s3_clnt.c revision 59191
1/* ssl/s3_clnt.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <stdio.h> 60#include <openssl/buffer.h> 61#include <openssl/rand.h> 62#include <openssl/objects.h> 63#include <openssl/md5.h> 64#include <openssl/sha.h> 65#include <openssl/evp.h> 66#include "ssl_locl.h" 67 68static SSL_METHOD *ssl3_get_client_method(int ver); 69static int ssl3_client_hello(SSL *s); 70static int ssl3_get_server_hello(SSL *s); 71static int ssl3_get_certificate_request(SSL *s); 72static int ca_dn_cmp(X509_NAME **a,X509_NAME **b); 73static int ssl3_get_server_done(SSL *s); 74static int ssl3_send_client_verify(SSL *s); 75static int ssl3_send_client_certificate(SSL *s); 76static int ssl3_send_client_key_exchange(SSL *s); 77static int ssl3_get_key_exchange(SSL *s); 78static int ssl3_get_server_certificate(SSL *s); 79static int ssl3_check_cert_and_algorithm(SSL *s); 80static SSL_METHOD *ssl3_get_client_method(int ver) 81 { 82 if (ver == SSL3_VERSION) 83 return(SSLv3_client_method()); 84 else 85 return(NULL); 86 } 87 88SSL_METHOD *SSLv3_client_method(void) 89 { 90 static int init=1; 91 static SSL_METHOD SSLv3_client_data; 92 93 if (init) 94 { 95 init=0; 96 memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), 97 sizeof(SSL_METHOD)); 98 SSLv3_client_data.ssl_connect=ssl3_connect; 99 SSLv3_client_data.get_ssl_method=ssl3_get_client_method; 100 } 101 return(&SSLv3_client_data); 102 } 103 104int ssl3_connect(SSL *s) 105 { 106 BUF_MEM *buf; 107 unsigned long Time=time(NULL),l; 108 long num1; 109 void (*cb)()=NULL; 110 int ret= -1; 111 int new_state,state,skip=0;; 112 113 RAND_add(&Time,sizeof(Time),0); 114 ERR_clear_error(); 115 clear_sys_error(); 116 117 if (s->info_callback != NULL) 118 cb=s->info_callback; 119 else if (s->ctx->info_callback != NULL) 120 cb=s->ctx->info_callback; 121 122 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 123 s->in_handshake++; 124 125 for (;;) 126 { 127 state=s->state; 128 129 switch(s->state) 130 { 131 case SSL_ST_RENEGOTIATE: 132 s->new_session=1; 133 s->state=SSL_ST_CONNECT; 134 s->ctx->stats.sess_connect_renegotiate++; 135 /* break */ 136 case SSL_ST_BEFORE: 137 case SSL_ST_CONNECT: 138 case SSL_ST_BEFORE|SSL_ST_CONNECT: 139 case SSL_ST_OK|SSL_ST_CONNECT: 140 141 s->server=0; 142 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 143 144 if ((s->version & 0xff00 ) != 0x0300) 145 abort(); 146 /* s->version=SSL3_VERSION; */ 147 s->type=SSL_ST_CONNECT; 148 149 if (s->init_buf == NULL) 150 { 151 if ((buf=BUF_MEM_new()) == NULL) 152 { 153 ret= -1; 154 goto end; 155 } 156 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 157 { 158 ret= -1; 159 goto end; 160 } 161 s->init_buf=buf; 162 } 163 164 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 165 166 /* setup buffing BIO */ 167 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 168 169 /* don't push the buffering BIO quite yet */ 170 171 ssl3_init_finished_mac(s); 172 173 s->state=SSL3_ST_CW_CLNT_HELLO_A; 174 s->ctx->stats.sess_connect++; 175 s->init_num=0; 176 break; 177 178 case SSL3_ST_CW_CLNT_HELLO_A: 179 case SSL3_ST_CW_CLNT_HELLO_B: 180 181 s->shutdown=0; 182 ret=ssl3_client_hello(s); 183 if (ret <= 0) goto end; 184 s->state=SSL3_ST_CR_SRVR_HELLO_A; 185 s->init_num=0; 186 187 /* turn on buffering for the next lot of output */ 188 if (s->bbio != s->wbio) 189 s->wbio=BIO_push(s->bbio,s->wbio); 190 191 break; 192 193 case SSL3_ST_CR_SRVR_HELLO_A: 194 case SSL3_ST_CR_SRVR_HELLO_B: 195 ret=ssl3_get_server_hello(s); 196 if (ret <= 0) goto end; 197 if (s->hit) 198 s->state=SSL3_ST_CR_FINISHED_A; 199 else 200 s->state=SSL3_ST_CR_CERT_A; 201 s->init_num=0; 202 break; 203 204 case SSL3_ST_CR_CERT_A: 205 case SSL3_ST_CR_CERT_B: 206 /* Check if it is anon DH */ 207 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 208 { 209 ret=ssl3_get_server_certificate(s); 210 if (ret <= 0) goto end; 211 } 212 else 213 skip=1; 214 s->state=SSL3_ST_CR_KEY_EXCH_A; 215 s->init_num=0; 216 break; 217 218 case SSL3_ST_CR_KEY_EXCH_A: 219 case SSL3_ST_CR_KEY_EXCH_B: 220 ret=ssl3_get_key_exchange(s); 221 if (ret <= 0) goto end; 222 s->state=SSL3_ST_CR_CERT_REQ_A; 223 s->init_num=0; 224 225 /* at this point we check that we have the 226 * required stuff from the server */ 227 if (!ssl3_check_cert_and_algorithm(s)) 228 { 229 ret= -1; 230 goto end; 231 } 232 break; 233 234 case SSL3_ST_CR_CERT_REQ_A: 235 case SSL3_ST_CR_CERT_REQ_B: 236 ret=ssl3_get_certificate_request(s); 237 if (ret <= 0) goto end; 238 s->state=SSL3_ST_CR_SRVR_DONE_A; 239 s->init_num=0; 240 break; 241 242 case SSL3_ST_CR_SRVR_DONE_A: 243 case SSL3_ST_CR_SRVR_DONE_B: 244 ret=ssl3_get_server_done(s); 245 if (ret <= 0) goto end; 246 if (s->s3->tmp.cert_req) 247 s->state=SSL3_ST_CW_CERT_A; 248 else 249 s->state=SSL3_ST_CW_KEY_EXCH_A; 250 s->init_num=0; 251 252 break; 253 254 case SSL3_ST_CW_CERT_A: 255 case SSL3_ST_CW_CERT_B: 256 case SSL3_ST_CW_CERT_C: 257 case SSL3_ST_CW_CERT_D: 258 