s3_srvr.c revision 277195
1/* ssl/s3_srvr.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125#define REUSE_CIPHER_BUG 126#define NETSCAPE_HANG_BUG 127 128#include <stdio.h> 129#include "ssl_locl.h" 130#include "kssl_lcl.h" 131#include <openssl/buffer.h> 132#include <openssl/rand.h> 133#include <openssl/objects.h> 134#include <openssl/evp.h> 135#include <openssl/hmac.h> 136#include <openssl/x509.h> 137#ifndef OPENSSL_NO_DH 138#include <openssl/dh.h> 139#endif 140#include <openssl/bn.h> 141#ifndef OPENSSL_NO_KRB5 142#include <openssl/krb5_asn.h> 143#endif 144#include <openssl/md5.h> 145 146static SSL_METHOD *ssl3_get_server_method(int ver); 147#ifndef OPENSSL_NO_ECDH 148static int nid2curve_id(int nid); 149#endif 150 151static SSL_METHOD *ssl3_get_server_method(int ver) 152 { 153 if (ver == SSL3_VERSION) 154 return(SSLv3_server_method()); 155 else 156 return(NULL); 157 } 158 159IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 160 ssl3_accept, 161 ssl_undefined_function, 162 ssl3_get_server_method) 163 164int ssl3_accept(SSL *s) 165 { 166 BUF_MEM *buf; 167 unsigned long l,Time=(unsigned long)time(NULL); 168 void (*cb)(const SSL *ssl,int type,int val)=NULL; 169 int ret= -1; 170 int new_state,state,skip=0; 171 172 RAND_add(&Time,sizeof(Time),0); 173 ERR_clear_error(); 174 clear_sys_error(); 175 176 if (s->info_callback != NULL) 177 cb=s->info_callback; 178 else if (s->ctx->info_callback != NULL) 179 cb=s->ctx->info_callback; 180 181 /* init things to blank */ 182 s->in_handshake++; 183 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 184 185 if (s->cert == NULL) 186 { 187 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 188 return(-1); 189 } 190 191 for (;;) 192 { 193 state=s->state; 194 195 switch (s->state) 196 { 197 case SSL_ST_RENEGOTIATE: 198 s->new_session=1; 199 /* s->state=SSL_ST_ACCEPT; */ 200 201 case SSL_ST_BEFORE: 202 case SSL_ST_ACCEPT: 203 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 204 case SSL_ST_OK|SSL_ST_ACCEPT: 205 206 s->server=1; 207 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 208 209 if ((s->version>>8) != 3) 210 { 211 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 212 return -1; 213 } 214 s->type=SSL_ST_ACCEPT; 215 216 if (s->init_buf == NULL) 217 { 218 if ((buf=BUF_MEM_new()) == NULL) 219 { 220 ret= -1; 221 goto end; 222 } 223 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 224 { 225 ret= -1; 226 goto end; 227 } 228 s->init_buf=buf; 229 } 230 231 if (!ssl3_setup_buffers(s)) 232 { 233 ret= -1; 234 goto end; 235 } 236 237 s->init_num=0; 238 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 239 240 if (s->state != SSL_ST_RENEGOTIATE) 241 { 242 /* Ok, we now need to push on a buffering BIO so that 243 * the output is sent in a way that TCP likes :-) 244 */ 245 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 246 247 ssl3_init_finished_mac(s); 248 s->state=SSL3_ST_SR_CLNT_HELLO_A; 249 s->ctx->stats.sess_accept++; 250 } 251 else if (!s->s3->send_connection_binding && 252 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 253 { 254 /* Server attempting to renegotiate with 255 * client that doesn't support secure 256 * renegotiation. 257 */ 258 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 259 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 260 ret = -1; 261 goto end; 262 } 263 else 264 { 265 /* s->state == SSL_ST_RENEGOTIATE, 266 * we will just send a HelloRequest */ 267 s->ctx->stats.sess_accept_renegotiate++; 268 s->state=SSL3_ST_SW_HELLO_REQ_A; 269 } 270 break; 271 272 case SSL3_ST_SW_HELLO_REQ_A: 273 case SSL3_ST_SW_HELLO_REQ_B: 274 275 s->shutdown=0; 276 ret=ssl3_send_hello_request(s); 277 if (ret <= 0) goto end; 278 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 279 s->state=SSL3_ST_SW_FLUSH; 280 s->init_num=0; 281 282 ssl3_init_finished_mac(s); 283 break; 284 285 case SSL3_ST_SW_HELLO_REQ_C: 286 s->state=SSL_ST_OK; 287 break; 288 289 case SSL3_ST_SR_CLNT_HELLO_A: 290 case SSL3_ST_SR_CLNT_HELLO_B: 291 case SSL3_ST_SR_CLNT_HELLO_C: 292 293 s->shutdown=0; 294 ret=ssl3_get_client_hello(s); 295 if (ret <= 0) goto end; 296 s->new_session = 2; 297 s->state=SSL3_ST_SW_SRVR_HELLO_A; 298 s->init_num=0; 299 break; 300 301 case SSL3_ST_SW_SRVR_HELLO_A: 302 case SSL3_ST_SW_SRVR_HELLO_B: 303 ret=ssl3_send_server_hello(s); 304 if (ret <= 0) goto end; 305#ifndef OPENSSL_NO_TLSEXT 306 if (s->hit) 307 { 308 if (s->tlsext_ticket_expected) 309 s->state=SSL3_ST_SW_SESSION_TICKET_A; 310 else 311 s->state=SSL3_ST_SW_CHANGE_A; 312 } 313#else 314 if (s->hit) 315 s->state=SSL3_ST_SW_CHANGE_A; 316#endif 317 else 318 s->state=SSL3_ST_SW_CERT_A; 319 s->init_num=0; 320 break; 321 322 case SSL3_ST_SW_CERT_A: 323 case SSL3_ST_SW_CERT_B: 324 /* Check if it is anon DH or anon ECDH or KRB5 */ 325 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 326 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 327 { 328 ret=ssl3_send_server_certificate(s); 329 if (ret <= 0) goto end; 330#ifndef OPENSSL_NO_TLSEXT 331 if (s->tlsext_status_expected) 332 s->state=SSL3_ST_SW_CERT_STATUS_A; 333 else 334 s->state=SSL3_ST_SW_KEY_EXCH_A; 335 } 336 else 337 { 338 skip = 1; 339 s->state=SSL3_ST_SW_KEY_EXCH_A; 340 } 341#else 342 } 343 else 344 skip=1; 345 346 s->state=SSL3_ST_SW_KEY_EXCH_A; 347#endif 348 s->init_num=0; 349 break; 350 351 case SSL3_ST_SW_KEY_EXCH_A: 352 case SSL3_ST_SW_KEY_EXCH_B: 353 l=s->s3->tmp.new_cipher->algorithms; 354 355 /* clear this, it may get reset by 356 * send_server_key_exchange */ 357 s->s3->tmp.use_rsa_tmp=0; 358 359 360 /* only send if a DH key exchange, fortezza or 361 * RSA but we have a sign only certificate 362 * 363 * For ECC ciphersuites, we send a serverKeyExchange 364 * message only if the cipher suite is either 365 * ECDH-anon or ECDHE. In other cases, the 366 * server certificate contains the server's 367 * public key for key exchange. 368 */ 369 if ((l & SSL_kECDHE) 370 || (l & (SSL_DH|SSL_kFZA)) 371 || ((l & SSL_kRSA) 372 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 373 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 374 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 375 ) 376 ) 377 ) 378 ) 379 { 380 ret=ssl3_send_server_key_exchange(s); 381 if (ret <= 0) goto end; 382 } 383 else 384 skip=1; 385 386 s->state=SSL3_ST_SW_CERT_REQ_A; 387 s->init_num=0; 388 break; 389 390 case SSL3_ST_SW_CERT_REQ_A: 391 case SSL3_ST_SW_CERT_REQ_B: 392 if (/* don't request cert unless asked for it: */ 393 !(s->verify_mode & SSL_VERIFY_PEER) || 394 /* if SSL_VERIFY_CLIENT_ONCE is set, 395 * don't request cert during re-negotiation: */ 396 ((s->session->peer != NULL) && 397 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 398 /* never request cert in anonymous ciphersuites 399 * (see section "Certificate request" in SSL 3 drafts 400 * and in RFC 2246): */ 401 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 402 /* ... except when the application insists on verification 403 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 404 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 405 /* never request cert in Kerberos ciphersuites */ 406 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 407 { 408 /* no cert request */ 409 skip=1; 410 s->s3->tmp.cert_request=0; 411 s->state=SSL3_ST_SW_SRVR_DONE_A; 412 } 413 else 414 { 415 s->s3->tmp.cert_request=1; 416 ret=ssl3_send_certificate_request(s); 417 if (ret <= 0) goto end; 418#ifndef NETSCAPE_HANG_BUG 419 s->state=SSL3_ST_SW_SRVR_DONE_A; 420#else 421 s->state=SSL3_ST_SW_FLUSH; 422 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 423#endif 424 s->init_num=0; 425 } 426 break; 427 428 case SSL3_ST_SW_SRVR_DONE_A: 429 case SSL3_ST_SW_SRVR_DONE_B: 430 ret=ssl3_send_server_done(s); 431 if (ret <= 0) goto end; 432 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 433 s->state=SSL3_ST_SW_FLUSH; 434 s->init_num=0; 435 break; 436 437 case SSL3_ST_SW_FLUSH: 438 439 /* This code originally checked to see if 440 * any data was pending using BIO_CTRL_INFO 441 * and then flushed. This caused problems 442 * as documented in PR#1939. The proposed 443 * fix doesn't completely resolve this issue 444 * as buggy implementations of BIO_CTRL_PENDING 445 * still exist. So instead we just flush 446 * unconditionally. 