1 /* ssl/s3_clnt.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <stdio.h> 152 #include "ssl_locl.h" 153 #include "kssl_lcl.h" 154 #include <openssl/buffer.h> 155 #include <openssl/rand.h> 156 #include <openssl/objects.h> 157 #include <openssl/evp.h> 158 #include <openssl/md5.h> 159 #ifndef OPENSSL_NO_DH 160 #include <openssl/dh.h> 161 #endif 162 #include <openssl/bn.h> 163 #ifndef OPENSSL_NO_ENGINE 164 #include <openssl/engine.h> 165 #endif 166 167 static const SSL_METHOD *ssl3_get_client_method(int ver); 168 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 169 170 static const SSL_METHOD *ssl3_get_client_method(int ver) 171 { 172 if (ver == SSL3_VERSION) 173 return(SSLv3_client_method()); 174 else 175 return(NULL); 176 } 177 178 IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 179 ssl_undefined_function, 180 ssl3_connect, 181 ssl3_get_client_method) 182 183 int ssl3_connect(SSL *s) 184 { 185 BUF_MEM *buf=NULL; 186 unsigned long Time=(unsigned long)time(NULL); 187 void (*cb)(const SSL *ssl,int type,int val)=NULL; 188 int ret= -1; 189 int new_state,state,skip=0; 190 191 RAND_add(&Time,sizeof(Time),0); 192 ERR_clear_error(); 193 clear_sys_error(); 194 195 if (s->info_callback != NULL) 196 cb=s->info_callback; 197 else if (s->ctx->info_callback != NULL) 198 cb=s->ctx->info_callback; 199 200 s->in_handshake++; 201 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 202 #if 0 /* Send app data in separate packet, otherwise, some particular site 203 * (only one site so far) closes the socket. 204 * Note: there is a very small chance that two TCP packets 205 * could be arriving at server combined into a single TCP packet, 206 * then trigger that site to break. We haven't encounter that though. 207 */ 208 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 209 { 210 /* Send app data along with CCS/Finished */ 211 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; 212 } 213 #endif 214 215 for (;;) 216 { 217 state=s->state; 218 219 switch(s->state) 220 { 221 case SSL_ST_RENEGOTIATE: 222 s->new_session=1; 223 s->state=SSL_ST_CONNECT; 224 s->ctx->stats.sess_connect_renegotiate++; 225 /* break */ 226 case SSL_ST_BEFORE: 227 case SSL_ST_CONNECT: 228 case SSL_ST_BEFORE|SSL_ST_CONNECT: 229 case SSL_ST_OK|SSL_ST_CONNECT: 230 231 s->server=0; 232 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 233 234 if ((s->version & 0xff00 ) != 0x0300) 235 { 236 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 237 ret = -1; 238 goto end; 239 } 240 241 /* s->version=SSL3_VERSION; */ 242 s->type=SSL_ST_CONNECT; 243 244 if (s->init_buf == NULL) 245 { 246 if ((buf=BUF_MEM_new()) == NULL) 247 { 248 ret= -1; 249 goto end; 250 } 251 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 252 { 253 ret= -1; 254 goto end; 255 } 256 s->init_buf=buf; 257 buf=NULL; 258 } 259 260 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 261 262 /* setup buffing BIO */ 263 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 264 265 /* don't push the buffering BIO quite yet */ 266 267 ssl3_init_finished_mac(s); 268 269 s->state=SSL3_ST_CW_CLNT_HELLO_A; 270 s->ctx->stats.sess_connect++; 271 s->init_num=0; 272 break; 273 274 case SSL3_ST_CW_CLNT_HELLO_A: 275 case SSL3_ST_CW_CLNT_HELLO_B: 276 277 s->shutdown=0; 278 ret=ssl3_client_hello(s); 279 if (ret <= 0) goto end; 280 s->state=SSL3_ST_CR_SRVR_HELLO_A; 281 s->init_num=0; 282 283 /* turn on buffering for the next lot of output */ 284 if (s->bbio != s->wbio) 285 s->wbio=BIO_push(s->bbio,s->wbio); 286 287 break; 288 289 case SSL3_ST_CR_SRVR_HELLO_A: 290 case SSL3_ST_CR_SRVR_HELLO_B: 291 ret=ssl3_get_server_hello(s); 292 if (ret <= 0) goto end; 293 294 if (s->hit) 295 s->state=SSL3_ST_CR_FINISHED_A; 296 else 297 s->state=SSL3_ST_CR_CERT_A; 298 s->init_num=0; 299 break; 300 301 case SSL3_ST_CR_CERT_A: 302 case SSL3_ST_CR_CERT_B: 303 #ifndef OPENSSL_NO_TLSEXT 304 ret=ssl3_check_finished(s); 305 if (ret <= 0) goto end; 306 if (ret == 2) 307 { 308 s->hit = 1; 309 if (s->tlsext_ticket_expected) 310 s->state=SSL3_ST_CR_SESSION_TICKET_A; 311 else 312 s->state=SSL3_ST_CR_FINISHED_A; 313 s->init_num=0; 314 break; 315 } 316 #endif 317 /* Check if it is anon DH/ECDH */ 318 /* or PSK */ 319 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 320 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 321 { 322 ret=ssl3_get_server_certificate(s); 323 if (ret <= 0) goto end; 324 #ifndef OPENSSL_NO_TLSEXT 325 if (s->tlsext_status_expected) 326 s->state=SSL3_ST_CR_CERT_STATUS_A; 327 else 328 s->state=SSL3_ST_CR_KEY_EXCH_A; 329 } 330 else 331 { 332 skip = 1; 333 s->state=SSL3_ST_CR_KEY_EXCH_A; 334 } 335 #else 336 } 337 else 338 skip=1; 339 340 s->state=SSL3_ST_CR_KEY_EXCH_A; 341 #endif 342 s->init_num=0; 343 break; 344 345 case SSL3_ST_CR_KEY_EXCH_A: 346 case SSL3_ST_CR_KEY_EXCH_B: 347 ret=ssl3_get_key_exchange(s); 348 if (ret <= 0) goto end; 349 s->state=SSL3_ST_CR_CERT_REQ_A; 350 s->init_num=0; 351 352 /* at this point we check