ret=ssl3_send_client_certificate(s); 259 if (ret <= 0) goto end; 260 s->state=SSL3_ST_CW_KEY_EXCH_A; 261 s->init_num=0; 262 break; 263 264 case SSL3_ST_CW_KEY_EXCH_A: 265 case SSL3_ST_CW_KEY_EXCH_B: 266 ret=ssl3_send_client_key_exchange(s); 267 if (ret <= 0) goto end; 268 l=s->s3->tmp.new_cipher->algorithms; 269 /* EAY EAY EAY need to check for DH fix cert 270 * sent back */ 271 /* For TLS, cert_req is set to 2, so a cert chain 272 * of nothing is sent, but no verify packet is sent */ 273 if (s->s3->tmp.cert_req == 1) 274 { 275 s->state=SSL3_ST_CW_CERT_VRFY_A; 276 } 277 else 278 { 279 s->state=SSL3_ST_CW_CHANGE_A; 280 s->s3->change_cipher_spec=0; 281 } 282 283 s->init_num=0; 284 break; 285 286 case SSL3_ST_CW_CERT_VRFY_A: 287 case SSL3_ST_CW_CERT_VRFY_B: 288 ret=ssl3_send_client_verify(s); 289 if (ret <= 0) goto end; 290 s->state=SSL3_ST_CW_CHANGE_A; 291 s->init_num=0; 292 s->s3->change_cipher_spec=0; 293 break; 294 295 case SSL3_ST_CW_CHANGE_A: 296 case SSL3_ST_CW_CHANGE_B: 297 ret=ssl3_send_change_cipher_spec(s, 298 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 299 if (ret <= 0) goto end; 300 s->state=SSL3_ST_CW_FINISHED_A; 301 s->init_num=0; 302 303 s->session->cipher=s->s3->tmp.new_cipher; 304 if (s->s3->tmp.new_compression == NULL) 305 s->session->compress_meth=0; 306 else 307 s->session->compress_meth= 308 s->s3->tmp.new_compression->id; 309 if (!s->method->ssl3_enc->setup_key_block(s)) 310 { 311 ret= -1; 312 goto end; 313 } 314 315 if (!s->method->ssl3_enc->change_cipher_state(s, 316 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 317 { 318 ret= -1; 319 goto end; 320 } 321 322 break; 323 324 case SSL3_ST_CW_FINISHED_A: 325 case SSL3_ST_CW_FINISHED_B: 326 ret=ssl3_send_finished(s, 327 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 328 s->method->ssl3_enc->client_finished_label, 329 s->method->ssl3_enc->client_finished_label_len); 330 if (ret <= 0) goto end; 331 s->state=SSL3_ST_CW_FLUSH; 332 333 /* clear flags */ 334 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 335 if (s->hit) 336 { 337 s->s3->tmp.next_state=SSL_ST_OK; 338 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 339 { 340 s->state=SSL_ST_OK; 341 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 342 s->s3->delay_buf_pop_ret=0; 343 } 344 } 345 else 346 { 347 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 348 } 349 s->init_num=0; 350 break; 351 352 case SSL3_ST_CR_FINISHED_A: 353 case SSL3_ST_CR_FINISHED_B: 354 355 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 356 SSL3_ST_CR_FINISHED_B); 357 if (ret <= 0) goto end; 358 359 if (s->hit) 360 s->state=SSL3_ST_CW_CHANGE_A; 361 else 362 s->state=SSL_ST_OK; 363 s->init_num=0; 364 break; 365 366 case SSL3_ST_CW_FLUSH: 367 /* number of bytes to be flushed */ 368 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 369 if (num1 > 0) 370 { 371 s->rwstate=SSL_WRITING; 372 num1=BIO_flush(s->wbio); 373 if (num1 <= 0) { ret= -1; goto end; } 374 s->rwstate=SSL_NOTHING; 375 } 376 377 s->state=s->s3->tmp.next_state; 378 break; 379 380 case SSL_ST_OK: 381 /* clean a few things up */ 382 ssl3_cleanup_key_block(s); 383 384 if (s->init_buf != NULL) 385 { 386 BUF_MEM_free(s->init_buf); 387 s->init_buf=NULL; 388 } 389 390 /* If we are not 'joining' the last two packets, 391 * remove the buffering now */ 392 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 393 ssl_free_wbio_buffer(s); 394 /* else do it later in ssl3_write */ 395 396 s->init_num=0; 397 s->new_session=0; 398 399 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 400 if (s->hit) s->ctx->stats.sess_hit++; 401 402 ret=1; 403 /* s->server=0; */ 404 s->handshake_func=ssl3_connect; 405 s->ctx->stats.sess_connect_good++; 406 407 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 408 409 goto end; 410 /* break; */ 411 412 default: 413 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 414 ret= -1; 415 goto end; 416 /* break; */ 417 } 418 419 /* did we do anything */ 420 if (!s->s3->tmp.reuse_message && !skip) 421 { 422 if (s->debug) 423 { 424 if ((ret=BIO_flush(s->wbio)) <= 0) 425 goto end; 426 } 427 428 if ((cb != NULL) && (s->state != state)) 429 { 430 new_state=s->state; 431 s->state=state; 432 cb(s,SSL_CB_CONNECT_LOOP,1); 433 s->state=new_state; 434 } 435 } 436 skip=0; 437 } 438end: 439 if (cb != NULL) 440 cb(s,SSL_CB_CONNECT_EXIT,ret); 441 s->in_handshake--; 442 return(ret); 443 } 444 445 446static int ssl3_client_hello(SSL *s) 447 { 448 unsigned char *buf; 449 unsigned char *p,*d; 450 int i,j; 451 unsigned long Time,l; 452 SSL_COMP *comp; 453 454 buf=(unsigned char *)s->init_buf->data; 455 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 456 { 457 if ((s->session == NULL) || 458 (s->session->ssl_version != s->version) || 459 (s->session->not_resumable)) 460 { 461 if (!ssl_get_new_session(s,0)) 462 goto err; 463 } 464 /* else use the pre-loaded session */ 465 466 p=s->s3->client_random; 467 Time=time(NULL); /* Time */ 468 l2n(Time,p); 469 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 470 471 /* Do the message type and length last */ 472 d=p= &(buf[4]); 473 474 *(p++)=s->version>>8; 475 *(p++)=s->version&0xff; 476 s->client_version=s->version; 477 478 /* Random stuff */ 479 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 480 p+=SSL3_RANDOM_SIZE; 481 482 /* Session ID */ 483 if (s->new_session) 484 i=0; 485 else 486 i=s->session->session_id_length; 487 *(p++)=i; 488 if (i != 0) 489 { 490 memcpy(p,s->session->session_id,i); 491 p+=i; 492 } 493 494 /* Ciphers supported */ 495 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2])); 496 if (i == 0) 497 { 498 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 499 goto err; 500 } 501 s2n(i,p); 502 p+=i; 503 504 /* COMPRESSION */ 505 if (s->ctx->comp_methods == NULL) 506 j=0; 507 else 508 j=sk_SSL_COMP_num(s->ctx->comp_methods); 509 *(p++)=1+j; 510 for (i=0; i<j; i++) 511 { 512 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 513 *(p++)=comp->id; 514 } 515 *(p++)=0; /* Add the NULL method */ 516 517 l=(p-d); 518 d=buf; 519 *(d++)=SSL3_MT_CLIENT_HELLO; 520 l2n3(l,d); 521 522 s->state=SSL3_ST_CW_CLNT_HELLO_B; 523 /* number of bytes to write */ 524 s->init_num=p-buf; 525 s->init_off=0; 526 } 527 528 /* SSL3_ST_CW_CLNT_HELLO_B */ 529 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 530err: 531 return(-1); 532 } 533 534static int ssl3_get_server_hello(SSL *s) 535 { 536 STACK_OF(SSL_CIPHER) *sk; 537 SSL_CIPHER *c; 538 unsigned char *p,*d; 539 int i,al,ok; 540 unsigned int j; 541 long n; 542 SSL_COMP *comp; 543 544 n=ssl3_get_message(s, 545 SSL3_ST_CR_SRVR_HELLO_A, 546 SSL3_ST_CR_SRVR_HELLO_B, 547 SSL3_MT_SERVER_HELLO, 548 300, /* ?? */ 549 &ok); 550 551 if (!ok) return((int)n); 552 d=p=(unsigned char *)s->init_buf->data; 553 554 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 555 { 556 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 557 s->version=(s->version&0xff00)|p[1]; 558 al=SSL_AD_PROTOCOL_VERSION; 559 goto f_err; 560 } 561 p+=2; 562 563 /* load the server hello data */ 564 /* load the server random */ 565 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 566 p+=SSL3_RANDOM_SIZE; 567 568 /* get the session-id */ 569 j= *(p++); 570 571 if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) 572 { 573 /* SSLref returns 16 :-( */ 574 if (j < SSL2_SSL_SESSION_ID_LENGTH) 575 { 576 al=SSL_AD_ILLEGAL_PARAMETER; 577 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); 578 goto f_err; 579 } 580 } 581 if (j != 0 && j == s->session->session_id_length 582 && memcmp(p,s->session->session_id,j) == 0) 583 { 584 if(s->sid_ctx_length != s->session->sid_ctx_length 585 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 586 { 587 al=SSL_AD_ILLEGAL_PARAMETER; 588 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 589 goto f_err; 590 } 591 s->hit=1; 592 } 593 else /* a miss or crap from the other end */ 594 { 595 /* If we were trying for session-id reuse, make a new 596 * SSL_SESSION so we don't stuff up other people */ 597 s->hit=0; 598 if (s->session->session_id_length > 0) 599 { 600 if (!ssl_get_new_session(s,0)) 601 { 602 al=SSL_AD_INTERNAL_ERROR; 603 goto f_err; 604 } 605 } 606 s->session->session_id_length=j; 607 memcpy(s->session->session_id,p,j); /* j could be 0 */ 608 } 609 p+=j; 610 c=ssl_get_cipher_by_char(s,p); 611 if (c == NULL) 612 { 613 /* unknown cipher */ 614 al=SSL_AD_ILLEGAL_PARAMETER; 615 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 616 goto f_err; 617 } 618 p+=ssl_put_cipher_by_char(s,NULL,NULL); 619 620 sk=ssl_get_ciphers_by_id(s); 621 i=sk_SSL_CIPHER_find(sk,c); 622 if (i < 0) 623 { 624 /* we did not say we would use this cipher */ 625 al=SSL_AD_ILLEGAL_PARAMETER; 626 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 627 goto f_err; 628 } 629 630 if (s->hit && (s->session->cipher != c)) 631 { 632 if (!(s->options & 633 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 634 { 635 al=SSL_AD_ILLEGAL_PARAMETER; 636 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 637 goto f_err; 638 } 639 } 640 s->s3->tmp.new_cipher=c; 641 642 /* lets get the compression algorithm */ 643 /* COMPRESSION */ 644 j= *(p++); 645 if (j == 0) 646 comp=NULL; 647 else 648 comp=ssl3_comp_find(s->ctx->comp_methods,j); 649 650 if ((j != 0) && (comp == NULL)) 651 { 652 al=SSL_AD_ILLEGAL_PARAMETER; 653 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 654 goto f_err; 655 } 656 else 657 { 658 s->s3->tmp.new_compression=comp; 659 } 660 661 if (p != (d+n)) 662 { 663 /* wrong packet length */ 664 al=SSL_AD_DECODE_ERROR; 665 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 666 goto err; 667 } 668 669 return(1); 670f_err: 671 ssl3_send_alert(s,SSL3_AL_FATAL,al); 672err: 673 return(-1); 674 } 675 676static int ssl3_get_server_certificate(SSL *s) 677 { 678 int al,i,ok,ret= -1; 679 unsigned long n,nc,llen,l; 680 X509 *x=NULL; 681 unsigned char *p,*d,*q; 682 STACK_OF(X509) *sk=NULL; 683 SESS_CERT *sc; 684 EVP_PKEY *pkey=NULL; 685 686 n=ssl3_get_message(s, 687 SSL3_ST_CR_CERT_A, 688 SSL3_ST_CR_CERT_B, 689 -1, 690#if defined(MSDOS) && !defined(WIN32) 691 1024*30, /* 30k max cert list :-) */ 692#else 693 1024*100, /* 100k max cert list :-) */ 694#endif 695 &ok); 696 697 if (!ok) return((int)n); 698 699 if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) 700 { 701 s->s3->tmp.reuse_message=1; 702 return(1); 703 } 704 705 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 706 { 707 al=SSL_AD_UNEXPECTED_MESSAGE; 708 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 709 goto f_err; 710 } 711 d=p=(unsigned char *)s->init_buf->data; 712 713 if ((sk=sk_X509_new_null()) == NULL) 714 { 715 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 716 goto err; 717 } 718 719 n2l3(p,llen); 720 if (llen+3 != n) 721 { 722 al=SSL_AD_DECODE_ERROR; 723 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 724 goto f_err; 725 } 726 for (nc=0; nc<llen; ) 727 { 728 n2l3(p,l); 729 if ((l+nc+3) > llen) 730 { 731 al=SSL_AD_DECODE_ERROR; 732 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 733 goto f_err; 734 } 735 736 q=p; 737 x=d2i_X509(NULL,&q,l); 738 if (x == NULL) 739 { 740 al=SSL_AD_BAD_CERTIFICATE; 741 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 742 goto f_err; 743 } 744 if (q != (p+l)) 745 { 746 al=SSL_AD_DECODE_ERROR; 747 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 748 goto f_err; 749 } 750 if (!sk_X509_push(sk,x)) 751 { 752 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 753 goto err; 754 } 755 x=NULL; 756 nc+=l+3; 757 p=q; 758 } 759 760 i=ssl_verify_cert_chain(s,sk); 761 if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) 762 { 763 al=ssl_verify_alarm_type(s->verify_result); 764 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 765 goto f_err; 766 } 767 768 sc=ssl_sess_cert_new(); 769 if (sc == NULL) goto err; 770 771 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 772 s->session->sess_cert=sc; 773 774 sc->cert_chain=sk; 775 /* Inconsistency alert: cert_chain does include the peer's 776 * certificate, which we don't include in s3_srvr.c */ 777 x=sk_X509_value(sk,0); 778 sk=NULL; 779 780 pkey=X509_get_pubkey(x); 781 782 if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)) 783 { 784 x=NULL; 785 al=SSL3_AL_FATAL; 786 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 787 goto f_err; 788 } 789 790 i=ssl_cert_type(x,pkey); 791 if (i < 0) 792 { 793 x=NULL; 794 al=SSL3_AL_FATAL; 795 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE); 796 goto f_err; 797 } 798 799 sc->peer_cert_type=i; 800 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 801 if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen? 802 * We just created sc a couple of 803 * lines ago. */ 804 X509_free(sc->peer_pkeys[i].x509); 805 sc->peer_pkeys[i].x509=x; 806 sc->peer_key= &(sc->peer_pkeys[i]); 807 808 if (s->session->peer != NULL) 809 X509_free(s->session->peer); 810 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 811 s->session->peer=x; 812 813 x=NULL; 814 ret=1; 815 816 if (0) 817 { 818f_err: 819 ssl3_send_alert(s,SSL3_AL_FATAL,al); 820 } 821err: 822 EVP_PKEY_free(pkey); 823 X509_free(x); 824 sk_X509_pop_free(sk,X509_free); 825 return(ret); 826 } 827 828static int ssl3_get_key_exchange(SSL *s) 829 { 830#ifndef NO_RSA 831 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 832#endif 833 EVP_MD_CTX md_ctx; 834 unsigned char *param,*p; 835 int al,i,j,param_len,ok; 836 long n,alg; 837 EVP_PKEY *pkey=NULL; 838#ifndef NO_RSA 839 RSA *rsa=NULL; 840#endif 841#ifndef NO_DH 842 DH *dh=NULL; 843#endif 844 845 n=ssl3_get_message(s, 846 SSL3_ST_CR_KEY_EXCH_A, 847 SSL3_ST_CR_KEY_EXCH_B, 848 -1, 849 1024*8, /* ?? */ 850 &ok); 851 852 if (!ok) return((int)n); 853 854 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 855 { 856 s->s3->tmp.reuse_message=1; 857 return(1); 858 } 859 860 param=p=(unsigned char *)s->init_buf->data; 861 862 if (s->session->sess_cert != NULL) 863 { 864#ifndef NO_RSA 865 if (s->session->sess_cert->peer_rsa_tmp != NULL) 866 { 867 RSA_free(s->session->sess_cert->peer_rsa_tmp); 868 s->session->sess_cert->peer_rsa_tmp=NULL; 869 } 870#endif 871#ifndef NO_DH 872 if (s->session->sess_cert->peer_dh_tmp) 873 { 874 DH_free(s->session->sess_cert->peer_dh_tmp); 875 s->session->sess_cert->peer_dh_tmp=NULL; 876 } 877#endif 878 } 879 else 880 { 881 s->session->sess_cert=ssl_sess_cert_new(); 882 } 883 884 param_len=0; 885 alg=s->s3->tmp.new_cipher->algorithms; 886 887#ifndef NO_RSA 888 if (alg & SSL_kRSA) 889 { 890 if ((rsa=RSA_new()) == NULL) 891 { 892 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 893 goto err; 894 } 895 n2s(p,i); 896 param_len=i+2; 897 if (param_len > n) 898 { 899 al=SSL_AD_DECODE_ERROR; 900 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 901 goto f_err; 902 } 903 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 