s3_clnt.c revision 55714
155714Skris/* ssl/s3_clnt.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5855714Skris 5955714Skris#include <stdio.h> 6055714Skris#include <openssl/buffer.h> 6155714Skris#include <openssl/rand.h> 6255714Skris#include <openssl/objects.h> 6355714Skris#include <openssl/md5.h> 6455714Skris#include <openssl/sha.h> 6555714Skris#include <openssl/evp.h> 6655714Skris#include "ssl_locl.h" 6755714Skris 6855714Skrisstatic SSL_METHOD *ssl3_get_client_method(int ver); 6955714Skrisstatic int ssl3_client_hello(SSL *s); 7055714Skrisstatic int ssl3_get_server_hello(SSL *s); 7155714Skrisstatic int ssl3_get_certificate_request(SSL *s); 7255714Skrisstatic int ca_dn_cmp(X509_NAME **a,X509_NAME **b); 7355714Skrisstatic int ssl3_get_server_done(SSL *s); 7455714Skrisstatic int ssl3_send_client_verify(SSL *s); 7555714Skrisstatic int ssl3_send_client_certificate(SSL *s); 7655714Skrisstatic int ssl3_send_client_key_exchange(SSL *s); 7755714Skrisstatic int ssl3_get_key_exchange(SSL *s); 7855714Skrisstatic int ssl3_get_server_certificate(SSL *s); 7955714Skrisstatic int ssl3_check_cert_and_algorithm(SSL *s); 8055714Skrisstatic SSL_METHOD *ssl3_get_client_method(int ver) 8155714Skris { 8255714Skris if (ver == SSL3_VERSION) 8355714Skris return(SSLv3_client_method()); 8455714Skris else 8555714Skris return(NULL); 8655714Skris } 8755714Skris 8855714SkrisSSL_METHOD *SSLv3_client_method(void) 8955714Skris { 9055714Skris static int init=1; 9155714Skris static SSL_METHOD SSLv3_client_data; 9255714Skris 9355714Skris if (init) 9455714Skris { 9555714Skris init=0; 9655714Skris memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), 9755714Skris sizeof(SSL_METHOD)); 9855714Skris SSLv3_client_data.ssl_connect=ssl3_connect; 9955714Skris SSLv3_client_data.get_ssl_method=ssl3_get_client_method; 10055714Skris } 10155714Skris return(&SSLv3_client_data); 10255714Skris } 10355714Skris 10455714Skrisint ssl3_connect(SSL *s) 10555714Skris { 10655714Skris BUF_MEM *buf; 10755714Skris unsigned long Time=time(NULL),l; 10855714Skris long num1; 10955714Skris void (*cb)()=NULL; 11055714Skris int ret= -1; 11155714Skris int new_state,state,skip=0;; 11255714Skris 11355714Skris RAND_seed(&Time,sizeof(Time)); 11455714Skris ERR_clear_error(); 11555714Skris clear_sys_error(); 11655714Skris 11755714Skris if (s->info_callback != NULL) 11855714Skris cb=s->info_callback; 11955714Skris else if (s->ctx->info_callback != NULL) 12055714Skris cb=s->ctx->info_callback; 12155714Skris 12255714Skris if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 12355714Skris s->in_handshake++; 12455714Skris 12555714Skris for (;;) 12655714Skris { 12755714Skris state=s->state; 12855714Skris 12955714Skris switch(s->state) 13055714Skris { 13155714Skris case SSL_ST_RENEGOTIATE: 13255714Skris s->new_session=1; 13355714Skris s->state=SSL_ST_CONNECT; 13455714Skris s->ctx->stats.sess_connect_renegotiate++; 13555714Skris /* break */ 13655714Skris case SSL_ST_BEFORE: 13755714Skris case SSL_ST_CONNECT: 13855714Skris case SSL_ST_BEFORE|SSL_ST_CONNECT: 13955714Skris case SSL_ST_OK|SSL_ST_CONNECT: 14055714Skris 14155714Skris s->server=0; 14255714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 14355714Skris 14455714Skris if ((s->version & 0xff00 ) != 0x0300) 14555714Skris abort(); 14655714Skris /* s->version=SSL3_VERSION; */ 14755714Skris s->type=SSL_ST_CONNECT; 14855714Skris 14955714Skris if (s->init_buf == NULL) 15055714Skris { 15155714Skris if ((buf=BUF_MEM_new()) == NULL) 15255714Skris { 15355714Skris ret= -1; 15455714Skris goto end; 15555714Skris } 15655714Skris if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 15755714Skris { 15855714Skris ret= -1; 15955714Skris goto end; 16055714Skris } 16155714Skris s->init_buf=buf; 16255714Skris } 16355714Skris 16455714Skris if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 16555714Skris 16655714Skris /* setup buffing BIO */ 16755714Skris if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 16855714Skris 16955714Skris /* don't push the buffering BIO quite yet */ 17055714Skris 17155714Skris ssl3_init_finished_mac(s); 17255714Skris 17355714Skris s->state=SSL3_ST_CW_CLNT_HELLO_A; 17455714Skris s->ctx->stats.sess_connect++; 17555714Skris s->init_num=0; 17655714Skris break; 17755714Skris 17855714Skris case SSL3_ST_CW_CLNT_HELLO_A: 17955714Skris case SSL3_ST_CW_CLNT_HELLO_B: 18055714Skris 18155714Skris s->shutdown=0; 18255714Skris ret=ssl3_client_hello(s); 18355714Skris if (ret <= 0) goto end; 18455714Skris s->state=SSL3_ST_CR_SRVR_HELLO_A; 18555714Skris s->init_num=0; 18655714Skris 18755714Skris /* turn on buffering for the next lot of output */ 18855714Skris if (s->bbio != s->wbio) 18955714Skris s->wbio=BIO_push(s->bbio,s->wbio); 19055714Skris 19155714Skris break; 19255714Skris 19355714Skris case SSL3_ST_CR_SRVR_HELLO_A: 19455714Skris case SSL3_ST_CR_SRVR_HELLO_B: 19555714Skris ret=ssl3_get_server_hello(s); 19655714Skris if (ret <= 0) goto end; 19755714Skris if (s->hit) 19855714Skris s->state=SSL3_ST_CR_FINISHED_A; 19955714Skris else 20055714Skris s->state=SSL3_ST_CR_CERT_A; 20155714Skris s->init_num=0; 20255714Skris break; 20355714Skris 20455714Skris case SSL3_ST_CR_CERT_A: 20555714Skris case SSL3_ST_CR_CERT_B: 20655714Skris /* Check if it is anon DH */ 20755714Skris if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 20855714Skris { 20955714Skris ret=ssl3_get_server_certificate(s); 21055714Skris if (ret <= 0) goto end; 21155714Skris } 21255714Skris else 21355714Skris skip=1; 21455714Skris s->state=SSL3_ST_CR_KEY_EXCH_A; 21555714Skris s->init_num=0; 21655714Skris break; 21755714Skris 21855714Skris case SSL3_ST_CR_KEY_EXCH_A: 21955714Skris case SSL3_ST_CR_KEY_EXCH_B: 22055714Skris ret=ssl3_get_key_exchange(s); 22155714Skris if (ret <= 0) goto end; 22255714Skris s->state=SSL3_ST_CR_CERT_REQ_A; 22355714Skris s->init_num=0; 22455714Skris 22555714Skris /* at this point we check that we have the 22655714Skris * required stuff from the server */ 22755714Skris if (!ssl3_check_cert_and_algorithm(s)) 22855714Skris { 22955714Skris ret= -1; 23055714Skris goto end; 23155714Skris } 23255714Skris break; 23355714Skris 23455714Skris case SSL3_ST_CR_CERT_REQ_A: 23555714Skris case SSL3_ST_CR_CERT_REQ_B: 23655714Skris ret=ssl3_get_certificate_request(s); 23755714Skris if (ret <= 0) goto end; 23855714Skris s->state=SSL3_ST_CR_SRVR_DONE_A; 23955714Skris s->init_num=0; 24055714Skris break; 24155714Skris 24255714Skris case SSL3_ST_CR_SRVR_DONE_A: 24355714Skris case SSL3_ST_CR_SRVR_DONE_B: 24455714Skris ret=ssl3_get_server_done(s); 24555714Skris if (ret <= 0) goto end; 24655714Skris if (s->s3->tmp.cert_req) 24755714Skris s->state=SSL3_ST_CW_CERT_A; 24855714Skris else 24955714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 25055714Skris s->init_num=0; 25155714Skris 25255714Skris break; 25355714Skris 25455714Skris case SSL3_ST_CW_CERT_A: 25555714Skris case SSL3_ST_CW_CERT_B: 25655714Skris case SSL3_ST_CW_CERT_C: 25755714Skris case SSL3_ST_CW_CERT_D: 