that we have the 353 * required stuff from the server */ 354 if (!ssl3_check_cert_and_algorithm(s)) 355 { 356 ret= -1; 357 goto end; 358 } 359 break; 360 361 case SSL3_ST_CR_CERT_REQ_A: 362 case SSL3_ST_CR_CERT_REQ_B: 363 ret=ssl3_get_certificate_request(s); 364 if (ret <= 0) goto end; 365 s->state=SSL3_ST_CR_SRVR_DONE_A; 366 s->init_num=0; 367 break; 368 369 case SSL3_ST_CR_SRVR_DONE_A: 370 case SSL3_ST_CR_SRVR_DONE_B: 371 ret=ssl3_get_server_done(s); 372 if (ret <= 0) goto end; 373 if (s->s3->tmp.cert_req) 374 s->state=SSL3_ST_CW_CERT_A; 375 else 376 s->state=SSL3_ST_CW_KEY_EXCH_A; 377 s->init_num=0; 378 379 break; 380 381 case SSL3_ST_CW_CERT_A: 382 case SSL3_ST_CW_CERT_B: 383 case SSL3_ST_CW_CERT_C: 384 case SSL3_ST_CW_CERT_D: 385 ret=ssl3_send_client_certificate(s); 386 if (ret <= 0) goto end; 387 s->state=SSL3_ST_CW_KEY_EXCH_A; 388 s->init_num=0; 389 break; 390 391 case SSL3_ST_CW_KEY_EXCH_A: 392 case SSL3_ST_CW_KEY_EXCH_B: 393 ret=ssl3_send_client_key_exchange(s); 394 if (ret <= 0) goto end; 395 /* EAY EAY EAY need to check for DH fix cert 396 * sent back */ 397 /* For TLS, cert_req is set to 2, so a cert chain 398 * of nothing is sent, but no verify packet is sent */ 399 /* XXX: For now, we do not support client 400 * authentication in ECDH cipher suites with 401 * ECDH (rather than ECDSA) certificates. 402 * We need to skip the certificate verify 403 * message when client's ECDH public key is sent 404 * inside the client certificate. 405 */ 406 if (s->s3->tmp.cert_req == 1) 407 { 408 s->state=SSL3_ST_CW_CERT_VRFY_A; 409 } 410 else 411 { 412 s->state=SSL3_ST_CW_CHANGE_A; 413 s->s3->change_cipher_spec=0; 414 } 415 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 416 { 417 s->state=SSL3_ST_CW_CHANGE_A; 418 s->s3->change_cipher_spec=0; 419 } 420 421 s->init_num=0; 422 break; 423 424 case SSL3_ST_CW_CERT_VRFY_A: 425 case SSL3_ST_CW_CERT_VRFY_B: 426 ret=ssl3_send_client_verify(s); 427 if (ret <= 0) goto end; 428 s->state=SSL3_ST_CW_CHANGE_A; 429 s->init_num=0; 430 s->s3->change_cipher_spec=0; 431 break; 432 433 case SSL3_ST_CW_CHANGE_A: 434 case SSL3_ST_CW_CHANGE_B: 435 ret=ssl3_send_change_cipher_spec(s, 436 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 437 if (ret <= 0) goto end; 438 s->state=SSL3_ST_CW_FINISHED_A; 439 s->init_num=0; 440 441 s->session->cipher=s->s3->tmp.new_cipher; 442 #ifdef OPENSSL_NO_COMP 443 s->session->compress_meth=0; 444 #else 445 if (s->s3->tmp.new_compression == NULL) 446 s->session->compress_meth=0; 447 else 448 s->session->compress_meth= 449 s->s3->tmp.new_compression->id; 450 #endif 451 if (!s->method->ssl3_enc->setup_key_block(s)) 452 { 453 ret= -1; 454 goto end; 455 } 456 457 if (!s->method->ssl3_enc->change_cipher_state(s, 458 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 459 { 460 ret= -1; 461 goto end; 462 } 463 464 break; 465 466 case SSL3_ST_CW_FINISHED_A: 467 case SSL3_ST_CW_FINISHED_B: 468 ret=ssl3_send_finished(s, 469 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 470 s->method->ssl3_enc->client_finished_label, 471 s->method->ssl3_enc->client_finished_label_len); 472 if (ret <= 0) goto end; 473 s->state=SSL3_ST_CW_FLUSH; 474 475 /* clear flags */ 476 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 477 if (s->hit) 478 { 479 s->s3->tmp.next_state=SSL_ST_OK; 480 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 481 { 482 s->state=SSL_ST_OK; 483 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 484 s->s3->delay_buf_pop_ret=0; 485 } 486 } 487 else 488 { 489 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128 490 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ 491 ) 492 { 493 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 494 { 495 s->state=SSL3_ST_CUTTHROUGH_COMPLETE; 496 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 497 s->s3->delay_buf_pop_ret=0; 498 } 499 else 500 { 501 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE; 502 } 503 } 504 else 505 { 506 #ifndef OPENSSL_NO_TLSEXT 507 /* Allow NewSessionTicket if ticket expected */ 508 if (s->tlsext_ticket_expected) 509 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 510 else 511 #endif 512 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 513 } 514 } 515 s->init_num=0; 516 break; 517 518 #ifndef OPENSSL_NO_TLSEXT 519 case SSL3_ST_CR_SESSION_TICKET_A: 520 case SSL3_ST_CR_SESSION_TICKET_B: 521 ret=ssl3_get_new_session_ticket(s); 522 if (ret <= 0) goto end; 523 s->state=SSL3_ST_CR_FINISHED_A; 524 s->init_num=0; 525 break; 526 527 case SSL3_ST_CR_CERT_STATUS_A: 528 case SSL3_ST_CR_CERT_STATUS_B: 529 ret=ssl3_get_cert_status(s); 530 if (ret <= 0) goto end; 531 s->state=SSL3_ST_CR_KEY_EXCH_A; 532 s->init_num=0; 533 break; 534 #endif 535 536 case SSL3_ST_CR_FINISHED_A: 537 case SSL3_ST_CR_FINISHED_B: 538 539 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 540 SSL3_ST_CR_FINISHED_B); 541 if (ret <= 0) goto end; 542 543 if (s->hit) 544 s->state=SSL3_ST_CW_CHANGE_A; 545 else 