1 /* ssl/s3_srvr.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #define REUSE_CIPHER_BUG 126 #define NETSCAPE_HANG_BUG 127 128 #include <stdio.h> 129 #include "ssl_locl.h" 130 #include "kssl_lcl.h" 131 #include <openssl/buffer.h> 132 #include <openssl/rand.h> 133 #include <openssl/objects.h> 134 #include <openssl/evp.h> 135 #include <openssl/hmac.h> 136 #include <openssl/x509.h> 137 #ifndef OPENSSL_NO_DH 138 #include <openssl/dh.h> 139 #endif 140 #include <openssl/bn.h> 141 #ifndef OPENSSL_NO_KRB5 142 #include <openssl/krb5_asn.h> 143 #endif 144 #include <openssl/md5.h> 145 146 static SSL_METHOD *ssl3_get_server_method(int ver); 147 #ifndef OPENSSL_NO_ECDH 148 static int nid2curve_id(int nid); 149 #endif 150 151 static SSL_METHOD *ssl3_get_server_method(int ver) 152 { 153 if (ver == SSL3_VERSION) 154 return(SSLv3_server_method()); 155 else 156 return(NULL); 157 } 158 159 IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 160 ssl3_accept, 161 ssl_undefined_function, 162 ssl3_get_server_method) 163 164 int ssl3_accept(SSL *s) 165 { 166 BUF_MEM *buf; 167 unsigned long l,Time=(unsigned long)time(NULL); 168 void (*cb)(const SSL *ssl,int type,int val)=NULL; 169 int ret= -1; 170 int new_state,state,skip=0; 171 172 RAND_add(&Time,sizeof(Time),0); 173 ERR_clear_error(); 174 clear_sys_error(); 175 176 if (s->info_callback != NULL) 177 cb=s->info_callback; 178 else if (s->ctx->info_callback != NULL) 179 cb=s->ctx->info_callback; 180 181 /* init things to blank */ 182 s->in_handshake++; 183 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 184 185 if (s->cert == NULL) 186 { 187 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 188 return(-1); 189 } 190 191 for (;;) 192 { 193 state=s->state; 194 195 switch (s->state) 196 { 197 case SSL_ST_RENEGOTIATE: 198 s->new_session=1; 199 /* s->state=SSL_ST_ACCEPT; */ 200 201 case SSL_ST_BEFORE: 202 case SSL_ST_ACCEPT: 203 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 204 case SSL_ST_OK|SSL_ST_ACCEPT: 205 206 s->server=1; 207 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 208 209 if ((s->version>>8) != 3) 210 { 211 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 212 return -1; 213 } 214 s->type=SSL_ST_ACCEPT; 215 216 if (s->init_buf == NULL) 217 { 218 if ((buf=BUF_MEM_new()) == NULL) 219 { 220 ret= -1; 221 goto end; 222 } 223 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 224 { 225 ret= -1; 226 goto end; 227 } 228 s->init_buf=buf; 229 } 230 231 if (!ssl3_setup_buffers(s)) 232 { 233 ret= -1; 234 goto end; 235 } 236 237 s->init_num=0; 238 239 if (s->state != SSL_ST_RENEGOTIATE) 240 { 241 /* Ok, we now need to push on a buffering BIO so that 242 * the output is sent in a way that TCP likes :-) 243 */ 244 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 245 246 ssl3_init_finished_mac(s); 247 s->state=SSL3_ST_SR_CLNT_HELLO_A; 248 s->ctx->stats.sess_accept++; 249 } 250 else if (!s->s3->send_connection_binding && 251 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 252 { 253 /* Server attempting to renegotiate with 254 * client that doesn't support secure 255 * renegotiation. 256 */ 257 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 258 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 259 ret = -1; 260 goto end; 261 } 262 else 263 { 264 /* s->state == SSL_ST_RENEGOTIATE, 265 * we will just send a HelloRequest */ 266 s->ctx->stats.sess_accept_renegotiate++; 267 s->state=SSL3_ST_SW_HELLO_REQ_A; 268 } 269 break; 270 271 case SSL3_ST_SW_HELLO_REQ_A: 272 case SSL3_ST_SW_HELLO_REQ_B: 273 274 s->shutdown=0; 275 ret=ssl3_send_hello_request(s); 276 if (ret <= 0) goto end; 277 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 278 s->state=SSL3_ST_SW_FLUSH; 279 s->init_num=0; 280 281 ssl3_init_finished_mac(s); 282 break; 283 284 case SSL3_ST_SW_HELLO_REQ_C: 285 s->state=SSL_ST_OK; 286 break; 287 288 case SSL3_ST_SR_CLNT_HELLO_A: 289 case SSL3_ST_SR_CLNT_HELLO_B: 290 case SSL3_ST_SR_CLNT_HELLO_C: 291 292 s->shutdown=0; 293 ret=ssl3_get_client_hello(s); 294 if (ret <= 0) goto end; 295 s->new_session = 2; 296 s->state=SSL3_ST_SW_SRVR_HELLO_A; 297 s->init_num=0; 298 break; 299 300 case SSL3_ST_SW_SRVR_HELLO_A: 301 case SSL3_ST_SW_SRVR_HELLO_B: 302 ret=ssl3_send_server_hello(s); 303 if (ret <= 0) goto end; 304 #ifndef OPENSSL_NO_TLSEXT 305 if (s->hit) 306 { 307 if (s->tlsext_ticket_expected) 308 s->state=SSL3_ST_SW_SESSION_TICKET_A; 309 else 310 s->state=SSL3_ST_SW_CHANGE_A; 311 } 312 #else 313 if (s->hit) 314 s->state=SSL3_ST_SW_CHANGE_A; 315 #endif 316 else 317 s->state=SSL3_ST_SW_CERT_A; 318 s->init_num=0; 319 break; 320 321 case SSL3_ST_SW_CERT_A: 322 case SSL3_ST_SW_CERT_B: 323 /* Check if it is anon DH or anon ECDH or KRB5 */ 324 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 325 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 326 { 327 ret=ssl3_send_server_certificate(s); 328 if (ret <= 0) goto end; 329 #ifndef OPENSSL_NO_TLSEXT 330 if (s->tlsext_status_expected) 331 s->state=SSL3_ST_SW_CERT_STATUS_A; 332 else 333 s->state=SSL3_ST_SW_KEY_EXCH_A; 334 } 335 else 336 { 337 skip = 1; 338 s->state=SSL3_ST_SW_KEY_EXCH_A; 339 } 340 #else 341 } 342 else 343 skip=1; 344 345 s->state=SSL3_ST_SW_KEY_EXCH_A; 346 #endif 347 s->init_num=0; 348 break; 349 350 case SSL3_ST_SW_KEY_EXCH_A: 351 case SSL3_ST_SW_KEY_EXCH_B: 352 l=s->s3->tmp.new_cipher->algorithms; 353 354 /* clear this, it may get reset by 355 * send_server_key_exchange */ 356 if ((s->options & SSL_OP_EPHEMERAL_RSA) 357 #ifndef OPENSSL_NO_KRB5 358 && !(l & SSL_KRB5) 359 #endif /* OPENSSL_NO_KRB5 */ 360 ) 361 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 362 * even when forbidden by protocol specs 363 * (handshake may fail as clients are not required to 364 * be able to handle this) */ 365 s->s3->tmp.use_rsa_tmp=1; 366 else 367 s->s3->tmp.use_rsa_tmp=0; 368 369 370 /* only send if a DH key exchange, fortezza or 371 * RSA but we have a sign only certificate 372 * 373 * For ECC ciphersuites, we send a serverKeyExchange 374 * message only if the cipher suite is either 375 * ECDH-anon or ECDHE. In other cases, the 376 * server certificate contains the server's 377 * public key for key exchange. 378 */ 379 if (s->s3->tmp.use_rsa_tmp 380 || (l & SSL_kECDHE) 381 || (l & (SSL_DH|SSL_kFZA)) 382 || ((l & SSL_kRSA) 383 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 384 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 385 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 386 ) 387 ) 388 ) 389 ) 390 { 391 ret=ssl3_send_server_key_exchange(s); 392 if (ret <= 0) goto end; 393 } 394 else 395 skip=1; 396 397 s->state=SSL3_ST_SW_CERT_REQ_A; 398 s->init_num=0; 399 break; 400 401 case SSL3_ST_SW_CERT_REQ_A: 402 case SSL3_ST_SW_CERT_REQ_B: 403 if (/* don't request cert unless asked for it: */ 404 !(s->verify_mode & SSL_VERIFY_PEER) || 405 /* if SSL_VERIFY_CLIENT_ONCE is set, 406 * don't request cert during re-negotiation: */ 407 ((s->session->peer != NULL) && 408 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 409 /* never request cert in anonymous ciphersuites 410 * (see section "Certificate request" in SSL 3 drafts 411 * and in RFC 2246): */ 412 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 413 /* ... except when the application insists on verification 414 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 415 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 416 /* never request cert in Kerberos ciphersuites */ 417 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 418 { 419 /* no cert request */ 420 skip=1; 421 s->s3->tmp.cert_request=0; 422 s->state=SSL3_ST_SW_SRVR_DONE_A; 423 } 424 else 425 { 426 s->s3->tmp.cert_request=1; 427 ret=ssl3_send_certificate_request(s); 428 if (ret <= 0) goto end; 429 #ifndef NETSCAPE_HANG_BUG 430 s->state=SSL3_ST_SW_SRVR_DONE_A; 431 #else 432 s->state=SSL3_ST_SW_FLUSH; 433 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 434 #endif 435 s->init_num=0; 436 } 437 break; 438 439 case SSL3_ST_SW_SRVR_DONE_A: 440 case SSL3_ST_SW_SRVR_DONE_B: 441 ret=ssl3_send_server_done(s); 442 if (ret <= 0) goto end; 443 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 444 s->state=SSL3_ST_SW_FLUSH; 445 s->init_num=0; 446 break; 447 448 case SSL3_ST_SW_FLUSH: 449 450 /* This code originally checked to see if 451 * any data was pending using BIO_CTRL_INFO 452 * and then flushed. This caused problems 453 * as documented in PR#1939. The proposed 454 * fix doesn't completely resolve this issue 455 * as buggy implementations of BIO_CTRL_PENDING 456 * still exist. So instead we just flush 457 * unconditionally. 