s3_srvr.c revision 284295
1/* ssl/s3_srvr.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125#define REUSE_CIPHER_BUG 126#define NETSCAPE_HANG_BUG 127 128#include <stdio.h> 129#include "ssl_locl.h" 130#include "kssl_lcl.h" 131#include "../crypto/constant_time_locl.h" 132#include <openssl/buffer.h> 133#include <openssl/rand.h> 134#include <openssl/objects.h> 135#include <openssl/evp.h> 136#include <openssl/hmac.h> 137#include <openssl/x509.h> 138#ifndef OPENSSL_NO_DH 139#include <openssl/dh.h> 140#endif 141#include <openssl/bn.h> 142#ifndef OPENSSL_NO_KRB5 143#include <openssl/krb5_asn.h> 144#endif 145#include <openssl/md5.h> 146 147static SSL_METHOD *ssl3_get_server_method(int ver); 148#ifndef OPENSSL_NO_ECDH 149static int nid2curve_id(int nid); 150#endif 151 152static SSL_METHOD *ssl3_get_server_method(int ver) 153 { 154 if (ver == SSL3_VERSION) 155 return(SSLv3_server_method()); 156 else 157 return(NULL); 158 } 159 160IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 161 ssl3_accept, 162 ssl_undefined_function, 163 ssl3_get_server_method) 164 165int ssl3_accept(SSL *s) 166 { 167 BUF_MEM *buf; 168 unsigned long l,Time=(unsigned long)time(NULL); 169 void (*cb)(const SSL *ssl,int type,int val)=NULL; 170 int ret= -1; 171 int new_state,state,skip=0; 172 173 RAND_add(&Time,sizeof(Time),0); 174 ERR_clear_error(); 175 clear_sys_error(); 176 177 if (s->info_callback != NULL) 178 cb=s->info_callback; 179 else if (s->ctx->info_callback != NULL) 180 cb=s->ctx->info_callback; 181 182 /* init things to blank */ 183 s->in_handshake++; 184 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 185 186 if (s->cert == NULL) 187 { 188 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 189 return(-1); 190 } 191 192 for (;;) 193 { 194 state=s->state; 195 196 switch (s->state) 197 { 198 case SSL_ST_RENEGOTIATE: 199 s->new_session=1; 200 /* s->state=SSL_ST_ACCEPT; */ 201 202 case SSL_ST_BEFORE: 203 case SSL_ST_ACCEPT: 204 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 205 case SSL_ST_OK|SSL_ST_ACCEPT: 206 207 s->server=1; 208 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 209 210 if ((s->version>>8) != 3) 211 { 212 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 213 return -1; 214 } 215 s->type=SSL_ST_ACCEPT; 216 217 if (s->init_buf == NULL) 218 { 219 if ((buf=BUF_MEM_new()) == NULL) 220 { 221 ret= -1; 222 goto end; 223 } 224 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 225 { 226 ret= -1; 227 goto end; 228 } 229 s->init_buf=buf; 230 } 231 232 if (!ssl3_setup_buffers(s)) 233 { 234 ret= -1; 235 goto end; 236 } 237 238 s->init_num=0; 239 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 240 241 if (s->state != SSL_ST_RENEGOTIATE) 242 { 243 /* Ok, we now need to push on a buffering BIO so that 244 * the output is sent in a way that TCP likes :-) 245 */ 246 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 247 248 ssl3_init_finished_mac(s); 249 s->state=SSL3_ST_SR_CLNT_HELLO_A; 250 s->ctx->stats.sess_accept++; 251 } 252 else if (!s->s3->send_connection_binding && 253 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 254 { 255 /* Server attempting to renegotiate with 256 * client that doesn't support secure 257 * renegotiation. 258 */ 259 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 260 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 261 ret = -1; 262 goto end; 263 } 264 else 265 { 266 /* s->state == SSL_ST_RENEGOTIATE, 267 * we will just send a HelloRequest */ 268 s->ctx->stats.sess_accept_renegotiate++; 269 s->state=SSL3_ST_SW_HELLO_REQ_A; 270 } 271 break; 272 273 case SSL3_ST_SW_HELLO_REQ_A: 274 case SSL3_ST_SW_HELLO_REQ_B: 275 276 s->shutdown=0; 277 ret=ssl3_send_hello_request(s); 278 if (ret <= 0) goto end; 279 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 280 s->state=SSL3_ST_SW_FLUSH; 281 s->init_num=0; 282 283 ssl3_init_finished_mac(s); 284 break; 285 286 case SSL3_ST_SW_HELLO_REQ_C: 287 s->state=SSL_ST_OK; 288 break; 289 290 case SSL3_ST_SR_CLNT_HELLO_A: 291 case SSL3_ST_SR_CLNT_HELLO_B: 292 case SSL3_ST_SR_CLNT_HELLO_C: 293 294 s->shutdown=0; 295 ret=ssl3_get_client_hello(s); 296 if (ret <= 0) goto end; 297 s->new_session = 2; 298 s->state=SSL3_ST_SW_SRVR_HELLO_A; 299 s->init_num=0; 300 break; 301 302 case SSL3_ST_SW_SRVR_HELLO_A: 303 case SSL3_ST_SW_SRVR_HELLO_B: 304 ret=ssl3_send_server_hello(s); 305 if (ret <= 0) goto end; 306#ifndef OPENSSL_NO_TLSEXT 307 if (s->hit) 308 { 309 if (s->tlsext_ticket_expected) 310 s->state=SSL3_ST_SW_SESSION_TICKET_A; 311 else 312 s->state=SSL3_ST_SW_CHANGE_A; 313 } 314#else 315 if (s->hit) 316 s->state=SSL3_ST_SW_CHANGE_A; 317#endif 318 else 319 s->state=SSL3_ST_SW_CERT_A; 320 s->init_num=0; 321 break; 322 323 case SSL3_ST_SW_CERT_A: 324 case SSL3_ST_SW_CERT_B: 325 /* Check if it is anon DH or anon ECDH or KRB5 */ 326 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 327 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 328 { 329 ret=ssl3_send_server_certificate(s); 330 if (ret <= 0) goto end; 331#ifndef OPENSSL_NO_TLSEXT 332 if (s->tlsext_status_expected) 333 s->state=SSL3_ST_SW_CERT_STATUS_A; 334 else 335 s->state=SSL3_ST_SW_KEY_EXCH_A; 336 } 337 else 338 { 339 skip = 1; 340 s->state=SSL3_ST_SW_KEY_EXCH_A; 341 } 342#else 343 } 344 else 345 skip=1; 346 347 s->state=SSL3_ST_SW_KEY_EXCH_A; 348#endif 349 s->init_num=0; 350 break; 351 352 case SSL3_ST_SW_KEY_EXCH_A: 353 case SSL3_ST_SW_KEY_EXCH_B: 354 l=s->s3->tmp.new_cipher->algorithms; 355 356 /* clear this, it may get reset by 357 * send_server_key_exchange */ 358 s->s3->tmp.use_rsa_tmp=0; 359 360 361 /* only send if a DH key exchange, fortezza or 362 * RSA but we have a sign only certificate 363 * 364 * For ECC ciphersuites, we send a serverKeyExchange 365 * message only if the cipher suite is either 366 * ECDH-anon or ECDHE. In other cases, the 367 * server certificate contains the server's 368 * public key for key exchange. 369 */ 370 if ((l & SSL_kECDHE) 371 || (l & (SSL_DH|SSL_kFZA)) 372 || ((l & SSL_kRSA) 373 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 374 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 375 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 376 ) 377 ) 378 ) 379 ) 380 { 381 ret=ssl3_send_server_key_exchange(s); 382 if (ret <= 0) goto end; 383 } 384 else 385 skip=1; 386 387 s->state=SSL3_ST_SW_CERT_REQ_A; 388 s->init_num=0; 389 break; 390 391 case SSL3_ST_SW_CERT_REQ_A: 392 case SSL3_ST_SW_CERT_REQ_B: 393 if (/* don't request cert unless asked for it: */ 394 !(s->verify_mode & SSL_VERIFY_PEER) || 395 /* if SSL_VERIFY_CLIENT_ONCE is set, 396 * don't request cert during re-negotiation: */ 397 ((s->session->peer != NULL) && 398 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 399 /* never request cert in anonymous ciphersuites 400 * (see section "Certificate request" in SSL 3 drafts 401 * and in RFC 2246): */ 402 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 403 /* ... except when the application insists on verification 404 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 405 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 406 /* never request cert in Kerberos ciphersuites */ 407 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 408 { 409 /* no cert request */ 410 skip=1; 411 s->s3->tmp.cert_request=0; 412 s->state=SSL3_ST_SW_SRVR_DONE_A; 413 } 414 else 415 { 416 s->s3->tmp.cert_request=1; 417 ret=ssl3_send_certificate_request(s); 418 if (ret <= 0) goto end; 419#ifndef NETSCAPE_HANG_BUG 420 s->state=SSL3_ST_SW_SRVR_DONE_A; 421#else 422 s->state=SSL3_ST_SW_FLUSH; 423 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 424#endif 425 s->init_num=0; 426 } 427 break; 428 429 case SSL3_ST_SW_SRVR_DONE_A: 430 case SSL3_ST_SW_SRVR_DONE_B: 431 ret=ssl3_send_server_done(s); 432 if (ret <= 0) goto end; 433 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 434 s->state=SSL3_ST_SW_FLUSH; 435 s->init_num=0; 436 break; 437 438 case SSL3_ST_SW_FLUSH: 439 440 /* This code originally checked to see if 441 * any data was pending using BIO_CTRL_INFO 442 * and then flushed. This caused problems 443 * as documented in PR#1939. The proposed 444 * fix doesn't completely resolve this issue 445 * as buggy implementations of BIO_CTRL_PENDING 446 * still exist. So instead we just flush 447 * unconditionally. 