546 s->state=SSL_ST_OK; 547 s->init_num=0; 548 break; 549 550 case SSL3_ST_CW_FLUSH: 551 s->rwstate=SSL_WRITING; 552 if (BIO_flush(s->wbio) <= 0) 553 { 554 ret= -1; 555 goto end; 556 } 557 s->rwstate=SSL_NOTHING; 558 s->state=s->s3->tmp.next_state; 559 break; 560 561 case SSL3_ST_CUTTHROUGH_COMPLETE: 562 #ifndef OPENSSL_NO_TLSEXT 563 /* Allow NewSessionTicket if ticket expected */ 564 if (s->tlsext_ticket_expected) 565 s->state=SSL3_ST_CR_SESSION_TICKET_A; 566 else 567 #endif 568 s->state=SSL3_ST_CR_FINISHED_A; 569 570 /* SSL_write() will take care of flushing buffered data if 571 * DELAY_CLIENT_FINISHED is set. 572 */ 573 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) 574 ssl_free_wbio_buffer(s); 575 ret = 1; 576 goto end; 577 /* break; */ 578 579 case SSL_ST_OK: 580 /* clean a few things up */ 581 ssl3_cleanup_key_block(s); 582 583 if (s->init_buf != NULL) 584 { 585 BUF_MEM_free(s->init_buf); 586 s->init_buf=NULL; 587 } 588 589 /* If we are not 'joining' the last two packets, 590 * remove the buffering now */ 591 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 592 ssl_free_wbio_buffer(s); 593 /* else do it later in ssl3_write */ 594 595 s->init_num=0; 596 s->new_session=0; 597 598 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 599 if (s->hit) s->ctx->stats.sess_hit++; 600 601 ret=1; 602 /* s->server=0; */ 603 s->handshake_func=ssl3_connect; 604 s->ctx->stats.sess_connect_good++; 605 606 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 607 608 goto end; 609 /* break; */ 610 611 default: 612 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 613 ret= -1; 614 goto end; 615 /* break; */ 616 } 617 618 /* did we do anything */ 619 if (!s->s3->tmp.reuse_message && !skip) 620 { 621 if (s->debug) 622 { 623 if ((ret=BIO_flush(s->wbio)) <= 0) 624 goto end; 625 } 626 627 if ((cb != NULL) && (s->state != state)) 628 { 629 new_state=s->state; 630 s->state=state; 631 cb(s,SSL_CB_CONNECT_LOOP,1); 632 s->state=new_state; 633 } 634 } 635 skip=0; 636 } 637 end: 638 s->in_handshake--; 639 if (buf != NULL) 640 BUF_MEM_free(buf); 641 if (cb != NULL) 642 cb(s,SSL_CB_CONNECT_EXIT,ret); 643 return(ret); 644 } 645 646 647 int ssl3_client_hello(SSL *s) 648 { 649 unsigned char *buf; 650 unsigned char *p,*d; 651 int i; 652 unsigned long Time,l; 653 #ifndef OPENSSL_NO_COMP 654 int j; 655 SSL_COMP *comp; 656 #endif 657 658 buf=(unsigned char *)s->init_buf->data; 659 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 660 { 661 SSL_SESSION *sess = s->session; 662 if ((sess == NULL) || 663 (sess->ssl_version != s->version) || 664 #ifdef OPENSSL_NO_TLSEXT 665 !sess->session_id_length || 666 #else 667 (!sess->session_id_length && !sess->tlsext_tick) || 668 #endif 669 (sess->not_resumable)) 670 { 671 if (!s->session_creation_enabled) 672 { 673 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 674 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 675 goto err; 676 } 677 if (!ssl_get_new_session(s,0)) 678 goto err; 679 } 680 /* else use the pre-loaded session */ 681 682 p=s->s3->client_random; 683 Time=(unsigned long)time(NULL); /* Time */ 684 l2n(Time,p); 685 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 686 goto err; 687 688 /* Do the message type and length last */ 689 d=p= &(buf[4]); 690 691 *(p++)=s->version>>8; 692 *(p++)=s->version&0xff; 693 s->client_version=s->version; 694 695 /* Random stuff */ 696 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 697 p+=SSL3_RANDOM_SIZE; 698 699 /* Session ID */ 700 if (s->new_session) 701 i=0; 702 else 703 i=s->session->session_id_length; 704 *(p++)=i; 705 if (i != 0) 706 { 707 if (i > (int)sizeof(s->session->session_id)) 708 { 709 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 710 goto err; 711 } 712 memcpy(p,s->session->session_id,i); 713 p+=i; 714 } 715 716 /* Ciphers supported */ 717 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 718 if (i == 0) 719 { 720 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 721 goto err; 722 } 723 s2n(i,p); 724 p+=i; 725 726 /* COMPRESSION */ 727 #ifdef OPENSSL_NO_COMP 728 *(p++)=1; 729 #else 730 731 if ((s->options & SSL_OP_NO_COMPRESSION) 732 || !s->ctx->comp_methods) 733 j=0; 734 else 735 j=sk_SSL_COMP_num(s->ctx->comp_methods); 736 *(p++)=1+j; 737 for (i=0; i<j; i++) 738 { 739 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 740 *(p++)=comp->id; 741 } 742 #endif 743 *(p++)=0; /* Add the NULL method */ 744 745 #ifndef OPENSSL_NO_TLSEXT 746 /* TLS extensions*/ 747 if (ssl_prepare_clienthello_tlsext(s) <= 0) 748 { 749 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 750 goto err; 751 } 752 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 753 { 754 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 755 goto err; 756 } 757 #endif 758 759 l=(p-d); 760 d=buf; 761 *(d++)=SSL3_MT_CLIENT_HELLO; 762 l2n3(l,d); 763 764 s->state=SSL3_ST_CW_CLNT_HELLO_B; 765 /* number of bytes to write */ 766 s->init_num=p-buf; 767 s->init_off=0; 