458 */ 459 460 s->rwstate=SSL_WRITING; 461 if (BIO_flush(s->wbio) <= 0) 462 { 463 ret= -1; 464 goto end; 465 } 466 s->rwstate=SSL_NOTHING; 467 468 s->state=s->s3->tmp.next_state; 469 break; 470 471 case SSL3_ST_SR_CERT_A: 472 case SSL3_ST_SR_CERT_B: 473 /* Check for second client hello (MS SGC) */ 474 ret = ssl3_check_client_hello(s); 475 if (ret <= 0) 476 goto end; 477 if (ret == 2) 478 s->state = SSL3_ST_SR_CLNT_HELLO_C; 479 else { 480 if (s->s3->tmp.cert_request) 481 { 482 ret=ssl3_get_client_certificate(s); 483 if (ret <= 0) goto end; 484 } 485 s->init_num=0; 486 s->state=SSL3_ST_SR_KEY_EXCH_A; 487 } 488 break; 489 490 case SSL3_ST_SR_KEY_EXCH_A: 491 case SSL3_ST_SR_KEY_EXCH_B: 492 ret=ssl3_get_client_key_exchange(s); 493 if (ret <= 0) 494 goto end; 495 if (ret == 2) 496 { 497 /* For the ECDH ciphersuites when 498 * the client sends its ECDH pub key in 499 * a certificate, the CertificateVerify 500 * message is not sent. 501 */ 502 s->state=SSL3_ST_SR_FINISHED_A; 503 s->init_num = 0; 504 } 505 else 506 { 507 s->state=SSL3_ST_SR_CERT_VRFY_A; 508 s->init_num=0; 509 510 /* We need to get hashes here so if there is 511 * a client cert, it can be verified 512 */ 513 s->method->ssl3_enc->cert_verify_mac(s, 514 &(s->s3->finish_dgst1), 515 &(s->s3->tmp.cert_verify_md[0])); 516 s->method->ssl3_enc->cert_verify_mac(s, 517 &(s->s3->finish_dgst2), 518 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 519 } 520 break; 521 522 case SSL3_ST_SR_CERT_VRFY_A: 523 case SSL3_ST_SR_CERT_VRFY_B: 524 525 /* we should decide if we expected this one */ 526 ret=ssl3_get_cert_verify(s); 527 if (ret <= 0) goto end; 528 529 s->state=SSL3_ST_SR_FINISHED_A; 530 s->init_num=0; 531 break; 532 533 case SSL3_ST_SR_FINISHED_A: 534 case SSL3_ST_SR_FINISHED_B: 535 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 536 SSL3_ST_SR_FINISHED_B); 537 if (ret <= 0) goto end; 538 if (s->hit) 539 s->state=SSL_ST_OK; 540 #ifndef OPENSSL_NO_TLSEXT 541 else if (s->tlsext_ticket_expected) 542 s->state=SSL3_ST_SW_SESSION_TICKET_A; 543 #endif 544 else 545 s->state=SSL3_ST_SW_CHANGE_A; 546 s->init_num=0; 547 break; 548 549 #ifndef OPENSSL_NO_TLSEXT 550 case SSL3_ST_SW_SESSION_TICKET_A: 551 case SSL3_ST_SW_SESSION_TICKET_B: 552 ret=ssl3_send_newsession_ticket(s); 553 if (ret <= 0) goto end; 554 s->state=SSL3_ST_SW_CHANGE_A; 555 s->init_num=0; 556 break; 557 558 case SSL3_ST_SW_CERT_STATUS_A: 559 case SSL3_ST_SW_CERT_STATUS_B: 560 ret=ssl3_send_cert_status(s); 561 if (ret <= 0) goto end; 562 s->state=SSL3_ST_SW_KEY_EXCH_A; 563 s->init_num=0; 564 break; 565 566 #endif 567 568 case SSL3_ST_SW_CHANGE_A: 569 case SSL3_ST_SW_CHANGE_B: 570 571 s->session->cipher=s->s3->tmp.new_cipher; 572 if (!s->method->ssl3_enc->setup_key_block(s)) 573 { ret= -1; goto end; } 574 575 ret=ssl3_send_change_cipher_spec(s, 576 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 577 578 if (ret <= 0) goto end; 579 s->state=SSL3_ST_SW_FINISHED_A; 580 s->init_num=0; 581 582 if (!s->method->ssl3_enc->change_cipher_state(s, 583 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 584 { 585 ret= -1; 586 goto end; 587 } 588 589 break; 590 591 case SSL3_ST_SW_FINISHED_A: 592 case SSL3_ST_SW_FINISHED_B: 593 ret=ssl3_send_finished(s, 594 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 595 s->method->ssl3_enc->server_finished_label, 596 s->method->ssl3_enc->server_finished_label_len); 597 if (ret <= 0) goto end; 598 s->state=SSL3_ST_SW_FLUSH; 599 if (s->hit) 600 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 601 else 602 s->s3->tmp.next_state=SSL_ST_OK; 603 s->init_num=0; 604 break; 605 606 case SSL_ST_OK: 607 /* clean a few things up */ 608 ssl3_cleanup_key_block(s); 609 610 BUF_MEM_free(s->init_buf); 611 s->init_buf=NULL; 612 613 /* remove buffering on output */ 614 ssl_free_wbio_buffer(s); 615 616 s->init_num=0; 617 618 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 619 { 620 /* actually not necessarily a 'new' session unless 621 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 622 623 s->new_session=0; 624 625 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 626 627 s->ctx->stats.sess_accept_good++; 628 /* s->server=1; */ 629 s->handshake_func=ssl3_accept; 630 631 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 632 } 633 634 ret = 1; 635 goto end; 636 /* break; */ 637 638 default: 639 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 640 ret= -1; 641 goto end; 642 /* break; */ 643 } 644 645 if (!s->s3->tmp.reuse_message && !skip) 646 { 647 if (s->debug) 648 { 649 if ((ret=BIO_flush(s->wbio)) <= 0) 650 goto end; 651 } 652 653 654 if ((cb != NULL) && (s->state != state)) 655 { 656 new_state=s->state; 657 s->state=state; 658 cb(s,SSL_CB_ACCEPT_LOOP,1); 659 s->state=new_state; 660 } 661 } 662 skip=0; 663 } 664 end: 665 /* BIO_flush(s->wbio); */ 666 667 s->in_handshake--; 668 if (cb != NULL) 669 cb(s,SSL_CB_ACCEPT_EXIT,ret); 670 return(ret); 671 } 672 673 int ssl3_send_hello_request(SSL *s) 674 { 675 unsigned char *p; 676 677 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 678 { 679 p=(unsigned char *)s->init_buf->data; 680 *(p++)=SSL3_MT_HELLO_REQUEST; 681 *(p++)=0; 682 *(p++)=0; 683 *(p++)=0; 684 685 s->state=SSL3_ST_SW_HELLO_REQ_B; 686 /* number of bytes to write */ 687 s->init_num=4; 688 s->init_off=0; 689 } 690 691 /* SSL3_ST_SW_HELLO_REQ_B */ 692 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 693 } 694 695 int ssl3_check_client_hello(SSL *s) 696 { 697 int ok; 698 long n; 699 700 /* this function is called when we really expect a Certificate message, 701 * so permit appropriate message length */ 702 n=s->method->ssl_get_message(s, 703 SSL3_ST_SR_CERT_A, 704 SSL3_ST_SR_CERT_B, 705 -1, 706 s->max_cert_list, 707 &ok); 708 if (!ok) return((int)n); 709 s->s3->tmp.reuse_message = 1; 710 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 711 { 712 /* Throw away what we have done so far in the current handshake, 713 * which will now be aborted. (A full SSL_clear would be too much.) 714 * I hope that tmp.dh is the only thing that may need to be cleared 715 * when a handshake is not completed ... */ 716 #ifndef OPENSSL_NO_DH 717 if (s->s3->tmp.dh != NULL) 718 { 719 DH_free(s->s3->tmp.dh); 720 s->s3->tmp.dh = NULL; 721 } 722 #endif 723 return 2; 724 } 725 return 1; 726 } 727 728 int ssl3_get_client_hello(SSL *s) 729 { 730 int i,j,ok,al,ret= -1; 731 unsigned int cookie_len; 732 long n; 733 unsigned long id; 734 unsigned char *p,*d,*q; 735 SSL_CIPHER *c; 736 #ifndef OPENSSL_NO_COMP 737 SSL_COMP *comp=NULL; 738 #endif 739 STACK_OF(SSL_CIPHER) *ciphers=NULL; 740 741 /* We do this so that we will respond with our native type. 742 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 743 * This down switching should be handled by a different method. 744 * If we are SSLv3, we will respond with SSLv3, even if prompted with 745 * TLSv1. 746 */ 747 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 748 { 749 s->state=SSL3_ST_SR_CLNT_HELLO_B; 750 } 751 s->first_packet=1; 752 n=s->method->ssl_get_message(s, 753 SSL3_ST_SR_CLNT_HELLO_B, 754 SSL3_ST_SR_CLNT_HELLO_C, 755 SSL3_MT_CLIENT_HELLO, 756 SSL3_RT_MAX_PLAIN_LENGTH, 757 &ok); 758 759 if (!ok) return((int)n); 760 s->first_packet=0; 761 d=p=(unsigned char *)s->init_msg; 762 763 /* use version from inside client hello, not from record header 764 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 765 s->client_version=(((int)p[0])<<8)|(int)p[1]; 766 p+=2; 767 768 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 769 (s->version != DTLS1_VERSION && s->client_version < s->version)) 770 { 771 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 772 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 773 { 774 /* similar to ssl3_get_record, send alert using remote version number */ 775 s->version = s->client_version; 776 } 777 al = SSL_AD_PROTOCOL_VERSION; 778 goto f_err; 779 } 780 781 /* If we require cookies and this ClientHello doesn't 782 * contain one, just return since we do not want to 783 * allocate any memory yet. So check cookie length... 784 */ 785 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 786 { 787 unsigned int session_length, cookie_length; 788 789 session_length = *(p + SSL3_RANDOM_SIZE); 790 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 791 792 if (cookie_length == 0) 793 return 1; 794 } 795 796 /* load the client random */ 797 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 798 p+=SSL3_RANDOM_SIZE; 799 800 /* get the session-id */ 801 j= *(p++); 802 803 s->hit=0; 804 /* Versions before 0.9.7 always allow session reuse during renegotiation 805 * (i.e. when s->new_session is true), option 806 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 807 * Maybe this optional behaviour should always have been the default, 808 * but we cannot safely change the default behaviour (or new applications 809 * might be written that become totally unsecure when compiled with 810 * an earlier library version) 811 */ 812 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 813 { 814 if (!ssl_get_new_session(s,1)) 815 goto err; 816 } 817 else 818 { 819 i=ssl_get_prev_session(s, p, j, d + n); 820 if (i == 1) 821 { /* previous session */ 822 s->hit=1; 823 } 824 else if (i == -1) 825 goto err; 826 else /* i == 0 */ 827 { 828 if (!ssl_get_new_session(s,1)) 829 goto err; 830 } 831 } 832 833 p+=j; 834 835 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 836 { 837 /* cookie stuff */ 838 cookie_len = *(p++); 839 840 /* 841 * The ClientHello may contain a cookie even if the 842 * HelloVerify message has not been sent--make sure that it 843 * does not cause an overflow. 