448 */ 449 450 s->rwstate=SSL_WRITING; 451 if (BIO_flush(s->wbio) <= 0) 452 { 453 ret= -1; 454 goto end; 455 } 456 s->rwstate=SSL_NOTHING; 457 458 s->state=s->s3->tmp.next_state; 459 break; 460 461 case SSL3_ST_SR_CERT_A: 462 case SSL3_ST_SR_CERT_B: 463 /* Check for second client hello (MS SGC) */ 464 ret = ssl3_check_client_hello(s); 465 if (ret <= 0) 466 goto end; 467 if (ret == 2) 468 s->state = SSL3_ST_SR_CLNT_HELLO_C; 469 else { 470 if (s->s3->tmp.cert_request) 471 { 472 ret=ssl3_get_client_certificate(s); 473 if (ret <= 0) goto end; 474 } 475 s->init_num=0; 476 s->state=SSL3_ST_SR_KEY_EXCH_A; 477 } 478 break; 479 480 case SSL3_ST_SR_KEY_EXCH_A: 481 case SSL3_ST_SR_KEY_EXCH_B: 482 ret=ssl3_get_client_key_exchange(s); 483 if (ret <= 0) 484 goto end; 485 if (ret == 2) 486 { 487 /* For the ECDH ciphersuites when 488 * the client sends its ECDH pub key in 489 * a certificate, the CertificateVerify 490 * message is not sent. 491 */ 492 s->state=SSL3_ST_SR_FINISHED_A; 493 s->init_num = 0; 494 } 495 else 496 { 497 s->state=SSL3_ST_SR_CERT_VRFY_A; 498 s->init_num=0; 499 500 /* We need to get hashes here so if there is 501 * a client cert, it can be verified 502 */ 503 s->method->ssl3_enc->cert_verify_mac(s, 504 &(s->s3->finish_dgst1), 505 &(s->s3->tmp.cert_verify_md[0])); 506 s->method->ssl3_enc->cert_verify_mac(s, 507 &(s->s3->finish_dgst2), 508 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 509 } 510 break; 511 512 case SSL3_ST_SR_CERT_VRFY_A: 513 case SSL3_ST_SR_CERT_VRFY_B: 514 515 s->s3->flags |= SSL3_FLAGS_CCS_OK; 516 /* we should decide if we expected this one */ 517 ret=ssl3_get_cert_verify(s); 518 if (ret <= 0) goto end; 519 520 s->state=SSL3_ST_SR_FINISHED_A; 521 s->init_num=0; 522 break; 523 524 case SSL3_ST_SR_FINISHED_A: 525 case SSL3_ST_SR_FINISHED_B: 526 s->s3->flags |= SSL3_FLAGS_CCS_OK; 527 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 528 SSL3_ST_SR_FINISHED_B); 529 if (ret <= 0) goto end; 530 if (s->hit) 531 s->state=SSL_ST_OK; 532#ifndef OPENSSL_NO_TLSEXT 533 else if (s->tlsext_ticket_expected) 534 s->state=SSL3_ST_SW_SESSION_TICKET_A; 535#endif 536 else 537 s->state=SSL3_ST_SW_CHANGE_A; 538 s->init_num=0; 539 break; 540 541#ifndef OPENSSL_NO_TLSEXT 542 case SSL3_ST_SW_SESSION_TICKET_A: 543 case SSL3_ST_SW_SESSION_TICKET_B: 544 ret=ssl3_send_newsession_ticket(s); 545 if (ret <= 0) goto end; 546 s->state=SSL3_ST_SW_CHANGE_A; 547 s->init_num=0; 548 break; 549 550 case SSL3_ST_SW_CERT_STATUS_A: 551 case SSL3_ST_SW_CERT_STATUS_B: 552 ret=ssl3_send_cert_status(s); 553 if (ret <= 0) goto end; 554 s->state=SSL3_ST_SW_KEY_EXCH_A; 555 s->init_num=0; 556 break; 557 558#endif 559 560 case SSL3_ST_SW_CHANGE_A: 561 case SSL3_ST_SW_CHANGE_B: 562 563 s->session->cipher=s->s3->tmp.new_cipher; 564 if (!s->method->ssl3_enc->setup_key_block(s)) 565 { ret= -1; goto end; } 566 567 ret=ssl3_send_change_cipher_spec(s, 568 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 569 570 if (ret <= 0) goto end; 571 s->state=SSL3_ST_SW_FINISHED_A; 572 s->init_num=0; 573 574 if (!s->method->ssl3_enc->change_cipher_state(s, 575 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 576 { 577 ret= -1; 578 goto end; 579 } 580 581 break; 582 583 case SSL3_ST_SW_FINISHED_A: 584 case SSL3_ST_SW_FINISHED_B: 585 ret=ssl3_send_finished(s, 586 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 587 s->method->ssl3_enc->server_finished_label, 588 s->method->ssl3_enc->server_finished_label_len); 589 if (ret <= 0) goto end; 590 s->state=SSL3_ST_SW_FLUSH; 591 if (s->hit) 592 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 593 else 594 s->s3->tmp.next_state=SSL_ST_OK; 595 s->init_num=0; 596 break; 597 598 case SSL_ST_OK: 599 /* clean a few things up */ 600 ssl3_cleanup_key_block(s); 601 602 BUF_MEM_free(s->init_buf); 603 s->init_buf=NULL; 604 605 /* remove buffering on output */ 606 ssl_free_wbio_buffer(s); 607 608 s->init_num=0; 609 610 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 611 { 612 /* actually not necessarily a 'new' session unless 613 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 614 615 s->new_session=0; 616 617 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 618 619 s->ctx->stats.sess_accept_good++; 620 /* s->server=1; */ 621 s->handshake_func=ssl3_accept; 622 623 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 624 } 625 626 ret = 1; 627 goto end; 628 /* break; */ 629 630 default: 631 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 632 ret= -1; 633 goto end; 634 /* break; */ 635 } 636 637 if (!s->s3->tmp.reuse_message && !skip) 638 { 639 if (s->debug) 640 { 641 if ((ret=BIO_flush(s->wbio)) <= 0) 642 goto end; 643 } 644 645 646 if ((cb != NULL) && (s->state != state)) 647 { 648 new_state=s->state; 649 s->state=state; 650 cb(s,SSL_CB_ACCEPT_LOOP,1); 651 s->state=new_state; 652 } 653 } 654 skip=0; 655 } 656end: 657 /* BIO_flush(s->wbio); */ 658 659 s->in_handshake--; 660 if (cb != NULL) 661 cb(s,SSL_CB_ACCEPT_EXIT,ret); 662 return(ret); 663 } 664 665int ssl3_send_hello_request(SSL *s) 666 { 667 unsigned char *p; 668 669 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 670 { 671 p=(unsigned char *)s->init_buf->data; 672 *(p++)=SSL3_MT_HELLO_REQUEST; 673 *(p++)=0; 674 *(p++)=0; 675 *(p++)=0; 676 677 s->state=SSL3_ST_SW_HELLO_REQ_B; 678 /* number of bytes to write */ 679 s->init_num=4; 680 s->init_off=0; 681 } 682 683 /* SSL3_ST_SW_HELLO_REQ_B */ 684 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 685 } 686 687int ssl3_check_client_hello(SSL *s) 688 { 689 int ok; 690 long n; 691 692 /* this function is called when we really expect a Certificate message, 693 * so permit appropriate message length */ 694 n=s->method->ssl_get_message(s, 695 SSL3_ST_SR_CERT_A, 696 SSL3_ST_SR_CERT_B, 697 -1, 698 s->max_cert_list, 699 &ok); 700 if (!ok) return((int)n); 701 s->s3->tmp.reuse_message = 1; 702 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 703 { 704 /* We only allow the client to restart the handshake once per 705 * negotiation. */ 706 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 707 { 708 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 709 return -1; 710 } 711 /* Throw away what we have done so far in the current handshake, 712 * which will now be aborted. (A full SSL_clear would be too much.) */ 713#ifndef OPENSSL_NO_DH 714 if (s->s3->tmp.dh != NULL) 715 { 716 DH_free(s->s3->tmp.dh); 717 s->s3->tmp.dh = NULL; 718 } 719#endif 720#ifndef OPENSSL_NO_ECDH 721 if (s->s3->tmp.ecdh != NULL) 722 { 723 EC_KEY_free(s->s3->tmp.ecdh); 724 s->s3->tmp.ecdh = NULL; 725 } 726#endif 727 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 728 return 2; 729 } 730 return 1; 731} 732 733int ssl3_get_client_hello(SSL *s) 734 { 735 int i,j,ok,al,ret= -1; 736 unsigned int cookie_len; 737 long n; 738 unsigned long id; 739 unsigned char *p,*d,*q; 740 SSL_CIPHER *c; 741#ifndef OPENSSL_NO_COMP 742 SSL_COMP *comp=NULL; 743#endif 744 STACK_OF(SSL_CIPHER) *ciphers=NULL; 745 746 /* We do this so that we will respond with our native type. 747 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 748 * This down switching should be handled by a different method. 749 * If we are SSLv3, we will respond with SSLv3, even if prompted with 750 * TLSv1. 751 */ 752 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 753 { 754 s->state=SSL3_ST_SR_CLNT_HELLO_B; 755 } 756 s->first_packet=1; 757 n=s->method->ssl_get_message(s, 758 SSL3_ST_SR_CLNT_HELLO_B, 759 SSL3_ST_SR_CLNT_HELLO_C, 760 SSL3_MT_CLIENT_HELLO, 761 SSL3_RT_MAX_PLAIN_LENGTH, 762 &ok); 763 764 if (!ok) return((int)n); 765 s->first_packet=0; 766 d=p=(unsigned char *)s->init_msg; 767 768 /* use version from inside client hello, not from record header 769 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 770 s->client_version=(((int)p[0])<<8)|(int)p[1]; 771 p+=2; 772 773 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 774 (s->version != DTLS1_VERSION && s->client_version < s->version)) 775 { 776 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 777 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 778 { 779 /* similar to ssl3_get_record, send alert using remote version number */ 780 s->version = s->client_version; 781 } 782 al = SSL_AD_PROTOCOL_VERSION; 783 goto f_err; 784 } 785 786 /* If we require cookies and this ClientHello doesn't 787 * contain one, just return since we do not want to 788 * allocate any memory yet. So check cookie length... 789 */ 790 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 791 { 792 unsigned int session_length, cookie_length; 793 794 session_length = *(p + SSL3_RANDOM_SIZE); 795 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 796 797 if (cookie_length == 0) 798 return 1; 799 } 800 801 /* load the client random */ 802 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 803 p+=SSL3_RANDOM_SIZE; 804 805 /* get the session-id */ 806 j= *(p++); 807 808 s->hit=0; 809 /* Versions before 0.9.7 always allow session reuse during renegotiation 810 * (i.e. when s->new_session is true), option 811 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 812 * Maybe this optional behaviour should always have been the default, 813 * but we cannot safely change the default behaviour (or new applications 814 * might be written that become totally unsecure when compiled with 815 * an earlier library version) 816 */ 817 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 818 { 819 if (!ssl_get_new_session(s,1)) 820 goto err; 821 } 822 else 823 { 824 i=ssl_get_prev_session(s, p, j, d + n); 825 if (i == 1) 826 { /* previous session */ 827 s->hit=1; 828 } 829 else if (i == -1) 830 goto err; 831 else /* i == 0 */ 832 { 833 if (!ssl_get_new_session(s,1)) 834 goto err; 835 } 836 } 837 838 p+=j; 839 840 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 841 { 842 /* cookie stuff */ 843 cookie_len = *(p++); 844 845 /* 846 * The ClientHello may contain a cookie even if the 847 * HelloVerify message has not been sent--make sure that it 848 * does not cause an overflow. 