904 { 905 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 906 goto err; 907 } 908 p+=i; 909 910 n2s(p,i); 911 param_len+=i+2; 912 if (param_len > n) 913 { 914 al=SSL_AD_DECODE_ERROR; 915 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 916 goto f_err; 917 } 918 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 919 { 920 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 921 goto err; 922 } 923 p+=i; 924 n-=param_len; 925 926 /* this should be because we are using an export cipher */ 927 if (alg & SSL_aRSA) 928 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 929 else 930 { 931 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 932 goto err; 933 } 934 s->session->sess_cert->peer_rsa_tmp=rsa; 935 rsa=NULL; 936 } 937 else 938#endif 939#ifndef NO_DH 940 if (alg & SSL_kEDH) 941 { 942 if ((dh=DH_new()) == NULL) 943 { 944 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 945 goto err; 946 } 947 n2s(p,i); 948 param_len=i+2; 949 if (param_len > n) 950 { 951 al=SSL_AD_DECODE_ERROR; 952 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 953 goto f_err; 954 } 955 if (!(dh->p=BN_bin2bn(p,i,NULL))) 956 { 957 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 958 goto err; 959 } 960 p+=i; 961 962 n2s(p,i); 963 param_len+=i+2; 964 if (param_len > n) 965 { 966 al=SSL_AD_DECODE_ERROR; 967 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 968 goto f_err; 969 } 970 if (!(dh->g=BN_bin2bn(p,i,NULL))) 971 { 972 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 973 goto err; 974 } 975 p+=i; 976 977 n2s(p,i); 978 param_len+=i+2; 979 if (param_len > n) 980 { 981 al=SSL_AD_DECODE_ERROR; 982 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 983 goto f_err; 984 } 985 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 986 { 987 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 988 goto err; 989 } 990 p+=i; 991 n-=param_len; 992 993#ifndef NO_RSA 994 if (alg & SSL_aRSA) 995 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 996 else 997#endif 998#ifndef NO_DSA 999 if (alg & SSL_aDSS) 1000 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1001#endif 1002 /* else anonymous DH, so no certificate or pkey. */ 1003 1004 s->session->sess_cert->peer_dh_tmp=dh; 1005 dh=NULL; 1006 } 1007 else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) 1008 { 1009 al=SSL_AD_ILLEGAL_PARAMETER; 1010 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1011 goto f_err; 1012 } 1013#endif 1014 if (alg & SSL_aFZA) 1015 { 1016 al=SSL_AD_HANDSHAKE_FAILURE; 1017 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1018 goto f_err; 1019 } 1020 1021 1022 /* p points to the next byte, there are 'n' bytes left */ 1023 1024 1025 /* if it was signed, check the signature */ 1026 if (pkey != NULL) 1027 { 1028 n2s(p,i); 1029 n-=2; 1030 j=EVP_PKEY_size(pkey); 1031 1032 if ((i != n) || (n > j) || (n <= 0)) 1033 { 1034 /* wrong packet length */ 1035 al=SSL_AD_DECODE_ERROR; 1036 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1037 goto f_err; 1038 } 1039 1040#ifndef NO_RSA 1041 if (pkey->type == EVP_PKEY_RSA) 1042 { 1043 int num; 1044 1045 j=0; 1046 q=md_buf; 1047 for (num=2; num > 0; num--) 1048 { 1049 EVP_DigestInit(&md_ctx,(num == 2) 1050 ?s->ctx->md5:s->ctx->sha1); 1051 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1052 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1053 EVP_DigestUpdate(&md_ctx,param,param_len); 1054 EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i); 1055 q+=i; 1056 j+=i; 1057 } 1058 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1059 pkey->pkey.rsa); 1060 if (i < 0) 1061 { 1062 al=SSL_AD_DECRYPT_ERROR; 1063 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1064 goto f_err; 1065 } 1066 if (i == 0) 1067 { 1068 /* bad signature */ 1069 al=SSL_AD_DECRYPT_ERROR; 1070 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1071 goto f_err; 1072 } 1073 } 1074 else 1075#endif 1076#ifndef NO_DSA 1077 if (pkey->type == EVP_PKEY_DSA) 1078 { 1079 /* lets do DSS */ 1080 EVP_VerifyInit(&md_ctx,EVP_dss1()); 1081 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1082 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1083 EVP_VerifyUpdate(&md_ctx,param,param_len); 1084 if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) 1085 { 1086 /* bad signature */ 1087 al=SSL_AD_DECRYPT_ERROR; 1088 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1089 goto f_err; 1090 } 1091 } 1092 else 1093#endif 1094 { 1095 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 1096 goto err; 1097 } 1098 } 1099 else 1100 { 1101 /* still data left over */ 1102 if (!