844 */ 845 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 846 { 847 /* too much data */ 848 al = SSL_AD_DECODE_ERROR; 849 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 850 goto f_err; 851 } 852 853 /* verify the cookie if appropriate option is set. */ 854 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 855 cookie_len > 0) 856 { 857 memcpy(s->d1->rcvd_cookie, p, cookie_len); 858 859 if ( s->ctx->app_verify_cookie_cb != NULL) 860 { 861 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 862 cookie_len) == 0) 863 { 864 al=SSL_AD_HANDSHAKE_FAILURE; 865 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 866 SSL_R_COOKIE_MISMATCH); 867 goto f_err; 868 } 869 /* else cookie verification succeeded */ 870 } 871 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 872 s->d1->cookie_len) != 0) /* default verification */ 873 { 874 al=SSL_AD_HANDSHAKE_FAILURE; 875 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 876 SSL_R_COOKIE_MISMATCH); 877 goto f_err; 878 } 879 880 ret = 2; 881 } 882 883 p += cookie_len; 884 } 885 886 n2s(p,i); 887 if ((i == 0) && (j != 0)) 888 { 889 /* we need a cipher if we are not resuming a session */ 890 al=SSL_AD_ILLEGAL_PARAMETER; 891 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 892 goto f_err; 893 } 894 if ((p+i) >= (d+n)) 895 { 896 /* not enough data */ 897 al=SSL_AD_DECODE_ERROR; 898 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 899 goto f_err; 900 } 901 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 902 == NULL)) 903 { 904 goto err; 905 } 906 p+=i; 907 908 /* If it is a hit, check that the cipher is in the list */ 909 if ((s->hit) && (i > 0)) 910 { 911 j=0; 912 id=s->session->cipher->id; 913 914 #ifdef CIPHER_DEBUG 915 printf("client sent %d ciphers\n",sk_num(ciphers)); 916 #endif 917 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 918 { 919 c=sk_SSL_CIPHER_value(ciphers,i); 920 #ifdef CIPHER_DEBUG 921 printf("client [%2d of %2d]:%s\n", 922 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 923 #endif 924 if (c->id == id) 925 { 926 j=1; 927 break; 928 } 929 } 930 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 931 { 932 /* Special case as client bug workaround: the previously used cipher may 933 * not be in the current list, the client instead might be trying to 934 * continue using a cipher that before wasn't chosen due to server 935 * preferences. We'll have to reject the connection if the cipher is not 936 * enabled, though. */ 937 c = sk_SSL_CIPHER_value(ciphers, 0); 938 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 939 { 940 s->session->cipher = c; 941 j = 1; 942 } 943 } 944 if (j == 0) 945 { 946 /* we need to have the cipher in the cipher 947 * list if we are asked to reuse it */ 948 al=SSL_AD_ILLEGAL_PARAMETER; 949 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 950 goto f_err; 951 } 952 } 953 954 /* compression */ 955 i= *(p++); 956 if ((p+i) > (d+n)) 957 { 958 /* not enough data */ 959 al=SSL_AD_DECODE_ERROR; 960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 961 goto f_err; 962 } 963 q=p; 964 for (j=0; j<i; j++) 965 { 966 if (p[j] == 0) break; 967 } 968 969 p+=i; 970 if (j >= i) 971 { 972 /* no compress */ 973 al=SSL_AD_DECODE_ERROR; 974 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 975 goto f_err; 976 } 977 978 #ifndef OPENSSL_NO_TLSEXT 979 /* TLS extensions*/ 980 if (s->version >= SSL3_VERSION) 981 { 982 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 983 { 984 /* 'al' set by ssl_parse_clienthello_tlsext */ 985 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 986 goto f_err; 987 } 988 } 989 if (ssl_check_clienthello_tlsext(s) <= 0) { 990 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 991 goto err; 992 } 993 #endif 994 /* Worst case, we will use the NULL compression, but if we have other 995 * options, we will now look for them. We have i-1 compression 996 * algorithms from the client, starting at q. */ 997 s->s3->tmp.new_compression=NULL; 998 #ifndef OPENSSL_NO_COMP 999 if (s->ctx->comp_methods != NULL) 1000 { /* See if we have a match */ 1001 int m,nn,o,v,done=0; 1002 1003 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1004 for (m=0; m<nn; m++) 1005 { 1006 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1007 v=comp->id; 1008 for (o=0; o<i; o++) 1009 { 1010 if (v == q[o]) 1011 { 1012 done=1; 1013 break; 1014 } 1015 } 1016 if (done) break; 1017 } 1018 if (done) 1019 s->s3->tmp.new_compression=comp; 1020 else 1021 comp=NULL; 1022 } 1023 #endif 1024 1025 /* TLS does not mind if there is extra stuff */ 1026 #if 0 /* SSL 3.0 does not mind either, so we should disable this test 1027 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1028 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ 1029 if (s->version == SSL3_VERSION) 1030 { 1031 if (p < (d+n)) 1032 { 1033 /* wrong number of bytes, 1034 * there could be more to follow */ 1035 al=SSL_AD_DECODE_ERROR; 1036 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1037 goto f_err; 1038 } 1039 } 1040 #endif 1041 1042 /* Given s->session->ciphers and SSL_get_ciphers, we must 1043 * pick a cipher */ 1044 1045 if (!s->hit) 1046 { 1047 #ifdef OPENSSL_NO_COMP 1048 s->session->compress_meth=0; 1049 #else 1050 s->session->compress_meth=(comp == NULL)?0:comp->id; 1051 #endif 1052 if (s->session->ciphers != NULL) 1053 sk_SSL_CIPHER_free(s->session->ciphers); 1054 s->session->ciphers=ciphers; 1055 if (ciphers == NULL) 1056 { 1057 al=SSL_AD_ILLEGAL_PARAMETER; 1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 1059 goto f_err; 1060 } 1061 ciphers=NULL; 1062 c=ssl3_choose_cipher(s,s->session->ciphers, 1063 SSL_get_ciphers(s)); 1064 1065 if (c == NULL) 1066 { 1067 al=SSL_AD_HANDSHAKE_FAILURE; 1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1069 goto f_err; 1070 } 1071 s->s3->tmp.new_cipher=c; 1072 } 1073 else 1074 { 1075 /* Session-id reuse */ 1076 #ifdef REUSE_CIPHER_BUG 1077 STACK_OF(SSL_CIPHER) *sk; 1078 SSL_CIPHER *nc=NULL; 1079 SSL_CIPHER *ec=NULL; 1080 1081 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1082 { 1083 sk=s->session->ciphers; 1084 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1085 { 1086 c=sk_SSL_CIPHER_value(sk,i); 1087 if (c->algorithms & SSL_eNULL) 1088 nc=c; 1089 if (SSL_C_IS_EXPORT(c)) 1090 ec=c; 1091 } 1092 if (nc != NULL) 1093 s->s3->tmp.new_cipher=nc; 1094 else if (ec != NULL) 1095 s->s3->tmp.new_cipher=ec; 1096 else 1097 s->s3->tmp.new_cipher=s->session->cipher; 1098 } 1099 else 1100 #endif 1101 s->s3->tmp.new_cipher=s->session->cipher; 1102 } 1103 1104 /* we now have the following setup. 1105 * client_random 1106 * cipher_list - our prefered list of ciphers 1107 * ciphers - the clients prefered list of ciphers 1108 * compression - basically ignored right now 1109 * ssl version is set - sslv3 1110 * s->session - The ssl session has been setup. 1111 * s->hit - session reuse flag 1112 * s->tmp.new_cipher - the new cipher to use. 1113 */ 1114 1115 if (ret < 0) ret=1; 1116 if (0) 1117 { 1118 f_err: 1119 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1120 } 1121 err: 1122 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1123 return(ret); 1124 } 1125 1126 int ssl3_send_server_hello(SSL *s) 1127 { 1128 unsigned char *buf; 1129 unsigned char *p,*d; 1130 int i,sl; 1131 unsigned long l,Time; 1132 1133 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1134 { 1135 buf=(unsigned char *)s->init_buf->data; 1136 p=s->s3->server_random; 1137 Time=(unsigned long)time(NULL); /* Time */ 1138 l2n(Time,p); 1139 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1140 return -1; 1141 /* Do the message type and length last */ 1142 d=p= &(buf[4]); 1143 1144 *(p++)=s->version>>8; 1145 *(p++)=s->version&0xff; 1146 1147 /* Random stuff */ 1148 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1149 p+=SSL3_RANDOM_SIZE; 1150 1151 /* now in theory we have 3 options to sending back the 1152 * session id. If it is a re-use, we send back the 1153 * old session-id, if it is a new session, we send 1154 * back the new session-id or we send back a 0 length 1155 * session-id if we want it to be single use. 1156 * Currently I will not implement the '0' length session-id 1157 * 12-Jan-98 - I'll now support the '0' length stuff. 1158 * 1159 * We also have an additional case where stateless session 1160 * resumption is successful: we always send back the old 1161 * session id. In this case s->hit is non zero: this can 1162 * only happen if stateless session resumption is succesful 1163 * if session caching is disabled so existing functionality 1164 * is unaffected. 