447 */ 448 449 s->rwstate=SSL_WRITING; 450 if (BIO_flush(s->wbio) <= 0) 451 { 452 ret= -1; 453 goto end; 454 } 455 s->rwstate=SSL_NOTHING; 456 457 s->state=s->s3->tmp.next_state; 458 break; 459 460 case SSL3_ST_SR_CERT_A: 461 case SSL3_ST_SR_CERT_B: 462 /* Check for second client hello (MS SGC) */ 463 ret = ssl3_check_client_hello(s); 464 if (ret <= 0) 465 goto end; 466 if (ret == 2) 467 s->state = SSL3_ST_SR_CLNT_HELLO_C; 468 else { 469 if (s->s3->tmp.cert_request) 470 { 471 ret=ssl3_get_client_certificate(s); 472 if (ret <= 0) goto end; 473 } 474 s->init_num=0; 475 s->state=SSL3_ST_SR_KEY_EXCH_A; 476 } 477 break; 478 479 case SSL3_ST_SR_KEY_EXCH_A: 480 case SSL3_ST_SR_KEY_EXCH_B: 481 ret=ssl3_get_client_key_exchange(s); 482 if (ret <= 0) 483 goto end; 484 if (ret == 2) 485 { 486 /* For the ECDH ciphersuites when 487 * the client sends its ECDH pub key in 488 * a certificate, the CertificateVerify 489 * message is not sent. 490 */ 491 s->state=SSL3_ST_SR_FINISHED_A; 492 s->init_num = 0; 493 } 494 else 495 { 496 s->state=SSL3_ST_SR_CERT_VRFY_A; 497 s->init_num=0; 498 499 /* We need to get hashes here so if there is 500 * a client cert, it can be verified 501 */ 502 s->method->ssl3_enc->cert_verify_mac(s, 503 &(s->s3->finish_dgst1), 504 &(s->s3->tmp.cert_verify_md[0])); 505 s->method->ssl3_enc->cert_verify_mac(s, 506 &(s->s3->finish_dgst2), 507 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 508 } 509 break; 510 511 case SSL3_ST_SR_CERT_VRFY_A: 512 case SSL3_ST_SR_CERT_VRFY_B: 513 514 s->s3->flags |= SSL3_FLAGS_CCS_OK; 515 /* we should decide if we expected this one */ 516 ret=ssl3_get_cert_verify(s); 517 if (ret <= 0) goto end; 518 519 s->state=SSL3_ST_SR_FINISHED_A; 520 s->init_num=0; 521 break; 522 523 case SSL3_ST_SR_FINISHED_A: 524 case SSL3_ST_SR_FINISHED_B: 525 s->s3->flags |= SSL3_FLAGS_CCS_OK; 526 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 527 SSL3_ST_SR_FINISHED_B); 528 if (ret <= 0) goto end; 529 if (s->hit) 530 s->state=SSL_ST_OK; 531#ifndef OPENSSL_NO_TLSEXT 532 else if (s->tlsext_ticket_expected) 533 s->state=SSL3_ST_SW_SESSION_TICKET_A; 534#endif 535 else 536 s->state=SSL3_ST_SW_CHANGE_A; 537 s->init_num=0; 538 break; 539 540#ifndef OPENSSL_NO_TLSEXT 541 case SSL3_ST_SW_SESSION_TICKET_A: 542 case SSL3_ST_SW_SESSION_TICKET_B: 543 ret=ssl3_send_newsession_ticket(s); 544 if (ret <= 0) goto end; 545 s->state=SSL3_ST_SW_CHANGE_A; 546 s->init_num=0; 547 break; 548 549 case SSL3_ST_SW_CERT_STATUS_A: 550 case SSL3_ST_SW_CERT_STATUS_B: 551 ret=ssl3_send_cert_status(s); 552 if (ret <= 0) goto end; 553 s->state=SSL3_ST_SW_KEY_EXCH_A; 554 s->init_num=0; 555 break; 556 557#endif 558 559 case SSL3_ST_SW_CHANGE_A: 560 case SSL3_ST_SW_CHANGE_B: 561 562 s->session->cipher=s->s3->tmp.new_cipher; 563 if (!s->method->ssl3_enc->setup_key_block(s)) 564 { ret= -1; goto end; } 565 566 ret=ssl3_send_change_cipher_spec(s, 567 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 568 569 if (ret <= 0) goto end; 570 s->state=SSL3_ST_SW_FINISHED_A; 571 s->init_num=0; 572 573 if (!s->method->ssl3_enc->change_cipher_state(s, 574 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 575 { 576 ret= -1; 577 goto end; 578 } 579 580 break; 581 582 case SSL3_ST_SW_FINISHED_A: 583 case SSL3_ST_SW_FINISHED_B: 584 ret=ssl3_send_finished(s, 585 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 586 s->method->ssl3_enc->server_finished_label, 587 s->method->ssl3_enc->server_finished_label_len); 588 if (ret <= 0) goto end; 589 s->state=SSL3_ST_SW_FLUSH; 590 if (s->hit) 591 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 592 else 593 s->s3->tmp.next_state=SSL_ST_OK; 594 s->init_num=0; 595 break; 596 597 case SSL_ST_OK: 598 /* clean a few things up */ 599 ssl3_cleanup_key_block(s); 600 601 BUF_MEM_free(s->init_buf); 602 s->init_buf=NULL; 603 604 /* remove buffering on output */ 605 ssl_free_wbio_buffer(s); 606 607 s->init_num=0; 608 609 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 610 { 611 /* actually not necessarily a 'new' session unless 612 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 613 614 s->new_session=0; 615 616 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 617 618 s->ctx->stats.sess_accept_good++; 619 /* s->server=1; */ 620 s->handshake_func=ssl3_accept; 621 622 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 623 } 624 625 ret = 1; 626 goto end; 627 /* break; */ 628 629 default: 630 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 631 ret= -1; 632 goto end; 633 /* break; */ 634 } 635 636 if (!s->s3->tmp.reuse_message && !skip) 637 { 638 if (s->debug) 639 { 640 if ((ret=BIO_flush(s->wbio)) <= 0) 641 goto end; 642 } 643 644 645 if ((cb != NULL) && (s->state != state)) 646 { 647 new_state=s->state; 648 s->state=state; 649 cb(s,SSL_CB_ACCEPT_LOOP,1); 650 s->state=new_state; 651 } 652 } 653 skip=0; 654 } 655end: 656 /* BIO_flush(s->wbio); */ 657 658 s->in_handshake--; 659 if (cb != NULL) 660 cb(s,SSL_CB_ACCEPT_EXIT,ret); 661 return(ret); 662 } 663 664int ssl3_send_hello_request(SSL *s) 665 { 666 unsigned char *p; 667 668 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 669 { 670 p=(unsigned char *)s->init_buf->data; 671 *(p++)=SSL3_MT_HELLO_REQUEST; 672 *(p++)=0; 673 *(p++)=0; 674 *(p++)=0; 675 676 s->state=SSL3_ST_SW_HELLO_REQ_B; 677 /* number of bytes to write */ 678 s->init_num=4; 679 s->init_off=0; 680 } 681 682 /* SSL3_ST_SW_HELLO_REQ_B */ 683 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 684 } 685 686int ssl3_check_client_hello(SSL *s) 687 { 688 int ok; 689 long n; 690 691 /* this function is called when we really expect a Certificate message, 692 * so permit appropriate message length */ 693 n=s->method->ssl_get_message(s, 694 SSL3_ST_SR_CERT_A, 695 SSL3_ST_SR_CERT_B, 696 -1, 697 s->max_cert_list, 698 &ok); 699 if (!ok) return((int)n); 700 s->s3->tmp.reuse_message = 1; 701 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 702 { 703 /* We only allow the client to restart the handshake once per 704 * negotiation. */ 705 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 706 { 707 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 708 return -1; 709 } 710 /* Throw away what we have done so far in the current handshake, 711 * which will now be aborted. (A full SSL_clear would be too much.) */ 712#ifndef OPENSSL_NO_DH 713 if (s->s3->tmp.dh != NULL) 714 { 715 DH_free(s->s3->tmp.dh); 716 s->s3->tmp.dh = NULL; 717 } 718#endif 719#ifndef OPENSSL_NO_ECDH 720 if (s->s3->tmp.ecdh != NULL) 721 { 722 EC_KEY_free(s->s3->tmp.ecdh); 723 s->s3->tmp.ecdh = NULL; 724 } 725#endif 726 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 727 return 2; 728 } 729 return 1; 730} 731 732int ssl3_get_client_hello(SSL *s) 733 { 734 int i,j,ok,al,ret= -1; 735 unsigned int cookie_len; 736 long n; 737 unsigned long id; 738 unsigned char *p,*d,*q; 739 SSL_CIPHER *c; 740#ifndef OPENSSL_NO_COMP 741 SSL_COMP *comp=NULL; 742#endif 743 STACK_OF(SSL_CIPHER) *ciphers=NULL; 744 745 /* We do this so that we will respond with our native type. 746 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 747 * This down switching should be handled by a different method. 748 * If we are SSLv3, we will respond with SSLv3, even if prompted with 749 * TLSv1. 750 */ 751 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 752 { 753 s->state=SSL3_ST_SR_CLNT_HELLO_B; 754 } 755 s->first_packet=1; 756 n=s->method->ssl_get_message(s, 757 SSL3_ST_SR_CLNT_HELLO_B, 758 SSL3_ST_SR_CLNT_HELLO_C, 759 SSL3_MT_CLIENT_HELLO, 760 SSL3_RT_MAX_PLAIN_LENGTH, 761 &ok); 762 763 if (!ok) return((int)n); 764 s->first_packet=0; 765 d=p=(unsigned char *)s->init_msg; 766 767 /* use version from inside client hello, not from record header 768 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 769 s->client_version=(((int)p[0])<<8)|(int)p[1]; 770 p+=2; 771 772 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 773 (s->version != DTLS1_VERSION && s->client_version < s->version)) 774 { 775 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 776 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 777 { 778 /* similar to ssl3_get_record, send alert using remote version number */ 779 s->version = s->client_version; 780 } 781 al = SSL_AD_PROTOCOL_VERSION; 782 goto f_err; 783 } 784 785 /* If we require cookies and this ClientHello doesn't 786 * contain one, just return since we do not want to 787 * allocate any memory yet. So check cookie length... 788 */ 789 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 790 { 791 unsigned int session_length, cookie_length; 792 793 session_length = *(p + SSL3_RANDOM_SIZE); 794 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 795 796 if (cookie_length == 0) 797 return 1; 798 } 799 800 /* load the client random */ 801 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 802 p+=SSL3_RANDOM_SIZE; 803 804 /* get the session-id */ 805 j= *(p++); 806 807 s->hit=0; 808 /* Versions before 0.9.7 always allow session reuse during renegotiation 809 * (i.e. when s->new_session is true), option 810 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 811 * Maybe this optional behaviour should always have been the default, 812 * but we cannot safely change the default behaviour (or new applications 813 * might be written that become totally unsecure when compiled with 814 * an earlier library version) 815 */ 816 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 817 { 818 if (!ssl_get_new_session(s,1)) 819 goto err; 820 } 821 else 822 { 823 i=ssl_get_prev_session(s, p, j, d + n); 824 if (i == 1) 825 { /* previous session */ 826 s->hit=1; 827 } 828 else if (i == -1) 829 goto err; 830 else /* i == 0 */ 831 { 832 if (!ssl_get_new_session(s,1)) 833 goto err; 834 } 835 } 836 837 p+=j; 838 839 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 840 { 841 /* cookie stuff */ 842 cookie_len = *(p++); 843 844 /* 845 * The ClientHello may contain a cookie even if the 846 * HelloVerify message has not been sent--make sure that it 847 * does not cause an overflow. 