(alg & SSL_aNULL)) 1103 { 1104 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 1105 goto err; 1106 } 1107 if (n != 0) 1108 { 1109 al=SSL_AD_DECODE_ERROR; 1110 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 1111 goto f_err; 1112 } 1113 } 1114 EVP_PKEY_free(pkey); 1115 return(1); 1116f_err: 1117 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1118err: 1119 EVP_PKEY_free(pkey); 1120#ifndef NO_RSA 1121 if (rsa != NULL) 1122 RSA_free(rsa); 1123#endif 1124#ifndef NO_DH 1125 if (dh != NULL) 1126 DH_free(dh); 1127#endif 1128 return(-1); 1129 } 1130 1131static int ssl3_get_certificate_request(SSL *s) 1132 { 1133 int ok,ret=0; 1134 unsigned long n,nc,l; 1135 unsigned int llen,ctype_num,i; 1136 X509_NAME *xn=NULL; 1137 unsigned char *p,*d,*q; 1138 STACK_OF(X509_NAME) *ca_sk=NULL; 1139 1140 n=ssl3_get_message(s, 1141 SSL3_ST_CR_CERT_REQ_A, 1142 SSL3_ST_CR_CERT_REQ_B, 1143 -1, 1144#if defined(MSDOS) && !defined(WIN32) 1145 1024*30, /* 30k max cert list :-) */ 1146#else 1147 1024*100, /* 100k max cert list :-) */ 1148#endif 1149 &ok); 1150 1151 if (!ok) return((int)n); 1152 1153 s->s3->tmp.cert_req=0; 1154 1155 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1156 { 1157 s->s3->tmp.reuse_message=1; 1158 return(1); 1159 } 1160 1161 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1162 { 1163 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1164 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 1165 goto err; 1166 } 1167 1168 /* TLS does not like anon-DH with client cert */ 1169 if (s->version > SSL3_VERSION) 1170 { 1171 l=s->s3->tmp.new_cipher->algorithms; 1172 if (l & SSL_aNULL) 1173 { 1174 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1175 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1176 goto err; 1177 } 1178 } 1179 1180 d=p=(unsigned char *)s->init_buf->data; 1181 1182 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1183 { 1184 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1185 goto err; 1186 } 1187 1188 /* get the certificate types */ 1189 ctype_num= *(p++); 1190 if (ctype_num > SSL3_CT_NUMBER) 1191 ctype_num=SSL3_CT_NUMBER; 1192 for (i=0; i<ctype_num; i++) 1193 s->s3->tmp.ctype[i]= p[i]; 1194 p+=ctype_num; 1195 1196 /* get the CA RDNs */ 1197 n2s(p,llen); 1198#if 0 1199{ 1200FILE *out; 1201out=fopen("/tmp/vsign.der","w"); 1202fwrite(p,1,llen,out); 1203fclose(out); 1204} 1205#endif 1206 1207 if ((llen+ctype_num+2+1) != n) 1208 { 1209 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1210 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1211 goto err; 1212 } 1213 1214 for (nc=0; nc<llen; ) 1215 { 1216 n2s(p,l); 1217 if ((l+nc+2) > llen) 1218 { 1219 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1220 goto cont; /* netscape bugs */ 1221 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1222 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1223 goto err; 1224 } 1225 1226 q=p; 1227 1228 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1229 { 1230 /* If netscape tolerance is on, ignore errors */ 1231 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1232 goto cont; 1233 else 1234 { 1235 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1236 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 1237 goto err; 1238 } 1239 } 1240 1241 if (q != (p+l)) 1242 { 1243 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1244 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 1245 goto err; 1246 } 1247 if (!sk_X509_NAME_push(ca_sk,xn)) 1248 { 1249 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1250 goto err; 1251 } 1252 1253 p+=l; 1254 nc+=l+2; 1255 } 1256 1257 if (0) 1258 { 1259cont: 1260 ERR_clear_error(); 1261 } 1262 1263 /* we should setup a certificate to return.... */ 1264 s->s3->tmp.cert_req=1; 1265 s->s3->tmp.ctype_num=ctype_num; 1266 if (s->s3->tmp.ca_names != NULL) 1267 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1268 s->s3->tmp.ca_names=ca_sk; 1269 ca_sk=NULL; 1270 1271 ret=1; 1272err: 1273 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1274 return(ret); 1275 } 1276 1277static int ca_dn_cmp(X509_NAME **a, X509_NAME **b) 1278 { 1279 return(X509_NAME_cmp(*a,*b)); 1280 } 1281 1282static int ssl3_get_server_done(SSL *s) 1283 { 1284 int ok,ret=0; 1285 long n; 1286 1287 n=ssl3_get_message(s, 1288 SSL3_ST_CR_SRVR_DONE_A, 1289 SSL3_ST_CR_SRVR_DONE_B, 1290 SSL3_MT_SERVER_DONE, 1291 30, /* should be very small, like 0 :-) */ 1292 &ok); 1293 1294 if (!ok) return((int)n); 1295 if (n > 0) 1296 { 1297 /* should contain no data */ 1298 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1299 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 1300 } 1301 ret=1; 1302 return(ret); 1303 } 1304 1305static int ssl3_send_client_key_exchange(SSL *s) 1306 { 1307 unsigned char *p,*d; 1308 int n; 1309 unsigned long l; 1310#ifndef NO_RSA 1311 unsigned char *q; 1312 EVP_PKEY *pkey=NULL; 1313#endif 1314 1315 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 1316 { 1317 d=(unsigned char *)s->init_buf->data; 1318 p= &(d[4]); 1319 1320 l=s->s3->tmp.new_cipher->algorithms; 1321 1322#ifndef NO_RSA 1323 if (l & SSL_kRSA) 1324 { 1325 RSA *rsa; 1326 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1327 1328 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1329 rsa=s->session->sess_cert->peer_rsa_tmp; 