25855714Skris ret=ssl3_send_client_certificate(s); 25955714Skris if (ret <= 0) goto end; 26055714Skris s->state=SSL3_ST_CW_KEY_EXCH_A; 26155714Skris s->init_num=0; 26255714Skris break; 26355714Skris 26455714Skris case SSL3_ST_CW_KEY_EXCH_A: 26555714Skris case SSL3_ST_CW_KEY_EXCH_B: 26655714Skris ret=ssl3_send_client_key_exchange(s); 26755714Skris if (ret <= 0) goto end; 26855714Skris l=s->s3->tmp.new_cipher->algorithms; 26955714Skris /* EAY EAY EAY need to check for DH fix cert 27055714Skris * sent back */ 27155714Skris /* For TLS, cert_req is set to 2, so a cert chain 27255714Skris * of nothing is sent, but no verify packet is sent */ 27355714Skris if (s->s3->tmp.cert_req == 1) 27455714Skris { 27555714Skris s->state=SSL3_ST_CW_CERT_VRFY_A; 27655714Skris } 27755714Skris else 27855714Skris { 27955714Skris s->state=SSL3_ST_CW_CHANGE_A; 28055714Skris s->s3->change_cipher_spec=0; 28155714Skris } 28255714Skris 28355714Skris s->init_num=0; 28455714Skris break; 28555714Skris 28655714Skris case SSL3_ST_CW_CERT_VRFY_A: 28755714Skris case SSL3_ST_CW_CERT_VRFY_B: 28855714Skris ret=ssl3_send_client_verify(s); 28955714Skris if (ret <= 0) goto end; 29055714Skris s->state=SSL3_ST_CW_CHANGE_A; 29155714Skris s->init_num=0; 29255714Skris s->s3->change_cipher_spec=0; 29355714Skris break; 29455714Skris 29555714Skris case SSL3_ST_CW_CHANGE_A: 29655714Skris case SSL3_ST_CW_CHANGE_B: 29755714Skris ret=ssl3_send_change_cipher_spec(s, 29855714Skris SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 29955714Skris if (ret <= 0) goto end; 30055714Skris s->state=SSL3_ST_CW_FINISHED_A; 30155714Skris s->init_num=0; 30255714Skris 30355714Skris s->session->cipher=s->s3->tmp.new_cipher; 30455714Skris if (s->s3->tmp.new_compression == NULL) 30555714Skris s->session->compress_meth=0; 30655714Skris else 30755714Skris s->session->compress_meth= 30855714Skris s->s3->tmp.new_compression->id; 30955714Skris if (!s->method->ssl3_enc->setup_key_block(s)) 31055714Skris { 31155714Skris ret= -1; 31255714Skris goto end; 31355714Skris } 31455714Skris 31555714Skris if (!s->method->ssl3_enc->change_cipher_state(s, 31655714Skris SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 31755714Skris { 31855714Skris ret= -1; 31955714Skris goto end; 32055714Skris } 32155714Skris 32255714Skris break; 32355714Skris 32455714Skris case SSL3_ST_CW_FINISHED_A: 32555714Skris case SSL3_ST_CW_FINISHED_B: 32655714Skris ret=ssl3_send_finished(s, 32755714Skris SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 32855714Skris s->method->ssl3_enc->client_finished, 32955714Skris s->method->ssl3_enc->client_finished_len); 33055714Skris if (ret <= 0) goto end; 33155714Skris s->state=SSL3_ST_CW_FLUSH; 33255714Skris 33355714Skris /* clear flags */ 33455714Skris s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 33555714Skris if (s->hit) 33655714Skris { 33755714Skris s->s3->tmp.next_state=SSL_ST_OK; 33855714Skris if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 33955714Skris { 34055714Skris s->state=SSL_ST_OK; 34155714Skris s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 34255714Skris s->s3->delay_buf_pop_ret=0; 34355714Skris } 34455714Skris } 34555714Skris else 34655714Skris { 34755714Skris s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 34855714Skris } 34955714Skris s->init_num=0; 35055714Skris break; 35155714Skris 35255714Skris case SSL3_ST_CR_FINISHED_A: 35355714Skris case SSL3_ST_CR_FINISHED_B: 35455714Skris 35555714Skris ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 35655714Skris SSL3_ST_CR_FINISHED_B); 35755714Skris if (ret <= 0) goto end; 35855714Skris 35955714Skris if (s->hit) 36055714Skris s->state=SSL3_ST_CW_CHANGE_A; 36155714Skris else 36255714Skris s->state=SSL_ST_OK; 36355714Skris s->init_num=0; 36455714Skris break; 36555714Skris 36655714Skris case SSL3_ST_CW_FLUSH: 36755714Skris /* number of bytes to be flushed */ 36855714Skris num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 36955714Skris if (num1 > 0) 37055714Skris { 37155714Skris s->rwstate=SSL_WRITING; 37255714Skris num1=BIO_flush(s->wbio); 37355714Skris if (num1 <= 0) { ret= -1; goto end; } 37455714Skris s->rwstate=SSL_NOTHING; 37555714Skris } 37655714Skris 37755714Skris s->state=s->s3->tmp.next_state; 37855714Skris break; 37955714Skris 38055714Skris case SSL_ST_OK: 38155714Skris /* clean a few things up */ 38255714Skris ssl3_cleanup_key_block(s); 38355714Skris 38455714Skris if (s->init_buf != NULL) 38555714Skris { 38655714Skris BUF_MEM_free(s->init_buf); 38755714Skris s->init_buf=NULL; 38855714Skris } 38955714Skris 39055714Skris /* If we are not 'joining' the last two packets, 39155714Skris * remove the buffering now */ 39255714Skris if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 39355714Skris ssl_free_wbio_buffer(s); 39455714Skris /* else do it later in ssl3_write */ 39555714Skris 39655714Skris s->init_num=0; 39755714Skris s->new_session=0; 39855714Skris 39955714Skris ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 40055714Skris if (s->hit) s->ctx->stats.sess_hit++; 40155714Skris 40255714Skris ret=1; 40355714Skris /* s->server=0; */ 40455714Skris s->handshake_func=ssl3_connect; 40555714Skris s->ctx->stats.sess_connect_good++; 40655714Skris 40755714Skris if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 40855714Skris 40955714Skris goto end; 41055714Skris /* break; */ 41155714Skris 41255714Skris default: 41355714Skris SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 41455714Skris ret= -1; 41555714Skris goto end; 41655714Skris /* break; */ 41755714Skris } 41855714Skris 41955714Skris /* did we do anything */ 42055714Skris if (!s->s3->tmp.reuse_message && !skip) 42155714Skris { 42255714Skris if (s->debug) 42355714Skris { 42455714Skris if ((ret=BIO_flush(s->wbio)) <= 0) 42555714Skris goto end; 42655714Skris } 42755714Skris 42855714Skris if ((cb != NULL) && (s->state != state)) 42955714Skris { 43055714Skris new_state=s->state; 43155714Skris s->state=state; 43255714Skris cb(s,SSL_CB_CONNECT_LOOP,1); 43355714Skris s->state=new_state; 43455714Skris } 43555714Skris } 43655714Skris skip=0; 43755714Skris } 43855714Skrisend: 43955714Skris if (cb != NULL) 44055714Skris cb(s,SSL_CB_CONNECT_EXIT,ret); 44155714Skris s->in_handshake--; 44255714Skris return(ret); 44355714Skris } 44455714Skris 44555714Skris 44655714Skrisstatic int ssl3_client_hello(SSL *s) 44755714Skris { 44855714Skris unsigned char *buf; 44955714Skris unsigned char *p,*d; 45055714Skris int i,j; 45155714Skris unsigned long Time,l; 45255714Skris SSL_COMP *comp; 45355714Skris 45455714Skris buf=(unsigned char *)s->init_buf->data; 45555714Skris if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 45655714Skris { 45755714Skris if ((s->session == NULL) || 45855714Skris (s->session->ssl_version != s->version) || 45955714Skris (s->session->not_resumable)) 46055714Skris { 46155714Skris if (!ssl_get_new_session(s,0)) 46255714Skris goto err; 46355714Skris } 46455714Skris /* else use the pre-loaded