1165 */ 1166 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1167 && !s->hit) 1168 s->session->session_id_length=0; 1169 1170 sl=s->session->session_id_length; 1171 if (sl > (int)sizeof(s->session->session_id)) 1172 { 1173 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1174 return -1; 1175 } 1176 *(p++)=sl; 1177 memcpy(p,s->session->session_id,sl); 1178 p+=sl; 1179 1180 /* put the cipher */ 1181 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1182 p+=i; 1183 1184 /* put the compression method */ 1185 #ifdef OPENSSL_NO_COMP 1186 *(p++)=0; 1187 #else 1188 if (s->s3->tmp.new_compression == NULL) 1189 *(p++)=0; 1190 else 1191 *(p++)=s->s3->tmp.new_compression->id; 1192 #endif 1193 #ifndef OPENSSL_NO_TLSEXT 1194 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1195 { 1196 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1197 return -1; 1198 } 1199 #endif 1200 /* do the header */ 1201 l=(p-d); 1202 d=buf; 1203 *(d++)=SSL3_MT_SERVER_HELLO; 1204 l2n3(l,d); 1205 1206 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1207 /* number of bytes to write */ 1208 s->init_num=p-buf; 1209 s->init_off=0; 1210 } 1211 1212 /* SSL3_ST_SW_SRVR_HELLO_B */ 1213 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1214 } 1215 1216 int ssl3_send_server_done(SSL *s) 1217 { 1218 unsigned char *p; 1219 1220 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1221 { 1222 p=(unsigned char *)s->init_buf->data; 1223 1224 /* do the header */ 1225 *(p++)=SSL3_MT_SERVER_DONE; 1226 *(p++)=0; 1227 *(p++)=0; 1228 *(p++)=0; 1229 1230 s->state=SSL3_ST_SW_SRVR_DONE_B; 1231 /* number of bytes to write */ 1232 s->init_num=4; 1233 s->init_off=0; 1234 } 1235 1236 /* SSL3_ST_SW_SRVR_DONE_B */ 1237 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1238 } 1239 1240 int ssl3_send_server_key_exchange(SSL *s) 1241 { 1242 #ifndef OPENSSL_NO_RSA 1243 unsigned char *q; 1244 int j,num; 1245 RSA *rsa; 1246 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1247 unsigned int u; 1248 #endif 1249 #ifndef OPENSSL_NO_DH 1250 DH *dh=NULL,*dhp; 1251 #endif 1252 #ifndef OPENSSL_NO_ECDH 1253 EC_KEY *ecdh=NULL, *ecdhp; 1254 unsigned char *encodedPoint = NULL; 1255 int encodedlen = 0; 1256 int curve_id = 0; 1257 BN_CTX *bn_ctx = NULL; 1258 #endif 1259 EVP_PKEY *pkey; 1260 unsigned char *p,*d; 1261 int al,i; 1262 unsigned long type; 1263 int n; 1264 CERT *cert; 1265 BIGNUM *r[4]; 1266 int nr[4],kn; 1267 BUF_MEM *buf; 1268 EVP_MD_CTX md_ctx; 1269 1270 EVP_MD_CTX_init(&md_ctx); 1271 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1272 { 1273 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1274 cert=s->cert; 1275 1276 buf=s->init_buf; 1277 1278 r[0]=r[1]=r[2]=r[3]=NULL; 1279 n=0; 1280 #ifndef OPENSSL_NO_RSA 1281 if (type & SSL_kRSA) 1282 { 1283 rsa=cert->rsa_tmp; 1284 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1285 { 1286 rsa=s->cert->rsa_tmp_cb(s, 1287 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1288 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1289 if(rsa == NULL) 1290 { 1291 al=SSL_AD_HANDSHAKE_FAILURE; 1292 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1293 goto f_err; 1294 } 1295 RSA_up_ref(rsa); 1296 cert->rsa_tmp=rsa; 1297 } 1298 if (rsa == NULL) 1299 { 1300 al=SSL_AD_HANDSHAKE_FAILURE; 1301 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1302 goto f_err; 1303 } 1304 r[0]=rsa->n; 1305 r[1]=rsa->e; 1306 s->s3->tmp.use_rsa_tmp=1; 1307 } 1308 else 1309 #endif 1310 #ifndef OPENSSL_NO_DH 1311 if (type & SSL_kEDH) 1312 { 1313 dhp=cert->dh_tmp; 1314 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1315 dhp=s->cert->dh_tmp_cb(s, 1316 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1317 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1318 if (dhp == NULL) 1319 { 1320 al=SSL_AD_HANDSHAKE_FAILURE; 1321 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1322 goto f_err; 1323 } 1324 1325 if (s->s3->tmp.dh != NULL) 1326 { 1327 DH_free(dh); 1328 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1329 goto err; 1330 } 1331 1332 if ((dh=DHparams_dup(dhp)) == NULL) 1333 { 1334 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1335 goto err; 1336 } 1337 1338 s->s3->tmp.dh=dh; 1339 if ((dhp->pub_key == NULL || 1340 dhp->priv_key == NULL || 1341 (s->options & SSL_OP_SINGLE_DH_USE))) 1342 { 1343 if(!DH_generate_key(dh)) 1344 { 1345 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1346 ERR_R_DH_LIB); 1347 goto err; 1348 } 1349 } 1350 else 1351 { 1352 dh->pub_key=BN_dup(dhp->pub_key); 1353 dh->priv_key=BN_dup(dhp->priv_key); 1354 if ((dh->pub_key == NULL) || 1355 (dh->priv_key == NULL)) 1356 { 1357 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1358 goto err; 1359 } 1360 } 1361 r[0]=dh->p; 1362 r[1]=dh->g; 1363 r[2]=dh->pub_key; 1364 } 1365 else 1366 #endif 1367 #ifndef OPENSSL_NO_ECDH 1368 if (type & SSL_kECDHE) 1369 { 1370 const EC_GROUP *group; 1371 1372 ecdhp=cert->ecdh_tmp; 1373 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1374 { 1375 ecdhp=s->cert->ecdh_tmp_cb(s, 1376 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1377 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1378 } 1379 if (ecdhp == NULL) 1380 { 1381 al=SSL_AD_HANDSHAKE_FAILURE; 1382 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1383 goto f_err; 1384 } 1385 1386 if (s->s3->tmp.ecdh != NULL) 1387 { 1388 EC_KEY_free(s->s3->tmp.ecdh); 1389 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1390 goto err; 1391 } 1392 1393 /* Duplicate the ECDH structure. */ 1394 if (ecdhp == NULL) 1395 { 1396 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1397 goto err; 1398 } 1399 if (!EC_KEY_up_ref(ecdhp)) 1400 { 1401 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1402 goto err; 1403 } 1404 ecdh = ecdhp; 1405 1406 s->s3->tmp.ecdh=ecdh; 1407 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1408 (EC_KEY_get0_private_key(ecdh) == NULL) || 1409 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1410 { 1411 if(!EC_KEY_generate_key(ecdh)) 1412 { 1413 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1414 goto err; 1415 } 1416 } 1417 1418 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1419 (EC_KEY_get0_public_key(ecdh) == NULL) || 1420 (EC_KEY_get0_private_key(ecdh) == NULL)) 1421 { 1422 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1423 goto err; 1424 } 1425 1426 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1427 (EC_GROUP_get_degree(group) > 163)) 1428 { 1429 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1430 goto err; 1431 } 1432 1433 /* XXX: For now, we only support ephemeral ECDH 1434 * keys over named (not generic) curves. For 1435 * supported named curves, curve_id is non-zero. 1436 */ 1437 if ((curve_id = 1438 nid2curve_id(EC_GROUP_get_curve_name(group))) 1439 == 0) 1440 { 1441 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1442 goto err; 1443 } 1444 1445 /* Encode the public key. 1446 * First check the size of encoding and 1447 * allocate memory accordingly. 1448 */ 1449 encodedlen = EC_POINT_point2oct(group, 1450 EC_KEY_get0_public_key(ecdh), 1451 POINT_CONVERSION_UNCOMPRESSED, 1452 NULL, 0, NULL); 1453 1454 encodedPoint = (unsigned char *) 1455 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1456 bn_ctx = BN_CTX_new(); 1457 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1458 { 1459 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1460 goto err; 1461 } 1462 1463 1464 encodedlen = EC_POINT_point2oct(group, 1465 EC_KEY_get0_public_key(ecdh), 1466 POINT_CONVERSION_UNCOMPRESSED, 1467 encodedPoint, encodedlen, bn_ctx); 1468 1469 if (encodedlen == 0) 1470 { 1471 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1472 goto err; 1473 } 1474 1475 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1476 1477 /* XXX: For now, we only support named (not 1478 * generic) curves in ECDH ephemeral key exchanges. 1479 * In this situation, we need four additional bytes 1480 * to encode the entire ServerECDHParams 1481 * structure. 1482 */ 1483 n = 4 + encodedlen; 1484 1485 /* We'll generate the serverKeyExchange message 1486 * explicitly so we can set these to NULLs 1487 */ 1488 r[0]=NULL; 1489 r[1]=NULL; 1490 r[2]=NULL; 1491 r[3]=NULL; 1492 } 1493 else 1494 #endif /* !OPENSSL_NO_ECDH */ 1495 { 1496 al=SSL_AD_HANDSHAKE_FAILURE; 1497 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1498 goto f_err; 1499 } 1500 for (i=0; r[i] != NULL; i++) 1501 { 1502 nr[i]=BN_num_bytes(r[i]); 1503 n+=2+nr[i]; 1504 } 1505 1506 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1507 { 1508 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1509 == NULL) 1510 { 1511 al=SSL_AD_DECODE_ERROR; 1512 goto f_err; 1513 } 1514 kn=EVP_PKEY_size(pkey); 1515 } 1516 else 1517 { 1518 pkey=NULL; 1519 kn=0; 1520 } 1521 1522 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1523 { 1524 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1525 goto err; 1526 } 1527 d=(unsigned char *)s->init_buf->data; 1528 p= &(d[4]); 1529 1530 for (i=0; r[i] != NULL; i++) 1531 { 1532 s2n(nr[i],p); 1533 BN_bn2bin(r[i],p); 1534 p+=nr[i]; 1535 } 1536 1537 #ifndef OPENSSL_NO_ECDH 1538 if (type & SSL_kECDHE) 1539 { 1540 /* XXX: For now, we only support named (not generic) curves. 