849 */ 850 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 851 { 852 /* too much data */ 853 al = SSL_AD_DECODE_ERROR; 854 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 855 goto f_err; 856 } 857 858 /* verify the cookie if appropriate option is set. */ 859 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 860 cookie_len > 0) 861 { 862 memcpy(s->d1->rcvd_cookie, p, cookie_len); 863 864 if ( s->ctx->app_verify_cookie_cb != NULL) 865 { 866 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 867 cookie_len) == 0) 868 { 869 al=SSL_AD_HANDSHAKE_FAILURE; 870 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 871 SSL_R_COOKIE_MISMATCH); 872 goto f_err; 873 } 874 /* else cookie verification succeeded */ 875 } 876 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 877 s->d1->cookie_len) != 0) /* default verification */ 878 { 879 al=SSL_AD_HANDSHAKE_FAILURE; 880 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 881 SSL_R_COOKIE_MISMATCH); 882 goto f_err; 883 } 884 885 ret = 2; 886 } 887 888 p += cookie_len; 889 } 890 891 n2s(p,i); 892 if ((i == 0) && (j != 0)) 893 { 894 /* we need a cipher if we are not resuming a session */ 895 al=SSL_AD_ILLEGAL_PARAMETER; 896 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 897 goto f_err; 898 } 899 if ((p+i) >= (d+n)) 900 { 901 /* not enough data */ 902 al=SSL_AD_DECODE_ERROR; 903 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 904 goto f_err; 905 } 906 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 907 == NULL)) 908 { 909 goto err; 910 } 911 p+=i; 912 913 /* If it is a hit, check that the cipher is in the list */ 914 if ((s->hit) && (i > 0)) 915 { 916 j=0; 917 id=s->session->cipher->id; 918 919#ifdef CIPHER_DEBUG 920 printf("client sent %d ciphers\n",sk_num(ciphers)); 921#endif 922 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 923 { 924 c=sk_SSL_CIPHER_value(ciphers,i); 925#ifdef CIPHER_DEBUG 926 printf("client [%2d of %2d]:%s\n", 927 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 928#endif 929 if (c->id == id) 930 { 931 j=1; 932 break; 933 } 934 } 935/* Disabled because it can be used in a ciphersuite downgrade 936 * attack: CVE-2010-4180. 937 */ 938#if 0 939 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 940 { 941 /* Special case as client bug workaround: the previously used cipher may 942 * not be in the current list, the client instead might be trying to 943 * continue using a cipher that before wasn't chosen due to server 944 * preferences. We'll have to reject the connection if the cipher is not 945 * enabled, though. */ 946 c = sk_SSL_CIPHER_value(ciphers, 0); 947 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 948 { 949 s->session->cipher = c; 950 j = 1; 951 } 952 } 953#endif 954 if (j == 0) 955 { 956 /* we need to have the cipher in the cipher 957 * list if we are asked to reuse it */ 958 al=SSL_AD_ILLEGAL_PARAMETER; 959 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 960 goto f_err; 961 } 962 } 963 964 /* compression */ 965 i= *(p++); 966 if ((p+i) > (d+n)) 967 { 968 /* not enough data */ 969 al=SSL_AD_DECODE_ERROR; 970 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 971 goto f_err; 972 } 973 q=p; 974 for (j=0; j<i; j++) 975 { 976 if (p[j] == 0) break; 977 } 978 979 p+=i; 980 if (j >= i) 981 { 982 /* no compress */ 983 al=SSL_AD_DECODE_ERROR; 984 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 985 goto f_err; 986 } 987 988#ifndef OPENSSL_NO_TLSEXT 989 /* TLS extensions*/ 990 if (s->version >= SSL3_VERSION) 991 { 992 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 993 { 994 /* 'al' set by ssl_parse_clienthello_tlsext */ 995 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 996 goto f_err; 997 } 998 } 999 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1000 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1001 goto err; 1002 } 1003#endif 1004 /* Worst case, we will use the NULL compression, but if we have other 1005 * options, we will now look for them. We have i-1 compression 1006 * algorithms from the client, starting at q. */ 1007 s->s3->tmp.new_compression=NULL; 1008#ifndef OPENSSL_NO_COMP 1009 if (s->ctx->comp_methods != NULL) 1010 { /* See if we have a match */ 1011 int m,nn,o,v,done=0; 1012 1013 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1014 for (m=0; m<nn; m++) 1015 { 1016 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1017 v=comp->id; 1018 for (o=0; o<i; o++) 1019 { 1020 if (v == q[o]) 1021 { 1022 done=1; 1023 break; 1024 } 1025 } 1026 if (done) break; 1027 } 1028 if (done) 1029 s->s3->tmp.new_compression=comp; 1030 else 1031 comp=NULL; 1032 } 1033#endif 1034 1035 /* TLS does not mind if there is extra stuff */ 1036#if 0 /* SSL 3.0 does not mind either, so we should disable this test 1037 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1038 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ 1039 if (s->version == SSL3_VERSION) 1040 { 1041 if (p < (d+n)) 1042 { 1043 /* wrong number of bytes, 1044 * there could be more to follow */ 1045 al=SSL_AD_DECODE_ERROR; 1046 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1047 goto f_err; 1048 } 1049 } 1050#endif 1051 1052 /* Given s->session->ciphers and SSL_get_ciphers, we must 1053 * pick a cipher */ 1054 1055 if (!s->hit) 1056 { 1057#ifdef OPENSSL_NO_COMP 1058 s->session->compress_meth=0; 1059#else 1060 s->session->compress_meth=(comp == NULL)?0:comp->id; 1061#endif 1062 if (s->session->ciphers != NULL) 1063 sk_SSL_CIPHER_free(s->session->ciphers); 1064 s->session->ciphers=ciphers; 1065 if (ciphers == NULL) 1066 { 1067 al=SSL_AD_ILLEGAL_PARAMETER; 1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 1069 goto f_err; 1070 } 1071 ciphers=NULL; 1072 c=ssl3_choose_cipher(s,s->session->ciphers, 1073 SSL_get_ciphers(s)); 1074 1075 if (c == NULL) 1076 { 1077 al=SSL_AD_HANDSHAKE_FAILURE; 1078 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1079 goto f_err; 1080 } 1081 s->s3->tmp.new_cipher=c; 1082 } 1083 else 1084 { 1085 /* Session-id reuse */ 1086#ifdef REUSE_CIPHER_BUG 1087 STACK_OF(SSL_CIPHER) *sk; 1088 SSL_CIPHER *nc=NULL; 1089 SSL_CIPHER *ec=NULL; 1090 1091 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1092 { 1093 sk=s->session->ciphers; 1094 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1095 { 1096 c=sk_SSL_CIPHER_value(sk,i); 1097 if (c->algorithms & SSL_eNULL) 1098 nc=c; 1099 if (SSL_C_IS_EXPORT(c)) 1100 ec=c; 1101 } 1102 if (nc != NULL) 1103 s->s3->tmp.new_cipher=nc; 1104 else if (ec != NULL) 1105 s->s3->tmp.new_cipher=ec; 1106 else 1107 s->s3->tmp.new_cipher=s->session->cipher; 1108 } 1109 else 1110#endif 1111 s->s3->tmp.new_cipher=s->session->cipher; 1112 } 1113 1114 /* we now have the following setup. 1115 * client_random 1116 * cipher_list - our prefered list of ciphers 1117 * ciphers - the clients prefered list of ciphers 1118 * compression - basically ignored right now 1119 * ssl version is set - sslv3 1120 * s->session - The ssl session has been setup. 1121 * s->hit - session reuse flag 1122 * s->tmp.new_cipher - the new cipher to use. 1123 */ 1124 1125#ifndef OPENSSL_NO_TLSEXT 1126 /* Handles TLS extensions that we couldn't check earlier */ 1127 if (s->version >= SSL3_VERSION) 1128 { 1129 if (ssl_check_clienthello_tlsext_late(s) <= 0) 1130 { 1131 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1132 goto err; 1133 } 1134 } 1135#endif 1136 1137 if (ret < 0) ret=1; 1138 if (0) 1139 { 1140f_err: 1141 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1142 } 1143err: 1144 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1145 return(ret); 1146 } 1147 1148int ssl3_send_server_hello(SSL *s) 1149 { 1150 unsigned char *buf; 1151 unsigned char *p,*d; 1152 int i,sl; 1153 unsigned long l,Time; 1154 1155 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1156 { 1157 buf=(unsigned char *)s->init_buf->data; 1158 p=s->s3->server_random; 1159 Time=(unsigned long)time(NULL); /* Time */ 1160 l2n(Time,p); 1161 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1162 return -1; 1163 /* Do the message type and length last */ 1164 d=p= &(buf[4]); 1165 1166 *(p++)=s->version>>8; 1167 *(p++)=s->version&0xff; 1168 1169 /* Random stuff */ 1170 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1171 p+=SSL3_RANDOM_SIZE; 1172 1173 /* now in theory we have 3 options to sending back the 1174 * session id. If it is a re-use, we send back the 1175 * old session-id, if it is a new session, we send 1176 * back the new session-id or we send back a 0 length 1177 * session-id if we want it to be single use. 1178 * Currently I will not implement the '0' length session-id 1179 * 12-Jan-98 - I'll now support the '0' length stuff. 1180 * 1181 * We also have an additional case where stateless session 1182 * resumption is successful: we always send back the old 1183 * session id. In this case s->hit is non zero: this can 1184 * only happen if stateless session resumption is succesful 1185 * if session caching is disabled so existing functionality 1186 * is unaffected. 