848 */ 849 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 850 { 851 /* too much data */ 852 al = SSL_AD_DECODE_ERROR; 853 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 854 goto f_err; 855 } 856 857 /* verify the cookie if appropriate option is set. */ 858 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 859 cookie_len > 0) 860 { 861 memcpy(s->d1->rcvd_cookie, p, cookie_len); 862 863 if ( s->ctx->app_verify_cookie_cb != NULL) 864 { 865 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 866 cookie_len) == 0) 867 { 868 al=SSL_AD_HANDSHAKE_FAILURE; 869 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 870 SSL_R_COOKIE_MISMATCH); 871 goto f_err; 872 } 873 /* else cookie verification succeeded */ 874 } 875 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 876 s->d1->cookie_len) != 0) /* default verification */ 877 { 878 al=SSL_AD_HANDSHAKE_FAILURE; 879 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 880 SSL_R_COOKIE_MISMATCH); 881 goto f_err; 882 } 883 884 ret = 2; 885 } 886 887 p += cookie_len; 888 } 889 890 n2s(p,i); 891 if ((i == 0) && (j != 0)) 892 { 893 /* we need a cipher if we are not resuming a session */ 894 al=SSL_AD_ILLEGAL_PARAMETER; 895 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 896 goto f_err; 897 } 898 if ((p+i) >= (d+n)) 899 { 900 /* not enough data */ 901 al=SSL_AD_DECODE_ERROR; 902 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 903 goto f_err; 904 } 905 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 906 == NULL)) 907 { 908 goto err; 909 } 910 p+=i; 911 912 /* If it is a hit, check that the cipher is in the list */ 913 if ((s->hit) && (i > 0)) 914 { 915 j=0; 916 id=s->session->cipher->id; 917 918#ifdef CIPHER_DEBUG 919 printf("client sent %d ciphers\n",sk_num(ciphers)); 920#endif 921 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 922 { 923 c=sk_SSL_CIPHER_value(ciphers,i); 924#ifdef CIPHER_DEBUG 925 printf("client [%2d of %2d]:%s\n", 926 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 927#endif 928 if (c->id == id) 929 { 930 j=1; 931 break; 932 } 933 } 934/* Disabled because it can be used in a ciphersuite downgrade 935 * attack: CVE-2010-4180. 936 */ 937#if 0 938 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 939 { 940 /* Special case as client bug workaround: the previously used cipher may 941 * not be in the current list, the client instead might be trying to 942 * continue using a cipher that before wasn't chosen due to server 943 * preferences. We'll have to reject the connection if the cipher is not 944 * enabled, though. */ 945 c = sk_SSL_CIPHER_value(ciphers, 0); 946 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 947 { 948 s->session->cipher = c; 949 j = 1; 950 } 951 } 952#endif 953 if (j == 0) 954 { 955 /* we need to have the cipher in the cipher 956 * list if we are asked to reuse it */ 957 al=SSL_AD_ILLEGAL_PARAMETER; 958 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 959 goto f_err; 960 } 961 } 962 963 /* compression */ 964 i= *(p++); 965 if ((p+i) > (d+n)) 966 { 967 /* not enough data */ 968 al=SSL_AD_DECODE_ERROR; 969 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 970 goto f_err; 971 } 972 q=p; 973 for (j=0; j<i; j++) 974 { 975 if (p[j] == 0) break; 976 } 977 978 p+=i; 979 if (j >= i) 980 { 981 /* no compress */ 982 al=SSL_AD_DECODE_ERROR; 983 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 984 goto f_err; 985 } 986 987#ifndef OPENSSL_NO_TLSEXT 988 /* TLS extensions*/ 989 if (s->version >= SSL3_VERSION) 990 { 991 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 992 { 993 /* 'al' set by ssl_parse_clienthello_tlsext */ 994 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 995 goto f_err; 996 } 997 } 998 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 999 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1000 goto err; 1001 } 1002#endif 1003 /* Worst case, we will use the NULL compression, but if we have other 1004 * options, we will now look for them. We have i-1 compression 1005 * algorithms from the client, starting at q. */ 1006 s->s3->tmp.new_compression=NULL; 1007#ifndef OPENSSL_NO_COMP 1008 if (s->ctx->comp_methods != NULL) 1009 { /* See if we have a match */ 1010 int m,nn,o,v,done=0; 1011 1012 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1013 for (m=0; m<nn; m++) 1014 { 1015 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1016 v=comp->id; 1017 for (o=0; o<i; o++) 1018 { 1019 if (v == q[o]) 1020 { 1021 done=1; 1022 break; 1023 } 1024 } 1025 if (done) break; 1026 } 1027 if (done) 1028 s->s3->tmp.new_compression=comp; 1029 else 1030 comp=NULL; 1031 } 1032#endif 1033 1034 /* TLS does not mind if there is extra stuff */ 1035#if 0 /* SSL 3.0 does not mind either, so we should disable this test 1036 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1037 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ 1038 if (s->version == SSL3_VERSION) 1039 { 1040 if (p < (d+n)) 1041 { 1042 /* wrong number of bytes, 1043 * there could be more to follow */ 1044 al=SSL_AD_DECODE_ERROR; 1045 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1046 goto f_err; 1047 } 1048 } 1049#endif 1050 1051 /* Given s->session->ciphers and SSL_get_ciphers, we must 1052 * pick a cipher */ 1053 1054 if (!s->hit) 1055 { 1056#ifdef OPENSSL_NO_COMP 1057 s->session->compress_meth=0; 1058#else 1059 s->session->compress_meth=(comp == NULL)?0:comp->id; 1060#endif 1061 if (s->session->ciphers != NULL) 1062 sk_SSL_CIPHER_free(s->session->ciphers); 1063 s->session->ciphers=ciphers; 1064 if (ciphers == NULL) 1065 { 1066 al=SSL_AD_ILLEGAL_PARAMETER; 1067 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 1068 goto f_err; 1069 } 1070 ciphers=NULL; 1071 c=ssl3_choose_cipher(s,s->session->ciphers, 1072 SSL_get_ciphers(s)); 1073 1074 if (c == NULL) 1075 { 1076 al=SSL_AD_HANDSHAKE_FAILURE; 1077 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1078 goto f_err; 1079 } 1080 s->s3->tmp.new_cipher=c; 1081 } 1082 else 1083 { 1084 /* Session-id reuse */ 1085#ifdef REUSE_CIPHER_BUG 1086 STACK_OF(SSL_CIPHER) *sk; 1087 SSL_CIPHER *nc=NULL; 1088 SSL_CIPHER *ec=NULL; 1089 1090 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1091 { 1092 sk=s->session->ciphers; 1093 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1094 { 1095 c=sk_SSL_CIPHER_value(sk,i); 1096 if (c->algorithms & SSL_eNULL) 1097 nc=c; 1098 if (SSL_C_IS_EXPORT(c)) 1099 ec=c; 1100 } 1101 if (nc != NULL) 1102 s->s3->tmp.new_cipher=nc; 1103 else if (ec != NULL) 1104 s->s3->tmp.new_cipher=ec; 1105 else 1106 s->s3->tmp.new_cipher=s->session->cipher; 1107 } 1108 else 1109#endif 1110 s->s3->tmp.new_cipher=s->session->cipher; 1111 } 1112 1113 /* we now have the following setup. 1114 * client_random 1115 * cipher_list - our prefered list of ciphers 1116 * ciphers - the clients prefered list of ciphers 1117 * compression - basically ignored right now 1118 * ssl version is set - sslv3 1119 * s->session - The ssl session has been setup. 1120 * s->hit - session reuse flag 1121 * s->tmp.new_cipher - the new cipher to use. 1122 */ 1123 1124#ifndef OPENSSL_NO_TLSEXT 1125 /* Handles TLS extensions that we couldn't check earlier */ 1126 if (s->version >= SSL3_VERSION) 1127 { 1128 if (ssl_check_clienthello_tlsext_late(s) <= 0) 1129 { 1130 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1131 goto err; 1132 } 1133 } 1134#endif 1135 1136 if (ret < 0) ret=1; 1137 if (0) 1138 { 1139f_err: 1140 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1141 } 1142err: 1143 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1144 return(ret); 1145 } 1146 1147int ssl3_send_server_hello(SSL *s) 1148 { 1149 unsigned char *buf; 1150 unsigned char *p,*d; 1151 int i,sl; 1152 unsigned long l,Time; 1153 1154 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1155 { 1156 buf=(unsigned char *)s->init_buf->data; 1157 p=s->s3->server_random; 1158 Time=(unsigned long)time(NULL); /* Time */ 1159 l2n(Time,p); 1160 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1161 return -1; 1162 /* Do the message type and length last */ 1163 d=p= &(buf[4]); 1164 1165 *(p++)=s->version>>8; 1166 *(p++)=s->version&0xff; 1167 1168 /* Random stuff */ 1169 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1170 p+=SSL3_RANDOM_SIZE; 1171 1172 /* now in theory we have 3 options to sending back the 1173 * session id. If it is a re-use, we send back the 1174 * old session-id, if it is a new session, we send 1175 * back the new session-id or we send back a 0 length 1176 * session-id if we want it to be single use. 1177 * Currently I will not implement the '0' length session-id 1178 * 12-Jan-98 - I'll now support the '0' length stuff. 