1541 * In this situation, the serverKeyExchange message has: 1542 * [1 byte CurveType], [2 byte CurveName] 1543 * [1 byte length of encoded point], followed by 1544 * the actual encoded point itself 1545 */ 1546 *p = NAMED_CURVE_TYPE; 1547 p += 1; 1548 *p = 0; 1549 p += 1; 1550 *p = curve_id; 1551 p += 1; 1552 *p = encodedlen; 1553 p += 1; 1554 memcpy((unsigned char*)p, 1555 (unsigned char *)encodedPoint, 1556 encodedlen); 1557 OPENSSL_free(encodedPoint); 1558 p += encodedlen; 1559 } 1560 #endif 1561 1562 /* not anonymous */ 1563 if (pkey != NULL) 1564 { 1565 /* n is the length of the params, they start at &(d[4]) 1566 * and p points to the space at the end. */ 1567 #ifndef OPENSSL_NO_RSA 1568 if (pkey->type == EVP_PKEY_RSA) 1569 { 1570 q=md_buf; 1571 j=0; 1572 for (num=2; num > 0; num--) 1573 { 1574 EVP_MD_CTX_set_flags(&md_ctx, 1575 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1576 EVP_DigestInit_ex(&md_ctx,(num == 2) 1577 ?s->ctx->md5:s->ctx->sha1, NULL); 1578 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1579 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1580 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1581 EVP_DigestFinal_ex(&md_ctx,q, 1582 (unsigned int *)&i); 1583 q+=i; 1584 j+=i; 1585 } 1586 if (RSA_sign(NID_md5_sha1, md_buf, j, 1587 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1588 { 1589 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1590 goto err; 1591 } 1592 s2n(u,p); 1593 n+=u+2; 1594 } 1595 else 1596 #endif 1597 #if !defined(OPENSSL_NO_DSA) 1598 if (pkey->type == EVP_PKEY_DSA) 1599 { 1600 /* lets do DSS */ 1601 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1602 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1603 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1604 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1605 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1606 (unsigned int *)&i,pkey)) 1607 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1609 goto err; 1610 } 1611 s2n(i,p); 1612 n+=i+2; 1613 } 1614 else 1615 #endif 1616 #if !defined(OPENSSL_NO_ECDSA) 1617 if (pkey->type == EVP_PKEY_EC) 1618 { 1619 /* let's do ECDSA */ 1620 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1621 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1622 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1623 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1624 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1625 (unsigned int *)&i,pkey)) 1626 { 1627 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1628 goto err; 1629 } 1630 s2n(i,p); 1631 n+=i+2; 1632 } 1633 else 1634 #endif 1635 { 1636 /* Is this error check actually needed? */ 1637 al=SSL_AD_HANDSHAKE_FAILURE; 1638 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1639 goto f_err; 1640 } 1641 } 1642 1643 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1644 l2n3(n,d); 1645 1646 /* we should now have things packed up, so lets send 1647 * it off */ 1648 s->init_num=n+4; 1649 s->init_off=0; 1650 } 1651 1652 s->state = SSL3_ST_SW_KEY_EXCH_B; 1653 EVP_MD_CTX_cleanup(&md_ctx); 1654 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1655 f_err: 1656 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1657 err: 1658 #ifndef OPENSSL_NO_ECDH 1659 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1660 BN_CTX_free(bn_ctx); 1661 #endif 1662 EVP_MD_CTX_cleanup(&md_ctx); 1663 return(-1); 1664 } 1665 1666 int ssl3_send_certificate_request(SSL *s) 1667 { 1668 unsigned char *p,*d; 1669 int i,j,nl,off,n; 1670 STACK_OF(X509_NAME) *sk=NULL; 1671 X509_NAME *name; 1672 BUF_MEM *buf; 1673 1674 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1675 { 1676 buf=s->init_buf; 1677 1678 d=p=(unsigned char *)&(buf->data[4]); 1679 1680 /* get the list of acceptable cert types */ 1681 p++; 1682 n=ssl3_get_req_cert_type(s,p); 1683 d[0]=n; 1684 p+=n; 1685 n++; 1686 1687 off=n; 1688 p+=2; 1689 n+=2; 1690 1691 sk=SSL_get_client_CA_list(s); 1692 nl=0; 1693 if (sk != NULL) 1694 { 1695 for (i=0; i<sk_X509_NAME_num(sk); i++) 1696 { 1697 name=sk_X509_NAME_value(sk,i); 1698 j=i2d_X509_NAME(name,NULL); 1699 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1700 { 1701 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1702 goto err; 1703 } 1704 p=(unsigned char *)&(buf->data[4+n]); 1705 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1706 { 1707 s2n(j,p); 1708 i2d_X509_NAME(name,&p); 1709 n+=2+j; 1710 nl+=2+j; 1711 } 1712 else 1713 { 1714 d=p; 1715 i2d_X509_NAME(name,&p); 1716 j-=2; s2n(j,d); j+=2; 1717 n+=j; 1718 nl+=j; 1719 } 1720 } 1721 } 1722 /* else no CA names */ 1723 p=(unsigned char *)&(buf->data[4+off]); 1724 s2n(nl,p); 1725 1726 d=(unsigned char *)buf->data; 1727 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1728 l2n3(n,d); 1729 1730 /* we should now have things packed up, so lets send 1731 * it off */ 1732 1733 s->init_num=n+4; 1734 s->init_off=0; 1735 #ifdef NETSCAPE_HANG_BUG 1736 p=(unsigned char *)s->init_buf->data + s->init_num; 1737 1738 /* do the header */ 1739 *(p++)=SSL3_MT_SERVER_DONE; 1740 *(p++)=0; 1741 *(p++)=0; 1742 *(p++)=0; 1743 s->init_num += 4; 1744 #endif 1745 1746 s->state = SSL3_ST_SW_CERT_REQ_B; 1747 } 1748 1749 /* SSL3_ST_SW_CERT_REQ_B */ 1750 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1751 err: 1752 return(-1); 1753 } 1754 1755 int ssl3_get_client_key_exchange(SSL *s) 1756 { 1757 int i,al,ok; 1758 long n; 1759 unsigned long l; 1760 unsigned char *p; 1761 #ifndef OPENSSL_NO_RSA 1762 RSA *rsa=NULL; 1763 EVP_PKEY *pkey=NULL; 1764 #endif 1765 #ifndef OPENSSL_NO_DH 1766 BIGNUM *pub=NULL; 1767 DH *dh_srvr; 1768 #endif 1769 #ifndef OPENSSL_NO_KRB5 1770 KSSL_ERR kssl_err; 1771 #endif /* OPENSSL_NO_KRB5 */ 1772 1773 #ifndef OPENSSL_NO_ECDH 1774 EC_KEY *srvr_ecdh = NULL; 1775 EVP_PKEY *clnt_pub_pkey = NULL; 1776 EC_POINT *clnt_ecpoint = NULL; 1777 BN_CTX *bn_ctx = NULL; 1778 #endif 1779 1780 n=s->method->ssl_get_message(s, 1781 SSL3_ST_SR_KEY_EXCH_A, 1782 SSL3_ST_SR_KEY_EXCH_B, 1783 SSL3_MT_CLIENT_KEY_EXCHANGE, 1784 2048, /* ??? */ 1785 &ok); 1786 1787 if (!ok) return((int)n); 1788 p=(unsigned char *)s->init_msg; 1789 1790 l=s->s3->tmp.new_cipher->algorithms; 1791 1792 #ifndef OPENSSL_NO_RSA 1793 if (l & SSL_kRSA) 1794 { 1795 /* FIX THIS UP EAY EAY EAY EAY */ 1796 if (s->s3->tmp.use_rsa_tmp) 1797 { 1798 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1799 rsa=s->cert->rsa_tmp; 1800 /* Don't do a callback because rsa_tmp should 1801 * be sent already */ 1802 if (rsa == NULL) 1803 { 1804 al=SSL_AD_HANDSHAKE_FAILURE; 1805 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 1806 goto f_err; 1807 1808 } 1809 } 1810 else 1811 { 1812 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 1813 if ( (pkey == NULL) || 1814 (pkey->type != EVP_PKEY_RSA) || 1815 (pkey->pkey.rsa == NULL)) 1816 { 1817 al=SSL_AD_HANDSHAKE_FAILURE; 1818 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 1819 goto f_err; 1820 } 1821 rsa=pkey->pkey.rsa; 1822 } 1823 1824 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 1825 if (s->version > SSL3_VERSION && 1826 s->client_version != DTLS1_BAD_VER) 1827 { 1828 n2s(p,i); 1829 if (n != i+2) 1830 { 1831 if (!(s->options & SSL_OP_TLS_D5_BUG)) 1832 { 1833 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 1834 goto err; 1835 } 1836 else 1837 p-=2; 1838 } 1839 else 1840 n=i; 1841 } 1842 1843 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1844 1845 al = -1; 1846 1847 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1848 { 1849 al=SSL_AD_DECODE_ERROR; 1850 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 1851 } 1852 1853 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 1854 { 1855 /* The premaster secret must contain the same version number as the 1856 * ClientHello to detect version rollback attacks (strangely, the 1857 * protocol does not offer such protection for DH ciphersuites). 1858 * However, buggy clients exist that send the negotiated protocol 1859 * version instead if the server does not support the requested 1860 * protocol version. 