session */ 46555714Skris 46655714Skris p=s->s3->client_random; 46755714Skris Time=time(NULL); /* Time */ 46855714Skris l2n(Time,p); 46955714Skris RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 47055714Skris 47155714Skris /* Do the message type and length last */ 47255714Skris d=p= &(buf[4]); 47355714Skris 47455714Skris *(p++)=s->version>>8; 47555714Skris *(p++)=s->version&0xff; 47655714Skris s->client_version=s->version; 47755714Skris 47855714Skris /* Random stuff */ 47955714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 48055714Skris p+=SSL3_RANDOM_SIZE; 48155714Skris 48255714Skris /* Session ID */ 48355714Skris if (s->new_session) 48455714Skris i=0; 48555714Skris else 48655714Skris i=s->session->session_id_length; 48755714Skris *(p++)=i; 48855714Skris if (i != 0) 48955714Skris { 49055714Skris memcpy(p,s->session->session_id,i); 49155714Skris p+=i; 49255714Skris } 49355714Skris 49455714Skris /* Ciphers supported */ 49555714Skris i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2])); 49655714Skris if (i == 0) 49755714Skris { 49855714Skris SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 49955714Skris goto err; 50055714Skris } 50155714Skris s2n(i,p); 50255714Skris p+=i; 50355714Skris 50455714Skris /* COMPRESSION */ 50555714Skris if (s->ctx->comp_methods == NULL) 50655714Skris j=0; 50755714Skris else 50855714Skris j=sk_SSL_COMP_num(s->ctx->comp_methods); 50955714Skris *(p++)=1+j; 51055714Skris for (i=0; i<j; i++) 51155714Skris { 51255714Skris comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 51355714Skris *(p++)=comp->id; 51455714Skris } 51555714Skris *(p++)=0; /* Add the NULL method */ 51655714Skris 51755714Skris l=(p-d); 51855714Skris d=buf; 51955714Skris *(d++)=SSL3_MT_CLIENT_HELLO; 52055714Skris l2n3(l,d); 52155714Skris 52255714Skris s->state=SSL3_ST_CW_CLNT_HELLO_B; 52355714Skris /* number of bytes to write */ 52455714Skris s->init_num=p-buf; 52555714Skris s->init_off=0; 52655714Skris } 52755714Skris 52855714Skris /* SSL3_ST_CW_CLNT_HELLO_B */ 52955714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 53055714Skriserr: 53155714Skris return(-1); 53255714Skris } 53355714Skris 53455714Skrisstatic int ssl3_get_server_hello(SSL *s) 53555714Skris { 53655714Skris STACK_OF(SSL_CIPHER) *sk; 53755714Skris SSL_CIPHER *c; 53855714Skris unsigned char *p,*d; 53955714Skris int i,al,ok; 54055714Skris unsigned int j; 54155714Skris long n; 54255714Skris SSL_COMP *comp; 54355714Skris 54455714Skris n=ssl3_get_message(s, 54555714Skris SSL3_ST_CR_SRVR_HELLO_A, 54655714Skris SSL3_ST_CR_SRVR_HELLO_B, 54755714Skris SSL3_MT_SERVER_HELLO, 54855714Skris 300, /* ?? */ 54955714Skris &ok); 55055714Skris 55155714Skris if (!ok) return((int)n); 55255714Skris d=p=(unsigned char *)s->init_buf->data; 55355714Skris 55455714Skris if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 55555714Skris { 55655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 55755714Skris s->version=(s->version&0xff00)|p[1]; 55855714Skris al=SSL_AD_PROTOCOL_VERSION; 55955714Skris goto f_err; 56055714Skris } 56155714Skris p+=2; 56255714Skris 56355714Skris /* load the server hello data */ 56455714Skris /* load the server random */ 56555714Skris memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 56655714Skris p+=SSL3_RANDOM_SIZE; 56755714Skris 56855714Skris /* get the session-id */ 56955714Skris j= *(p++); 57055714Skris 57155714Skris if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) 57255714Skris { 57355714Skris /* SSLref returns 16 :-( */ 57455714Skris if (j < SSL2_SSL_SESSION_ID_LENGTH) 57555714Skris { 57655714Skris al=SSL_AD_ILLEGAL_PARAMETER; 57755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); 57855714Skris goto f_err; 57955714Skris } 58055714Skris } 58155714Skris if (j != 0 && j == s->session->session_id_length 58255714Skris && memcmp(p,s->session->session_id,j) == 0) 58355714Skris { 58455714Skris if(s->sid_ctx_length != s->session->sid_ctx_length 58555714Skris || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 58655714Skris { 58755714Skris al=SSL_AD_ILLEGAL_PARAMETER; 58855714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 58955714Skris goto f_err; 59055714Skris } 59155714Skris s->hit=1; 59255714Skris } 59355714Skris else /* a miss or crap from the other end */ 59455714Skris { 59555714Skris /* If we were trying for session-id reuse, make a new 59655714Skris * SSL_SESSION so we don't stuff up other people */ 59755714Skris s->hit=0; 59855714Skris if (s->session->session_id_length > 0) 59955714Skris { 60055714Skris if (!ssl_get_new_session(s,0)) 60155714Skris { 60255714Skris al=SSL_AD_INTERNAL_ERROR; 60355714Skris goto f_err; 60455714Skris } 60555714Skris } 60655714Skris s->session->session_id_length=j; 60755714Skris memcpy(s->session->session_id,p,j); /* j could be 0 */ 60855714Skris } 60955714Skris p+=j; 61055714Skris c=ssl_get_cipher_by_char(s,p); 61155714Skris if (c == NULL) 61255714Skris { 61355714Skris /* unknown cipher */ 61455714Skris al=SSL_AD_ILLEGAL_PARAMETER; 61555714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 61655714Skris goto f_err; 61755714Skris } 61855714Skris p+=ssl_put_cipher_by_char(s,NULL,NULL); 61955714Skris 62055714Skris sk=ssl_get_ciphers_by_id(s); 62155714Skris i=sk_SSL_CIPHER_find(sk,c); 62255714Skris if (i < 0) 62355714Skris { 62455714Skris /* we did not say we would use this cipher */ 62555714Skris al=SSL_AD_ILLEGAL_PARAMETER; 62655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 62755714Skris goto f_err; 62855714Skris } 62955714Skris 63055714Skris if (s->hit && (s->session->cipher != c)) 63155714Skris { 63255714Skris if (!(s->options & 63355714Skris SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 63455714Skris { 63555714Skris al=SSL_AD_ILLEGAL_PARAMETER; 63655714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 63755714Skris goto f_err; 63855714Skris } 63955714Skris } 64055714Skris s->s3->tmp.new_cipher=c; 64155714Skris 64255714Skris /* lets get the compression algorithm */ 64355714Skris /* COMPRESSION */ 64455714Skris j= *(p++); 64555714Skris if (j == 0) 64655714Skris comp=NULL; 64755714Skris else 64855714Skris comp=ssl3_comp_find(s->ctx->comp_methods,j); 64955714Skris 65055714Skris if ((j != 0) && (comp == NULL)) 65155714Skris { 65255714Skris al=SSL_AD_ILLEGAL_PARAMETER; 65355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 65455714Skris goto f_err; 65555714Skris } 65655714Skris else 65755714Skris { 65855714Skris s->s3->tmp.new_compression=comp; 65955714Skris } 66055714Skris 66155714Skris if (p != (d+n)) 66255714Skris { 66355714Skris /* wrong packet length */ 66455714Skris al=SSL_AD_DECODE_ERROR; 66555714Skris SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 66655714Skris goto err; 66755714Skris } 66855714Skris 66955714Skris return(1); 67055714Skrisf_err: 67155714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 67255714Skriserr: 67355714Skris return(-1); 67455714Skris } 67555714Skris 67655714Skrisstatic int ssl3_get_server_certificate(SSL *s) 67755714Skris { 67855714Skris int al,i,ok,ret= -1; 67955714Skris unsigned long n,nc,llen,l; 68055714Skris X509 *x=NULL; 68155714Skris unsigned char *p,*d,*q; 68255714Skris STACK_OF(X509) *sk=NULL; 68355714Skris SESS_CERT *sc; 68455714Skris EVP_PKEY *pkey=NULL; 68555714Skris 68655714Skris n=ssl3_get_message(s, 68755714Skris SSL3_ST_CR_CERT_A, 68855714Skris SSL3_ST_CR_CERT_B, 68955714Skris -1, 69055714Skris#if defined(MSDOS) && !defined(WIN32) 69155714Skris 1024*30, /* 30k max cert list :-) */ 69255714Skris#else 69355714Skris 1024*100, /* 100k max cert list :-) */ 69455714Skris#endif 69555714Skris &ok); 69655714Skris 69755714Skris if (!ok) return((int)n); 69855714Skris 69955714Skris if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) 70055714Skris { 70155714Skris s->s3->tmp.reuse_message=1; 70255714Skris return(1); 70355714Skris } 70455714Skris 70555714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 70655714Skris { 70755714Skris al=SSL_AD_UNEXPECTED_MESSAGE; 70855714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 70955714Skris goto f_err; 71055714Skris } 71155714Skris d=p=(unsigned char *)s->init_buf->data; 71255714Skris 71355714Skris if ((sk=sk_X509_new_null()) == NULL) 71455714Skris { 71555714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 71655714Skris goto err; 71755714Skris } 71855714Skris 71955714Skris n2l3(p,llen); 72055714Skris if (llen+3 != n) 72155714Skris { 72255714Skris al=SSL_AD_DECODE_ERROR; 72355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 72455714Skris goto f_err; 72555714Skris } 72655714Skris for (nc=0; nc<llen; ) 72755714Skris { 72855714Skris n2l3(p,l); 72955714Skris if ((l+nc+3) > llen) 73055714Skris { 73155714Skris al=SSL_AD_DECODE_ERROR; 73255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 73355714Skris goto f_err; 73455714Skris } 73555714Skris 73655714Skris q=p; 73755714Skris x=d2i_X509(NULL,&q,l); 73855714Skris if (x == NULL) 73955714Skris { 74055714Skris al=SSL_AD_BAD_CERTIFICATE; 74155714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 74255714Skris goto f_err; 74355714Skris } 74455714Skris if (q != (p+l)) 74555714Skris { 74655714Skris al=SSL_AD_DECODE_ERROR; 74755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 74855714Skris goto f_err; 74955714Skris } 75055714Skris if (!sk_X509_push(sk,x)) 75155714Skris { 75255714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 75355714Skris goto err; 75455714Skris } 75555714Skris x=NULL; 75655714Skris nc+=l+3; 75755714Skris p=q; 75855714Skris } 75955714Skris 76055714Skris i=ssl_verify_cert_chain(s,sk); 76155714Skris if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) 76255714Skris { 76355714Skris al=ssl_verify_alarm_type(s->verify_result); 76455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 76555714Skris goto f_err; 76655714Skris } 76755714Skris 76855714Skris sc=ssl_sess_cert_new(); 76955714Skris if (sc == NULL) goto err; 77055714Skris 77155714Skris if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 77255714Skris s->session->sess_cert=sc; 77355714Skris 77455714Skris sc->cert_chain=sk; 77555714Skris x=sk_X509_value(sk,0); 77655714Skris sk=NULL; 77755714Skris 77855714Skris pkey=X509_get_pubkey(x); 77955714Skris 78055714Skris if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)) 78155714Skris { 78255714Skris x=NULL; 78355714Skris al=SSL3_AL_FATAL; 78455714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 78555714Skris goto f_err; 78655714Skris } 78755714Skris 78855714Skris i=ssl_cert_type(x,pkey); 78955714Skris if (i < 0) 79055714Skris { 79155714Skris x=NULL; 79255714Skris al=SSL3_AL_FATAL; 79355714Skris SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE); 79455714Skris goto f_err; 79555714Skris } 79655714Skris 79755714Skris sc->peer_cert_type=i; 79855714Skris CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 79955714Skris if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen? 80055714Skris * We just created sc a couple of 80155714Skris * lines ago. */ 80255714Skris X509_free(sc->peer_pkeys[i].x509); 80355714Skris sc->peer_pkeys[i].x509=x; 80455714Skris sc->peer_key= &(sc->peer_pkeys[i]); 80555714Skris 80655714Skris if (s->session->peer != NULL) 80755714Skris X509_free(s->session->peer); 80855714Skris CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 80955714Skris s->session->peer=x; 81055714Skris 81155714Skris x=NULL; 81255714Skris ret=1; 81355714Skris 81455714Skris if (0) 81555714Skris { 81655714Skrisf_err: 81755714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 81855714Skris } 81955714Skriserr: 82055714Skris EVP_PKEY_free(pkey); 82155714Skris X509_free(x); 82255714Skris sk_X509_pop_free(sk,X509_free); 82355714Skris return(ret); 82455714Skris } 82555714Skris 82655714Skrisstatic int ssl3_get_key_exchange(SSL *s) 82755714Skris { 82855714Skris#ifndef NO_RSA 82955714Skris unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 83055714Skris#endif 83155714Skris EVP_MD_CTX md_ctx; 83255714Skris unsigned char *param,*p; 83355714Skris int al,i,j,param_len,ok; 83455714Skris long n,alg; 83555714Skris EVP_PKEY *pkey=NULL; 83655714Skris#ifndef NO_RSA 83755714Skris RSA *rsa=NULL; 83855714Skris#endif 83955714Skris#ifndef NO_DH 84055714Skris DH *dh=NULL; 84155714Skris#endif 84255714Skris 84355714Skris n=ssl3_get_message(s, 84455714Skris SSL3_ST_CR_KEY_EXCH_A, 84555714Skris SSL3_ST_CR_KEY_EXCH_B, 84655714Skris -1, 84755714Skris 1024*8, /* ?? */ 84855714Skris &ok); 84955714Skris 85055714Skris if (!ok) return((int)n); 85155714Skris 85255714Skris if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 85355714Skris { 85455714Skris s->s3->tmp.reuse_message=1; 85555714Skris return(1); 85655714Skris } 85755714Skris 85855714Skris param=p=(unsigned char *)s->init_buf->data; 85955714Skris 86055714Skris if (s->session->sess_cert != NULL) 86155714Skris { 86255714Skris#ifndef NO_RSA 86355714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 86455714Skris { 86555714Skris RSA_free(s->session->sess_cert->peer_rsa_tmp); 86655714Skris s->session->sess_cert->peer_rsa_tmp=NULL; 86755714Skris } 86855714Skris#endif 86955714Skris#ifndef NO_DH 87055714Skris if (s->session->sess_cert->peer_dh_tmp) 87155714Skris { 87255714Skris DH_free(s->session->sess_cert->peer_dh_tmp); 87355714Skris s->session->sess_cert->peer_dh_tmp=NULL; 87455714Skris } 87555714Skris#endif 87655714Skris } 87755714Skris else 87855714Skris { 87955714Skris s->session->sess_cert=ssl_sess_cert_new(); 88055714Skris } 88155714Skris 88255714Skris param_len=0; 88355714Skris alg=s->s3->tmp.new_cipher->algorithms; 88455714Skris 88555714Skris#ifndef NO_RSA 88655714Skris if (alg & SSL_kRSA) 88755714Skris { 88855714Skris if ((rsa=RSA_new()) == NULL) 88955714Skris { 89055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 89155714Skris goto err; 89255714Skris } 89355714Skris n2s(p,i); 89455714Skris param_len=i+2; 89555714Skris if (param_len > n) 89655714Skris { 89755714Skris al=SSL_AD_DECODE_ERROR; 