1187 */ 1188 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1189 && !s->hit) 1190 s->session->session_id_length=0; 1191 1192 sl=s->session->session_id_length; 1193 if (sl > (int)sizeof(s->session->session_id)) 1194 { 1195 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1196 return -1; 1197 } 1198 *(p++)=sl; 1199 memcpy(p,s->session->session_id,sl); 1200 p+=sl; 1201 1202 /* put the cipher */ 1203 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1204 p+=i; 1205 1206 /* put the compression method */ 1207#ifdef OPENSSL_NO_COMP 1208 *(p++)=0; 1209#else 1210 if (s->s3->tmp.new_compression == NULL) 1211 *(p++)=0; 1212 else 1213 *(p++)=s->s3->tmp.new_compression->id; 1214#endif 1215#ifndef OPENSSL_NO_TLSEXT 1216 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1217 { 1218 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1219 return -1; 1220 } 1221#endif 1222 /* do the header */ 1223 l=(p-d); 1224 d=buf; 1225 *(d++)=SSL3_MT_SERVER_HELLO; 1226 l2n3(l,d); 1227 1228 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1229 /* number of bytes to write */ 1230 s->init_num=p-buf; 1231 s->init_off=0; 1232 } 1233 1234 /* SSL3_ST_SW_SRVR_HELLO_B */ 1235 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1236 } 1237 1238int ssl3_send_server_done(SSL *s) 1239 { 1240 unsigned char *p; 1241 1242 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1243 { 1244 p=(unsigned char *)s->init_buf->data; 1245 1246 /* do the header */ 1247 *(p++)=SSL3_MT_SERVER_DONE; 1248 *(p++)=0; 1249 *(p++)=0; 1250 *(p++)=0; 1251 1252 s->state=SSL3_ST_SW_SRVR_DONE_B; 1253 /* number of bytes to write */ 1254 s->init_num=4; 1255 s->init_off=0; 1256 } 1257 1258 /* SSL3_ST_SW_SRVR_DONE_B */ 1259 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1260 } 1261 1262int ssl3_send_server_key_exchange(SSL *s) 1263 { 1264#ifndef OPENSSL_NO_RSA 1265 unsigned char *q; 1266 int j,num; 1267 RSA *rsa; 1268 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1269 unsigned int u; 1270#endif 1271#ifndef OPENSSL_NO_DH 1272 DH *dh=NULL,*dhp; 1273#endif 1274#ifndef OPENSSL_NO_ECDH 1275 EC_KEY *ecdh=NULL, *ecdhp; 1276 unsigned char *encodedPoint = NULL; 1277 int encodedlen = 0; 1278 int curve_id = 0; 1279 BN_CTX *bn_ctx = NULL; 1280#endif 1281 EVP_PKEY *pkey; 1282 unsigned char *p,*d; 1283 int al,i; 1284 unsigned long type; 1285 int n; 1286 CERT *cert; 1287 BIGNUM *r[4]; 1288 int nr[4],kn; 1289 BUF_MEM *buf; 1290 EVP_MD_CTX md_ctx; 1291 1292 EVP_MD_CTX_init(&md_ctx); 1293 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1294 { 1295 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1296 cert=s->cert; 1297 1298 buf=s->init_buf; 1299 1300 r[0]=r[1]=r[2]=r[3]=NULL; 1301 n=0; 1302#ifndef OPENSSL_NO_RSA 1303 if (type & SSL_kRSA) 1304 { 1305 rsa=cert->rsa_tmp; 1306 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1307 { 1308 rsa=s->cert->rsa_tmp_cb(s, 1309 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1310 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1311 if(rsa == NULL) 1312 { 1313 al=SSL_AD_HANDSHAKE_FAILURE; 1314 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1315 goto f_err; 1316 } 1317 RSA_up_ref(rsa); 1318 cert->rsa_tmp=rsa; 1319 } 1320 if (rsa == NULL) 1321 { 1322 al=SSL_AD_HANDSHAKE_FAILURE; 1323 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1324 goto f_err; 1325 } 1326 r[0]=rsa->n; 1327 r[1]=rsa->e; 1328 s->s3->tmp.use_rsa_tmp=1; 1329 } 1330 else 1331#endif 1332#ifndef OPENSSL_NO_DH 1333 if (type & SSL_kEDH) 1334 { 1335 dhp=cert->dh_tmp; 1336 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1337 dhp=s->cert->dh_tmp_cb(s, 1338 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1339 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1340 if (dhp == NULL) 1341 { 1342 al=SSL_AD_HANDSHAKE_FAILURE; 1343 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1344 goto f_err; 1345 } 1346 1347 if (s->s3->tmp.dh != NULL) 1348 { 1349 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1350 goto err; 1351 } 1352 1353 if ((dh=DHparams_dup(dhp)) == NULL) 1354 { 1355 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1356 goto err; 1357 } 1358 1359 s->s3->tmp.dh=dh; 1360 if ((dhp->pub_key == NULL || 1361 dhp->priv_key == NULL || 1362 (s->options & SSL_OP_SINGLE_DH_USE))) 1363 { 1364 if(!DH_generate_key(dh)) 1365 { 1366 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1367 ERR_R_DH_LIB); 1368 goto err; 1369 } 1370 } 1371 else 1372 { 1373 dh->pub_key=BN_dup(dhp->pub_key); 1374 dh->priv_key=BN_dup(dhp->priv_key); 1375 if ((dh->pub_key == NULL) || 1376 (dh->priv_key == NULL)) 1377 { 1378 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1379 goto err; 1380 } 1381 } 1382 r[0]=dh->p; 1383 r[1]=dh->g; 1384 r[2]=dh->pub_key; 1385 } 1386 else 1387#endif 1388#ifndef OPENSSL_NO_ECDH 1389 if (type & SSL_kECDHE) 1390 { 1391 const EC_GROUP *group; 1392 1393 ecdhp=cert->ecdh_tmp; 1394 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1395 { 1396 ecdhp=s->cert->ecdh_tmp_cb(s, 1397 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1398 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1399 } 1400 if (ecdhp == NULL) 1401 { 1402 al=SSL_AD_HANDSHAKE_FAILURE; 1403 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1404 goto f_err; 1405 } 1406 1407 if (s->s3->tmp.ecdh != NULL) 1408 { 1409 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1410 goto err; 1411 } 1412 1413 /* Duplicate the ECDH structure. */ 1414 if (ecdhp == NULL) 1415 { 1416 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1417 goto err; 1418 } 1419 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1420 { 1421 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1422 goto err; 1423 } 1424 1425 s->s3->tmp.ecdh=ecdh; 1426 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1427 (EC_KEY_get0_private_key(ecdh) == NULL) || 1428 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1429 { 1430 if(!EC_KEY_generate_key(ecdh)) 1431 { 1432 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1433 goto err; 1434 } 1435 } 1436 1437 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1438 (EC_KEY_get0_public_key(ecdh) == NULL) || 1439 (EC_KEY_get0_private_key(ecdh) == NULL)) 1440 { 1441 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1442 goto err; 1443 } 1444 1445 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1446 (EC_GROUP_get_degree(group) > 163)) 1447 { 1448 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1449 goto err; 1450 } 1451 1452 /* XXX: For now, we only support ephemeral ECDH 1453 * keys over named (not generic) curves. For 1454 * supported named curves, curve_id is non-zero. 1455 */ 1456 if ((curve_id = 1457 nid2curve_id(EC_GROUP_get_curve_name(group))) 1458 == 0) 1459 { 1460 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1461 goto err; 1462 } 1463 1464 /* Encode the public key. 1465 * First check the size of encoding and 1466 * allocate memory accordingly. 1467 */ 1468 encodedlen = EC_POINT_point2oct(group, 1469 EC_KEY_get0_public_key(ecdh), 1470 POINT_CONVERSION_UNCOMPRESSED, 1471 NULL, 0, NULL); 1472 1473 encodedPoint = (unsigned char *) 1474 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1475 bn_ctx = BN_CTX_new(); 1476 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1477 { 1478 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1479 goto err; 1480 } 1481 1482 1483 encodedlen = EC_POINT_point2oct(group, 1484 EC_KEY_get0_public_key(ecdh), 1485 POINT_CONVERSION_UNCOMPRESSED, 1486 encodedPoint, encodedlen, bn_ctx); 1487 1488 if (encodedlen == 0) 1489 { 1490 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1491 goto err; 1492 } 1493 1494 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1495 1496 /* XXX: For now, we only support named (not 1497 * generic) curves in ECDH ephemeral key exchanges. 1498 * In this situation, we need four additional bytes 1499 * to encode the entire ServerECDHParams 1500 * structure. 1501 */ 1502 n = 4 + encodedlen; 1503 1504 /* We'll generate the serverKeyExchange message 1505 * explicitly so we can set these to NULLs 1506 */ 1507 r[0]=NULL; 1508 r[1]=NULL; 1509 r[2]=NULL; 1510 r[3]=NULL; 1511 } 1512 else 1513#endif /* !OPENSSL_NO_ECDH */ 1514 { 1515 al=SSL_AD_HANDSHAKE_FAILURE; 1516 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1517 goto f_err; 1518 } 1519 for (i=0; r[i] != NULL; i++) 1520 { 1521 nr[i]=BN_num_bytes(r[i]); 1522 n+=2+nr[i]; 1523 } 1524 1525 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1526 { 1527 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1528 == NULL) 1529 { 1530 al=SSL_AD_DECODE_ERROR; 1531 goto f_err; 1532 } 1533 kn=EVP_PKEY_size(pkey); 1534 } 1535 else 1536 { 1537 pkey=NULL; 1538 kn=0; 1539 } 1540 1541 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1542 { 1543 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1544 goto err; 1545 } 1546 d=(unsigned char *)s->init_buf->data; 1547 p= &(d[4]); 1548 1549 for (i=0; r[i] != NULL; i++) 1550 { 1551 s2n(nr[i],p); 1552 BN_bn2bin(r[i],p); 1553 p+=nr[i]; 1554 } 1555 1556#ifndef OPENSSL_NO_ECDH 1557 if (type & SSL_kECDHE) 1558 { 1559 /* XXX: For now, we only support named (not generic) curves. 