1861 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1862 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1863 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1864 { 1865 al=SSL_AD_DECODE_ERROR; 1866 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 1867 1868 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 1869 * (http://eprint.iacr.org/2003/052/) exploits the version 1870 * number check as a "bad version oracle" -- an alert would 1871 * reveal that the plaintext corresponding to some ciphertext 1872 * made up by the adversary is properly formatted except 1873 * that the version number is wrong. To avoid such attacks, 1874 * we should treat this just like any other decryption error. */ 1875 } 1876 } 1877 1878 if (al != -1) 1879 { 1880 /* Some decryption failure -- use random value instead as countermeasure 1881 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 1882 * (see RFC 2246, section 7.4.7.1). */ 1883 ERR_clear_error(); 1884 i = SSL_MAX_MASTER_KEY_LENGTH; 1885 p[0] = s->client_version >> 8; 1886 p[1] = s->client_version & 0xff; 1887 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 1888 goto err; 1889 } 1890 1891 s->session->master_key_length= 1892 s->method->ssl3_enc->generate_master_secret(s, 1893 s->session->master_key, 1894 p,i); 1895 OPENSSL_cleanse(p,i); 1896 } 1897 else 1898 #endif 1899 #ifndef OPENSSL_NO_DH 1900 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1901 { 1902 n2s(p,i); 1903 if (n != i+2) 1904 { 1905 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 1906 { 1907 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 1908 goto err; 1909 } 1910 else 1911 { 1912 p-=2; 1913 i=(int)n; 1914 } 1915 } 1916 1917 if (n == 0L) /* the parameters are in the cert */ 1918 { 1919 al=SSL_AD_HANDSHAKE_FAILURE; 1920 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 1921 goto f_err; 1922 } 1923 else 1924 { 1925 if (s->s3->tmp.dh == NULL) 1926 { 1927 al=SSL_AD_HANDSHAKE_FAILURE; 1928 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1929 goto f_err; 1930 } 1931 else 1932 dh_srvr=s->s3->tmp.dh; 1933 } 1934 1935 pub=BN_bin2bn(p,i,NULL); 1936 if (pub == NULL) 1937 { 1938 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 1939 goto err; 1940 } 1941 1942 i=DH_compute_key(p,pub,dh_srvr); 1943 1944 if (i <= 0) 1945 { 1946 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1947 goto err; 1948 } 1949 1950 DH_free(s->s3->tmp.dh); 1951 s->s3->tmp.dh=NULL; 1952 1953 BN_clear_free(pub); 1954 pub=NULL; 1955 s->session->master_key_length= 1956 s->method->ssl3_enc->generate_master_secret(s, 1957 s->session->master_key,p,i); 1958 OPENSSL_cleanse(p,i); 1959 } 1960 else 1961 #endif 1962 #ifndef OPENSSL_NO_KRB5 1963 if (l & SSL_kKRB5) 1964 { 1965 krb5_error_code krb5rc; 1966 krb5_data enc_ticket; 1967 krb5_data authenticator; 1968 krb5_data enc_pms; 1969 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1970 EVP_CIPHER_CTX ciph_ctx; 1971 EVP_CIPHER *enc = NULL; 1972 unsigned char iv[EVP_MAX_IV_LENGTH]; 1973 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 1974 + EVP_MAX_BLOCK_LENGTH]; 1975 int padl, outl; 1976 krb5_timestamp authtime = 0; 1977 krb5_ticket_times ttimes; 1978 1979 EVP_CIPHER_CTX_init(&ciph_ctx); 1980 1981 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 1982 1983 n2s(p,i); 1984 enc_ticket.length = i; 1985 1986 if (n < (int)enc_ticket.length + 6) 1987 { 1988 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1989 SSL_R_DATA_LENGTH_TOO_LONG); 1990 goto err; 1991 } 1992 1993 enc_ticket.data = (char *)p; 1994 p+=enc_ticket.length; 1995 1996 n2s(p,i); 1997 authenticator.length = i; 1998 1999 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2000 { 2001 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2002 SSL_R_DATA_LENGTH_TOO_LONG); 2003 goto err; 2004 } 2005 2006 authenticator.data = (char *)p; 2007 p+=authenticator.length; 2008 2009 n2s(p,i); 2010 enc_pms.length = i; 2011 enc_pms.data = (char *)p; 2012 p+=enc_pms.length; 2013 2014 /* Note that the length is checked again below, 2015 ** after decryption 2016 */ 2017 if(enc_pms.length > sizeof pms) 2018 { 2019 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2020 SSL_R_DATA_LENGTH_TOO_LONG); 2021 goto err; 2022 } 2023 2024 if (n != (long)(enc_ticket.length + authenticator.length + 2025 enc_pms.length + 6)) 2026 { 2027 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2028 SSL_R_DATA_LENGTH_TOO_LONG); 2029 goto err; 2030 } 2031 2032 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2033 &kssl_err)) != 0) 2034 { 2035 #ifdef KSSL_DEBUG 2036 printf("kssl_sget_tkt rtn %d [%d]\n", 2037 krb5rc, kssl_err.reason); 2038 if (kssl_err.text) 2039 printf("kssl_err text= %s\n", kssl_err.text); 2040 #endif /* KSSL_DEBUG */ 2041 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2042 kssl_err.reason); 2043 goto err; 2044 } 2045 2046 /* Note: no authenticator is not considered an error, 2047 ** but will return authtime == 0. 2048 */ 2049 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2050 &authtime, &kssl_err)) != 0) 2051 { 2052 #ifdef KSSL_DEBUG 2053 printf("kssl_check_authent rtn %d [%d]\n", 2054 krb5rc, kssl_err.reason); 2055 if (kssl_err.text) 2056 printf("kssl_err text= %s\n", kssl_err.text); 2057 #endif /* KSSL_DEBUG */ 2058 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2059 kssl_err.reason); 2060 goto err; 2061 } 2062 2063 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2064 { 2065 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2066 goto err; 2067 } 2068 2069 #ifdef KSSL_DEBUG 2070 kssl_ctx_show(kssl_ctx); 2071 #endif /* KSSL_DEBUG */ 2072 2073 enc = kssl_map_enc(kssl_ctx->enctype); 2074 if (enc == NULL) 2075 goto err; 2076 2077 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2078 2079 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2080 { 2081 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2082 SSL_R_DECRYPTION_FAILED); 2083 goto err; 2084 } 2085 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2086 (unsigned char *)enc_pms.data, enc_pms.length)) 2087 { 2088 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2089 SSL_R_DECRYPTION_FAILED); 2090 goto err; 2091 } 2092 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2093 { 2094 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2095 SSL_R_DATA_LENGTH_TOO_LONG); 2096 goto err; 2097 } 2098 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2099 { 2100 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2101 SSL_R_DECRYPTION_FAILED); 2102 goto err; 2103 } 2104 outl += padl; 2105 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2106 { 2107 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2108 SSL_R_DATA_LENGTH_TOO_LONG); 2109 goto err; 2110 } 2111 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2112 { 2113 /* The premaster secret must contain the same version number as the 2114 * ClientHello to detect version rollback attacks (strangely, the 2115 * protocol does not offer such protection for DH ciphersuites). 2116 * However, buggy clients exist that send random bytes instead of 2117 * the protocol version. 2118 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2119 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2120 */ 2121 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2122 { 2123 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2124 SSL_AD_DECODE_ERROR); 2125 goto err; 2126 } 2127 } 2128 2129 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2130 2131 s->session->master_key_length= 2132 s->method->ssl3_enc->generate_master_secret(s, 2133 s->session->master_key, pms, outl); 2134 2135 if (kssl_ctx->client_princ) 2136 { 2137 size_t len = strlen(kssl_ctx->client_princ); 2138 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2139 { 2140 s->session->krb5_client_princ_len = len; 2141 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2142 } 2143 } 2144 2145 2146 /* Was doing kssl_ctx_free() here, 2147 ** but it caused problems for apache. 2148 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2149 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2150 */ 2151 } 2152 else 2153 #endif /* OPENSSL_NO_KRB5 */ 2154 2155 #ifndef OPENSSL_NO_ECDH 2156 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2157 { 2158 int ret = 1; 2159 int field_size = 0; 2160 const EC_KEY *tkey; 2161 const EC_GROUP *group; 2162 const BIGNUM *priv_key; 2163 2164 /* initialize structures for server's ECDH key pair */ 2165 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2166 { 2167 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2168 ERR_R_MALLOC_FAILURE); 2169 goto err; 2170 } 2171 2172 /* Let's get server private key and group information */ 2173 if (l & SSL_kECDH) 2174 { 2175 /* use the certificate */ 2176 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2177 } 2178 else 2179 { 2180 /* use the ephermeral values we saved when 2181 * generating the ServerKeyExchange msg. 2182 */ 2183 tkey = s->s3->tmp.ecdh; 2184 } 2185 2186 group = EC_KEY_get0_group(tkey); 2187 priv_key = EC_KEY_get0_private_key(tkey); 2188 2189 if (!EC_KEY_set_group(srvr_ecdh, group) || 2190 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2191 { 2192 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2193 ERR_R_EC_LIB); 2194 goto err; 2195 } 2196 2197 /* Let's get client's public key */ 2198 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2199 { 2200 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2201 ERR_R_MALLOC_FAILURE); 2202 goto err; 2203 } 2204 2205 if (n == 0L) 2206 { 2207 /* Client Publickey was in Client Certificate */ 2208 2209 if (l & SSL_kECDHE) 2210 { 2211 al=SSL_AD_HANDSHAKE_FAILURE; 2212 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2213 goto f_err; 2214 } 2215 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2216 == NULL) || 2217 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2218 { 2219 /* XXX: For now, we do not support client 2220 * authentication using ECDH certificates 2221 * so this branch (n == 0L) of the code is 2222 * never executed. When that support is 2223 * added, we ought to ensure the key 2224 * received in the certificate is 2225 * authorized for key agreement. 