768 } 769 770 /* SSL3_ST_CW_CLNT_HELLO_B */ 771 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 772 err: 773 return(-1); 774 } 775 776 int ssl3_get_server_hello(SSL *s) 777 { 778 STACK_OF(SSL_CIPHER) *sk; 779 const SSL_CIPHER *c; 780 unsigned char *p,*d; 781 int i,al,ok; 782 unsigned int j; 783 long n; 784 #ifndef OPENSSL_NO_COMP 785 SSL_COMP *comp; 786 #endif 787 788 n=s->method->ssl_get_message(s, 789 SSL3_ST_CR_SRVR_HELLO_A, 790 SSL3_ST_CR_SRVR_HELLO_B, 791 -1, 792 20000, /* ?? */ 793 &ok); 794 795 if (!ok) return((int)n); 796 797 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 798 { 799 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 800 { 801 if ( s->d1->send_cookie == 0) 802 { 803 s->s3->tmp.reuse_message = 1; 804 return 1; 805 } 806 else /* already sent a cookie */ 807 { 808 al=SSL_AD_UNEXPECTED_MESSAGE; 809 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 810 goto f_err; 811 } 812 } 813 } 814 815 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 816 { 817 al=SSL_AD_UNEXPECTED_MESSAGE; 818 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 819 goto f_err; 820 } 821 822 d=p=(unsigned char *)s->init_msg; 823 824 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 825 { 826 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 827 s->version=(s->version&0xff00)|p[1]; 828 al=SSL_AD_PROTOCOL_VERSION; 829 goto f_err; 830 } 831 p+=2; 832 833 /* load the server hello data */ 834 /* load the server random */ 835 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 836 p+=SSL3_RANDOM_SIZE; 837 838 /* get the session-id */ 839 j= *(p++); 840 841 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 842 { 843 al=SSL_AD_ILLEGAL_PARAMETER; 844 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 845 goto f_err; 846 } 847 848 #ifndef OPENSSL_NO_TLSEXT 849 /* check if we want to resume the session based on external pre-shared secret */ 850 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 851 { 852 SSL_CIPHER *pref_cipher=NULL; 853 s->session->master_key_length=sizeof(s->session->master_key); 854 if (s->tls_session_secret_cb(s, s->session->master_key, 855 &s->session->master_key_length, 856 NULL, &pref_cipher, 857 s->tls_session_secret_cb_arg)) 858 { 859 s->session->cipher = pref_cipher ? 860 pref_cipher : ssl_get_cipher_by_char(s, p+j); 861 } 862 } 863 #endif /* OPENSSL_NO_TLSEXT */ 864 865 if (j != 0 && j == s->session->session_id_length 866 && memcmp(p,s->session->session_id,j) == 0) 867 { 868 if(s->sid_ctx_length != s->session->sid_ctx_length 869 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 870 { 871 /* actually a client application bug */ 872 al=SSL_AD_ILLEGAL_PARAMETER; 873 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 874 goto f_err; 875 } 876 s->hit=1; 877 } 878 else /* a miss or crap from the other end */ 879 { 880 /* If we were trying for session-id reuse, make a new 881 * SSL_SESSION so we don't stuff up other people */ 882 s->hit=0; 883 if (s->session->session_id_length > 0) 884 { 885 if (!s->session_creation_enabled) 886 { 887 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 889 goto err; 890 } 891 if (!ssl_get_new_session(s,0)) 892 { 893 al=SSL_AD_INTERNAL_ERROR; 894 goto f_err; 895 } 896 } 897 s->session->session_id_length=j; 898 memcpy(s->session->session_id,p,j); /* j could be 0 */ 899 } 900 p+=j; 901 c=ssl_get_cipher_by_char(s,p); 902 if (c == NULL) 903 { 904 /* unknown cipher */ 905 al=SSL_AD_ILLEGAL_PARAMETER; 906 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 907 goto f_err; 908 } 909 p+=ssl_put_cipher_by_char(s,NULL,NULL); 910 911 sk=ssl_get_ciphers_by_id(s); 912 i=sk_SSL_CIPHER_find(sk,c); 913 if (i < 0) 914 { 915 /* we did not say we would use this cipher */ 916 al=SSL_AD_ILLEGAL_PARAMETER; 917 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 918 goto f_err; 919 } 920 921 /* Depending on the session caching (internal/external), the cipher 922 and/or cipher_id values may not be set. Make sure that 923 cipher_id is set and use it for comparison. */ 924 if (s->session->cipher) 925 s->session->cipher_id = s->session->cipher->id; 926 if (s->hit && (s->session->cipher_id != c->id)) 927 { 928 if (!(s->options & 929 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 930 { 931 al=SSL_AD_ILLEGAL_PARAMETER; 932 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 933 goto f_err; 934 } 935 } 936 s->s3->tmp.new_cipher=c; 937 if (!ssl3_digest_cached_records(s)) 938 goto f_err; 939 940 /* lets get the compression algorithm */ 941 /* COMPRESSION */ 942 #ifdef OPENSSL_NO_COMP 943 if (*(p++) != 0) 944 { 945 al=SSL_AD_ILLEGAL_PARAMETER; 946 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 947 goto f_err; 948 } 949 /* If compression is disabled we'd better not try to resume a session 950 * using compression. 