1560 * In this situation, the serverKeyExchange message has: 1561 * [1 byte CurveType], [2 byte CurveName] 1562 * [1 byte length of encoded point], followed by 1563 * the actual encoded point itself 1564 */ 1565 *p = NAMED_CURVE_TYPE; 1566 p += 1; 1567 *p = 0; 1568 p += 1; 1569 *p = curve_id; 1570 p += 1; 1571 *p = encodedlen; 1572 p += 1; 1573 memcpy((unsigned char*)p, 1574 (unsigned char *)encodedPoint, 1575 encodedlen); 1576 OPENSSL_free(encodedPoint); 1577 encodedPoint = NULL; 1578 p += encodedlen; 1579 } 1580#endif 1581 1582 /* not anonymous */ 1583 if (pkey != NULL) 1584 { 1585 /* n is the length of the params, they start at &(d[4]) 1586 * and p points to the space at the end. */ 1587#ifndef OPENSSL_NO_RSA 1588 if (pkey->type == EVP_PKEY_RSA) 1589 { 1590 q=md_buf; 1591 j=0; 1592 for (num=2; num > 0; num--) 1593 { 1594 EVP_MD_CTX_set_flags(&md_ctx, 1595 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1596 EVP_DigestInit_ex(&md_ctx,(num == 2) 1597 ?s->ctx->md5:s->ctx->sha1, NULL); 1598 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1599 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1600 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1601 EVP_DigestFinal_ex(&md_ctx,q, 1602 (unsigned int *)&i); 1603 q+=i; 1604 j+=i; 1605 } 1606 if (RSA_sign(NID_md5_sha1, md_buf, j, 1607 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1608 { 1609 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1610 goto err; 1611 } 1612 s2n(u,p); 1613 n+=u+2; 1614 } 1615 else 1616#endif 1617#if !defined(OPENSSL_NO_DSA) 1618 if (pkey->type == EVP_PKEY_DSA) 1619 { 1620 /* lets do DSS */ 1621 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1622 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1623 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1624 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1625 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1626 (unsigned int *)&i,pkey)) 1627 { 1628 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1629 goto err; 1630 } 1631 s2n(i,p); 1632 n+=i+2; 1633 } 1634 else 1635#endif 1636#if !defined(OPENSSL_NO_ECDSA) 1637 if (pkey->type == EVP_PKEY_EC) 1638 { 1639 /* let's do ECDSA */ 1640 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1641 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1642 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1643 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1644 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1645 (unsigned int *)&i,pkey)) 1646 { 1647 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1648 goto err; 1649 } 1650 s2n(i,p); 1651 n+=i+2; 1652 } 1653 else 1654#endif 1655 { 1656 /* Is this error check actually needed? */ 1657 al=SSL_AD_HANDSHAKE_FAILURE; 1658 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1659 goto f_err; 1660 } 1661 } 1662 1663 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1664 l2n3(n,d); 1665 1666 /* we should now have things packed up, so lets send 1667 * it off */ 1668 s->init_num=n+4; 1669 s->init_off=0; 1670 } 1671 1672 s->state = SSL3_ST_SW_KEY_EXCH_B; 1673 EVP_MD_CTX_cleanup(&md_ctx); 1674 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1675f_err: 1676 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1677err: 1678#ifndef OPENSSL_NO_ECDH 1679 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1680 BN_CTX_free(bn_ctx); 1681#endif 1682 EVP_MD_CTX_cleanup(&md_ctx); 1683 return(-1); 1684 } 1685 1686int ssl3_send_certificate_request(SSL *s) 1687 { 1688 unsigned char *p,*d; 1689 int i,j,nl,off,n; 1690 STACK_OF(X509_NAME) *sk=NULL; 1691 X509_NAME *name; 1692 BUF_MEM *buf; 1693 1694 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1695 { 1696 buf=s->init_buf; 1697 1698 d=p=(unsigned char *)&(buf->data[4]); 1699 1700 /* get the list of acceptable cert types */ 1701 p++; 1702 n=ssl3_get_req_cert_type(s,p); 1703 d[0]=n; 1704 p+=n; 1705 n++; 1706 1707 off=n; 1708 p+=2; 1709 n+=2; 1710 1711 sk=SSL_get_client_CA_list(s); 1712 nl=0; 1713 if (sk != NULL) 1714 { 1715 for (i=0; i<sk_X509_NAME_num(sk); i++) 1716 { 1717 name=sk_X509_NAME_value(sk,i); 1718 j=i2d_X509_NAME(name,NULL); 1719 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1720 { 1721 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1722 goto err; 1723 } 1724 p=(unsigned char *)&(buf->data[4+n]); 1725 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1726 { 1727 s2n(j,p); 1728 i2d_X509_NAME(name,&p); 1729 n+=2+j; 1730 nl+=2+j; 1731 } 1732 else 1733 { 1734 d=p; 1735 i2d_X509_NAME(name,&p); 1736 j-=2; s2n(j,d); j+=2; 1737 n+=j; 1738 nl+=j; 1739 } 1740 } 1741 } 1742 /* else no CA names */ 1743 p=(unsigned char *)&(buf->data[4+off]); 1744 s2n(nl,p); 1745 1746 d=(unsigned char *)buf->data; 1747 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1748 l2n3(n,d); 1749 1750 /* we should now have things packed up, so lets send 1751 * it off */ 1752 1753 s->init_num=n+4; 1754 s->init_off=0; 1755#ifdef NETSCAPE_HANG_BUG 1756 if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) 1757 { 1758 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1759 goto err; 1760 } 1761 p=(unsigned char *)s->init_buf->data + s->init_num; 1762 1763 /* do the header */ 1764 *(p++)=SSL3_MT_SERVER_DONE; 1765 *(p++)=0; 1766 *(p++)=0; 1767 *(p++)=0; 1768 s->init_num += 4; 1769#endif 1770 1771 s->state = SSL3_ST_SW_CERT_REQ_B; 1772 } 1773 1774 /* SSL3_ST_SW_CERT_REQ_B */ 1775 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1776err: 1777 return(-1); 1778 } 1779 1780int ssl3_get_client_key_exchange(SSL *s) 1781 { 1782 int i,al,ok; 1783 long n; 1784 unsigned long l; 1785 unsigned char *p; 1786#ifndef OPENSSL_NO_RSA 1787 RSA *rsa=NULL; 1788 EVP_PKEY *pkey=NULL; 1789#endif 1790#ifndef OPENSSL_NO_DH 1791 BIGNUM *pub=NULL; 1792 DH *dh_srvr; 1793#endif 1794#ifndef OPENSSL_NO_KRB5 1795 KSSL_ERR kssl_err; 1796#endif /* OPENSSL_NO_KRB5 */ 1797 1798#ifndef OPENSSL_NO_ECDH 1799 EC_KEY *srvr_ecdh = NULL; 1800 EVP_PKEY *clnt_pub_pkey = NULL; 1801 EC_POINT *clnt_ecpoint = NULL; 1802 BN_CTX *bn_ctx = NULL; 1803#endif 1804 1805 n=s->method->ssl_get_message(s, 1806 SSL3_ST_SR_KEY_EXCH_A, 1807 SSL3_ST_SR_KEY_EXCH_B, 1808 SSL3_MT_CLIENT_KEY_EXCHANGE, 1809 2048, /* ??? */ 1810 &ok); 1811 1812 if (!ok) return((int)n); 1813 p=(unsigned char *)s->init_msg; 1814 1815 l=s->s3->tmp.new_cipher->algorithms; 1816 1817#ifndef OPENSSL_NO_RSA 1818 if (l & SSL_kRSA) 1819 { 1820 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 1821 int decrypt_len; 1822 unsigned char decrypt_good, version_good; 1823 1824 /* FIX THIS UP EAY EAY EAY EAY */ 1825 if (s->s3->tmp.use_rsa_tmp) 1826 { 1827 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1828 rsa=s->cert->rsa_tmp; 1829 /* Don't do a callback because rsa_tmp should 1830 * be sent already */ 1831 if (rsa == NULL) 1832 { 1833 al=SSL_AD_HANDSHAKE_FAILURE; 1834 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 1835 goto f_err; 1836 1837 } 1838 } 1839 else 1840 { 1841 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 1842 if ( (pkey == NULL) || 1843 (pkey->type != EVP_PKEY_RSA) || 1844 (pkey->pkey.rsa == NULL)) 1845 { 1846 al=SSL_AD_HANDSHAKE_FAILURE; 1847 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 1848 goto f_err; 1849 } 1850 rsa=pkey->pkey.rsa; 1851 } 1852 1853 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 1854 if (s->version > SSL3_VERSION && 1855 s->client_version != DTLS1_BAD_VER) 1856 { 1857 n2s(p,i); 1858 if (n != i+2) 1859 { 1860 if (!(s->options & SSL_OP_TLS_D5_BUG)) 1861 { 1862 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 1863 goto err; 1864 } 1865 else 1866 p-=2; 1867 } 1868 else 1869 n=i; 1870 } 1871 1872 /* We must not leak whether a decryption failure occurs because 1873 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see 1874 * RFC 2246, section 7.4.7.1). The code follows that advice of 1875 * the TLS RFC and generates a random premaster secret for the 1876 * case that the decrypt fails. See 1877 * https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ 1878 1879 /* should be RAND_bytes, but we cannot work around a failure. */ 1880 if (RAND_pseudo_bytes(rand_premaster_secret, 1881 sizeof(rand_premaster_secret)) <= 0) 1882 goto err; 1883 decrypt_len = RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1884 ERR_clear_error(); 1885 1886 /* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. 