1179 * 1180 * We also have an additional case where stateless session 1181 * resumption is successful: we always send back the old 1182 * session id. In this case s->hit is non zero: this can 1183 * only happen if stateless session resumption is succesful 1184 * if session caching is disabled so existing functionality 1185 * is unaffected. 1186 */ 1187 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1188 && !s->hit) 1189 s->session->session_id_length=0; 1190 1191 sl=s->session->session_id_length; 1192 if (sl > (int)sizeof(s->session->session_id)) 1193 { 1194 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1195 return -1; 1196 } 1197 *(p++)=sl; 1198 memcpy(p,s->session->session_id,sl); 1199 p+=sl; 1200 1201 /* put the cipher */ 1202 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1203 p+=i; 1204 1205 /* put the compression method */ 1206#ifdef OPENSSL_NO_COMP 1207 *(p++)=0; 1208#else 1209 if (s->s3->tmp.new_compression == NULL) 1210 *(p++)=0; 1211 else 1212 *(p++)=s->s3->tmp.new_compression->id; 1213#endif 1214#ifndef OPENSSL_NO_TLSEXT 1215 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1216 { 1217 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1218 return -1; 1219 } 1220#endif 1221 /* do the header */ 1222 l=(p-d); 1223 d=buf; 1224 *(d++)=SSL3_MT_SERVER_HELLO; 1225 l2n3(l,d); 1226 1227 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1228 /* number of bytes to write */ 1229 s->init_num=p-buf; 1230 s->init_off=0; 1231 } 1232 1233 /* SSL3_ST_SW_SRVR_HELLO_B */ 1234 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1235 } 1236 1237int ssl3_send_server_done(SSL *s) 1238 { 1239 unsigned char *p; 1240 1241 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1242 { 1243 p=(unsigned char *)s->init_buf->data; 1244 1245 /* do the header */ 1246 *(p++)=SSL3_MT_SERVER_DONE; 1247 *(p++)=0; 1248 *(p++)=0; 1249 *(p++)=0; 1250 1251 s->state=SSL3_ST_SW_SRVR_DONE_B; 1252 /* number of bytes to write */ 1253 s->init_num=4; 1254 s->init_off=0; 1255 } 1256 1257 /* SSL3_ST_SW_SRVR_DONE_B */ 1258 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1259 } 1260 1261int ssl3_send_server_key_exchange(SSL *s) 1262 { 1263#ifndef OPENSSL_NO_RSA 1264 unsigned char *q; 1265 int j,num; 1266 RSA *rsa; 1267 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1268 unsigned int u; 1269#endif 1270#ifndef OPENSSL_NO_DH 1271 DH *dh=NULL,*dhp; 1272#endif 1273#ifndef OPENSSL_NO_ECDH 1274 EC_KEY *ecdh=NULL, *ecdhp; 1275 unsigned char *encodedPoint = NULL; 1276 int encodedlen = 0; 1277 int curve_id = 0; 1278 BN_CTX *bn_ctx = NULL; 1279#endif 1280 EVP_PKEY *pkey; 1281 unsigned char *p,*d; 1282 int al,i; 1283 unsigned long type; 1284 int n; 1285 CERT *cert; 1286 BIGNUM *r[4]; 1287 int nr[4],kn; 1288 BUF_MEM *buf; 1289 EVP_MD_CTX md_ctx; 1290 1291 EVP_MD_CTX_init(&md_ctx); 1292 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1293 { 1294 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1295 cert=s->cert; 1296 1297 buf=s->init_buf; 1298 1299 r[0]=r[1]=r[2]=r[3]=NULL; 1300 n=0; 1301#ifndef OPENSSL_NO_RSA 1302 if (type & SSL_kRSA) 1303 { 1304 rsa=cert->rsa_tmp; 1305 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1306 { 1307 rsa=s->cert->rsa_tmp_cb(s, 1308 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1309 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1310 if(rsa == NULL) 1311 { 1312 al=SSL_AD_HANDSHAKE_FAILURE; 1313 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1314 goto f_err; 1315 } 1316 RSA_up_ref(rsa); 1317 cert->rsa_tmp=rsa; 1318 } 1319 if (rsa == NULL) 1320 { 1321 al=SSL_AD_HANDSHAKE_FAILURE; 1322 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1323 goto f_err; 1324 } 1325 r[0]=rsa->n; 1326 r[1]=rsa->e; 1327 s->s3->tmp.use_rsa_tmp=1; 1328 } 1329 else 1330#endif 1331#ifndef OPENSSL_NO_DH 1332 if (type & SSL_kEDH) 1333 { 1334 dhp=cert->dh_tmp; 1335 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1336 dhp=s->cert->dh_tmp_cb(s, 1337 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1338 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1339 if (dhp == NULL) 1340 { 1341 al=SSL_AD_HANDSHAKE_FAILURE; 1342 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1343 goto f_err; 1344 } 1345 1346 if (s->s3->tmp.dh != NULL) 1347 { 1348 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1349 goto err; 1350 } 1351 1352 if ((dh=DHparams_dup(dhp)) == NULL) 1353 { 1354 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1355 goto err; 1356 } 1357 1358 s->s3->tmp.dh=dh; 1359 if ((dhp->pub_key == NULL || 1360 dhp->priv_key == NULL || 1361 (s->options & SSL_OP_SINGLE_DH_USE))) 1362 { 1363 if(!DH_generate_key(dh)) 1364 { 1365 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1366 ERR_R_DH_LIB); 1367 goto err; 1368 } 1369 } 1370 else 1371 { 1372 dh->pub_key=BN_dup(dhp->pub_key); 1373 dh->priv_key=BN_dup(dhp->priv_key); 1374 if ((dh->pub_key == NULL) || 1375 (dh->priv_key == NULL)) 1376 { 1377 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1378 goto err; 1379 } 1380 } 1381 r[0]=dh->p; 1382 r[1]=dh->g; 1383 r[2]=dh->pub_key; 1384 } 1385 else 1386#endif 1387#ifndef OPENSSL_NO_ECDH 1388 if (type & SSL_kECDHE) 1389 { 1390 const EC_GROUP *group; 1391 1392 ecdhp=cert->ecdh_tmp; 1393 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1394 { 1395 ecdhp=s->cert->ecdh_tmp_cb(s, 1396 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1397 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1398 } 1399 if (ecdhp == NULL) 1400 { 1401 al=SSL_AD_HANDSHAKE_FAILURE; 1402 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1403 goto f_err; 1404 } 1405 1406 if (s->s3->tmp.ecdh != NULL) 1407 { 1408 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1409 goto err; 1410 } 1411 1412 /* Duplicate the ECDH structure. */ 1413 if (ecdhp == NULL) 1414 { 1415 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1416 goto err; 1417 } 1418 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1419 { 1420 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1421 goto err; 1422 } 1423 1424 s->s3->tmp.ecdh=ecdh; 1425 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1426 (EC_KEY_get0_private_key(ecdh) == NULL) || 1427 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1428 { 1429 if(!EC_KEY_generate_key(ecdh)) 1430 { 1431 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1432 goto err; 1433 } 1434 } 1435 1436 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1437 (EC_KEY_get0_public_key(ecdh) == NULL) || 1438 (EC_KEY_get0_private_key(ecdh) == NULL)) 1439 { 1440 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1441 goto err; 1442 } 1443 1444 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1445 (EC_GROUP_get_degree(group) > 163)) 1446 { 1447 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1448 goto err; 1449 } 1450 1451 /* XXX: For now, we only support ephemeral ECDH 1452 * keys over named (not generic) curves. For 1453 * supported named curves, curve_id is non-zero. 1454 */ 1455 if ((curve_id = 1456 nid2curve_id(EC_GROUP_get_curve_name(group))) 1457 == 0) 1458 { 1459 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1460 goto err; 1461 } 1462 1463 /* Encode the public key. 1464 * First check the size of encoding and 1465 * allocate memory accordingly. 1466 */ 1467 encodedlen = EC_POINT_point2oct(group, 1468 EC_KEY_get0_public_key(ecdh), 1469 POINT_CONVERSION_UNCOMPRESSED, 1470 NULL, 0, NULL); 1471 1472 encodedPoint = (unsigned char *) 1473 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1474 bn_ctx = BN_CTX_new(); 1475 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1476 { 1477 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1478 goto err; 1479 } 1480 1481 1482 encodedlen = EC_POINT_point2oct(group, 1483 EC_KEY_get0_public_key(ecdh), 1484 POINT_CONVERSION_UNCOMPRESSED, 1485 encodedPoint, encodedlen, bn_ctx); 1486 1487 if (encodedlen == 0) 1488 { 1489 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1490 goto err; 1491 } 1492 1493 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1494 1495 /* XXX: For now, we only support named (not 1496 * generic) curves in ECDH ephemeral key exchanges. 1497 * In this situation, we need four additional bytes 1498 * to encode the entire ServerECDHParams 1499 * structure. 1500 */ 1501 n = 4 + encodedlen; 1502 1503 /* We'll generate the serverKeyExchange message 1504 * explicitly so we can set these to NULLs 1505 */ 1506 r[0]=NULL; 1507 r[1]=NULL; 1508 r[2]=NULL; 1509 r[3]=NULL; 1510 } 1511 else 1512#endif /* !OPENSSL_NO_ECDH */ 1513 { 1514 al=SSL_AD_HANDSHAKE_FAILURE; 1515 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1516 goto f_err; 1517 } 1518 for (i=0; r[i] != NULL; i++) 1519 { 1520 nr[i]=BN_num_bytes(r[i]); 1521 n+=2+nr[i]; 1522 } 1523 1524 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1525 { 1526 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1527 == NULL) 1528 { 1529 al=SSL_AD_DECODE_ERROR; 1530 goto f_err; 1531 } 1532 kn=EVP_PKEY_size(pkey); 1533 } 1534 else 1535 { 1536 pkey=NULL; 1537 kn=0; 1538 } 1539 1540 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1541 { 1542 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1543 goto err; 1544 } 1545 d=(unsigned char *)s->init_buf->data; 1546 p= &(d[4]); 1547 1548 for (i=0; r[i] != NULL; i++) 1549 { 1550 s2n(nr[i],p); 1551 BN_bn2bin(r[i],p); 1552 p+=nr[i]; 1553 } 1554 1555#ifndef OPENSSL_NO_ECDH 1556 if (type & SSL_kECDHE) 1557 { 1558 /* XXX: For now, we only support named (not generic) curves. 