951 */ 952 if (s->session->compress_meth != 0) 953 { 954 al=SSL_AD_INTERNAL_ERROR; 955 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 956 goto f_err; 957 } 958 #else 959 j= *(p++); 960 if (s->hit && j != s->session->compress_meth) 961 { 962 al=SSL_AD_ILLEGAL_PARAMETER; 963 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 964 goto f_err; 965 } 966 if (j == 0) 967 comp=NULL; 968 else if (s->options & SSL_OP_NO_COMPRESSION) 969 { 970 al=SSL_AD_ILLEGAL_PARAMETER; 971 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); 972 goto f_err; 973 } 974 else 975 comp=ssl3_comp_find(s->ctx->comp_methods,j); 976 977 if ((j != 0) && (comp == NULL)) 978 { 979 al=SSL_AD_ILLEGAL_PARAMETER; 980 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 981 goto f_err; 982 } 983 else 984 { 985 s->s3->tmp.new_compression=comp; 986 } 987 #endif 988 989 #ifndef OPENSSL_NO_TLSEXT 990 /* TLS extensions*/ 991 if (s->version >= SSL3_VERSION) 992 { 993 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 994 { 995 /* 'al' set by ssl_parse_serverhello_tlsext */ 996 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 997 goto f_err; 998 } 999 if (ssl_check_serverhello_tlsext(s) <= 0) 1000 { 1001 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1002 goto err; 1003 } 1004 } 1005 #endif 1006 1007 if (p != (d+n)) 1008 { 1009 /* wrong packet length */ 1010 al=SSL_AD_DECODE_ERROR; 1011 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1012 goto err; 1013 } 1014 1015 return(1); 1016 f_err: 1017 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1018 err: 1019 return(-1); 1020 } 1021 1022 int ssl3_get_server_certificate(SSL *s) 1023 { 1024 int al,i,ok,ret= -1; 1025 unsigned long n,nc,llen,l; 1026 X509 *x=NULL; 1027 const unsigned char *q,*p; 1028 unsigned char *d; 1029 STACK_OF(X509) *sk=NULL; 1030 SESS_CERT *sc; 1031 EVP_PKEY *pkey=NULL; 1032 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1033 1034 n=s->method->ssl_get_message(s, 1035 SSL3_ST_CR_CERT_A, 1036 SSL3_ST_CR_CERT_B, 1037 -1, 1038 s->max_cert_list, 1039 &ok); 1040 1041 if (!ok) return((int)n); 1042 1043 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1044 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1045 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1046 { 1047 s->s3->tmp.reuse_message=1; 1048 return(1); 1049 } 1050 1051 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1052 { 1053 al=SSL_AD_UNEXPECTED_MESSAGE; 1054 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 1055 goto f_err; 1056 } 1057 p=d=(unsigned char *)s->init_msg; 1058 1059 if ((sk=sk_X509_new_null()) == NULL) 1060 { 1061 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1062 goto err; 1063 } 1064 1065 n2l3(p,llen); 1066 if (llen+3 != n) 1067 { 1068 al=SSL_AD_DECODE_ERROR; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 1070 goto f_err; 1071 } 1072 for (nc=0; nc<llen; ) 1073 { 1074 n2l3(p,l); 1075 if ((l+nc+3) > llen) 1076 { 1077 al=SSL_AD_DECODE_ERROR; 1078 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1079 goto f_err; 1080 } 1081 1082 q=p; 1083 x=d2i_X509(NULL,&q,l); 1084 if (x == NULL) 1085 { 1086 al=SSL_AD_BAD_CERTIFICATE; 1087 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 1088 goto f_err; 1089 } 1090 if (q != (p+l)) 1091 { 1092 al=SSL_AD_DECODE_ERROR; 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1094 goto f_err; 1095 } 1096 if (!sk_X509_push(sk,x)) 1097 { 1098 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1099 goto err; 1100 } 1101 x=NULL; 1102 nc+=l+3; 1103 p=q; 1104 } 1105 1106 i=ssl_verify_cert_chain(s,sk); 1107 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1108 #ifndef OPENSSL_NO_KRB5 1109 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1110 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1111 #endif /* OPENSSL_NO_KRB5 */ 1112 ) 1113 { 1114 al=ssl_verify_alarm_type(s->verify_result); 1115 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1116 goto f_err; 1117 } 1118 ERR_clear_error(); /* but we keep s->verify_result */ 1119 1120 sc=ssl_sess_cert_new(); 1121 if (sc == NULL) goto err; 1122 1123 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1124 s->session->sess_cert=sc; 1125 1126 sc->cert_chain=sk; 1127 /* Inconsistency alert: cert_chain does include the peer's 1128 * certificate, which we don't include in s3_srvr.c */ 1129 x=sk_X509_value(sk,0); 1130 sk=NULL; 1131 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1132 1133 pkey=X509_get_pubkey(x); 1134 1135 /* VRS: allow null cert if auth == KRB5 */ 1136 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1137 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1138 ? 0 : 1; 1139 1140 #ifdef KSSL_DEBUG 1141 printf("pkey,x = %p, %p\n", pkey,x); 1142 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1143 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1144 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1145 #endif /* KSSL_DEBUG */ 1146 1147 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1148 { 1149 x=NULL; 1150 al=SSL3_AL_FATAL; 1151 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1152 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1153 goto f_err; 1154 } 1155 1156 i=ssl_cert_type(x,pkey); 1157 if (need_cert && i < 0) 1158 { 1159 x=NULL; 1160 al=SSL3_AL_FATAL; 1161 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1162 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1163 goto f_err; 1164 } 1165 1166 if (need_cert) 1167 { 1168 sc->peer_cert_type=i; 1169 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1170 /* Why would the following ever happen? 