89855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 89955714Skris goto f_err; 90055714Skris } 90155714Skris if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 90255714Skris { 90355714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 90455714Skris goto err; 90555714Skris } 90655714Skris p+=i; 90755714Skris 90855714Skris n2s(p,i); 90955714Skris param_len+=i+2; 91055714Skris if (param_len > n) 91155714Skris { 91255714Skris al=SSL_AD_DECODE_ERROR; 91355714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 91455714Skris goto f_err; 91555714Skris } 91655714Skris if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 91755714Skris { 91855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 91955714Skris goto err; 92055714Skris } 92155714Skris p+=i; 92255714Skris n-=param_len; 92355714Skris 92455714Skris /* this should be because we are using an export cipher */ 92555714Skris if (alg & SSL_aRSA) 92655714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 92755714Skris else 92855714Skris { 92955714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 93055714Skris goto err; 93155714Skris } 93255714Skris s->session->sess_cert->peer_rsa_tmp=rsa; 93355714Skris rsa=NULL; 93455714Skris } 93555714Skris else 93655714Skris#endif 93755714Skris#ifndef NO_DH 93855714Skris if (alg & SSL_kEDH) 93955714Skris { 94055714Skris if ((dh=DH_new()) == NULL) 94155714Skris { 94255714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 94355714Skris goto err; 94455714Skris } 94555714Skris n2s(p,i); 94655714Skris param_len=i+2; 94755714Skris if (param_len > n) 94855714Skris { 94955714Skris al=SSL_AD_DECODE_ERROR; 95055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 95155714Skris goto f_err; 95255714Skris } 95355714Skris if (!(dh->p=BN_bin2bn(p,i,NULL))) 95455714Skris { 95555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 95655714Skris goto err; 95755714Skris } 95855714Skris p+=i; 95955714Skris 96055714Skris n2s(p,i); 96155714Skris param_len+=i+2; 96255714Skris if (param_len > n) 96355714Skris { 96455714Skris al=SSL_AD_DECODE_ERROR; 96555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 96655714Skris goto f_err; 96755714Skris } 96855714Skris if (!(dh->g=BN_bin2bn(p,i,NULL))) 96955714Skris { 97055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 97155714Skris goto err; 97255714Skris } 97355714Skris p+=i; 97455714Skris 97555714Skris n2s(p,i); 97655714Skris param_len+=i+2; 97755714Skris if (param_len > n) 97855714Skris { 97955714Skris al=SSL_AD_DECODE_ERROR; 98055714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 98155714Skris goto f_err; 98255714Skris } 98355714Skris if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 98455714Skris { 98555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 98655714Skris goto err; 98755714Skris } 98855714Skris p+=i; 98955714Skris n-=param_len; 99055714Skris 99155714Skris#ifndef NO_RSA 99255714Skris if (alg & SSL_aRSA) 99355714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 99455714Skris else 99555714Skris#endif 99655714Skris#ifndef NO_DSA 99755714Skris if (alg & SSL_aDSS) 99855714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 99955714Skris#endif 100055714Skris /* else anonymous DH, so no certificate or pkey. */ 100155714Skris 100255714Skris s->session->sess_cert->peer_dh_tmp=dh; 100355714Skris dh=NULL; 100455714Skris } 100555714Skris else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) 100655714Skris { 100755714Skris al=SSL_AD_ILLEGAL_PARAMETER; 100855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 100955714Skris goto f_err; 101055714Skris } 101155714Skris#endif 101255714Skris if (alg & SSL_aFZA) 101355714Skris { 101455714Skris al=SSL_AD_HANDSHAKE_FAILURE; 101555714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 101655714Skris goto f_err; 101755714Skris } 101855714Skris 101955714Skris 102055714Skris /* p points to the next byte, there are 'n' bytes left */ 102155714Skris 102255714Skris 102355714Skris /* if it was signed, check the signature */ 102455714Skris if (pkey != NULL) 102555714Skris { 102655714Skris n2s(p,i); 102755714Skris n-=2; 102855714Skris j=EVP_PKEY_size(pkey); 102955714Skris 103055714Skris if ((i != n) || (n > j) || (n <= 0)) 103155714Skris { 103255714Skris /* wrong packet length */ 103355714Skris al=SSL_AD_DECODE_ERROR; 103455714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 103555714Skris goto f_err; 103655714Skris } 103755714Skris 103855714Skris#ifndef NO_RSA 103955714Skris if (pkey->type == EVP_PKEY_RSA) 104055714Skris { 104155714Skris int num; 104255714Skris 104355714Skris j=0; 104455714Skris q=md_buf; 104555714Skris for (num=2; num > 0; num--) 104655714Skris { 104755714Skris EVP_DigestInit(&md_ctx,(num == 2) 104855714Skris ?s->ctx->md5:s->ctx->sha1); 104955714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 105055714Skris EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 105155714Skris EVP_DigestUpdate(&md_ctx,param,param_len); 105255714Skris EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i); 105355714Skris q+=i; 105455714Skris j+=i; 105555714Skris } 105655714Skris i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa, 105755714Skris RSA_PKCS1_PADDING); 105855714Skris if (i <= 0) 105955714Skris { 106055714Skris al=SSL_AD_DECRYPT_ERROR; 106155714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 106255714Skris goto f_err; 106355714Skris } 106455714Skris if ((j != i) || (memcmp(p,md_buf,i) != 0)) 106555714Skris { 106655714Skris /* bad signature */ 106755714Skris al=SSL_AD_DECRYPT_ERROR; 106855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 106955714Skris goto f_err; 107055714Skris } 107155714Skris } 107255714Skris else 107355714Skris#endif 107455714Skris#ifndef NO_DSA 107555714Skris if (pkey->type == EVP_PKEY_DSA) 107655714Skris { 107755714Skris /* lets do DSS */ 107855714Skris EVP_VerifyInit(&md_ctx,EVP_dss1()); 107955714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 108055714Skris EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 108155714Skris EVP_VerifyUpdate(&md_ctx,param,param_len); 108255714Skris if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) 108355714Skris { 108455714Skris /* bad signature */ 108555714Skris al=SSL_AD_DECRYPT_ERROR; 108655714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 108755714Skris goto f_err; 108855714Skris } 108955714Skris } 109055714Skris else 109155714Skris#endif 109255714Skris { 109355714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 109455714Skris goto err; 109555714Skris } 109655714Skris } 109755714Skris else 109855714Skris { 109955714Skris /* still data left over */ 110055714Skris if (!