1559 * In this situation, the serverKeyExchange message has: 1560 * [1 byte CurveType], [2 byte CurveName] 1561 * [1 byte length of encoded point], followed by 1562 * the actual encoded point itself 1563 */ 1564 *p = NAMED_CURVE_TYPE; 1565 p += 1; 1566 *p = 0; 1567 p += 1; 1568 *p = curve_id; 1569 p += 1; 1570 *p = encodedlen; 1571 p += 1; 1572 memcpy((unsigned char*)p, 1573 (unsigned char *)encodedPoint, 1574 encodedlen); 1575 OPENSSL_free(encodedPoint); 1576 encodedPoint = NULL; 1577 p += encodedlen; 1578 } 1579#endif 1580 1581 /* not anonymous */ 1582 if (pkey != NULL) 1583 { 1584 /* n is the length of the params, they start at &(d[4]) 1585 * and p points to the space at the end. */ 1586#ifndef OPENSSL_NO_RSA 1587 if (pkey->type == EVP_PKEY_RSA) 1588 { 1589 q=md_buf; 1590 j=0; 1591 for (num=2; num > 0; num--) 1592 { 1593 EVP_MD_CTX_set_flags(&md_ctx, 1594 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1595 EVP_DigestInit_ex(&md_ctx,(num == 2) 1596 ?s->ctx->md5:s->ctx->sha1, NULL); 1597 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1598 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1599 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1600 EVP_DigestFinal_ex(&md_ctx,q, 1601 (unsigned int *)&i); 1602 q+=i; 1603 j+=i; 1604 } 1605 if (RSA_sign(NID_md5_sha1, md_buf, j, 1606 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1607 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1609 goto err; 1610 } 1611 s2n(u,p); 1612 n+=u+2; 1613 } 1614 else 1615#endif 1616#if !defined(OPENSSL_NO_DSA) 1617 if (pkey->type == EVP_PKEY_DSA) 1618 { 1619 /* lets do DSS */ 1620 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1621 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1622 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1623 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1624 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1625 (unsigned int *)&i,pkey)) 1626 { 1627 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1628 goto err; 1629 } 1630 s2n(i,p); 1631 n+=i+2; 1632 } 1633 else 1634#endif 1635#if !defined(OPENSSL_NO_ECDSA) 1636 if (pkey->type == EVP_PKEY_EC) 1637 { 1638 /* let's do ECDSA */ 1639 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1640 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1641 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1642 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1643 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1644 (unsigned int *)&i,pkey)) 1645 { 1646 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1647 goto err; 1648 } 1649 s2n(i,p); 1650 n+=i+2; 1651 } 1652 else 1653#endif 1654 { 1655 /* Is this error check actually needed? */ 1656 al=SSL_AD_HANDSHAKE_FAILURE; 1657 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1658 goto f_err; 1659 } 1660 } 1661 1662 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1663 l2n3(n,d); 1664 1665 /* we should now have things packed up, so lets send 1666 * it off */ 1667 s->init_num=n+4; 1668 s->init_off=0; 1669 } 1670 1671 s->state = SSL3_ST_SW_KEY_EXCH_B; 1672 EVP_MD_CTX_cleanup(&md_ctx); 1673 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1674f_err: 1675 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1676err: 1677#ifndef OPENSSL_NO_ECDH 1678 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1679 BN_CTX_free(bn_ctx); 1680#endif 1681 EVP_MD_CTX_cleanup(&md_ctx); 1682 return(-1); 1683 } 1684 1685int ssl3_send_certificate_request(SSL *s) 1686 { 1687 unsigned char *p,*d; 1688 int i,j,nl,off,n; 1689 STACK_OF(X509_NAME) *sk=NULL; 1690 X509_NAME *name; 1691 BUF_MEM *buf; 1692 1693 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1694 { 1695 buf=s->init_buf; 1696 1697 d=p=(unsigned char *)&(buf->data[4]); 1698 1699 /* get the list of acceptable cert types */ 1700 p++; 1701 n=ssl3_get_req_cert_type(s,p); 1702 d[0]=n; 1703 p+=n; 1704 n++; 1705 1706 off=n; 1707 p+=2; 1708 n+=2; 1709 1710 sk=SSL_get_client_CA_list(s); 1711 nl=0; 1712 if (sk != NULL) 1713 { 1714 for (i=0; i<sk_X509_NAME_num(sk); i++) 1715 { 1716 name=sk_X509_NAME_value(sk,i); 1717 j=i2d_X509_NAME(name,NULL); 1718 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1719 { 1720 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1721 goto err; 1722 } 1723 p=(unsigned char *)&(buf->data[4+n]); 1724 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1725 { 1726 s2n(j,p); 1727 i2d_X509_NAME(name,&p); 1728 n+=2+j; 1729 nl+=2+j; 1730 } 1731 else 1732 { 1733 d=p; 1734 i2d_X509_NAME(name,&p); 1735 j-=2; s2n(j,d); j+=2; 1736 n+=j; 1737 nl+=j; 1738 } 1739 } 1740 } 1741 /* else no CA names */ 1742 p=(unsigned char *)&(buf->data[4+off]); 1743 s2n(nl,p); 1744 1745 d=(unsigned char *)buf->data; 1746 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1747 l2n3(n,d); 1748 1749 /* we should now have things packed up, so lets send 1750 * it off */ 1751 1752 s->init_num=n+4; 1753 s->init_off=0; 1754#ifdef NETSCAPE_HANG_BUG 1755 if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) 1756 { 1757 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1758 goto err; 1759 } 1760 p=(unsigned char *)s->init_buf->data + s->init_num; 1761 1762 /* do the header */ 1763 *(p++)=SSL3_MT_SERVER_DONE; 1764 *(p++)=0; 1765 *(p++)=0; 1766 *(p++)=0; 1767 s->init_num += 4; 1768#endif 1769 1770 s->state = SSL3_ST_SW_CERT_REQ_B; 1771 } 1772 1773 /* SSL3_ST_SW_CERT_REQ_B */ 1774 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1775err: 1776 return(-1); 1777 } 1778 1779int ssl3_get_client_key_exchange(SSL *s) 1780 { 1781 int i,al,ok; 1782 long n; 1783 unsigned long l; 1784 unsigned char *p; 1785#ifndef OPENSSL_NO_RSA 1786 RSA *rsa=NULL; 1787 EVP_PKEY *pkey=NULL; 1788#endif 1789#ifndef OPENSSL_NO_DH 1790 BIGNUM *pub=NULL; 1791 DH *dh_srvr; 1792#endif 1793#ifndef OPENSSL_NO_KRB5 1794 KSSL_ERR kssl_err; 1795#endif /* OPENSSL_NO_KRB5 */ 1796 1797#ifndef OPENSSL_NO_ECDH 1798 EC_KEY *srvr_ecdh = NULL; 1799 EVP_PKEY *clnt_pub_pkey = NULL; 1800 EC_POINT *clnt_ecpoint = NULL; 1801 BN_CTX *bn_ctx = NULL; 1802#endif 1803 1804 n=s->method->ssl_get_message(s, 1805 SSL3_ST_SR_KEY_EXCH_A, 1806 SSL3_ST_SR_KEY_EXCH_B, 1807 SSL3_MT_CLIENT_KEY_EXCHANGE, 1808 2048, /* ??? */ 1809 &ok); 1810 1811 if (!ok) return((int)n); 1812 p=(unsigned char *)s->init_msg; 1813 1814 l=s->s3->tmp.new_cipher->algorithms; 1815 1816#ifndef OPENSSL_NO_RSA 1817 if (l & SSL_kRSA) 1818 { 1819 /* FIX THIS UP EAY EAY EAY EAY */ 1820 if (s->s3->tmp.use_rsa_tmp) 1821 { 1822 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1823 rsa=s->cert->rsa_tmp; 1824 /* Don't do a callback because rsa_tmp should 1825 * be sent already */ 1826 if (rsa == NULL) 1827 { 1828 al=SSL_AD_HANDSHAKE_FAILURE; 1829 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 1830 goto f_err; 1831 1832 } 1833 } 1834 else 1835 { 1836 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 1837 if ( (pkey == NULL) || 1838 (pkey->type != EVP_PKEY_RSA) || 1839 (pkey->pkey.rsa == NULL)) 1840 { 1841 al=SSL_AD_HANDSHAKE_FAILURE; 1842 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 1843 goto f_err; 1844 } 1845 rsa=pkey->pkey.rsa; 1846 } 1847 1848 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 1849 if (s->version > SSL3_VERSION && 1850 s->client_version != DTLS1_BAD_VER) 1851 { 1852 n2s(p,i); 1853 if (n != i+2) 1854 { 1855 if (!(s->options & SSL_OP_TLS_D5_BUG)) 1856 { 1857 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 1858 goto err; 1859 } 1860 else 1861 p-=2; 1862 } 1863 else 1864 n=i; 1865 } 1866 1867 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1868 1869 al = -1; 1870 1871 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1872 { 1873 al=SSL_AD_DECODE_ERROR; 1874 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 1875 } 1876 1877 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 1878 { 1879 /* The premaster secret must contain the same version number as the 1880 * ClientHello to detect version rollback attacks (strangely, the 1881 * protocol does not offer such protection for DH ciphersuites). 1882 * However, buggy clients exist that send the negotiated protocol 1883 * version instead if the server does not support the requested 1884 * protocol version. 