1171 * We just created sc a couple of lines ago. */ 1172 if (sc->peer_pkeys[i].x509 != NULL) 1173 X509_free(sc->peer_pkeys[i].x509); 1174 sc->peer_pkeys[i].x509=x; 1175 sc->peer_key= &(sc->peer_pkeys[i]); 1176 1177 if (s->session->peer != NULL) 1178 X509_free(s->session->peer); 1179 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1180 s->session->peer=x; 1181 } 1182 else 1183 { 1184 sc->peer_cert_type=i; 1185 sc->peer_key= NULL; 1186 1187 if (s->session->peer != NULL) 1188 X509_free(s->session->peer); 1189 s->session->peer=NULL; 1190 } 1191 s->session->verify_result = s->verify_result; 1192 1193 x=NULL; 1194 ret=1; 1195 1196 if (0) 1197 { 1198 f_err: 1199 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1200 } 1201 err: 1202 EVP_PKEY_free(pkey); 1203 X509_free(x); 1204 sk_X509_pop_free(sk,X509_free); 1205 return(ret); 1206 } 1207 1208 int ssl3_get_key_exchange(SSL *s) 1209 { 1210 #ifndef OPENSSL_NO_RSA 1211 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1212 #endif 1213 EVP_MD_CTX md_ctx; 1214 unsigned char *param,*p; 1215 int al,i,j,param_len,ok; 1216 long n,alg_k,alg_a; 1217 EVP_PKEY *pkey=NULL; 1218 #ifndef OPENSSL_NO_RSA 1219 RSA *rsa=NULL; 1220 #endif 1221 #ifndef OPENSSL_NO_DH 1222 DH *dh=NULL; 1223 #endif 1224 #ifndef OPENSSL_NO_ECDH 1225 EC_KEY *ecdh = NULL; 1226 BN_CTX *bn_ctx = NULL; 1227 EC_POINT *srvr_ecpoint = NULL; 1228 int curve_nid = 0; 1229 int encoded_pt_len = 0; 1230 #endif 1231 1232 /* use same message size as in ssl3_get_certificate_request() 1233 * as ServerKeyExchange message may be skipped */ 1234 n=s->method->ssl_get_message(s, 1235 SSL3_ST_CR_KEY_EXCH_A, 1236 SSL3_ST_CR_KEY_EXCH_B, 1237 -1, 1238 s->max_cert_list, 1239 &ok); 1240 if (!ok) return((int)n); 1241 1242 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 1243 { 1244 #ifndef OPENSSL_NO_PSK 1245 /* In plain PSK ciphersuite, ServerKeyExchange can be 1246 omitted if no identity hint is sent. Set 1247 session->sess_cert anyway to avoid problems 1248 later.*/ 1249 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1250 { 1251 s->session->sess_cert=ssl_sess_cert_new(); 1252 if (s->ctx->psk_identity_hint) 1253 OPENSSL_free(s->ctx->psk_identity_hint); 1254 s->ctx->psk_identity_hint = NULL; 1255 } 1256 #endif 1257 s->s3->tmp.reuse_message=1; 1258 return(1); 1259 } 1260 1261 param=p=(unsigned char *)s->init_msg; 1262 if (s->session->sess_cert != NULL) 1263 { 1264 #ifndef OPENSSL_NO_RSA 1265 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1266 { 1267 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1268 s->session->sess_cert->peer_rsa_tmp=NULL; 1269 } 1270 #endif 1271 #ifndef OPENSSL_NO_DH 1272 if (s->session->sess_cert->peer_dh_tmp) 1273 { 1274 DH_free(s->session->sess_cert->peer_dh_tmp); 1275 s->session->sess_cert->peer_dh_tmp=NULL; 1276 } 1277 #endif 1278 #ifndef OPENSSL_NO_ECDH 1279 if (s->session->sess_cert->peer_ecdh_tmp) 1280 { 1281 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1282 s->session->sess_cert->peer_ecdh_tmp=NULL; 1283 } 1284 #endif 1285 } 1286 else 1287 { 1288 s->session->sess_cert=ssl_sess_cert_new(); 1289 } 1290 1291 param_len=0; 1292 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1293 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1294 EVP_MD_CTX_init(&md_ctx); 1295 1296 #ifndef OPENSSL_NO_PSK 1297 if (alg_k & SSL_kPSK) 1298 { 1299 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1300 1301 al=SSL_AD_HANDSHAKE_FAILURE; 1302 n2s(p,i); 1303 param_len=i+2; 1304 /* Store PSK identity hint for later use, hint is used 1305 * in ssl3_send_client_key_exchange. Assume that the 1306 * maximum length of a PSK identity hint can be as 1307 * long as the maximum length of a PSK identity. */ 1308 if (i > PSK_MAX_IDENTITY_LEN) 1309 { 1310 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1311 SSL_R_DATA_LENGTH_TOO_LONG); 1312 goto f_err; 1313 } 1314 if (param_len > n) 1315 { 1316 al=SSL_AD_DECODE_ERROR; 1317 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1318 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1319 goto f_err; 1320 } 1321 /* If received PSK identity hint contains NULL 1322 * characters, the hint is truncated from the first 1323 * NULL. p may not be ending with NULL, so create a 1324 * NULL-terminated string. */ 1325 memcpy(tmp_id_hint, p, i); 1326 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1327 if (s->ctx->psk_identity_hint != NULL) 1328 OPENSSL_free(s->ctx->psk_identity_hint); 1329 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1330 