(alg & SSL_aNULL)) 110155714Skris { 110255714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 110355714Skris goto err; 110455714Skris } 110555714Skris if (n != 0) 110655714Skris { 110755714Skris al=SSL_AD_DECODE_ERROR; 110855714Skris SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 110955714Skris goto f_err; 111055714Skris } 111155714Skris } 111255714Skris EVP_PKEY_free(pkey); 111355714Skris return(1); 111455714Skrisf_err: 111555714Skris ssl3_send_alert(s,SSL3_AL_FATAL,al); 111655714Skriserr: 111755714Skris EVP_PKEY_free(pkey); 111855714Skris#ifndef NO_RSA 111955714Skris if (rsa != NULL) 112055714Skris RSA_free(rsa); 112155714Skris#endif 112255714Skris#ifndef NO_DH 112355714Skris if (dh != NULL) 112455714Skris DH_free(dh); 112555714Skris#endif 112655714Skris return(-1); 112755714Skris } 112855714Skris 112955714Skrisstatic int ssl3_get_certificate_request(SSL *s) 113055714Skris { 113155714Skris int ok,ret=0; 113255714Skris unsigned long n,nc,l; 113355714Skris unsigned int llen,ctype_num,i; 113455714Skris X509_NAME *xn=NULL; 113555714Skris unsigned char *p,*d,*q; 113655714Skris STACK_OF(X509_NAME) *ca_sk=NULL; 113755714Skris 113855714Skris n=ssl3_get_message(s, 113955714Skris SSL3_ST_CR_CERT_REQ_A, 114055714Skris SSL3_ST_CR_CERT_REQ_B, 114155714Skris -1, 114255714Skris#if defined(MSDOS) && !defined(WIN32) 114355714Skris 1024*30, /* 30k max cert list :-) */ 114455714Skris#else 114555714Skris 1024*100, /* 100k max cert list :-) */ 114655714Skris#endif 114755714Skris &ok); 114855714Skris 114955714Skris if (!ok) return((int)n); 115055714Skris 115155714Skris s->s3->tmp.cert_req=0; 115255714Skris 115355714Skris if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 115455714Skris { 115555714Skris s->s3->tmp.reuse_message=1; 115655714Skris return(1); 115755714Skris } 115855714Skris 115955714Skris if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 116055714Skris { 116155714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 116255714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 116355714Skris goto err; 116455714Skris } 116555714Skris 116655714Skris /* TLS does not like anon-DH with client cert */ 116755714Skris if (s->version > SSL3_VERSION) 116855714Skris { 116955714Skris l=s->s3->tmp.new_cipher->algorithms; 117055714Skris if (l & SSL_aNULL) 117155714Skris { 117255714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 117355714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 117455714Skris goto err; 117555714Skris } 117655714Skris } 117755714Skris 117855714Skris d=p=(unsigned char *)s->init_buf->data; 117955714Skris 118055714Skris if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 118155714Skris { 118255714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 118355714Skris goto err; 118455714Skris } 118555714Skris 118655714Skris /* get the certificate types */ 118755714Skris ctype_num= *(p++); 118855714Skris if (ctype_num > SSL3_CT_NUMBER) 118955714Skris ctype_num=SSL3_CT_NUMBER; 119055714Skris for (i=0; i<ctype_num; i++) 119155714Skris s->s3->tmp.ctype[i]= p[i]; 119255714Skris p+=ctype_num; 119355714Skris 119455714Skris /* get the CA RDNs */ 119555714Skris n2s(p,llen); 119655714Skris#if 0 119755714Skris{ 119855714SkrisFILE *out; 119955714Skrisout=fopen("/tmp/vsign.der","w"); 120055714Skrisfwrite(p,1,llen,out); 120155714Skrisfclose(out); 120255714Skris} 120355714Skris#endif 120455714Skris 120555714Skris if ((llen+ctype_num+2+1) != n) 120655714Skris { 120755714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 120855714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 120955714Skris goto err; 121055714Skris } 121155714Skris 121255714Skris for (nc=0; nc<llen; ) 121355714Skris { 121455714Skris n2s(p,l); 121555714Skris if ((l+nc+2) > llen) 121655714Skris { 121755714Skris if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 121855714Skris goto cont; /* netscape bugs */ 121955714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 122055714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 122155714Skris goto err; 122255714Skris } 122355714Skris 122455714Skris q=p; 122555714Skris 122655714Skris if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 122755714Skris { 122855714Skris /* If netscape tollerance is on, ignore errors */ 122955714Skris if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 123055714Skris goto cont; 123155714Skris else 123255714Skris { 123355714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 123455714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 123555714Skris goto err; 123655714Skris } 123755714Skris } 123855714Skris 123955714Skris if (q != (p+l)) 124055714Skris { 124155714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 124255714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 124355714Skris goto err; 124455714Skris } 124555714Skris if (!sk_X509_NAME_push(ca_sk,xn)) 124655714Skris { 124755714Skris SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 124855714Skris goto err; 124955714Skris } 125055714Skris 125155714Skris p+=l; 125255714Skris nc+=l+2; 125355714Skris } 125455714Skris 125555714Skris if (0) 125655714Skris { 125755714Skriscont: 125855714Skris ERR_clear_error(); 125955714Skris } 126055714Skris 126155714Skris /* we should setup a certficate to return.... */ 126255714Skris s->s3->tmp.cert_req=1; 126355714Skris s->s3->tmp.ctype_num=ctype_num; 126455714Skris if (s->s3->tmp.ca_names != NULL) 126555714Skris sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 126655714Skris s->s3->tmp.ca_names=ca_sk; 126755714Skris ca_sk=NULL; 126855714Skris 126955714Skris ret=1; 127055714Skriserr: 127155714Skris if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 127255714Skris return(ret); 127355714Skris } 127455714Skris 127555714Skrisstatic int ca_dn_cmp(X509_NAME **a, X509_NAME **b) 127655714Skris { 127755714Skris return(X509_NAME_cmp(*a,*b)); 127855714Skris } 127955714Skris 128055714Skrisstatic int ssl3_get_server_done(SSL *s) 128155714Skris { 128255714Skris int ok,ret=0; 128355714Skris long n; 128455714Skris 128555714Skris n=ssl3_get_message(s, 128655714Skris SSL3_ST_CR_SRVR_DONE_A, 128755714Skris SSL3_ST_CR_SRVR_DONE_B, 128855714Skris SSL3_MT_SERVER_DONE, 128955714Skris 30, /* should be very small, like 0 :-) */ 129055714Skris &ok); 129155714Skris 129255714Skris if (!ok) return((int)n); 129355714Skris if (n > 0) 129455714Skris { 129555714Skris /* should contain no data */ 129655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 129755714Skris SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 129855714Skris } 129955714Skris ret=1; 130055714Skris return(ret); 130155714Skris } 130255714Skris 130355714Skrisstatic int ssl3_send_client_key_exchange(SSL *s) 130455714Skris { 130555714Skris unsigned char *p,*d; 130655714Skris int n; 130755714Skris unsigned long l; 130855714Skris#ifndef NO_RSA 130955714Skris unsigned char *q; 131055714Skris EVP_PKEY *pkey=NULL; 131155714Skris#endif 131255714Skris 131355714Skris if (s->state == SSL3_ST_CW_KEY_EXCH_A) 131455714Skris { 131555714Skris d=(unsigned char *)s->init_buf->data; 131655714Skris p= &(d[4]); 131755714Skris 131855714Skris l=s->s3->tmp.new_cipher->algorithms; 131955714Skris 132055714Skris#ifndef NO_RSA 132155714Skris if (l & SSL_kRSA) 132255714Skris { 132355714Skris RSA *rsa; 132455714Skris unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 132555714Skris 132655714Skris if (s->session->sess_cert->peer_rsa_tmp != NULL) 132755714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 132855714Skris else 132955714Skris { 133055714Skris pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 133155714Skris if ((pkey == NULL) || 133255714Skris (pkey->type != EVP_PKEY_RSA) || 133355714Skris (pkey->pkey.rsa == NULL)) 133455714Skris { 133555714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 133655714Skris goto err; 133755714Skris } 133855714Skris rsa=pkey->pkey.rsa; 133955714Skris EVP_PKEY_free(pkey); 134055714Skris } 134155714Skris 134255714Skris tmp_buf[0]=s->client_version>>8; 134355714Skris tmp_buf[1]=s->client_version&0xff; 134455714Skris RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2); 134555714Skris 134655714Skris s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; 134755714Skris 134855714Skris q=p; 134955714Skris /* Fix buf for TLS and beyond */ 135055714Skris if (s->version > SSL3_VERSION) 135155714Skris p+=2; 135255714Skris n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH, 135355714Skris tmp_buf,p,rsa,RSA_PKCS1_PADDING); 135455714Skris#ifdef PKCS1_CHECK 135555714Skris if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 135655714Skris if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 135755714Skris#endif 135855714Skris if (n <= 0) 135955714Skris { 136055714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 136155714Skris goto err; 136255714Skris } 136355714Skris 136455714Skris /* Fix buf for TLS and beyond */ 136555714Skris if (s->version > SSL3_VERSION) 136655714Skris { 136755714Skris s2n(n,q); 136855714Skris n+=2; 136955714Skris } 137055714Skris 137155714Skris s->session->master_key_length= 137255714Skris s->method->ssl3_enc->generate_master_secret(s, 137355714Skris s->session->master_key, 137455714Skris tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); 137555714Skris memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); 137655714Skris } 137755714Skris else 137855714Skris#endif 137955714Skris#ifndef NO_DH 138055714Skris if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 138155714Skris { 138255714Skris DH *dh_srvr,*dh_clnt; 138355714Skris 138455714Skris if (s->session->sess_cert->peer_dh_tmp != NULL) 138555714Skris dh_srvr=s->session->sess_cert->peer_dh_tmp; 138655714Skris else 138755714Skris { 138855714Skris /* we get them from the cert */ 138955714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 139055714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 139155714Skris goto err; 139255714Skris } 139355714Skris 139455714Skris /* generate a new random key */ 139555714Skris if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 139655714Skris { 139755714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 139855714Skris goto err; 139955714Skris } 140055714Skris if (!DH_generate_key(dh_clnt)) 140155714Skris { 140255714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 140355714Skris goto err; 140455714Skris } 140555714Skris 140655714Skris /* use the 'p' output buffer for the DH key, but 140755714Skris * make sure to clear it out afterwards */ 140855714Skris 140955714Skris n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 141055714Skris 141155714Skris if (n <= 0) 141255714Skris { 141355714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 141455714Skris goto err; 141555714Skris } 141655714Skris 141755714Skris /* generate master key from the result */ 141855714Skris s->session->master_key_length= 141955714Skris s->method->ssl3_enc->generate_master_secret(s, 142055714Skris s->session->master_key,p,n); 142155714Skris /* clean up */ 142255714Skris memset(p,0,n); 142355714Skris 142455714Skris /* send off the data */ 142555714Skris n=BN_num_bytes(dh_clnt->pub_key); 142655714Skris s2n(n,p); 142755714Skris BN_bn2bin(dh_clnt->pub_key,p); 142855714Skris n+=2; 142955714Skris 143055714Skris DH_free(dh_clnt); 143155714Skris 143255714Skris /* perhaps clean things up a bit EAY EAY EAY EAY*/ 143355714Skris } 143455714Skris else 143555714Skris#endif 143655714Skris { 143755714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 143855714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 143955714Skris goto err; 144055714Skris } 144155714Skris 144255714Skris *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 144355714Skris l2n3(n,d); 144455714Skris 144555714Skris s->state=SSL3_ST_CW_KEY_EXCH_B; 144655714Skris /* number of bytes to write */ 144755714Skris s->init_num=n+4; 144855714Skris s->init_off=0; 144955714Skris } 145055714Skris 145155714Skris /* SSL3_ST_CW_KEY_EXCH_B */ 145255714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 145355714Skriserr: 145455714Skris return(-1); 145555714Skris } 145655714Skris 145755714Skrisstatic int ssl3_send_client_verify(SSL *s) 145855714Skris { 145955714Skris unsigned char *p,*d; 146055714Skris unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 146155714Skris EVP_PKEY *pkey; 146255714Skris#ifndef NO_RSA 146355714Skris int i=0; 146455714Skris#endif 146555714Skris unsigned long n; 146655714Skris#ifndef NO_DSA 146755714Skris int j; 146855714Skris#endif 146955714Skris 147055714Skris if (s->state == SSL3_ST_CW_CERT_VRFY_A) 147155714Skris { 147255714Skris d=(unsigned char *)s->init_buf->data; 147355714Skris p= &(d[4]); 147455714Skris pkey=s->cert->key->privatekey; 147555714Skris 147655714Skris s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2), 147755714Skris &(data[MD5_DIGEST_LENGTH])); 147855714Skris 147955714Skris#ifndef NO_RSA 148055714Skris if (pkey->type == EVP_PKEY_RSA) 148155714Skris { 148255714Skris s->method->ssl3_enc->cert_verify_mac(s, 148355714Skris &(s->s3->finish_dgst1),&(data[0])); 148455714Skris i=RSA_private_encrypt( 148555714Skris MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 148655714Skris data,&(p[2]),pkey->pkey.rsa, 148755714Skris RSA_PKCS1_PADDING); 148855714Skris if (i <= 0) 148955714Skris { 149055714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 149155714Skris goto err; 149255714Skris } 149355714Skris s2n(i,p); 149455714Skris n=i+2; 149555714Skris } 149655714Skris else 149755714Skris#endif 149855714Skris#ifndef NO_DSA 149955714Skris if (pkey->type == EVP_PKEY_DSA) 150055714Skris { 150155714Skris if (!DSA_sign(pkey->save_type, 150255714Skris &(data[MD5_DIGEST_LENGTH]), 150355714Skris SHA_DIGEST_LENGTH,&(p[2]), 150455714Skris (unsigned int *)&j,pkey->pkey.dsa)) 150555714Skris { 150655714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 150755714Skris goto err; 150855714Skris } 150955714Skris s2n(j,p); 151055714Skris n=j+2; 151155714Skris } 151255714Skris else 151355714Skris#endif 151455714Skris { 151555714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR); 151655714Skris goto err; 151755714Skris } 151855714Skris *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 151955714Skris l2n3(n,d); 152055714Skris 152155714Skris s->init_num=(int)n+4; 152255714Skris s->init_off=0; 