkim /*Encapsulate it into sequence */ 2781238405Sjkim *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2782238405Sjkim msglen=255; 2783238405Sjkim if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2784238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2785238405Sjkim SSL_R_LIBRARY_BUG); 2786238405Sjkim goto err; 2787238405Sjkim } 2788238405Sjkim if (msglen >= 0x80) 2789238405Sjkim { 2790238405Sjkim *(p++)=0x81; 2791238405Sjkim *(p++)= msglen & 0xff; 2792238405Sjkim n=msglen+3; 2793238405Sjkim } 2794238405Sjkim else 2795238405Sjkim { 2796238405Sjkim *(p++)= msglen & 0xff; 2797238405Sjkim n=msglen+2; 2798238405Sjkim } 2799238405Sjkim memcpy(p, tmp, msglen); 2800238405Sjkim /* Check if pubkey from client certificate was used */ 2801238405Sjkim if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2802238405Sjkim { 2803238405Sjkim /* Set flag "skip certificate verify" */ 2804238405Sjkim s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2805238405Sjkim } 2806238405Sjkim EVP_PKEY_CTX_free(pkey_ctx); 2807238405Sjkim s->session->master_key_length= 2808238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2809238405Sjkim s->session->master_key,premaster_secret,32); 2810238405Sjkim EVP_PKEY_free(pub_key); 2811238405Sjkim 2812238405Sjkim } 2813238405Sjkim#ifndef OPENSSL_NO_SRP 2814238405Sjkim else if (alg_k & SSL_kSRP) 2815238405Sjkim { 2816238405Sjkim if (s->srp_ctx.A != NULL) 2817238405Sjkim { 2818238405Sjkim /* send off the data */ 2819238405Sjkim n=BN_num_bytes(s->srp_ctx.A); 2820238405Sjkim s2n(n,p); 2821238405Sjkim BN_bn2bin(s->srp_ctx.A,p); 2822238405Sjkim n+=2; 2823238405Sjkim } 2824238405Sjkim else 2825238405Sjkim { 2826238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2827238405Sjkim goto err; 2828238405Sjkim } 2829238405Sjkim if (s->session->srp_username != NULL) 2830238405Sjkim OPENSSL_free(s->session->srp_username); 2831238405Sjkim s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2832238405Sjkim if (s->session->srp_username == NULL) 2833238405Sjkim { 2834238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2835238405Sjkim ERR_R_MALLOC_FAILURE); 2836238405Sjkim goto err; 2837238405Sjkim } 2838238405Sjkim 2839238405Sjkim if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2840238405Sjkim { 2841238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2842238405Sjkim goto err; 2843238405Sjkim } 2844238405Sjkim } 2845238405Sjkim#endif 2846238405Sjkim#ifndef OPENSSL_NO_PSK 2847238405Sjkim else if (alg_k & SSL_kPSK) 2848238405Sjkim { 2849238405Sjkim char identity[PSK_MAX_IDENTITY_LEN]; 2850238405Sjkim unsigned char *t = NULL; 2851238405Sjkim unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2852238405Sjkim unsigned int pre_ms_len = 0, psk_len = 0; 2853238405Sjkim int psk_err = 1; 2854238405Sjkim 2855238405Sjkim n = 0; 2856238405Sjkim if (s->psk_client_callback == NULL) 2857238405Sjkim { 2858238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2859238405Sjkim SSL_R_PSK_NO_CLIENT_CB); 2860238405Sjkim goto err; 2861238405Sjkim } 2862238405Sjkim 2863238405Sjkim psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2864238405Sjkim identity, PSK_MAX_IDENTITY_LEN, 2865238405Sjkim psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2866238405Sjkim if (psk_len > PSK_MAX_PSK_LEN) 2867238405Sjkim { 2868238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2869238405Sjkim ERR_R_INTERNAL_ERROR); 2870238405Sjkim goto psk_err; 2871238405Sjkim } 2872238405Sjkim else if (psk_len == 0) 2873238405Sjkim { 2874238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2875238405Sjkim SSL_R_PSK_IDENTITY_NOT_FOUND); 2876238405Sjkim goto psk_err; 2877238405Sjkim } 2878238405Sjkim 2879238405Sjkim /* create PSK pre_master_secret */ 2880238405Sjkim pre_ms_len = 2+psk_len+2+psk_len; 2881238405Sjkim t = psk_or_pre_ms; 