if (s->ctx->psk_identity_hint == NULL) 1331 { 1332 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1333 goto f_err; 1334 } 1335 1336 p+=i; 1337 n-=param_len; 1338 } 1339 else 1340 #endif /* !OPENSSL_NO_PSK */ 1341 #ifndef OPENSSL_NO_RSA 1342 if (alg_k & SSL_kRSA) 1343 { 1344 if ((rsa=RSA_new()) == NULL) 1345 { 1346 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1347 goto err; 1348 } 1349 n2s(p,i); 1350 param_len=i+2; 1351 if (param_len > n) 1352 { 1353 al=SSL_AD_DECODE_ERROR; 1354 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 1355 goto f_err; 1356 } 1357 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1358 { 1359 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1360 goto err; 1361 } 1362 p+=i; 1363 1364 n2s(p,i); 1365 param_len+=i+2; 1366 if (param_len > n) 1367 { 1368 al=SSL_AD_DECODE_ERROR; 1369 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 1370 goto f_err; 1371 } 1372 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1373 { 1374 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1375 goto err; 1376 } 1377 p+=i; 1378 n-=param_len; 1379 1380 /* this should be because we are using an export cipher */ 1381 if (alg_a & SSL_aRSA) 1382 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1383 else 1384 { 1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1386 goto err; 1387 } 1388 s->session->sess_cert->peer_rsa_tmp=rsa; 1389 rsa=NULL; 1390 } 1391 #else /* OPENSSL_NO_RSA */ 1392 if (0) 1393 ; 1394 #endif 1395 #ifndef OPENSSL_NO_DH 1396 else if (alg_k & SSL_kEDH) 1397 { 1398 if ((dh=DH_new()) == NULL) 1399 { 1400 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 1401 goto err; 1402 } 1403 n2s(p,i); 1404 param_len=i+2; 1405 if (param_len > n) 1406 { 1407 al=SSL_AD_DECODE_ERROR; 1408 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 1409 goto f_err; 1410 } 1411 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1412 { 1413 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1414 goto err; 1415 } 1416 p+=i; 1417 1418 n2s(p,i); 1419 param_len+=i+2; 1420 if (param_len > n) 1421 { 1422 al=SSL_AD_DECODE_ERROR; 1423 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 1424 goto f_err; 1425 } 1426 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1427 { 1428 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1429 goto err; 1430 } 1431 p+=i; 1432 1433 n2s(p,i); 1434 param_len+=i+2; 1435 if (param_len > n) 1436 { 1437 al=SSL_AD_DECODE_ERROR; 1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 1439 goto f_err; 1440 } 1441 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1442 { 1443 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1444 goto err; 1445 } 1446 p+=i; 1447 n-=param_len; 1448 1449 #ifndef OPENSSL_NO_RSA 1450 if (alg_a & SSL_aRSA) 1451 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1452 #else 1453 if (0) 1454 ; 1455 #endif 1456 #ifndef OPENSSL_NO_DSA 1457 else if (alg_a & SSL_aDSS) 1458 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1459 #endif 1460 /* else anonymous DH, so no certificate or pkey. */ 1461 1462 s->session->sess_cert->peer_dh_tmp=dh; 1463 dh=NULL; 1464 } 1465 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1466 { 1467 al=SSL_AD_ILLEGAL_PARAMETER; 1468 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1469 goto f_err; 1470 } 1471 #endif /* !OPENSSL_NO_DH */ 1472 1473 #ifndef OPENSSL_NO_ECDH 1474 else if (alg_k & SSL_kEECDH) 1475 { 1476 EC_GROUP *ngroup; 1477 const EC_GROUP *group; 1478 1479 if ((ecdh=EC_KEY_new()) == NULL) 1480 { 1481 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1482 goto err; 1483 } 1484 1485 /* Extract elliptic curve parameters and the 1486 * server's ephemeral ECDH public key. 1487 * Keep accumulating lengths of various components in 1488 * param_len and make sure it never exceeds n. 1489 */ 1490 1491 /* XXX: For now we only support named (not generic) curves 1492 * and the ECParameters in this case is just three bytes. 1493 */ 1494 param_len=3; 1495 if ((param_len > n) || 1496 (*p != NAMED_CURVE_TYPE) || 1497 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1498 { 1499 al=SSL_AD_INTERNAL_ERROR; 1500 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1501 goto f_err; 1502 } 1503 1504 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1505 if (ngroup == NULL) 1506 { 1507 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1508 goto err; 1509 } 1510 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1511 { 1512 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1513 goto err; 1514 } 1515 EC_GROUP_free(ngroup); 1516 1517 group = EC_KEY_get0_group(ecdh); 1518 1519 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1520 (EC_GROUP_get_degree(group) > 163)) 1521 { 1522 al=SSL_AD_EXPORT_RESTRICTION; 1523 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1524 goto f_err; 1525 } 1526 1527 p+=3; 1528 1529 /* Next, get the encoded ECPoint */ 1530 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1531 ((bn_ctx = BN_CTX_new()) == NULL)) 1532 { 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1534 goto err; 1535 } 1536 1537 encoded_pt_len = *p; /* length of encoded point */ 1538 p+=1; 1539 param_len += (1 + encoded_pt_len); 1540 if ((param_len > n) || 1541 (EC_POINT_oct2point(group, srvr_ecpoint, 1542 p, encoded_pt_len, bn_ctx) == 0)) 1543 { 1544 al=SSL_AD_DECODE_ERROR; 1545 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1546 goto f_err; 1547 } 1548 1549 n-=param_len; 1550 p+=encoded_pt_len; 1551 1552 /* The ECC/TLS specification does not mention 1553 * the use of DSA to sign ECParameters in the server 1554 * key exchange message. We do support RSA and ECDSA. 