1887 * decrypt_good will be 0xff if so and zero otherwise. */ 1888 decrypt_good = constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH); 1889 1890 /* If the version in the decrypted pre-master secret is correct 1891 * then version_good will be 0xff, otherwise it'll be zero. 1892 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 1893 * (http://eprint.iacr.org/2003/052/) exploits the version 1894 * number check as a "bad version oracle". Thus version checks 1895 * are done in constant time and are treated like any other 1896 * decryption error. */ 1897 version_good = constant_time_eq_8(p[0], (unsigned)(s->client_version>>8)); 1898 version_good &= constant_time_eq_8(p[1], (unsigned)(s->client_version&0xff)); 1899 1900 /* The premaster secret must contain the same version number as 1901 * the ClientHello to detect version rollback attacks 1902 * (strangely, the protocol does not offer such protection for 1903 * DH ciphersuites). However, buggy clients exist that send the 1904 * negotiated protocol version instead if the server does not 1905 * support the requested protocol version. If 1906 * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1907 if (s->options & SSL_OP_TLS_ROLLBACK_BUG) 1908 { 1909 unsigned char workaround_good; 1910 workaround_good = constant_time_eq_8(p[0], (unsigned)(s->version>>8)); 1911 workaround_good &= constant_time_eq_8(p[1], (unsigned)(s->version&0xff)); 1912 version_good |= workaround_good; 1913 } 1914 1915 /* Both decryption and version must be good for decrypt_good 1916 * to remain non-zero (0xff). */ 1917 decrypt_good &= version_good; 1918 1919 /* Now copy rand_premaster_secret over p using 1920 * decrypt_good_mask. */ 1921 for (i = 0; i < (int) sizeof(rand_premaster_secret); i++) 1922 { 1923 p[i] = constant_time_select_8(decrypt_good, p[i], 1924 rand_premaster_secret[i]); 1925 } 1926 1927 s->session->master_key_length= 1928 s->method->ssl3_enc->generate_master_secret(s, 1929 s->session->master_key, 1930 p,i); 1931 OPENSSL_cleanse(p,i); 1932 } 1933 else 1934#endif 1935#ifndef OPENSSL_NO_DH 1936 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1937 { 1938 n2s(p,i); 1939 if (n != i+2) 1940 { 1941 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 1942 { 1943 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 1944 goto err; 1945 } 1946 else 1947 { 1948 p-=2; 1949 i=(int)n; 1950 } 1951 } 1952 1953 if (n == 0L) /* the parameters are in the cert */ 1954 { 1955 al=SSL_AD_HANDSHAKE_FAILURE; 1956 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 1957 goto f_err; 1958 } 1959 else 1960 { 1961 if (s->s3->tmp.dh == NULL) 1962 { 1963 al=SSL_AD_HANDSHAKE_FAILURE; 1964 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1965 goto f_err; 1966 } 1967 else 1968 dh_srvr=s->s3->tmp.dh; 1969 } 1970 1971 pub=BN_bin2bn(p,i,NULL); 1972 if (pub == NULL) 1973 { 1974 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 1975 goto err; 1976 } 1977 1978 i=DH_compute_key(p,pub,dh_srvr); 1979 1980 if (i <= 0) 1981 { 1982 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1983 BN_clear_free(pub); 1984 goto err; 1985 } 1986 1987 DH_free(s->s3->tmp.dh); 1988 s->s3->tmp.dh=NULL; 1989 1990 BN_clear_free(pub); 1991 pub=NULL; 1992 s->session->master_key_length= 1993 s->method->ssl3_enc->generate_master_secret(s, 1994 s->session->master_key,p,i); 1995 OPENSSL_cleanse(p,i); 1996 } 1997 else 1998#endif 1999#ifndef OPENSSL_NO_KRB5 2000 if (l & SSL_kKRB5) 2001 { 2002 krb5_error_code krb5rc; 2003 krb5_data enc_ticket; 2004 krb5_data authenticator; 2005 krb5_data enc_pms; 2006 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2007 EVP_CIPHER_CTX ciph_ctx; 2008 EVP_CIPHER *enc = NULL; 2009 unsigned char iv[EVP_MAX_IV_LENGTH]; 2010 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2011 + EVP_MAX_BLOCK_LENGTH]; 2012 int padl, outl; 2013 krb5_timestamp authtime = 0; 2014 krb5_ticket_times ttimes; 2015 int kerr = 0; 2016 2017 EVP_CIPHER_CTX_init(&ciph_ctx); 2018 2019 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2020 2021 n2s(p,i); 2022 enc_ticket.length = i; 2023 2024 if (n < (int)enc_ticket.length + 6) 2025 { 2026 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2027 SSL_R_DATA_LENGTH_TOO_LONG); 2028 goto err; 2029 } 2030 2031 enc_ticket.data = (char *)p; 2032 p+=enc_ticket.length; 2033 2034 n2s(p,i); 2035 authenticator.length = i; 2036 2037 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2038 { 2039 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2040 SSL_R_DATA_LENGTH_TOO_LONG); 2041 goto err; 2042 } 2043 2044 authenticator.data = (char *)p; 2045 p+=authenticator.length; 2046 2047 n2s(p,i); 2048 enc_pms.length = i; 2049 enc_pms.data = (char *)p; 2050 p+=enc_pms.length; 2051 2052 /* Note that the length is checked again below, 2053 ** after decryption 2054 */ 2055 if(enc_pms.length > sizeof pms) 2056 { 2057 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2058 SSL_R_DATA_LENGTH_TOO_LONG); 2059 goto err; 2060 } 2061 2062 if (n != (long)(enc_ticket.length + authenticator.length + 2063 enc_pms.length + 6)) 2064 { 2065 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2066 SSL_R_DATA_LENGTH_TOO_LONG); 2067 goto err; 2068 } 2069 2070 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2071 &kssl_err)) != 0) 2072 { 2073#ifdef KSSL_DEBUG 2074 printf("kssl_sget_tkt rtn %d [%d]\n", 2075 krb5rc, kssl_err.reason); 2076 if (kssl_err.text) 2077 printf("kssl_err text= %s\n", kssl_err.text); 2078#endif /* KSSL_DEBUG */ 2079 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2080 kssl_err.reason); 2081 goto err; 2082 } 2083 2084 /* Note: no authenticator is not considered an error, 2085 ** but will return authtime == 0. 2086 */ 2087 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2088 &authtime, &kssl_err)) != 0) 2089 { 2090#ifdef KSSL_DEBUG 2091 printf("kssl_check_authent rtn %d [%d]\n", 2092 krb5rc, kssl_err.reason); 2093 if (kssl_err.text) 2094 printf("kssl_err text= %s\n", kssl_err.text); 2095#endif /* KSSL_DEBUG */ 2096 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2097 kssl_err.reason); 2098 goto err; 2099 } 2100 2101 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2102 { 2103 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2104 goto err; 2105 } 2106 2107#ifdef KSSL_DEBUG 2108 kssl_ctx_show(kssl_ctx); 2109#endif /* KSSL_DEBUG */ 2110 2111 enc = kssl_map_enc(kssl_ctx->enctype); 2112 if (enc == NULL) 2113 goto err; 2114 2115 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2116 2117 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2118 { 2119 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2120 SSL_R_DECRYPTION_FAILED); 2121 goto err; 2122 } 2123 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2124 (unsigned char *)enc_pms.data, enc_pms.length)) 2125 { 2126 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2127 SSL_R_DECRYPTION_FAILED); 2128 kerr = 1; 2129 goto kclean; 2130 } 2131 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2132 { 2133 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2134 SSL_R_DATA_LENGTH_TOO_LONG); 2135 kerr = 1; 2136 goto kclean; 2137 } 2138 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2139 { 2140 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2141 SSL_R_DECRYPTION_FAILED); 2142 kerr = 1; 2143 goto kclean; 2144 } 2145 outl += padl; 2146 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2147 { 2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2149 SSL_R_DATA_LENGTH_TOO_LONG); 2150 kerr = 1; 2151 goto kclean; 2152 } 2153 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2154 { 2155 /* The premaster secret must contain the same version number as the 2156 * ClientHello to detect version rollback attacks (strangely, the 2157 * protocol does not offer such protection for DH ciphersuites). 2158 * However, buggy clients exist that send random bytes instead of 2159 * the protocol version. 2160 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2161 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2162 */ 2163 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2164 { 2165 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2166 SSL_AD_DECODE_ERROR); 2167 kerr = 1; 2168 goto kclean; 2169 } 2170 } 2171 2172 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2173 2174 s->session->master_key_length= 2175 s->method->ssl3_enc->generate_master_secret(s, 2176 s->session->master_key, pms, outl); 2177 2178 if (kssl_ctx->client_princ) 2179 { 2180 size_t len = strlen(kssl_ctx->client_princ); 2181 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2182 { 2183 s->session->krb5_client_princ_len = len; 2184 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2185 } 2186 } 2187 2188 2189 /* Was doing kssl_ctx_free() here, 2190 ** but it caused problems for apache. 2191 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2192 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2193 */ 2194 2195 kclean: 2196 OPENSSL_cleanse(pms, sizeof(pms)); 2197 if (kerr) 2198 goto err; 2199 } else 2200#endif /* OPENSSL_NO_KRB5 */ 2201 2202#ifndef OPENSSL_NO_ECDH 2203 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2204 { 2205 int ret = 1; 2206 int field_size = 0; 2207 const EC_KEY *tkey; 2208 const EC_GROUP *group; 2209 const BIGNUM *priv_key; 2210 2211 /* initialize structures for server's ECDH key pair */ 2212 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2213 { 2214 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2215 ERR_R_MALLOC_FAILURE); 2216 goto err; 2217 } 2218 2219 /* Let's get server private key and group information */ 2220 if (l & SSL_kECDH) 2221 { 2222 /* use the certificate */ 2223 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2224 } 2225 else 2226 { 2227 /* use the ephermeral values we saved when 2228 * generating the ServerKeyExchange msg. 2229 */ 2230 tkey = s->s3->tmp.ecdh; 2231 } 2232 2233 group = EC_KEY_get0_group(tkey); 2234 priv_key = EC_KEY_get0_private_key(tkey); 2235 2236 if (!EC_KEY_set_group(srvr_ecdh, group) || 2237 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2238 { 2239 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2240 ERR_R_EC_LIB); 2241 goto err; 2242 } 2243 2244 /* Let's get client's public key */ 2245 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2246 { 2247 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2248 ERR_R_MALLOC_FAILURE); 2249 goto err; 2250 } 2251 2252 if (n == 0L) 2253 { 2254 /* Client Publickey was in Client Certificate */ 2255 2256 if (l & SSL_kECDHE) 2257 { 2258 al=SSL_AD_HANDSHAKE_FAILURE; 2259 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2260 goto f_err; 2261 } 2262 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2263 == NULL) || 2264 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2265 { 2266 /* XXX: For now, we do not support client 2267 * authentication using ECDH certificates 2268 * so this branch (n == 0L) of the code is 2269 * never executed. When that support is 2270 * added, we ought to ensure the key 2271 * received in the certificate is 2272 * authorized for key agreement. 