2882238405Sjkim memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2883238405Sjkim s2n(psk_len, t); 2884238405Sjkim memset(t, 0, psk_len); 2885238405Sjkim t+=psk_len; 2886238405Sjkim s2n(psk_len, t); 2887238405Sjkim 2888238405Sjkim if (s->session->psk_identity_hint != NULL) 2889238405Sjkim OPENSSL_free(s->session->psk_identity_hint); 2890238405Sjkim s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2891238405Sjkim if (s->ctx->psk_identity_hint != NULL && 2892238405Sjkim s->session->psk_identity_hint == NULL) 2893238405Sjkim { 2894238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2895238405Sjkim ERR_R_MALLOC_FAILURE); 2896238405Sjkim goto psk_err; 2897238405Sjkim } 2898238405Sjkim 2899238405Sjkim if (s->session->psk_identity != NULL) 2900238405Sjkim OPENSSL_free(s->session->psk_identity); 2901238405Sjkim s->session->psk_identity = BUF_strdup(identity); 2902238405Sjkim if (s->session->psk_identity == NULL) 2903238405Sjkim { 2904238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2905238405Sjkim ERR_R_MALLOC_FAILURE); 2906238405Sjkim goto psk_err; 2907238405Sjkim } 2908238405Sjkim 2909238405Sjkim s->session->master_key_length = 2910238405Sjkim s->method->ssl3_enc->generate_master_secret(s, 2911238405Sjkim s->session->master_key, 2912238405Sjkim psk_or_pre_ms, pre_ms_len); 2913238405Sjkim n = strlen(identity); 2914238405Sjkim s2n(n, p); 2915238405Sjkim memcpy(p, identity, n); 2916238405Sjkim n+=2; 2917238405Sjkim psk_err = 0; 2918238405Sjkim psk_err: 2919238405Sjkim OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2920238405Sjkim OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2921238405Sjkim if (psk_err != 0) 2922238405Sjkim { 2923238405Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2924238405Sjkim goto err; 2925238405Sjkim } 2926238405Sjkim } 2927238405Sjkim#endif 292855714Skris else 292955714Skris { 2930160814Ssimon ssl3_send_alert(s, SSL3_AL_FATAL, 2931160814Ssimon SSL_AD_HANDSHAKE_FAILURE); 2932160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2933160814Ssimon ERR_R_INTERNAL_ERROR); 293455714Skris goto err; 293555714Skris } 293655714Skris 293755714Skris *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 293855714Skris l2n3(n,d); 293955714Skris 294055714Skris s->state=SSL3_ST_CW_KEY_EXCH_B; 294155714Skris /* number of bytes to write */ 294255714Skris s->init_num=n+4; 294355714Skris s->init_off=0; 294455714Skris } 294555714Skris 294655714Skris /* SSL3_ST_CW_KEY_EXCH_B */ 294755714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 294855714Skriserr: 2949160814Ssimon#ifndef OPENSSL_NO_ECDH 2950160814Ssimon BN_CTX_free(bn_ctx); 2951160814Ssimon if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2952160814Ssimon if (clnt_ecdh != NULL) 2953160814Ssimon EC_KEY_free(clnt_ecdh); 2954160814Ssimon EVP_PKEY_free(srvr_pub_pkey); 2955160814Ssimon#endif 295655714Skris return(-1); 295755714Skris } 295855714Skris 2959160814Ssimonint ssl3_send_client_verify(SSL *s) 296055714Skris { 296155714Skris unsigned char *p,*d; 296255714Skris unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 296355714Skris EVP_PKEY *pkey; 2964238405Sjkim EVP_PKEY_CTX *pctx=NULL; 2965238405Sjkim EVP_MD_CTX mctx; 296659191Skris unsigned u=0; 296755714Skris unsigned long n; 296855714Skris int j; 296955714Skris 2970238405Sjkim EVP_MD_CTX_init(&mctx); 2971238405Sjkim 297255714Skris if (s->state == SSL3_ST_CW_CERT_VRFY_A) 297355714Skris { 297455714Skris d=(unsigned char *)s->init_buf->data; 297555714Skris p= &(d[4]); 297655714Skris pkey=s->cert->key->privatekey; 2977238405Sjkim/* Create context from key and test if sha1 is allowed as digest */ 2978238405Sjkim pctx = EVP_PKEY_CTX_new(pkey,NULL); 2979238405Sjkim EVP_PKEY_sign_init(pctx); 2980238405Sjkim if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2981238405Sjkim { 2982238405Sjkim if (TLS1_get_version(s) < TLS1_2_VERSION) 2983238405Sjkim s->method->ssl3_enc->cert_verify_mac(s, 2984238405Sjkim NID_sha1, 2985238405Sjkim &(data[MD5_DIGEST_LENGTH])); 2986238405Sjkim } 2987238405Sjkim else 2988238405Sjkim { 2989238405Sjkim ERR_clear_error(); 2990238405Sjkim } 2991238405Sjkim /* For TLS v1.2 send signature algorithm and signature 2992238405Sjkim * using agreed digest and cached handshake records. 