1330 else 1331 { 1332 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1333 if ((pkey == NULL) || 1334 (pkey->type != EVP_PKEY_RSA) || 1335 (pkey->pkey.rsa == NULL)) 1336 { 1337 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 1338 goto err; 1339 } 1340 rsa=pkey->pkey.rsa; 1341 EVP_PKEY_free(pkey); 1342 } 1343 1344 tmp_buf[0]=s->client_version>>8; 1345 tmp_buf[1]=s->client_version&0xff; 1346 if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0) 1347 goto err; 1348 1349 s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; 1350 1351 q=p; 1352 /* Fix buf for TLS and beyond */ 1353 if (s->version > SSL3_VERSION) 1354 p+=2; 1355 n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH, 1356 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 1357#ifdef PKCS1_CHECK 1358 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 1359 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 1360#endif 1361 if (n <= 0) 1362 { 1363 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 1364 goto err; 1365 } 1366 1367 /* Fix buf for TLS and beyond */ 1368 if (s->version > SSL3_VERSION) 1369 { 1370 s2n(n,q); 1371 n+=2; 1372 } 1373 1374 s->session->master_key_length= 1375 s->method->ssl3_enc->generate_master_secret(s, 1376 s->session->master_key, 1377 tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); 1378 memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); 1379 } 1380 else 1381#endif 1382#ifndef NO_DH 1383 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1384 { 1385 DH *dh_srvr,*dh_clnt; 1386 1387 if (s->session->sess_cert->peer_dh_tmp != NULL) 1388 dh_srvr=s->session->sess_cert->peer_dh_tmp; 1389 else 1390 { 1391 /* we get them from the cert */ 1392 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1393 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1394 goto err; 1395 } 1396 1397 /* generate a new random key */ 1398 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 1399 { 1400 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1401 goto err; 1402 } 1403 if (!DH_generate_key(dh_clnt)) 1404 { 1405 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1406 goto err; 1407 } 1408 1409 /* use the 'p' output buffer for the DH key, but 1410 * make sure to clear it out afterwards */ 1411 1412 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 1413 1414 if (n <= 0) 1415 { 1416 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1417 goto err; 1418 } 1419 1420 /* generate master key from the result */ 1421 s->session->master_key_length= 1422 s->method->ssl3_enc->generate_master_secret(s, 1423 s->session->master_key,p,n); 1424 /* clean up */ 1425 memset(p,0,n); 1426 1427 /* send off the data */ 1428 n=BN_num_bytes(dh_clnt->pub_key); 1429 s2n(n,p); 1430 BN_bn2bin(dh_clnt->pub_key,p); 1431 n+=2; 1432 1433 DH_free(dh_clnt); 1434 1435 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 1436 } 1437 else 1438#endif 1439 { 1440 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1441 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); 1442 goto err; 1443 } 1444 1445 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1446 l2n3(n,d); 1447 1448 s->state=SSL3_ST_CW_KEY_EXCH_B; 1449 /* number of bytes to write */ 1450 s->init_num=n+4; 1451 s->init_off=0; 1452 } 1453 1454 /* SSL3_ST_CW_KEY_EXCH_B */ 1455 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1456err: 1457 return(-1); 1458 } 1459 1460static int ssl3_send_client_verify(SSL *s) 1461 { 1462 unsigned char *p,*d; 1463 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1464 EVP_PKEY *pkey; 1465#ifndef NO_RSA 1466 unsigned u=0; 1467#endif 1468 unsigned long n; 1469#ifndef NO_DSA 1470 int j; 1471#endif 1472 1473 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 1474 { 1475 d=(unsigned char *)s->init_buf->data; 1476 p= &(d[4]); 1477 pkey=s->cert->key->privatekey; 1478 1479 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2), 1480 &(data[MD5_DIGEST_LENGTH])); 1481 1482#ifndef NO_RSA 1483 if (pkey->type == EVP_PKEY_RSA) 1484 { 1485 s->method->ssl3_enc->cert_verify_mac(s, 1486 &(s->s3->finish_dgst1),&(data[0])); 1487 if (RSA_sign(NID_md5_sha1, data, 1488 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1489 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 1490 { 1491 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 1492 goto err; 1493 } 1494 s2n(u,p); 1495 n=u+2; 1496 } 1497 else 1498#endif 1499#ifndef NO_DSA 1500 if (pkey->type == EVP_PKEY_DSA) 1501 { 1502 if (!DSA_sign(pkey->save_type, 1503 &(data[MD5_DIGEST_LENGTH]), 1504 SHA_DIGEST_LENGTH,&(p[2]), 1505 (unsigned int *)&j,pkey->pkey.dsa)) 1506 { 1507 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 1508 goto err; 1509 } 1510 s2n(j,p); 1511 n=j+2; 1512 } 1513 else 1514#endif 1515 { 1516 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR); 1517 goto err; 1518 } 1519 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 1520 l2n3(n,d); 1521 1522 s->init_num=(int)n+4; 