2273 * ECDH_compute_key implicitly checks that 2274 * the two ECDH shares are for the same 2275 * group. 2276 */ 2277 al=SSL_AD_HANDSHAKE_FAILURE; 2278 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2279 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2280 goto f_err; 2281 } 2282 2283 if (EC_POINT_copy(clnt_ecpoint, 2284 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2285 { 2286 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2287 ERR_R_EC_LIB); 2288 goto err; 2289 } 2290 ret = 2; /* Skip certificate verify processing */ 2291 } 2292 else 2293 { 2294 /* Get client's public key from encoded point 2295 * in the ClientKeyExchange message. 2296 */ 2297 if ((bn_ctx = BN_CTX_new()) == NULL) 2298 { 2299 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2300 ERR_R_MALLOC_FAILURE); 2301 goto err; 2302 } 2303 2304 /* Get encoded point length */ 2305 i = *p; 2306 p += 1; 2307 if (n != 1 + i) 2308 { 2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2310 ERR_R_EC_LIB); 2311 goto err; 2312 } 2313 if (EC_POINT_oct2point(group, 2314 clnt_ecpoint, p, i, bn_ctx) == 0) 2315 { 2316 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2317 ERR_R_EC_LIB); 2318 goto err; 2319 } 2320 /* p is pointing to somewhere in the buffer 2321 * currently, so set it to the start 2322 */ 2323 p=(unsigned char *)s->init_buf->data; 2324 } 2325 2326 /* Compute the shared pre-master secret */ 2327 field_size = EC_GROUP_get_degree(group); 2328 if (field_size <= 0) 2329 { 2330 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2331 ERR_R_ECDH_LIB); 2332 goto err; 2333 } 2334 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2335 if (i <= 0) 2336 { 2337 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2338 ERR_R_ECDH_LIB); 2339 goto err; 2340 } 2341 2342 EVP_PKEY_free(clnt_pub_pkey); 2343 EC_POINT_free(clnt_ecpoint); 2344 if (srvr_ecdh != NULL) 2345 EC_KEY_free(srvr_ecdh); 2346 BN_CTX_free(bn_ctx); 2347 2348 /* Compute the master secret */ 2349 s->session->master_key_length = s->method->ssl3_enc-> \ 2350 generate_master_secret(s, s->session->master_key, p, i); 2351 2352 OPENSSL_cleanse(p, i); 2353 return (ret); 2354 } 2355 else 2356#endif 2357 { 2358 al=SSL_AD_HANDSHAKE_FAILURE; 2359 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2360 SSL_R_UNKNOWN_CIPHER_TYPE); 2361 goto f_err; 2362 } 2363 2364 return(1); 2365f_err: 2366 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2367#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2368err: 2369#endif 2370#ifndef OPENSSL_NO_ECDH 2371 EVP_PKEY_free(clnt_pub_pkey); 2372 EC_POINT_free(clnt_ecpoint); 2373 if (srvr_ecdh != NULL) 2374 EC_KEY_free(srvr_ecdh); 2375 BN_CTX_free(bn_ctx); 2376#endif 2377 return(-1); 2378 } 2379 2380int ssl3_get_cert_verify(SSL *s) 2381 { 2382 EVP_PKEY *pkey=NULL; 2383 unsigned char *p; 2384 int al,ok,ret=0; 2385 long n; 2386 int type=0,i,j; 2387 X509 *peer; 2388 2389 n=s->method->ssl_get_message(s, 2390 SSL3_ST_SR_CERT_VRFY_A, 2391 SSL3_ST_SR_CERT_VRFY_B, 2392 -1, 2393 SSL3_RT_MAX_PLAIN_LENGTH, 2394 &ok); 2395 2396 if (!ok) return((int)n); 2397 2398 if (s->session->peer != NULL) 2399 { 2400 peer=s->session->peer; 2401 pkey=X509_get_pubkey(peer); 2402 type=X509_certificate_type(peer,pkey); 2403 } 2404 else 2405 { 2406 peer=NULL; 2407 pkey=NULL; 2408 } 2409 2410 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2411 { 2412 s->s3->tmp.reuse_message=1; 2413 if (peer != NULL) 2414 { 2415 al=SSL_AD_UNEXPECTED_MESSAGE; 2416 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2417 goto f_err; 2418 } 2419 ret=1; 2420 goto end; 2421 } 2422 2423 if (peer == NULL) 2424 { 2425 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2426 al=SSL_AD_UNEXPECTED_MESSAGE; 2427 goto f_err; 2428 } 2429 2430 if (!(type & EVP_PKT_SIGN)) 2431 { 2432 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2433 al=SSL_AD_ILLEGAL_PARAMETER; 2434 goto f_err; 2435 } 2436 2437 if (s->s3->change_cipher_spec) 2438 { 2439 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2440 al=SSL_AD_UNEXPECTED_MESSAGE; 2441 goto f_err; 2442 } 2443 2444 /* we now have a signature that we need to verify */ 2445 p=(unsigned char *)s->init_msg; 2446 n2s(p,i); 2447 n-=2; 2448 if (i > n) 2449 { 2450 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2451 al=SSL_AD_DECODE_ERROR; 2452 goto f_err; 2453 } 2454 2455 j=EVP_PKEY_size(pkey); 2456 if ((i > j) || (n > j) || (n <= 0)) 2457 { 2458 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 2459 al=SSL_AD_DECODE_ERROR; 2460 goto f_err; 2461 } 2462 2463#ifndef OPENSSL_NO_RSA 2464 if (pkey->type == EVP_PKEY_RSA) 2465 { 2466 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2467 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2468 pkey->pkey.rsa); 2469 if (i < 0) 2470 { 2471 al=SSL_AD_DECRYPT_ERROR; 2472 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 2473 goto f_err; 2474 } 2475 if (i == 0) 2476 { 2477 al=SSL_AD_DECRYPT_ERROR; 2478 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 2479 goto f_err; 2480 } 2481 } 2482 else 2483#endif 2484#ifndef OPENSSL_NO_DSA 2485 if (pkey->type == EVP_PKEY_DSA) 2486 { 2487 j=DSA_verify(pkey->save_type, 2488 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2489 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2490 if (j <= 0) 2491 { 2492 /* bad signature */ 2493 al=SSL_AD_DECRYPT_ERROR; 2494 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2495 goto f_err; 2496 } 2497 } 2498 else 2499#endif 2500#ifndef OPENSSL_NO_ECDSA 2501 if (pkey->type == EVP_PKEY_EC) 2502 { 2503 j=ECDSA_verify(pkey->save_type, 2504 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2505 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2506 if (j <= 0) 2507 { 2508 /* bad signature */ 2509 al=SSL_AD_DECRYPT_ERROR; 2510 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2511 SSL_R_BAD_ECDSA_SIGNATURE); 2512 goto f_err; 2513 } 2514 } 2515 else 2516#endif 2517 { 2518 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2519 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2520 goto f_err; 2521 } 2522 2523 2524 ret=1; 2525 if (0) 2526 { 2527f_err: 2528 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2529 } 2530end: 2531 EVP_PKEY_free(pkey); 2532 return(ret); 2533 } 2534 2535int ssl3_get_client_certificate(SSL *s) 2536 { 2537 int i,ok,al,ret= -1; 2538 X509 *x=NULL; 2539 unsigned long l,nc,llen,n; 2540 const unsigned char *p,*q; 2541 unsigned char *d; 2542 STACK_OF(X509) *sk=NULL; 2543 2544 n=s->method->ssl_get_message(s, 2545 SSL3_ST_SR_CERT_A, 2546 SSL3_ST_SR_CERT_B, 2547 -1, 2548 s->max_cert_list, 2549 &ok); 2550 2551 if (!ok) return((int)n); 2552 2553 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2554 { 2555 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2556 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2557 { 2558 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2559 al=SSL_AD_HANDSHAKE_FAILURE; 2560 goto f_err; 2561 } 2562 /* If tls asked for a client cert, the client must return a 0 list */ 2563 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2564 { 2565 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2566 al=SSL_AD_UNEXPECTED_MESSAGE; 2567 goto f_err; 2568 } 2569 s->s3->tmp.reuse_message=1; 2570 return(1); 2571 } 2572 2573 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2574 { 2575 al=SSL_AD_UNEXPECTED_MESSAGE; 2576 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 2577 goto f_err; 2578 } 2579 p=d=(unsigned char *)s->init_msg; 2580 2581 if ((sk=sk_X509_new_null()) == NULL) 2582 { 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2584 goto err; 2585 } 2586 2587 n2l3(p,llen); 2588 if (llen+3 != n) 2589 { 2590 al=SSL_AD_DECODE_ERROR; 2591 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 2592 goto f_err; 2593 } 2594 for (nc=0; nc<llen; ) 2595 { 2596 n2l3(p,l); 2597 if ((l+nc+3) > llen) 2598 { 2599 al=SSL_AD_DECODE_ERROR; 2600 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2601 goto f_err; 2602 } 2603 2604 q=p; 2605 x=d2i_X509(NULL,&p,l); 2606 if (x == NULL) 2607 { 2608 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); 2609 goto err; 2610 } 2611 if (p != (q+l)) 