2993238405Sjkim */ 2994238405Sjkim if (TLS1_get_version(s) >= TLS1_2_VERSION) 2995238405Sjkim { 2996238405Sjkim long hdatalen = 0; 2997238405Sjkim void *hdata; 2998238405Sjkim const EVP_MD *md = s->cert->key->digest; 2999238405Sjkim hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 3000238405Sjkim &hdata); 3001238405Sjkim if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 3002238405Sjkim { 3003238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3004238405Sjkim ERR_R_INTERNAL_ERROR); 3005238405Sjkim goto err; 3006238405Sjkim } 3007238405Sjkim p += 2; 3008238405Sjkim#ifdef SSL_DEBUG 3009238405Sjkim fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 3010238405Sjkim EVP_MD_name(md)); 3011238405Sjkim#endif 3012238405Sjkim if (!EVP_SignInit_ex(&mctx, md, NULL) 3013238405Sjkim || !EVP_SignUpdate(&mctx, hdata, hdatalen) 3014238405Sjkim || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 3015238405Sjkim { 3016238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3017238405Sjkim ERR_R_EVP_LIB); 3018238405Sjkim goto err; 3019238405Sjkim } 3020238405Sjkim s2n(u,p); 3021238405Sjkim n = u + 4; 3022238405Sjkim if (!ssl3_digest_cached_records(s)) 3023238405Sjkim goto err; 3024238405Sjkim } 3025238405Sjkim else 3026109998Smarkm#ifndef OPENSSL_NO_RSA 302755714Skris if (pkey->type == EVP_PKEY_RSA) 302855714Skris { 302955714Skris s->method->ssl3_enc->cert_verify_mac(s, 3030238405Sjkim NID_md5, 3031238405Sjkim &(data[0])); 303259191Skris if (RSA_sign(NID_md5_sha1, data, 303359191Skris MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 303459191Skris &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 303555714Skris { 303655714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 303755714Skris goto err; 303855714Skris } 303959191Skris s2n(u,p); 304059191Skris n=u+2; 304155714Skris } 304255714Skris else 304355714Skris#endif 3044109998Smarkm#ifndef OPENSSL_NO_DSA 304555714Skris if (pkey->type == EVP_PKEY_DSA) 304655714Skris { 304755714Skris if (!DSA_sign(pkey->save_type, 304855714Skris &(data[MD5_DIGEST_LENGTH]), 304955714Skris SHA_DIGEST_LENGTH,&(p[2]), 305055714Skris (unsigned int *)&j,pkey->pkey.dsa)) 305155714Skris { 305255714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 305355714Skris goto err; 305455714Skris } 305555714Skris s2n(j,p); 305655714Skris n=j+2; 305755714Skris } 305855714Skris else 305955714Skris#endif 3060160814Ssimon#ifndef OPENSSL_NO_ECDSA 3061160814Ssimon if (pkey->type == EVP_PKEY_EC) 306255714Skris { 3063160814Ssimon if (!ECDSA_sign(pkey->save_type, 3064160814Ssimon &(data[MD5_DIGEST_LENGTH]), 3065160814Ssimon SHA_DIGEST_LENGTH,&(p[2]), 3066160814Ssimon (unsigned int *)&j,pkey->pkey.ec)) 3067160814Ssimon { 3068160814Ssimon SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3069160814Ssimon ERR_R_ECDSA_LIB); 3070160814Ssimon goto err; 3071160814Ssimon } 3072160814Ssimon s2n(j,p); 3073160814Ssimon n=j+2; 3074160814Ssimon } 3075160814Ssimon else 3076160814Ssimon#endif 3077238405Sjkim if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3078238405Sjkim { 3079238405Sjkim unsigned char signbuf[64]; 3080238405Sjkim int i; 3081238405Sjkim size_t sigsize=64; 3082238405Sjkim s->method->ssl3_enc->cert_verify_mac(s, 3083238405Sjkim NID_id_GostR3411_94, 3084238405Sjkim data); 3085238405Sjkim if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 3086238405Sjkim SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3087238405Sjkim