152355714Skris } 152455714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 152555714Skriserr: 152655714Skris return(-1); 152755714Skris } 152855714Skris 152955714Skrisstatic int ssl3_send_client_certificate(SSL *s) 153055714Skris { 153155714Skris X509 *x509=NULL; 153255714Skris EVP_PKEY *pkey=NULL; 153355714Skris int i; 153455714Skris unsigned long l; 153555714Skris 153655714Skris if (s->state == SSL3_ST_CW_CERT_A) 153755714Skris { 153855714Skris if ((s->cert == NULL) || 153955714Skris (s->cert->key->x509 == NULL) || 154055714Skris (s->cert->key->privatekey == NULL)) 154155714Skris s->state=SSL3_ST_CW_CERT_B; 154255714Skris else 154355714Skris s->state=SSL3_ST_CW_CERT_C; 154455714Skris } 154555714Skris 154655714Skris /* We need to get a client cert */ 154755714Skris if (s->state == SSL3_ST_CW_CERT_B) 154855714Skris { 154955714Skris /* If we get an error, we need to 155055714Skris * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 155155714Skris * We then get retied later */ 155255714Skris i=0; 155355714Skris if (s->ctx->client_cert_cb != NULL) 155455714Skris i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); 155555714Skris if (i < 0) 155655714Skris { 155755714Skris s->rwstate=SSL_X509_LOOKUP; 155855714Skris return(-1); 155955714Skris } 156055714Skris s->rwstate=SSL_NOTHING; 156155714Skris if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 156255714Skris { 156355714Skris s->state=SSL3_ST_CW_CERT_B; 156455714Skris if ( !SSL_use_certificate(s,x509) || 156555714Skris !SSL_use_PrivateKey(s,pkey)) 156655714Skris i=0; 156755714Skris } 156855714Skris else if (i == 1) 156955714Skris { 157055714Skris i=0; 157155714Skris SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 157255714Skris } 157355714Skris 157455714Skris if (x509 != NULL) X509_free(x509); 157555714Skris if (pkey != NULL) EVP_PKEY_free(pkey); 157655714Skris if (i == 0) 157755714Skris { 157855714Skris if (s->version == SSL3_VERSION) 157955714Skris { 158055714Skris s->s3->tmp.cert_req=0; 158155714Skris ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 158255714Skris return(1); 158355714Skris } 158455714Skris else 158555714Skris { 158655714Skris s->s3->tmp.cert_req=2; 158755714Skris } 158855714Skris } 158955714Skris 159055714Skris /* Ok, we have a cert */ 159155714Skris s->state=SSL3_ST_CW_CERT_C; 159255714Skris } 159355714Skris 159455714Skris if (s->state == SSL3_ST_CW_CERT_C) 159555714Skris { 159655714Skris s->state=SSL3_ST_CW_CERT_D; 159755714Skris l=ssl3_output_cert_chain(s, 159855714Skris (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 159955714Skris s->init_num=(int)l; 160055714Skris s->init_off=0; 160155714Skris } 160255714Skris /* SSL3_ST_CW_CERT_D */ 160355714Skris return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 160455714Skris } 160555714Skris 160655714Skris#define has_bits(i,m) (((i)&(m)) == (m)) 160755714Skris 160855714Skrisstatic int ssl3_check_cert_and_algorithm(SSL *s) 160955714Skris { 161055714Skris int i,idx; 161155714Skris long algs; 161255714Skris EVP_PKEY *pkey=NULL; 161355714Skris SESS_CERT *sc; 161455714Skris#ifndef NO_RSA 161555714Skris RSA *rsa; 161655714Skris#endif 161755714Skris#ifndef NO_DH 161855714Skris DH *dh; 161955714Skris#endif 162055714Skris 162155714Skris sc=s->session->sess_cert; 162255714Skris 162355714Skris if (sc == NULL) 162455714Skris { 162555714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR); 162655714Skris goto err; 162755714Skris } 162855714Skris 162955714Skris algs=s->s3->tmp.new_cipher->algorithms; 163055714Skris 163155714Skris /* we don't have a certificate */ 163255714Skris if (algs & (SSL_aDH|SSL_aNULL)) 163355714Skris return(1); 163455714Skris 163555714Skris#ifndef NO_RSA 163655714Skris rsa=s->session->sess_cert->peer_rsa_tmp; 163755714Skris#endif 163855714Skris#ifndef NO_DH 163955714Skris dh=s->session->sess_cert->peer_dh_tmp; 164055714Skris#endif 164155714Skris 164255714Skris /* This is the passed certificate */ 164355714Skris 164455714Skris idx=sc->peer_cert_type; 164555714Skris pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 164655714Skris i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 164755714Skris EVP_PKEY_free(pkey); 164855714Skris 164955714Skris 165055714Skris /* Check that we have a certificate if we require one */ 165155714Skris if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 165255714Skris { 165355714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 165455714Skris goto f_err; 165555714Skris } 165655714Skris#ifndef NO_DSA 165755714Skris else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 165855714Skris { 165955714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 166055714Skris goto f_err; 166155714Skris } 166255714Skris#endif 166355714Skris#ifndef NO_RSA 166455714Skris if ((algs & SSL_kRSA) && 166555714Skris !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 166655714Skris { 166755714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 166855714Skris goto f_err; 166955714Skris } 167055714Skris#endif 167155714Skris#ifndef NO_DH 167255714Skris if ((algs & SSL_kEDH) && 167355714Skris !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 167455714Skris { 167555714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 167655714Skris goto f_err; 167755714Skris } 167855714Skris else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 167955714Skris { 168055714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 168155714Skris goto f_err; 168255714Skris } 168355714Skris#ifndef NO_DSA 168455714Skris else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 168555714Skris { 168655714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 168755714Skris goto f_err; 168855714Skris } 168955714Skris#endif 169055714Skris#endif 169155714Skris 169255714Skris if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP)) 169355714Skris { 169455714Skris#ifndef NO_RSA 169555714Skris if (algs & SSL_kRSA) 169655714Skris { 169755714Skris if (rsa == NULL 169855714Skris || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs)) 169955714Skris { 170055714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 170155714Skris goto f_err; 170255714Skris } 170355714Skris } 170455714Skris else 170555714Skris#endif 170655714Skris#ifndef NO_DH 170755714Skris if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 170855714Skris { 170955714Skris if (dh == NULL 171055714Skris || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs)) 171155714Skris { 171255714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 171355714Skris goto f_err; 171455714Skris } 171555714Skris } 171655714Skris else 171755714Skris#endif 171855714Skris { 171955714Skris SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 172055714Skris goto f_err; 172155714Skris } 172255714Skris } 172355714Skris return(1); 172455714Skrisf_err: 172555714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 172655714Skriserr: 172755714Skris return(0); 172855714Skris } 172955714Skris 1730