2612 { 2613 al=SSL_AD_DECODE_ERROR; 2614 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2615 goto f_err; 2616 } 2617 if (!sk_X509_push(sk,x)) 2618 { 2619 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2620 goto err; 2621 } 2622 x=NULL; 2623 nc+=l+3; 2624 } 2625 2626 if (sk_X509_num(sk) <= 0) 2627 { 2628 /* TLS does not mind 0 certs returned */ 2629 if (s->version == SSL3_VERSION) 2630 { 2631 al=SSL_AD_HANDSHAKE_FAILURE; 2632 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); 2633 goto f_err; 2634 } 2635 /* Fail for TLS only if we required a certificate */ 2636 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2637 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2638 { 2639 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2640 al=SSL_AD_HANDSHAKE_FAILURE; 2641 goto f_err; 2642 } 2643 } 2644 else 2645 { 2646 i=ssl_verify_cert_chain(s,sk); 2647 if (i <= 0) 2648 { 2649 al=ssl_verify_alarm_type(s->verify_result); 2650 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); 2651 goto f_err; 2652 } 2653 } 2654 2655 if (s->session->peer != NULL) /* This should not be needed */ 2656 X509_free(s->session->peer); 2657 s->session->peer=sk_X509_shift(sk); 2658 s->session->verify_result = s->verify_result; 2659 2660 /* With the current implementation, sess_cert will always be NULL 2661 * when we arrive here. */ 2662 if (s->session->sess_cert == NULL) 2663 { 2664 s->session->sess_cert = ssl_sess_cert_new(); 2665 if (s->session->sess_cert == NULL) 2666 { 2667 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 2668 goto err; 2669 } 2670 } 2671 if (s->session->sess_cert->cert_chain != NULL) 2672 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2673 s->session->sess_cert->cert_chain=sk; 2674 /* Inconsistency alert: cert_chain does *not* include the 2675 * peer's own certificate, while we do include it in s3_clnt.c */ 2676 2677 sk=NULL; 2678 2679 ret=1; 2680 if (0) 2681 { 2682f_err: 2683 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2684 } 2685err: 2686 if (x != NULL) X509_free(x); 2687 if (sk != NULL) sk_X509_pop_free(sk,X509_free); 2688 return(ret); 2689 } 2690 2691int ssl3_send_server_certificate(SSL *s) 2692 { 2693 unsigned long l; 2694 X509 *x; 2695 2696 if (s->state == SSL3_ST_SW_CERT_A) 2697 { 2698 x=ssl_get_server_send_cert(s); 2699 if (x == NULL && 2700 /* VRS: allow null cert if auth == KRB5 */ 2701 (s->s3->tmp.new_cipher->algorithms 2702 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 2703 != (SSL_aKRB5|SSL_kKRB5)) 2704 { 2705 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 2706 return(0); 2707 } 2708 2709 l=ssl3_output_cert_chain(s,x); 2710 s->state=SSL3_ST_SW_CERT_B; 2711 s->init_num=(int)l; 2712 s->init_off=0; 2713 } 2714 2715 /* SSL3_ST_SW_CERT_B */ 2716 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2717 } 2718 2719 2720#ifndef OPENSSL_NO_ECDH 2721/* This is the complement of curve_id2nid in s3_clnt.c. */ 2722static int nid2curve_id(int nid) 2723{ 2724 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) 2725 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ 2726 switch (nid) { 2727 case NID_sect163k1: /* sect163k1 (1) */ 2728 return 1; 2729 case NID_sect163r1: /* sect163r1 (2) */ 2730 return 2; 2731 case NID_sect163r2: /* sect163r2 (3) */ 2732 return 3; 2733 case NID_sect193r1: /* sect193r1 (4) */ 2734 return 4; 2735 case NID_sect193r2: /* sect193r2 (5) */ 2736 return 5; 2737 case NID_sect233k1: /* sect233k1 (6) */ 2738 return 6; 2739 case NID_sect233r1: /* sect233r1 (7) */ 2740 return 7; 2741 case NID_sect239k1: /* sect239k1 (8) */ 2742 return 8; 2743 case NID_sect283k1: /* sect283k1 (9) */ 2744 return 9; 2745 case NID_sect283r1: /* sect283r1 (10) */ 2746 return 10; 2747 case NID_sect409k1: /* sect409k1 (11) */ 2748 return 11; 2749 case NID_sect409r1: /* sect409r1 (12) */ 2750 return 12; 2751 case NID_sect571k1: /* sect571k1 (13) */ 2752 return 13; 2753 case NID_sect571r1: /* sect571r1 (14) */ 2754 return 14; 2755 case NID_secp160k1: /* secp160k1 (15) */ 2756 return 15; 2757 case NID_secp160r1: /* secp160r1 (16) */ 2758 return 16; 2759 case NID_secp160r2: /* secp160r2 (17) */ 2760 return 17; 2761 case NID_secp192k1: /* secp192k1 (18) */ 2762 return 18; 2763 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 2764 return 19; 2765 case NID_secp224k1: /* secp224k1 (20) */ 2766 return 20; 2767 case NID_secp224r1: /* secp224r1 (21) */ 2768 return 21; 2769 case NID_secp256k1: /* secp256k1 (22) */ 2770 return 22; 2771 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 2772 return 23; 2773 case NID_secp384r1: /* secp384r1 (24) */ 2774 return 24; 2775 case NID_secp521r1: /* secp521r1 (25) */ 2776 return 25; 2777 default: 2778 return 0; 2779 } 2780} 2781#endif 2782#ifndef OPENSSL_NO_TLSEXT 2783int ssl3_send_newsession_ticket(SSL *s) 2784 { 2785 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 2786 { 2787 unsigned char *p, *senc, *macstart; 2788 int len, slen; 2789 unsigned int hlen; 2790 EVP_CIPHER_CTX ctx; 2791 HMAC_CTX hctx; 2792 SSL_CTX *tctx = s->initial_ctx; 2793 unsigned char iv[EVP_MAX_IV_LENGTH]; 2794 unsigned char key_name[16]; 2795 2796 /* get session encoding length */ 2797 slen = i2d_SSL_SESSION(s->session, NULL); 2798 /* Some length values are 16 bits, so forget it if session is 2799 * too long 2800 */ 2801 if (slen > 0xFF00) 2802 return -1; 2803 /* Grow buffer if need be: the length calculation is as 2804 * follows 1 (size of message name) + 3 (message length 2805 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 2806 * 16 (key name) + max_iv_len (iv length) + 2807 * session_length + max_enc_block_size (max encrypted session 2808 * length) + max_md_size (HMAC). 2809 */ 2810 if (!BUF_MEM_grow(s->init_buf, 2811 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 2812 EVP_MAX_MD_SIZE + slen)) 2813 return -1; 2814 senc = OPENSSL_malloc(slen); 2815 if (!senc) 2816 return -1; 2817 p = senc; 2818 i2d_SSL_SESSION(s->session, &p); 2819 2820 p=(unsigned char *)s->init_buf->data; 2821 /* do the header */ 2822 *(p++)=SSL3_MT_NEWSESSION_TICKET; 2823 /* Skip message length for now */ 2824 p += 3; 2825 EVP_CIPHER_CTX_init(&ctx); 2826 HMAC_CTX_init(&hctx); 2827 /* Initialize HMAC and cipher contexts. If callback present 2828 * it does all the work otherwise use generated values 2829 * from parent ctx. 2830 */ 2831 if (tctx->tlsext_ticket_key_cb) 2832 { 2833 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 2834 &hctx, 1) < 0) 2835 { 2836 OPENSSL_free(senc); 2837 return -1; 2838 } 2839 } 2840 else 2841 { 2842 RAND_pseudo_bytes(iv, 16); 2843 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2844 tctx->tlsext_tick_aes_key, iv); 2845 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2846 tlsext_tick_md(), NULL); 2847 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 2848 } 2849 l2n(s->session->tlsext_tick_lifetime_hint, p); 2850 /* Skip ticket length for now */ 2851 p += 2; 2852 /* Output key name */ 2853 macstart = p; 2854 memcpy(p, key_name, 16); 2855 p += 16; 2856 /* output IV */ 2857 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 2858 p += EVP_CIPHER_CTX_iv_length(&ctx); 2859 /* Encrypt session data */ 2860 EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 2861 p += len; 2862 EVP_EncryptFinal(&ctx, p, &len); 2863 p += len; 2864 EVP_CIPHER_CTX_cleanup(&ctx); 2865 2866 HMAC_Update(&hctx, macstart, p - macstart); 2867 HMAC_Final(&hctx, p, &hlen); 2868 HMAC_CTX_cleanup(&hctx); 2869 2870 p += hlen; 2871 /* Now write out lengths: p points to end of data written */ 2872 /* Total length */ 2873 len = p - (unsigned char *)s->init_buf->data; 2874 p=(unsigned char *)s->init_buf->data + 1; 2875 l2n3(len - 4, p); /* Message length */ 2876 p += 4; 2877 s2n(len - 10, p); /* Ticket length */ 2878 2879 /* number of bytes to write */ 2880 s->init_num= len; 2881 s->state=SSL3_ST_SW_SESSION_TICKET_B; 2882 s->init_off=0; 2883 OPENSSL_free(senc); 2884 } 2885 2886 /* SSL3_ST_SW_SESSION_TICKET_B */ 2887 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2888 } 2889 2890int ssl3_send_cert_status(SSL *s) 2891 { 2892 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 2893 { 2894 unsigned char *p; 2895 /* Grow buffer if need be: the length calculation is as 2896 * follows 1 (message type) + 3 (message length) + 2897 * 1 (ocsp response type) + 3 (ocsp response length) 2898 * + (ocsp response) 2899 */ 2900 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 2901 return -1; 2902 2903 p=(unsigned char *)s->init_buf->data; 2904 2905 /* do the header */ 2906 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 2907 /* message length */ 2908 l2n3(s->tlsext_ocsp_resplen + 4, p); 2909 /* status type */ 2910 *(p++)= s->tlsext_status_type; 2911 /* length of OCSP response */ 2912 l2n3(s->tlsext_ocsp_resplen, p); 2913 /* actual response */ 2914 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 2915 /* number of bytes to write */ 2916 s->init_num = 8 + s->tlsext_ocsp_resplen; 2917 s->state=SSL3_ST_SW_CERT_STATUS_B; 2918 s->init_off = 0; 2919 } 2920 2921 /* SSL3_ST_SW_CERT_STATUS_B */ 2922 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2923 } 2924#endif 2925