ERR_R_INTERNAL_ERROR); 3088238405Sjkim goto err; 3089238405Sjkim } 3090238405Sjkim for (i=63,j=0; i>=0; j++, i--) { 3091238405Sjkim p[2+j]=signbuf[i]; 3092238405Sjkim } 3093238405Sjkim s2n(j,p); 3094238405Sjkim n=j+2; 3095238405Sjkim } 3096238405Sjkim else 3097238405Sjkim { 3098109998Smarkm SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 309955714Skris goto err; 3100238405Sjkim } 310155714Skris *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 310255714Skris l2n3(n,d); 310355714Skris 3104120631Snectar s->state=SSL3_ST_CW_CERT_VRFY_B; 310555714Skris s->init_num=(int)n+4; 310655714Skris s->init_off=0; 310755714Skris } 3108238405Sjkim EVP_MD_CTX_cleanup(&mctx); 3109238405Sjkim EVP_PKEY_CTX_free(pctx); 311055714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 311155714Skriserr: 3112238405Sjkim EVP_MD_CTX_cleanup(&mctx); 3113238405Sjkim EVP_PKEY_CTX_free(pctx); 311455714Skris return(-1); 311555714Skris } 311655714Skris 3117160814Ssimonint ssl3_send_client_certificate(SSL *s) 311855714Skris { 311955714Skris X509 *x509=NULL; 312055714Skris EVP_PKEY *pkey=NULL; 312155714Skris int i; 312255714Skris unsigned long l; 312355714Skris 312455714Skris if (s->state == SSL3_ST_CW_CERT_A) 312555714Skris { 312655714Skris if ((s->cert == NULL) || 312755714Skris (s->cert->key->x509 == NULL) || 312855714Skris (s->cert->key->privatekey == NULL)) 312955714Skris s->state=SSL3_ST_CW_CERT_B; 313055714Skris else 313155714Skris s->state=SSL3_ST_CW_CERT_C; 313255714Skris } 313355714Skris 313455714Skris /* We need to get a client cert */ 313555714Skris if (s->state == SSL3_ST_CW_CERT_B) 313655714Skris { 313755714Skris /* If we get an error, we need to 313855714Skris * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 313955714Skris * We then get retied later */ 314055714Skris i=0; 3141194206Ssimon i = ssl_do_client_cert_cb(s, &x509, &pkey); 314255714Skris if (i < 0) 314355714Skris { 314455714Skris s->rwstate=SSL_X509_LOOKUP; 314555714Skris return(-1); 314655714Skris } 314755714Skris s->rwstate=SSL_NOTHING; 314855714Skris if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 314955714Skris { 315055714Skris s->state=SSL3_ST_CW_CERT_B; 315155714Skris if ( !SSL_use_certificate(s,x509) || 315255714Skris !SSL_use_PrivateKey(s,pkey)) 315355714Skris i=0; 315455714Skris } 315555714Skris else if (i == 1) 315655714Skris { 315755714Skris i=0; 315855714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 315955714Skris } 316055714Skris 316155714Skris if (x509 != NULL) X509_free(x509); 316255714Skris if (pkey != NULL) EVP_PKEY_free(pkey); 316355714Skris if (i == 0) 316455714Skris { 316555714Skris if (s->version == SSL3_VERSION) 316655714Skris { 316755714Skris s->s3->tmp.cert_req=0; 316855714Skris ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 316955714Skris return(1); 317055714Skris } 317155714Skris else 317255714Skris { 317355714Skris s->s3->tmp.cert_req=2; 317455714Skris } 317555714Skris } 317655714Skris 317755714Skris /* Ok, we have a cert */ 317855714Skris s->state=SSL3_ST_CW_CERT_C; 317955714Skris } 318055714Skris 318155714Skris if (s->state == SSL3_ST_CW_CERT_C) 318255714Skris { 318355714Skris s->state=SSL3_ST_CW_CERT_D; 318455714Skris l=ssl3_output_cert_chain(s, 318555714Skris (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 318655714Skris s->init_num=(int)l; 318755714Skris s->init_off=0; 318855714Skris } 318955714Skris /* SSL3_ST_CW_CERT_D */ 319055714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 319155714Skris } 319255714Skris 319355714Skris#define has_bits(i,m) (((i)&(m)) == (m)) 319455714Skris 3195160814Ssimonint ssl3_check_cert_and_algorithm(SSL *s) 319655714Skris { 319755714Skris int i,idx; 3198238405Sjkim long alg_k,alg_a; 319955714Skris EVP_PKEY *pkey=NULL; 320055714Skris SESS_CERT *sc; 3201109998Smarkm#ifndef