1885 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1886 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1887 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1888 { 1889 al=SSL_AD_DECODE_ERROR; 1890 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 1891 1892 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 1893 * (http://eprint.iacr.org/2003/052/) exploits the version 1894 * number check as a "bad version oracle" -- an alert would 1895 * reveal that the plaintext corresponding to some ciphertext 1896 * made up by the adversary is properly formatted except 1897 * that the version number is wrong. To avoid such attacks, 1898 * we should treat this just like any other decryption error. */ 1899 } 1900 } 1901 1902 if (al != -1) 1903 { 1904 /* Some decryption failure -- use random value instead as countermeasure 1905 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 1906 * (see RFC 2246, section 7.4.7.1). */ 1907 ERR_clear_error(); 1908 i = SSL_MAX_MASTER_KEY_LENGTH; 1909 p[0] = s->client_version >> 8; 1910 p[1] = s->client_version & 0xff; 1911 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 1912 goto err; 1913 } 1914 1915 s->session->master_key_length= 1916 s->method->ssl3_enc->generate_master_secret(s, 1917 s->session->master_key, 1918 p,i); 1919 OPENSSL_cleanse(p,i); 1920 } 1921 else 1922#endif 1923#ifndef OPENSSL_NO_DH 1924 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1925 { 1926 n2s(p,i); 1927 if (n != i+2) 1928 { 1929 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 1930 { 1931 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 1932 goto err; 1933 } 1934 else 1935 { 1936 p-=2; 1937 i=(int)n; 1938 } 1939 } 1940 1941 if (n == 0L) /* the parameters are in the cert */ 1942 { 1943 al=SSL_AD_HANDSHAKE_FAILURE; 1944 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 1945 goto f_err; 1946 } 1947 else 1948 { 1949 if (s->s3->tmp.dh == NULL) 1950 { 1951 al=SSL_AD_HANDSHAKE_FAILURE; 1952 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1953 goto f_err; 1954 } 1955 else 1956 dh_srvr=s->s3->tmp.dh; 1957 } 1958 1959 pub=BN_bin2bn(p,i,NULL); 1960 if (pub == NULL) 1961 { 1962 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 1963 goto err; 1964 } 1965 1966 i=DH_compute_key(p,pub,dh_srvr); 1967 1968 if (i <= 0) 1969 { 1970 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1971 BN_clear_free(pub); 1972 goto err; 1973 } 1974 1975 DH_free(s->s3->tmp.dh); 1976 s->s3->tmp.dh=NULL; 1977 1978 BN_clear_free(pub); 1979 pub=NULL; 1980 s->session->master_key_length= 1981 s->method->ssl3_enc->generate_master_secret(s, 1982 s->session->master_key,p,i); 1983 OPENSSL_cleanse(p,i); 1984 } 1985 else 1986#endif 1987#ifndef OPENSSL_NO_KRB5 1988 if (l & SSL_kKRB5) 1989 { 1990 krb5_error_code krb5rc; 1991 krb5_data enc_ticket; 1992 krb5_data authenticator; 1993 krb5_data enc_pms; 1994 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1995 EVP_CIPHER_CTX ciph_ctx; 1996 EVP_CIPHER *enc = NULL; 1997 unsigned char iv[EVP_MAX_IV_LENGTH]; 1998 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 1999 + EVP_MAX_BLOCK_LENGTH]; 2000 int padl, outl; 2001 krb5_timestamp authtime = 0; 2002 krb5_ticket_times ttimes; 2003 2004 EVP_CIPHER_CTX_init(&ciph_ctx); 2005 2006 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2007 2008 n2s(p,i); 2009 enc_ticket.length = i; 2010 2011 if (n < (int)enc_ticket.length + 6) 2012 { 2013 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2014 SSL_R_DATA_LENGTH_TOO_LONG); 2015 goto err; 2016 } 2017 2018 enc_ticket.data = (char *)p; 2019 p+=enc_ticket.length; 2020 2021 n2s(p,i); 2022 authenticator.length = i; 2023 2024 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2025 { 2026 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2027 SSL_R_DATA_LENGTH_TOO_LONG); 2028 goto err; 2029 } 2030 2031 authenticator.data = (char *)p; 2032 p+=authenticator.length; 2033 2034 n2s(p,i); 2035 enc_pms.length = i; 2036 enc_pms.data = (char *)p; 2037 p+=enc_pms.length; 2038 2039 /* Note that the length is checked again below, 2040 ** after decryption 2041 */ 2042 if(enc_pms.length > sizeof pms) 2043 { 2044 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2045 SSL_R_DATA_LENGTH_TOO_LONG); 2046 goto err; 2047 } 2048 2049 if (n != (long)(enc_ticket.length + authenticator.length + 2050 enc_pms.length + 6)) 2051 { 2052 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2053 SSL_R_DATA_LENGTH_TOO_LONG); 2054 goto err; 2055 } 2056 2057 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2058 &kssl_err)) != 0) 2059 { 2060#ifdef KSSL_DEBUG 2061 printf("kssl_sget_tkt rtn %d [%d]\n", 2062 krb5rc, kssl_err.reason); 2063 if (kssl_err.text) 2064 printf("kssl_err text= %s\n", kssl_err.text); 2065#endif /* KSSL_DEBUG */ 2066 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2067 kssl_err.reason); 2068 goto err; 2069 } 2070 2071 /* Note: no authenticator is not considered an error, 2072 ** but will return authtime == 0. 2073 */ 2074 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2075 &authtime, &kssl_err)) != 0) 2076 { 2077#ifdef KSSL_DEBUG 2078 printf("kssl_check_authent rtn %d [%d]\n", 2079 krb5rc, kssl_err.reason); 2080 if (kssl_err.text) 2081 printf("kssl_err text= %s\n", kssl_err.text); 2082#endif /* KSSL_DEBUG */ 2083 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2084 kssl_err.reason); 2085 goto err; 2086 } 2087 2088 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2089 { 2090 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2091 goto err; 2092 } 2093 2094#ifdef KSSL_DEBUG 2095 kssl_ctx_show(kssl_ctx); 2096#endif /* KSSL_DEBUG */ 2097 2098 enc = kssl_map_enc(kssl_ctx->enctype); 2099 if (enc == NULL) 2100 goto err; 2101 2102 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2103 2104 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2105 { 2106 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2107 SSL_R_DECRYPTION_FAILED); 2108 goto err; 2109 } 2110 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2111 (unsigned char *)enc_pms.data, enc_pms.length)) 2112 { 2113 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2114 SSL_R_DECRYPTION_FAILED); 2115 goto err; 2116 } 2117 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2118 { 2119 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2120 SSL_R_DATA_LENGTH_TOO_LONG); 2121 goto err; 2122 } 2123 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2124 { 2125 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2126 SSL_R_DECRYPTION_FAILED); 2127 goto err; 2128 } 2129 outl += padl; 2130 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2131 { 2132 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2133 SSL_R_DATA_LENGTH_TOO_LONG); 2134 goto err; 2135 } 2136 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2137 { 2138 /* The premaster secret must contain the same version number as the 2139 * ClientHello to detect version rollback attacks (strangely, the 2140 * protocol does not offer such protection for DH ciphersuites). 2141 * However, buggy clients exist that send random bytes instead of 2142 * the protocol version. 2143 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2144 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2145 */ 2146 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2147 { 2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2149 SSL_AD_DECODE_ERROR); 2150 goto err; 2151 } 2152 } 2153 2154 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2155 2156 s->session->master_key_length= 2157 s->method->ssl3_enc->generate_master_secret(s, 2158 s->session->master_key, pms, outl); 2159 2160 if (kssl_ctx->client_princ) 2161 { 2162 size_t len = strlen(kssl_ctx->client_princ); 2163 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2164 { 2165 s->session->krb5_client_princ_len = len; 2166 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2167 } 2168 } 2169 2170 2171 /* Was doing kssl_ctx_free() here, 2172 ** but it caused problems for apache. 2173 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2174 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2175 */ 2176 } 2177 else 2178#endif /* OPENSSL_NO_KRB5 */ 2179 2180#ifndef OPENSSL_NO_ECDH 2181 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2182 { 2183 int ret = 1; 2184 int field_size = 0; 2185 const EC_KEY *tkey; 2186 const EC_GROUP *group; 2187 const BIGNUM *priv_key; 2188 2189 /* initialize structures for server's ECDH key pair */ 2190 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2191 { 2192 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2193 ERR_R_MALLOC_FAILURE); 2194 goto err; 2195 } 2196 2197 /* Let's get server private key and group information */ 2198 if (l & SSL_kECDH) 2199 { 2200 /* use the certificate */ 2201 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2202 } 2203 else 2204 { 2205 /* use the ephermeral values we saved when 2206 * generating the ServerKeyExchange msg. 2207 */ 2208 tkey = s->s3->tmp.ecdh; 2209 } 2210 2211 group = EC_KEY_get0_group(tkey); 2212 priv_key = EC_KEY_get0_private_key(tkey); 2213 2214 if (!EC_KEY_set_group(srvr_ecdh, group) || 2215 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2216 { 2217 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2218 ERR_R_EC_LIB); 2219 goto err; 2220 } 2221 2222 /* Let's get client's public key */ 2223 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2224 { 2225 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2226 ERR_R_MALLOC_FAILURE); 2227 goto err; 2228 } 2229 2230 if (n == 0L) 2231 { 2232 /* Client Publickey was in Client Certificate */ 2233 2234 if (l & SSL_kECDHE) 2235 { 2236 al=SSL_AD_HANDSHAKE_FAILURE; 2237 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2238 goto f_err; 2239 } 2240 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2241 == NULL) || 2242 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2243 { 2244 /* XXX: For now, we do not support client 2245 * authentication using ECDH certificates 2246 * so this branch (n == 0L) of the code is 2247 * never executed. When that support is 2248 * added, we ought to ensure the key 2249 * received in the certificate is 2250 * authorized for key agreement. 