2226 * ECDH_compute_key implicitly checks that 2227 * the two ECDH shares are for the same 2228 * group. 2229 */ 2230 al=SSL_AD_HANDSHAKE_FAILURE; 2231 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2232 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2233 goto f_err; 2234 } 2235 2236 if (EC_POINT_copy(clnt_ecpoint, 2237 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2238 { 2239 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2240 ERR_R_EC_LIB); 2241 goto err; 2242 } 2243 ret = 2; /* Skip certificate verify processing */ 2244 } 2245 else 2246 { 2247 /* Get client's public key from encoded point 2248 * in the ClientKeyExchange message. 2249 */ 2250 if ((bn_ctx = BN_CTX_new()) == NULL) 2251 { 2252 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2253 ERR_R_MALLOC_FAILURE); 2254 goto err; 2255 } 2256 2257 /* Get encoded point length */ 2258 i = *p; 2259 p += 1; 2260 if (EC_POINT_oct2point(group, 2261 clnt_ecpoint, p, i, bn_ctx) == 0) 2262 { 2263 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2264 ERR_R_EC_LIB); 2265 goto err; 2266 } 2267 /* p is pointing to somewhere in the buffer 2268 * currently, so set it to the start 2269 */ 2270 p=(unsigned char *)s->init_buf->data; 2271 } 2272 2273 /* Compute the shared pre-master secret */ 2274 field_size = EC_GROUP_get_degree(group); 2275 if (field_size <= 0) 2276 { 2277 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2278 ERR_R_ECDH_LIB); 2279 goto err; 2280 } 2281 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2282 if (i <= 0) 2283 { 2284 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2285 ERR_R_ECDH_LIB); 2286 goto err; 2287 } 2288 2289 EVP_PKEY_free(clnt_pub_pkey); 2290 EC_POINT_free(clnt_ecpoint); 2291 if (srvr_ecdh != NULL) 2292 EC_KEY_free(srvr_ecdh); 2293 BN_CTX_free(bn_ctx); 2294 2295 /* Compute the master secret */ 2296 s->session->master_key_length = s->method->ssl3_enc-> \ 2297 generate_master_secret(s, s->session->master_key, p, i); 2298 2299 OPENSSL_cleanse(p, i); 2300 return (ret); 2301 } 2302 else 2303 #endif 2304 { 2305 al=SSL_AD_HANDSHAKE_FAILURE; 2306 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2307 SSL_R_UNKNOWN_CIPHER_TYPE); 2308 goto f_err; 2309 } 2310 2311 return(1); 2312 f_err: 2313 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2314 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2315 err: 2316 #endif 2317 #ifndef OPENSSL_NO_ECDH 2318 EVP_PKEY_free(clnt_pub_pkey); 2319 EC_POINT_free(clnt_ecpoint); 2320 if (srvr_ecdh != NULL) 2321 EC_KEY_free(srvr_ecdh); 2322 BN_CTX_free(bn_ctx); 2323 #endif 2324 return(-1); 2325 } 2326 2327 int ssl3_get_cert_verify(SSL *s) 2328 { 2329 EVP_PKEY *pkey=NULL; 2330 unsigned char *p; 2331 int al,ok,ret=0; 2332 long n; 2333 int type=0,i,j; 2334 X509 *peer; 2335 2336 n=s->method->ssl_get_message(s, 2337 SSL3_ST_SR_CERT_VRFY_A, 2338 SSL3_ST_SR_CERT_VRFY_B, 2339 -1, 2340 514, /* 514? */ 2341 &ok); 2342 2343 if (!ok) return((int)n); 2344 2345 if (s->session->peer != NULL) 2346 { 2347 peer=s->session->peer; 2348 pkey=X509_get_pubkey(peer); 2349 type=X509_certificate_type(peer,pkey); 2350 } 2351 else 2352 { 2353 peer=NULL; 2354 pkey=NULL; 2355 } 2356 2357 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2358 { 2359 s->s3->tmp.reuse_message=1; 2360 if ((peer != NULL) && (type | EVP_PKT_SIGN)) 2361 { 2362 al=SSL_AD_UNEXPECTED_MESSAGE; 2363 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2364 goto f_err; 2365 } 2366 ret=1; 2367 goto end; 2368 } 2369 2370 if (peer == NULL) 2371 { 2372 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2373 al=SSL_AD_UNEXPECTED_MESSAGE; 2374 goto f_err; 2375 } 2376 2377 if (!(type & EVP_PKT_SIGN)) 2378 { 2379 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2380 al=SSL_AD_ILLEGAL_PARAMETER; 2381 goto f_err; 2382 } 2383 2384 if (s->s3->change_cipher_spec) 2385 { 2386 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2387 al=SSL_AD_UNEXPECTED_MESSAGE; 2388 goto f_err; 2389 } 2390 2391 /* we now have a signature that we need to verify */ 2392 p=(unsigned char *)s->init_msg; 2393 n2s(p,i); 2394 n-=2; 2395 if (i > n) 2396 { 2397 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2398 al=SSL_AD_DECODE_ERROR; 2399 goto f_err; 2400 } 2401 2402 j=EVP_PKEY_size(pkey); 2403 if ((i > j) || (n > j) || (n <= 0)) 2404 { 2405 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 2406 al=SSL_AD_DECODE_ERROR; 2407 goto f_err; 2408 } 2409 2410 #ifndef OPENSSL_NO_RSA 2411 if (pkey->type == EVP_PKEY_RSA) 2412 { 2413 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2414 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2415 pkey->pkey.rsa); 2416 if (i < 0) 2417 { 2418 al=SSL_AD_DECRYPT_ERROR; 2419 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 2420 goto f_err; 2421 } 2422 if (i == 0) 2423 { 2424 al=SSL_AD_DECRYPT_ERROR; 2425 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 2426 goto f_err; 2427 } 2428 } 2429 else 2430 #endif 2431 #ifndef OPENSSL_NO_DSA 2432 if (pkey->type == EVP_PKEY_DSA) 2433 { 2434 j=DSA_verify(pkey->save_type, 2435 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2436 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2437 if (j <= 0) 2438 { 2439 /* bad signature */ 2440 al=SSL_AD_DECRYPT_ERROR; 2441 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2442 goto f_err; 2443 } 2444 } 2445 else 2446 #endif 2447 #ifndef OPENSSL_NO_ECDSA 2448 if (pkey->type == EVP_PKEY_EC) 2449 { 2450 j=ECDSA_verify(pkey->save_type, 2451 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2452 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2453 if (j <= 0) 2454 { 2455 /* bad signature */ 2456 al=SSL_AD_DECRYPT_ERROR; 2457 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2458 SSL_R_BAD_ECDSA_SIGNATURE); 2459 goto f_err; 2460 } 2461 } 2462 else 2463 #endif 2464 { 2465 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2466 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2467 goto f_err; 2468 } 2469 2470 2471 ret=1; 2472 if (0) 2473 { 2474 f_err: 2475 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2476 } 2477 end: 2478 EVP_PKEY_free(pkey); 2479 return(ret); 2480 } 2481 2482 int ssl3_get_client_certificate(SSL *s) 2483 { 2484 int i,ok,al,ret= -1; 2485 X509 *x=NULL; 2486 unsigned long l,nc,llen,n; 2487 const unsigned char *p,*q; 2488 unsigned char *d; 2489 STACK_OF(X509) *sk=NULL; 2490 2491 n=s->method->ssl_get_message(s, 2492 SSL3_ST_SR_CERT_A, 2493 SSL3_ST_SR_CERT_B, 2494 -1, 2495 s->max_cert_list, 2496 &ok); 2497 2498 if (!ok) return((int)n); 2499 2500 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2501 { 2502 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2503 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2504 { 2505 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2506 al=SSL_AD_HANDSHAKE_FAILURE; 2507 goto f_err; 2508 } 2509 /* If tls asked for a client cert, the client must return a 0 list */ 2510 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2511 { 2512 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2513 al=SSL_AD_UNEXPECTED_MESSAGE; 2514 goto f_err; 2515 } 2516 s->s3->tmp.reuse_message=1; 2517 return(1); 2518 } 2519 2520 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2521 { 2522 al=SSL_AD_UNEXPECTED_MESSAGE; 2523 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 2524 goto f_err; 2525 } 2526 p=d=(unsigned char *)s->init_msg; 2527 2528 if ((sk=sk_X509_new_null()) == NULL) 2529 { 2530 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2531 goto err; 2532 } 2533 2534 n2l3(p,llen); 2535 if (llen+3 != n) 2536 { 2537 al=SSL_AD_DECODE_ERROR; 2538 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 2539 goto f_err; 2540 } 2541 for (nc=0; nc<llen; ) 2542 { 2543 n2l3(p,l); 2544 if ((l+nc+3) > llen) 2545 { 2546 al=SSL_AD_DECODE_ERROR; 2547 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2548 goto f_err; 2549 } 2550 2551 q=p; 2552 x=d2i_X509(NULL,&p,l); 2553 if (x == NULL) 2554 { 2555 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); 2556 goto err; 2557 } 2558 if (p != (q+l)) 2559 { 2560 al=SSL_AD_DECODE_ERROR; 2561 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2562 goto f_err; 2563 } 2564 if (!sk_X509_push(sk,x)) 2565 { 2566 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2567 goto