OPENSSL_NO_RSA 320255714Skris RSA *rsa; 320355714Skris#endif 3204109998Smarkm#ifndef OPENSSL_NO_DH 320555714Skris DH *dh; 320655714Skris#endif 320755714Skris 3208238405Sjkim alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 3209238405Sjkim alg_a=s->s3->tmp.new_cipher->algorithm_auth; 321055714Skris 3211194206Ssimon /* we don't have a certificate */ 3212238405Sjkim if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 3213194206Ssimon return(1); 3214194206Ssimon 3215238405Sjkim sc=s->session->sess_cert; 321655714Skris if (sc == NULL) 321755714Skris { 3218109998Smarkm SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 321955714Skris goto err; 322055714Skris } 322155714Skris 3222109998Smarkm#ifndef OPENSSL_NO_RSA 322355714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 322455714Skris#endif 3225109998Smarkm#ifndef OPENSSL_NO_DH 322655714Skris dh=s->session->sess_cert->peer_dh_tmp; 322755714Skris#endif 322855714Skris 322955714Skris /* This is the passed certificate */ 323055714Skris 323155714Skris idx=sc->peer_cert_type; 3232160814Ssimon#ifndef OPENSSL_NO_ECDH 3233160814Ssimon if (idx == SSL_PKEY_ECC) 3234160814Ssimon { 3235238405Sjkim if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3236238405Sjkim s) == 0) 3237160814Ssimon { /* check failed */ 3238160814Ssimon SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 3239238405Sjkim goto f_err; 3240160814Ssimon } 3241160814Ssimon else 3242160814Ssimon { 3243160814Ssimon return 1; 3244160814Ssimon } 3245160814Ssimon } 3246160814Ssimon#endif 324755714Skris pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 324855714Skris i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 324955714Skris EVP_PKEY_free(pkey); 325055714Skris 325155714Skris 325255714Skris /* Check that we have a certificate if we require one */ 3253238405Sjkim if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 325455714Skris { 325555714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 325655714Skris goto f_err; 325755714Skris } 3258109998Smarkm#ifndef OPENSSL_NO_DSA 3259238405Sjkim else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 326055714Skris { 326155714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 326255714Skris goto f_err; 326355714Skris } 326455714Skris#endif 3265109998Smarkm#ifndef OPENSSL_NO_RSA 3266238405Sjkim if ((alg_k & SSL_kRSA) && 326755714Skris !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 326855714Skris { 326955714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 327055714Skris goto f_err; 327155714Skris } 327255714Skris#endif 3273109998Smarkm#ifndef OPENSSL_NO_DH 3274238405Sjkim if ((alg_k & SSL_kEDH) && 327555714Skris !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 327655714Skris { 327755714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 327855714Skris goto f_err; 327955714Skris } 3280238405Sjkim else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 328155714Skris { 328255714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 328355714Skris goto f_err; 328455714Skris } 3285109998Smarkm#ifndef OPENSSL_NO_DSA 3286238405Sjkim else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 328755714Skris { 328855714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 328955714Skris goto f_err; 329055714Skris } 329155714Skris#endif 329255714Skris#endif 329355714Skris 329459191Skris if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 329555714Skris { 3296109998Smarkm#ifndef OPENSSL_NO_RSA 3297238405Sjkim if (alg_k & SSL_kRSA) 329855714Skris { 329955714Skris if (rsa == NULL 3300127128Snectar || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 330155714Skris { 330255714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 330355714Skris goto f_err; 330455714Skris } 330555714Skris } 330655714Skris else 330755714Skris#endif 