2251 * ECDH_compute_key implicitly checks that 2252 * the two ECDH shares are for the same 2253 * group. 2254 */ 2255 al=SSL_AD_HANDSHAKE_FAILURE; 2256 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2257 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2258 goto f_err; 2259 } 2260 2261 if (EC_POINT_copy(clnt_ecpoint, 2262 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2263 { 2264 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2265 ERR_R_EC_LIB); 2266 goto err; 2267 } 2268 ret = 2; /* Skip certificate verify processing */ 2269 } 2270 else 2271 { 2272 /* Get client's public key from encoded point 2273 * in the ClientKeyExchange message. 2274 */ 2275 if ((bn_ctx = BN_CTX_new()) == NULL) 2276 { 2277 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2278 ERR_R_MALLOC_FAILURE); 2279 goto err; 2280 } 2281 2282 /* Get encoded point length */ 2283 i = *p; 2284 p += 1; 2285 if (n != 1 + i) 2286 { 2287 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2288 ERR_R_EC_LIB); 2289 goto err; 2290 } 2291 if (EC_POINT_oct2point(group, 2292 clnt_ecpoint, p, i, bn_ctx) == 0) 2293 { 2294 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2295 ERR_R_EC_LIB); 2296 goto err; 2297 } 2298 /* p is pointing to somewhere in the buffer 2299 * currently, so set it to the start 2300 */ 2301 p=(unsigned char *)s->init_buf->data; 2302 } 2303 2304 /* Compute the shared pre-master secret */ 2305 field_size = EC_GROUP_get_degree(group); 2306 if (field_size <= 0) 2307 { 2308 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2309 ERR_R_ECDH_LIB); 2310 goto err; 2311 } 2312 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2313 if (i <= 0) 2314 { 2315 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2316 ERR_R_ECDH_LIB); 2317 goto err; 2318 } 2319 2320 EVP_PKEY_free(clnt_pub_pkey); 2321 EC_POINT_free(clnt_ecpoint); 2322 if (srvr_ecdh != NULL) 2323 EC_KEY_free(srvr_ecdh); 2324 BN_CTX_free(bn_ctx); 2325 2326 /* Compute the master secret */ 2327 s->session->master_key_length = s->method->ssl3_enc-> \ 2328 generate_master_secret(s, s->session->master_key, p, i); 2329 2330 OPENSSL_cleanse(p, i); 2331 return (ret); 2332 } 2333 else 2334#endif 2335 { 2336 al=SSL_AD_HANDSHAKE_FAILURE; 2337 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2338 SSL_R_UNKNOWN_CIPHER_TYPE); 2339 goto f_err; 2340 } 2341 2342 return(1); 2343f_err: 2344 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2345#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2346err: 2347#endif 2348#ifndef OPENSSL_NO_ECDH 2349 EVP_PKEY_free(clnt_pub_pkey); 2350 EC_POINT_free(clnt_ecpoint); 2351 if (srvr_ecdh != NULL) 2352 EC_KEY_free(srvr_ecdh); 2353 BN_CTX_free(bn_ctx); 2354#endif 2355 return(-1); 2356 } 2357 2358int ssl3_get_cert_verify(SSL *s) 2359 { 2360 EVP_PKEY *pkey=NULL; 2361 unsigned char *p; 2362 int al,ok,ret=0; 2363 long n; 2364 int type=0,i,j; 2365 X509 *peer; 2366 2367 n=s->method->ssl_get_message(s, 2368 SSL3_ST_SR_CERT_VRFY_A, 2369 SSL3_ST_SR_CERT_VRFY_B, 2370 -1, 2371 514, /* 514? */ 2372 &ok); 2373 2374 if (!ok) return((int)n); 2375 2376 if (s->session->peer != NULL) 2377 { 2378 peer=s->session->peer; 2379 pkey=X509_get_pubkey(peer); 2380 type=X509_certificate_type(peer,pkey); 2381 } 2382 else 2383 { 2384 peer=NULL; 2385 pkey=NULL; 2386 } 2387 2388 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2389 { 2390 s->s3->tmp.reuse_message=1; 2391 if (peer != NULL) 2392 { 2393 al=SSL_AD_UNEXPECTED_MESSAGE; 2394 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2395 goto f_err; 2396 } 2397 ret=1; 2398 goto end; 2399 } 2400 2401 if (peer == NULL) 2402 { 2403 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2404 al=SSL_AD_UNEXPECTED_MESSAGE; 2405 goto f_err; 2406 } 2407 2408 if (!(type & EVP_PKT_SIGN)) 2409 { 2410 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2411 al=SSL_AD_ILLEGAL_PARAMETER; 2412 goto f_err; 2413 } 2414 2415 if (s->s3->change_cipher_spec) 2416 { 2417 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2418 al=SSL_AD_UNEXPECTED_MESSAGE; 2419 goto f_err; 2420 } 2421 2422 /* we now have a signature that we need to verify */ 2423 p=(unsigned char *)s->init_msg; 2424 n2s(p,i); 2425 n-=2; 2426 if (i > n) 2427 { 2428 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2429 al=SSL_AD_DECODE_ERROR; 2430 goto f_err; 2431 } 2432 2433 j=EVP_PKEY_size(pkey); 2434 if ((i > j) || (n > j) || (n <= 0)) 2435 { 2436 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 2437 al=SSL_AD_DECODE_ERROR; 2438 goto f_err; 2439 } 2440 2441#ifndef OPENSSL_NO_RSA 2442 if (pkey->type == EVP_PKEY_RSA) 2443 { 2444 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2445 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2446 pkey->pkey.rsa); 2447 if (i < 0) 2448 { 2449 al=SSL_AD_DECRYPT_ERROR; 2450 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 2451 goto f_err; 2452 } 2453 if (i == 0) 2454 { 2455 al=SSL_AD_DECRYPT_ERROR; 2456 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 2457 goto f_err; 2458 } 2459 } 2460 else 2461#endif 2462#ifndef OPENSSL_NO_DSA 2463 if (pkey->type == EVP_PKEY_DSA) 2464 { 2465 j=DSA_verify(pkey->save_type, 2466 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2467 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2468 if (j <= 0) 2469 { 2470 /* bad signature */ 2471 al=SSL_AD_DECRYPT_ERROR; 2472 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2473 goto f_err; 2474 } 2475 } 2476 else 2477#endif 2478#ifndef OPENSSL_NO_ECDSA 2479 if (pkey->type == EVP_PKEY_EC) 2480 { 2481 j=ECDSA_verify(pkey->save_type, 2482 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2483 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2484 if (j <= 0) 2485 { 2486 /* bad signature */ 2487 al=SSL_AD_DECRYPT_ERROR; 2488 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2489 SSL_R_BAD_ECDSA_SIGNATURE); 2490 goto f_err; 2491 } 2492 } 2493 else 2494#endif 2495 { 2496 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2497 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2498 goto f_err; 2499 } 2500 2501 2502 ret=1; 2503 if (0) 2504 { 2505f_err: 2506 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2507 } 2508end: 2509 EVP_PKEY_free(pkey); 2510 return(ret); 2511 } 2512 2513int ssl3_get_client_certificate(SSL *s) 2514 { 2515 int i,ok,al,ret= -1; 2516 X509 *x=NULL; 2517 unsigned long l,nc,llen,n; 2518 const unsigned char *p,*q; 2519 unsigned char *d; 2520 STACK_OF(X509) *sk=NULL; 2521 2522 n=s->method->ssl_get_message(s, 2523 SSL3_ST_SR_CERT_A, 2524 SSL3_ST_SR_CERT_B, 2525 -1, 2526 s->max_cert_list, 2527 &ok); 2528 2529 if (!ok) return((int)n); 2530 2531 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2532 { 2533 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2534 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2535 { 2536 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2537 al=SSL_AD_HANDSHAKE_FAILURE; 2538 goto f_err; 2539 } 2540 /* If tls asked for a client cert, the client must return a 0 list */ 2541 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2542 { 2543 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2544 al=SSL_AD_UNEXPECTED_MESSAGE; 2545 goto f_err; 2546 } 2547 s->s3->tmp.reuse_message=1; 2548 return(1); 2549 } 2550 2551 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2552 { 2553 al=SSL_AD_UNEXPECTED_MESSAGE; 2554 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 2555 goto f_err; 2556 } 2557 p=d=(unsigned char *)s->init_msg; 2558 2559 if ((sk=sk_X509_new_null()) == NULL) 2560 { 2561 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2562 goto err; 2563 } 2564 2565 n2l3(p,llen); 2566 if (llen+3 != n) 2567 { 2568 al=SSL_AD_DECODE_ERROR; 2569 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 2570 goto f_err; 2571 } 2572 for (nc=0; nc<llen; ) 2573 { 2574 n2l3(p,l); 2575 if ((l+nc+3) > llen) 2576 { 2577 al=SSL_AD_DECODE_ERROR; 2578 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2579 goto f_err; 2580 } 2581 2582 q=p; 2583 x=d2i_X509(NULL,&p,l); 2584 if (x == NULL) 2585 { 2586 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); 2587 goto err; 2588 } 2589 if (p != (q+l)) 2590 { 2591 al=SSL_AD_DECODE_ERROR; 2592 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2593 goto f_err; 2594 } 2595 if (!sk_X509_push(sk,x)) 2596 { 2597 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2598 goto err; 2599 } 2600 x=NULL; 2601 nc+=l+3; 2602 } 2603 2604 if (sk_X509_num(sk) <= 0) 2605 { 2606 /* TLS does not mind 0 certs returned */ 2607 if (s->version == SSL3_VERSION) 2608 { 2609 al=SSL_AD_HANDSHAKE_FAILURE; 2610 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); 2611 goto f_err; 2612 } 2613 /* Fail for TLS only if we required a certificate */ 2614 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2615 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2616 { 2617 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2618 al=SSL_AD_HANDSHAKE_FAILURE; 2619 goto f_err; 2620 } 2621 } 2622 else 2623 { 2624 i=ssl_verify_cert_chain(s,sk); 2625 if (i <= 0) 2626 { 2627 al=ssl_verify_alarm_type(s->verify_result); 2628 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); 2629 goto f_err; 2630 } 2631 } 2632 2633 if (s->session->peer != NULL) /* This should not be needed */ 2634 X509_free(s->session->peer); 2635 s->session->peer=sk_X509_shift(sk); 2636 s->session->verify_result = s->verify_result; 2637 2638 /* With the current implementation, sess_cert will always be NULL 2639 * when we arrive here. */ 2640 if (s->session->sess_cert == NULL) 2641 { 2642 s->session->sess_cert = ssl_sess_cert_new(); 2643 if (s->session->sess_cert == NULL) 2644 { 2645 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 2646 goto err; 2647 } 2648 } 2649 if (s->session->sess_cert->cert_chain != NULL) 2650 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2651 s->session->sess_cert->cert_chain=sk; 2652 /* Inconsistency alert: cert_chain does *not* include the 2653 * peer's own certificate, while we do include it in s3_clnt.c */ 2654 2655 sk=NULL; 2656 2657 ret=1; 2658 if (0) 2659 { 2660f_err: 2661 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2662 } 2663err: 2664 if (x != NULL) X509_free(x); 2665 if (sk != NULL) sk_X509_pop_free(sk,X509_free); 2666 return(ret); 2667 } 2668 2669int ssl3_send_server_certificate(SSL *s) 2670 { 2671 unsigned long l; 2672 X509 *x; 2673 2674 if (s->state == SSL3_ST_SW_CERT_A) 2675 { 2676 x=ssl_get_server_send_cert(s); 2677 if (x == NULL && 2678 /* VRS: allow null cert if auth == KRB5 */ 2679 (s->s3->tmp.new_cipher->algorithms 2680 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 2681 != (SSL_aKRB5|SSL_kKRB5)) 2682 { 2683 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 2684 return(0); 2685 } 2686 2687 l=ssl3_output_cert_chain(s,x); 2688 s->state=SSL3_ST_SW_CERT_B; 2689 s->init_num=(int)l; 2690 s->init_off=0; 2691 } 2692 2693 /* SSL3_ST_SW_CERT_B */ 2694 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2695 } 2696 2697 2698#ifndef OPENSSL_NO_ECDH 2699/* This is the complement of curve_id2nid in s3_clnt.c. */ 2700static int nid2curve_id(int nid) 2701{ 2702 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) 2703 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ 2704 switch (nid) { 2705 case NID_sect163k1: /* sect163k1 (1) */ 2706 return 1; 2707 case NID_sect163r1: /* sect163r1 (2) */ 2708 return 2; 2709 case NID_sect163r2: /* sect163r2 (3) */ 2710 return 3; 2711 case NID_sect193r1: /* sect193r1 (4) */ 2712 return 4; 2713 case NID_sect193r2: /* sect193r2 (5) */ 2714 return 5; 2715 case NID_sect233k1: /* sect233k1 (6) */ 2716 return 6; 2717 case NID_sect233r1: /* sect233r1 (7) */ 2718 return 7; 2719 case NID_sect239k1: /* sect239k1 (8) */ 2720 return 8; 2721 case NID_sect283k1: /* sect283k1 (9) */ 2722 return 9; 2723 case NID_sect283r1: /* sect283r1 (10) */ 2724 return 10; 2725 case NID_sect409k1: /* sect409k1 (11) */ 2726 return 11; 2727 case NID_sect409r1: /* sect409r1 (12) */ 2728 return 12; 2729 case NID_sect571k1: /* sect571k1 (13) */ 2730 return 13; 2731 case NID_sect571r1: /* sect571r1 (14) */ 2732 return 14; 2733 case NID_secp160k1: /* secp160k1 (15) */ 2734 return 15; 2735 case NID_secp160r1: /* secp160r1 (16) */ 2736 return 16; 2737 case NID_secp160r2: /* secp160r2 (17) */ 2738 return 17; 2739 case NID_secp192k1: /* secp192k1 (18) */ 2740 return 18; 2741 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 2742 return 19; 2743 case NID_secp224k1: /* secp224k1 (20) */ 2744 return 20; 2745 case NID_secp224r1: /* secp224r1 (21) */ 2746 return 21; 2747 case NID_secp256k1: /* secp256k1 (22) */ 2748 return 22; 2749 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 2750 return 23; 2751 case NID_secp384r1: /* secp384r1 (24) */ 2752 return 24; 2753 case NID_secp521r1: /* secp521r1 (25) */ 2754 return 25; 2755 default: 2756 return 0; 2757 } 2758} 2759#endif 2760#ifndef OPENSSL_NO_TLSEXT 2761int ssl3_send_newsession_ticket(SSL *s) 2762 { 2763 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 2764 { 2765 unsigned char *p, *senc, *macstart; 2766 int len, slen; 2767 unsigned int hlen; 2768 EVP_CIPHER_CTX ctx; 2769 HMAC_CTX hctx; 2770 SSL_CTX *tctx = s->initial_ctx; 2771 unsigned char iv[EVP_MAX_IV_LENGTH]; 2772 unsigned char key_name[16]; 2773 2774 /* get session encoding length */ 2775 slen = i2d_SSL_SESSION(s->session, NULL); 2776 /* Some length values are 16 bits, so forget it if session is 2777 * too long 2778 */ 2779 if (slen > 0xFF00) 2780 return -1; 2781 /* Grow buffer if need be: the length calculation is as 2782 * follows 1 (size of message name) + 3 (message length 2783 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 2784 * 16 (key name) + max_iv_len (iv length) + 2785 * session_length + max_enc_block_size (max encrypted session 2786 * length) + max_md_size (HMAC). 2787 */ 2788 if (!BUF_MEM_grow(s->init_buf, 2789 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 2790 EVP_MAX_MD_SIZE + slen)) 2791 return -1; 2792 senc = OPENSSL_malloc(slen); 2793 if (!senc) 2794 return -1; 2795 p = senc; 2796 i2d_SSL_SESSION(s->session, &p); 2797 2798 p=(unsigned char *)s->init_buf->data; 2799 /* do the header */ 2800 *(p++)=SSL3_MT_NEWSESSION_TICKET; 2801 /* Skip message length for now */ 2802 p += 3; 2803 EVP_CIPHER_CTX_init(&ctx); 2804 HMAC_CTX_init(&hctx); 2805 /* Initialize HMAC and cipher contexts. If callback present 2806 * it does all the work otherwise use generated values 2807 * from parent ctx. 2808 */ 2809 if (tctx->tlsext_ticket_key_cb) 2810 { 2811 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 2812 &hctx, 1) < 0) 2813 { 2814 OPENSSL_free(senc); 2815 return -1; 2816 } 2817 } 2818 else 2819 { 2820 RAND_pseudo_bytes(iv, 16); 2821 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2822 tctx->tlsext_tick_aes_key, iv); 2823 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2824 tlsext_tick_md(), NULL); 2825 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 2826 } 2827 l2n(s->session->tlsext_tick_lifetime_hint, p); 2828 /* Skip ticket length for now */ 2829 p += 2; 2830 /* Output key name */ 2831 macstart = p; 2832 memcpy(p, key_name, 16); 2833 p += 16; 2834 /* output IV */ 2835 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 2836 p += EVP_CIPHER_CTX_iv_length(&ctx); 2837 /* Encrypt session data */ 2838 EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 2839 p += len; 2840 EVP_EncryptFinal(&ctx, p, &len); 2841 p += len; 2842 EVP_CIPHER_CTX_cleanup(&ctx); 2843 2844 HMAC_Update(&hctx, macstart, p - macstart); 2845 HMAC_Final(&hctx, p, &hlen); 2846 HMAC_CTX_cleanup(&hctx); 2847 2848 p += hlen; 2849 /* Now write out lengths: p points to end of data written */ 2850 /* Total length */ 2851 len = p - (unsigned char *)s->init_buf->data; 2852 p=(unsigned char *)s->init_buf->data + 1; 2853 l2n3(len - 4, p); /* Message length */ 2854 p += 4; 2855 s2n(len - 10, p); /* Ticket length */ 2856 2857 /* number of bytes to write */ 2858 s->init_num= len; 2859 s->state=SSL3_ST_SW_SESSION_TICKET_B; 2860 s->init_off=0; 2861 OPENSSL_free(senc); 2862 } 2863 2864 /* SSL3_ST_SW_SESSION_TICKET_B */ 2865 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2866 } 2867 2868int ssl3_send_cert_status(SSL *s) 2869 { 2870 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 2871 { 2872 unsigned char *p; 2873 /* Grow buffer if need be: the length calculation is as 2874 * follows 1 (message type) + 3 (message length) + 2875 * 1 (ocsp response type) + 3 (ocsp response length) 2876 * + (ocsp response) 2877 */ 2878 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 2879 return -1; 2880 2881 p=(unsigned char *)s->init_buf->data; 2882 2883 /* do the header */ 2884 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 2885 /* message length */ 2886 l2n3(s->tlsext_ocsp_resplen + 4, p); 2887 /* status type */ 2888 *(p++)= s->tlsext_status_type; 2889 /* length of OCSP response */ 2890 l2n3(s->tlsext_ocsp_resplen, p); 2891 /* actual response */ 2892 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 2893 /* number of bytes to write */ 2894 s->init_num = 8 + s->tlsext_ocsp_resplen; 2895 s->state=SSL3_ST_SW_CERT_STATUS_B; 2896 s->init_off = 0; 2897 } 2898 2899 /* SSL3_ST_SW_CERT_STATUS_B */ 2900 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2901 } 2902#endif 2903