1523 s->init_off=0; 1524 } 1525 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1526err: 1527 return(-1); 1528 } 1529 1530static int ssl3_send_client_certificate(SSL *s) 1531 { 1532 X509 *x509=NULL; 1533 EVP_PKEY *pkey=NULL; 1534 int i; 1535 unsigned long l; 1536 1537 if (s->state == SSL3_ST_CW_CERT_A) 1538 { 1539 if ((s->cert == NULL) || 1540 (s->cert->key->x509 == NULL) || 1541 (s->cert->key->privatekey == NULL)) 1542 s->state=SSL3_ST_CW_CERT_B; 1543 else 1544 s->state=SSL3_ST_CW_CERT_C; 1545 } 1546 1547 /* We need to get a client cert */ 1548 if (s->state == SSL3_ST_CW_CERT_B) 1549 { 1550 /* If we get an error, we need to 1551 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 1552 * We then get retied later */ 1553 i=0; 1554 if (s->ctx->client_cert_cb != NULL) 1555 i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); 1556 if (i < 0) 1557 { 1558 s->rwstate=SSL_X509_LOOKUP; 1559 return(-1); 1560 } 1561 s->rwstate=SSL_NOTHING; 1562 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 1563 { 1564 s->state=SSL3_ST_CW_CERT_B; 1565 if ( !SSL_use_certificate(s,x509) || 1566 !SSL_use_PrivateKey(s,pkey)) 1567 i=0; 1568 } 1569 else if (i == 1) 1570 { 1571 i=0; 1572 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1573 } 1574 1575 if (x509 != NULL) X509_free(x509); 1576 if (pkey != NULL) EVP_PKEY_free(pkey); 1577 if (i == 0) 1578 { 1579 if (s->version == SSL3_VERSION) 1580 { 1581 s->s3->tmp.cert_req=0; 1582 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 1583 return(1); 1584 } 1585 else 1586 { 1587 s->s3->tmp.cert_req=2; 1588 } 1589 } 1590 1591 /* Ok, we have a cert */ 1592 s->state=SSL3_ST_CW_CERT_C; 1593 } 1594 1595 if (s->state == SSL3_ST_CW_CERT_C) 1596 { 1597 s->state=SSL3_ST_CW_CERT_D; 1598 l=ssl3_output_cert_chain(s, 1599 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 1600 s->init_num=(int)l; 1601 s->init_off=0; 1602 } 1603 /* SSL3_ST_CW_CERT_D */ 1604 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1605 } 1606 1607#define has_bits(i,m) (((i)&(m)) == (m)) 1608 1609static int ssl3_check_cert_and_algorithm(SSL *s) 1610 { 1611 int i,idx; 1612 long algs; 1613 EVP_PKEY *pkey=NULL; 1614 SESS_CERT *sc; 1615#ifndef NO_RSA 1616 RSA *rsa; 1617#endif 1618#ifndef NO_DH 1619 DH *dh; 1620#endif 1621 1622 sc=s->session->sess_cert; 1623 1624 if (sc == NULL) 1625 { 1626 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR); 1627 goto err; 1628 } 1629 1630 algs=s->s3->tmp.new_cipher->algorithms; 1631 1632 /* we don't have a certificate */ 1633 if (algs & (SSL_aDH|SSL_aNULL)) 1634 return(1); 1635 1636#ifndef NO_RSA 1637 rsa=s->session->sess_cert->peer_rsa_tmp; 1638#endif 1639#ifndef NO_DH 1640 dh=s->session->sess_cert->peer_dh_tmp; 1641#endif 1642 1643 /* This is the passed certificate */ 1644 1645 idx=sc->peer_cert_type; 1646 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 1647 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 1648 EVP_PKEY_free(pkey); 1649 1650 1651 /* Check that we have a certificate if we require one */ 1652 if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 1653 { 1654 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 1655 goto f_err; 1656 } 1657#ifndef NO_DSA 1658 else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 1659 { 1660 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 1661 goto f_err; 1662 } 1663#endif 1664#ifndef NO_RSA 1665 if ((algs & SSL_kRSA) && 1666 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 1667 { 1668 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 1669 goto f_err; 1670 } 1671#endif 1672#ifndef NO_DH 1673 if ((algs & SSL_kEDH) && 1674 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 1675 { 1676 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 1677 goto f_err; 1678 } 1679 else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 1680 { 1681 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 1682 goto f_err; 1683 } 1684#ifndef NO_DSA 1685 else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 1686 { 1687 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 1688 goto f_err; 1689 } 1690#endif 1691#endif 1692 1693 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 1694 { 1695#ifndef NO_RSA 1696 if (algs & SSL_kRSA) 1697 { 1698 if (rsa == NULL 1699 || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 1700 { 1701 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 1702 goto f_err; 1703 } 1704 } 1705 else 1706#endif 1707#ifndef NO_DH 1708 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1709 { 1710 if (dh == NULL 1711 || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 1712 { 1713 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 1714 goto f_err; 1715 } 1716 } 1717 else 1718#endif 1719 { 1720 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1721 goto f_err; 1722 } 1723 } 1724 return(1); 1725f_err: 1726 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1727err: 1728 return(0); 1729 } 1730 1731