3308109998Smarkm#ifndef OPENSSL_NO_DH 3309238405Sjkim if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 331055714Skris { 331155714Skris if (dh == NULL 3312127128Snectar || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 331355714Skris { 331455714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 331555714Skris goto f_err; 331655714Skris } 331755714Skris } 331855714Skris else 331955714Skris#endif 332055714Skris { 332155714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 332255714Skris goto f_err; 332355714Skris } 332455714Skris } 332555714Skris return(1); 332655714Skrisf_err: 332755714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 332855714Skriserr: 332955714Skris return(0); 333055714Skris } 333155714Skris 3332238405Sjkim#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3333238405Sjkimint ssl3_send_next_proto(SSL *s) 3334160814Ssimon { 3335238405Sjkim unsigned int len, padding_len; 3336238405Sjkim unsigned char *d; 3337160814Ssimon 3338238405Sjkim if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3339238405Sjkim { 3340238405Sjkim len = s->next_proto_negotiated_len; 3341238405Sjkim padding_len = 32 - ((len + 2) % 32); 3342238405Sjkim d = (unsigned char *)s->init_buf->data; 3343238405Sjkim d[4] = len; 3344238405Sjkim memcpy(d + 5, s->next_proto_negotiated, len); 3345238405Sjkim d[5 + len] = padding_len; 3346238405Sjkim memset(d + 6 + len, 0, padding_len); 3347238405Sjkim *(d++)=SSL3_MT_NEXT_PROTO; 3348238405Sjkim l2n3(2 + len + padding_len, d); 3349238405Sjkim s->state = SSL3_ST_CW_NEXT_PROTO_B; 3350238405Sjkim s->init_num = 4 + 2 + len + padding_len; 3351238405Sjkim s->init_off = 0; 3352238405Sjkim } 3353238405Sjkim 3354238405Sjkim return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3355160814Ssimon} 3356238405Sjkim#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3357194206Ssimon 3358194206Ssimon/* Check to see if handshake is full or resumed. Usually this is just a 3359194206Ssimon * case of checking to see if a cache hit has occurred. In the case of 3360194206Ssimon * session tickets we have to check the next message to be sure. 3361194206Ssimon */ 3362194206Ssimon 3363194206Ssimon#ifndef OPENSSL_NO_TLSEXT 3364205128Ssimonint ssl3_check_finished(SSL *s) 3365194206Ssimon { 3366194206Ssimon int ok; 3367194206Ssimon long n; 3368238405Sjkim /* If we have no ticket it cannot be a resumed session. */ 3369238405Sjkim if (!s->session->tlsext_tick) 3370194206Ssimon return 1; 3371194206Ssimon /* this function is called when we really expect a Certificate 3372194206Ssimon * message, so permit appropriate message length */ 3373194206Ssimon n=s->method->ssl_get_message(s, 3374194206Ssimon SSL3_ST_CR_CERT_A, 3375194206Ssimon SSL3_ST_CR_CERT_B, 3376194206Ssimon -1, 3377194206Ssimon s->max_cert_list, 3378194206Ssimon &ok); 3379194206Ssimon if (!ok) return((int)n); 3380194206Ssimon s->s3->tmp.reuse_message = 1; 3381194206Ssimon if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3382194206Ssimon || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3383194206Ssimon return 2; 3384194206Ssimon 3385194206Ssimon return 1; 3386194206Ssimon } 3387194206Ssimon#endif 3388194206Ssimon 3389194206Ssimonint ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3390194206Ssimon { 3391194206Ssimon int i = 0; 3392194206Ssimon#ifndef OPENSSL_NO_ENGINE 3393194206Ssimon if (s->ctx->client_cert_engine) 3394194206Ssimon { 3395194206Ssimon i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3396194206Ssimon SSL_get_client_CA_list(s), 3397194206Ssimon px509, ppkey, NULL, NULL, NULL); 3398194206Ssimon if (i != 0) 3399194206Ssimon return i; 3400194206Ssimon } 3401194206Ssimon#endif 3402194206Ssimon if (s->ctx->client_cert_cb) 3403194206Ssimon i = s->ctx->client_cert_cb(s,px509,ppkey); 3404194206Ssimon return i; 3405194206Ssimon } 3406