err; 2568 } 2569 x=NULL; 2570 nc+=l+3; 2571 } 2572 2573 if (sk_X509_num(sk) <= 0) 2574 { 2575 /* TLS does not mind 0 certs returned */ 2576 if (s->version == SSL3_VERSION) 2577 { 2578 al=SSL_AD_HANDSHAKE_FAILURE; 2579 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); 2580 goto f_err; 2581 } 2582 /* Fail for TLS only if we required a certificate */ 2583 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2584 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2585 { 2586 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2587 al=SSL_AD_HANDSHAKE_FAILURE; 2588 goto f_err; 2589 } 2590 } 2591 else 2592 { 2593 i=ssl_verify_cert_chain(s,sk); 2594 if (i <= 0) 2595 { 2596 al=ssl_verify_alarm_type(s->verify_result); 2597 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); 2598 goto f_err; 2599 } 2600 } 2601 2602 if (s->session->peer != NULL) /* This should not be needed */ 2603 X509_free(s->session->peer); 2604 s->session->peer=sk_X509_shift(sk); 2605 s->session->verify_result = s->verify_result; 2606 2607 /* With the current implementation, sess_cert will always be NULL 2608 * when we arrive here. */ 2609 if (s->session->sess_cert == NULL) 2610 { 2611 s->session->sess_cert = ssl_sess_cert_new(); 2612 if (s->session->sess_cert == NULL) 2613 { 2614 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 2615 goto err; 2616 } 2617 } 2618 if (s->session->sess_cert->cert_chain != NULL) 2619 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2620 s->session->sess_cert->cert_chain=sk; 2621 /* Inconsistency alert: cert_chain does *not* include the 2622 * peer's own certificate, while we do include it in s3_clnt.c */ 2623 2624 sk=NULL; 2625 2626 ret=1; 2627 if (0) 2628 { 2629 f_err: 2630 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2631 } 2632 err: 2633 if (x != NULL) X509_free(x); 2634 if (sk != NULL) sk_X509_pop_free(sk,X509_free); 2635 return(ret); 2636 } 2637 2638 int ssl3_send_server_certificate(SSL *s) 2639 { 2640 unsigned long l; 2641 X509 *x; 2642 2643 if (s->state == SSL3_ST_SW_CERT_A) 2644 { 2645 x=ssl_get_server_send_cert(s); 2646 if (x == NULL && 2647 /* VRS: allow null cert if auth == KRB5 */ 2648 (s->s3->tmp.new_cipher->algorithms 2649 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 2650 != (SSL_aKRB5|SSL_kKRB5)) 2651 { 2652 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 2653 return(0); 2654 } 2655 2656 l=ssl3_output_cert_chain(s,x); 2657 s->state=SSL3_ST_SW_CERT_B; 2658 s->init_num=(int)l; 2659 s->init_off=0; 2660 } 2661 2662 /* SSL3_ST_SW_CERT_B */ 2663 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2664 } 2665 2666 2667 #ifndef OPENSSL_NO_ECDH 2668 /* This is the complement of curve_id2nid in s3_clnt.c. */ 2669 static int nid2curve_id(int nid) 2670 { 2671 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) 2672 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ 2673 switch (nid) { 2674 case NID_sect163k1: /* sect163k1 (1) */ 2675 return 1; 2676 case NID_sect163r1: /* sect163r1 (2) */ 2677 return 2; 2678 case NID_sect163r2: /* sect163r2 (3) */ 2679 return 3; 2680 case NID_sect193r1: /* sect193r1 (4) */ 2681 return 4; 2682 case NID_sect193r2: /* sect193r2 (5) */ 2683 return 5; 2684 case NID_sect233k1: /* sect233k1 (6) */ 2685 return 6; 2686 case NID_sect233r1: /* sect233r1 (7) */ 2687 return 7; 2688 case NID_sect239k1: /* sect239k1 (8) */ 2689 return 8; 2690 case NID_sect283k1: /* sect283k1 (9) */ 2691 return 9; 2692 case NID_sect283r1: /* sect283r1 (10) */ 2693 return 10; 2694 case NID_sect409k1: /* sect409k1 (11) */ 2695 return 11; 2696 case NID_sect409r1: /* sect409r1 (12) */ 2697 return 12; 2698 case NID_sect571k1: /* sect571k1 (13) */ 2699 return 13; 2700 case NID_sect571r1: /* sect571r1 (14) */ 2701 return 14; 2702 case NID_secp160k1: /* secp160k1 (15) */ 2703 return 15; 2704 case NID_secp160r1: /* secp160r1 (16) */ 2705 return 16; 2706 case NID_secp160r2: /* secp160r2 (17) */ 2707 return 17; 2708 case NID_secp192k1: /* secp192k1 (18) */ 2709 return 18; 2710 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 2711 return 19; 2712 case NID_secp224k1: /* secp224k1 (20) */ 2713 return 20; 2714 case NID_secp224r1: /* secp224r1 (21) */ 2715 return 21; 2716 case NID_secp256k1: /* secp256k1 (22) */ 2717 return 22; 2718 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 2719 return 23; 2720 case NID_secp384r1: /* secp384r1 (24) */ 2721 return 24; 2722 case NID_secp521r1: /* secp521r1 (25) */ 2723 return 25; 2724 default: 2725 return 0; 2726 } 2727 } 2728 #endif 2729 #ifndef OPENSSL_NO_TLSEXT 2730 int ssl3_send_newsession_ticket(SSL *s) 2731 { 2732 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 2733 { 2734 unsigned char *p, *senc, *macstart; 2735 int len, slen; 2736 unsigned int hlen; 2737 EVP_CIPHER_CTX ctx; 2738 HMAC_CTX hctx; 2739 SSL_CTX *tctx = s->initial_ctx; 2740 unsigned char iv[EVP_MAX_IV_LENGTH]; 2741 unsigned char key_name[16]; 2742 2743 /* get session encoding length */ 2744 slen = i2d_SSL_SESSION(s->session, NULL); 2745 /* Some length values are 16 bits, so forget it if session is 2746 * too long 2747 */ 2748 if (slen > 0xFF00) 2749 return -1; 2750 /* Grow buffer if need be: the length calculation is as 2751 * follows 1 (size of message name) + 3 (message length 2752 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 2753 * 16 (key name) + max_iv_len (iv length) + 2754 * session_length + max_enc_block_size (max encrypted session 2755 * length) + max_md_size (HMAC). 2756 */ 2757 if (!BUF_MEM_grow(s->init_buf, 2758 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 2759 EVP_MAX_MD_SIZE + slen)) 2760 return -1; 2761 senc = OPENSSL_malloc(slen); 2762 if (!senc) 2763 return -1; 2764 p = senc; 2765 i2d_SSL_SESSION(s->session, &p); 2766 2767 p=(unsigned char *)s->init_buf->data; 2768 /* do the header */ 2769 *(p++)=SSL3_MT_NEWSESSION_TICKET; 2770 /* Skip message length for now */ 2771 p += 3; 2772 EVP_CIPHER_CTX_init(&ctx); 2773 HMAC_CTX_init(&hctx); 2774 /* Initialize HMAC and cipher contexts. If callback present 2775 * it does all the work otherwise use generated values 2776 * from parent ctx. 2777 */ 2778 if (tctx->tlsext_ticket_key_cb) 2779 { 2780 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 2781 &hctx, 1) < 0) 2782 { 2783 OPENSSL_free(senc); 2784 return -1; 2785 } 2786 } 2787 else 2788 { 2789 RAND_pseudo_bytes(iv, 16); 2790 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2791 tctx->tlsext_tick_aes_key, iv); 2792 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2793 tlsext_tick_md(), NULL); 2794 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 2795 } 2796 l2n(s->session->tlsext_tick_lifetime_hint, p); 2797 /* Skip ticket length for now */ 2798 p += 2; 2799 /* Output key name */ 2800 macstart = p; 2801 memcpy(p, key_name, 16); 2802 p += 16; 2803 /* output IV */ 2804 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 2805 p += EVP_CIPHER_CTX_iv_length(&ctx); 2806 /* Encrypt session data */ 2807 EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 2808 p += len; 2809 EVP_EncryptFinal(&ctx, p, &len); 2810 p += len; 2811 EVP_CIPHER_CTX_cleanup(&ctx); 2812 2813 HMAC_Update(&hctx, macstart, p - macstart); 2814 HMAC_Final(&hctx, p, &hlen); 2815 HMAC_CTX_cleanup(&hctx); 2816 2817 p += hlen; 2818 /* Now write out lengths: p points to end of data written */ 2819 /* Total length */ 2820 len = p - (unsigned char *)s->init_buf->data; 2821 p=(unsigned char *)s->init_buf->data + 1; 2822 l2n3(len - 4, p); /* Message length */ 2823 p += 4; 2824 s2n(len - 10, p); /* Ticket length */ 2825 2826 /* number of bytes to write */ 2827 s->init_num= len; 2828 s->state=SSL3_ST_SW_SESSION_TICKET_B; 2829 s->init_off=0; 2830 OPENSSL_free(senc); 2831 } 2832 2833 /* SSL3_ST_SW_SESSION_TICKET_B */ 2834 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2835 } 2836 2837 int ssl3_send_cert_status(SSL *s) 2838 { 2839 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 2840 { 2841 unsigned char *p; 2842 /* Grow buffer if need be: the length calculation is as 2843 * follows 1 (message type) + 3 (message length) + 2844 * 1 (ocsp response type) + 3 (ocsp response length) 2845 * + (ocsp response) 2846 */ 2847 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 2848 return -1; 2849 2850 p=(unsigned char *)s->init_buf->data; 2851 2852 /* do the header */ 2853 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 2854 /* message length */ 2855 l2n3(s->tlsext_ocsp_resplen + 4, p); 2856 /* status type */ 2857 *(p++)= s->tlsext_status_type; 2858 /* length of OCSP response */ 2859 l2n3(s->tlsext_ocsp_resplen, p); 2860 /* actual response */ 2861 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 2862 /* number of bytes to write */ 2863 s->init_num = 8 + s->tlsext_ocsp_resplen; 2864 s->state=SSL3_ST_SW_CERT_STATUS_B; 2865 s->init_off = 0; 2866 } 2867 2868 /* SSL3_ST_SW_CERT_STATUS_B */ 2869 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2870 } 2871 #endif 2872