1555 */ 1556 if (0) ; 1557 #ifndef OPENSSL_NO_RSA 1558 else if (alg_a & SSL_aRSA) 1559 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1560 #endif 1561 #ifndef OPENSSL_NO_ECDSA 1562 else if (alg_a & SSL_aECDSA) 1563 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1564 #endif 1565 /* else anonymous ECDH, so no certificate or pkey. */ 1566 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1567 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1568 ecdh=NULL; 1569 BN_CTX_free(bn_ctx); 1570 EC_POINT_free(srvr_ecpoint); 1571 srvr_ecpoint = NULL; 1572 } 1573 else if (alg_k) 1574 { 1575 al=SSL_AD_UNEXPECTED_MESSAGE; 1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1577 goto f_err; 1578 } 1579 #endif /* !OPENSSL_NO_ECDH */ 1580 1581 1582 /* p points to the next byte, there are 'n' bytes left */ 1583 1584 /* if it was signed, check the signature */ 1585 if (pkey != NULL) 1586 { 1587 n2s(p,i); 1588 n-=2; 1589 j=EVP_PKEY_size(pkey); 1590 1591 if ((i != n) || (n > j) || (n <= 0)) 1592 { 1593 /* wrong packet length */ 1594 al=SSL_AD_DECODE_ERROR; 1595 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1596 goto f_err; 1597 } 1598 1599 #ifndef OPENSSL_NO_RSA 1600 if (pkey->type == EVP_PKEY_RSA) 1601 { 1602 int num; 1603 1604 j=0; 1605 q=md_buf; 1606 for (num=2; num > 0; num--) 1607 { 1608 EVP_DigestInit_ex(&md_ctx,(num == 2) 1609 ?s->ctx->md5:s->ctx->sha1, NULL); 1610 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1611 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1612 EVP_DigestUpdate(&md_ctx,param,param_len); 1613 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1614 q+=i; 1615 j+=i; 1616 } 1617 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1618 pkey->pkey.rsa); 1619 if (i < 0) 1620 { 1621 al=SSL_AD_DECRYPT_ERROR; 1622 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1623 goto f_err; 1624 } 1625 if (i == 0) 1626 { 1627 /* bad signature */ 1628 al=SSL_AD_DECRYPT_ERROR; 1629 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1630 goto f_err; 1631 } 1632 } 1633 else 1634 #endif 1635 #ifndef OPENSSL_NO_DSA 1636 if (pkey->type == EVP_PKEY_DSA) 1637 { 1638 /* lets do DSS */ 1639 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); 1640 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1641 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1642 EVP_VerifyUpdate(&md_ctx,param,param_len); 1643 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1644 { 1645 /* bad signature */ 1646 al=SSL_AD_DECRYPT_ERROR; 1647 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1648 goto f_err; 1649 } 1650 } 1651 else 1652 #endif 1653 #ifndef OPENSSL_NO_ECDSA 1654 if (pkey->type == EVP_PKEY_EC) 1655 { 1656 /* let's do ECDSA */ 1657 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1658 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1659 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1660 EVP_VerifyUpdate(&md_ctx,param,param_len); 1661 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1662 { 1663 /* bad signature */ 1664 al=SSL_AD_DECRYPT_ERROR; 1665 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1666 goto f_err; 1667 } 1668 } 1669 else 1670 #endif 1671 { 1672 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1673 goto err; 1674 } 1675 } 1676 else 1677 { 1678 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1679 /* aNULL or kPSK do not need public keys */ 1680 { 1681 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1682 goto err; 1683 } 1684 /* still data left over */ 1685 if (n != 0) 1686 { 1687 al=SSL_AD_DECODE_ERROR; 1688 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 1689 goto f_err; 1690 } 1691 } 1692 EVP_PKEY_free(pkey); 1693 EVP_MD_CTX_cleanup(&md_ctx); 1694 return(1); 1695 f_err: 1696 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1697 err: 1698 EVP_PKEY_free(pkey); 1699 #ifndef OPENSSL_NO_RSA 1700 if (rsa != NULL) 1701 RSA_free(rsa); 1702 #endif 1703 #ifndef OPENSSL_NO_DH 1704 if (dh != NULL) 1705 DH_free(dh); 1706 #endif 1707 #ifndef OPENSSL_NO_ECDH 1708 BN_CTX_free(bn_ctx); 1709 EC_POINT_free(srvr_ecpoint); 1710 if (ecdh != NULL) 1711 EC_KEY_free(ecdh); 1712 #endif 1713 EVP_MD_CTX_cleanup(&md_ctx); 1714 return(-1); 1715 } 1716 1717 int ssl3_get_certificate_request(SSL *s) 1718 { 1719 int ok,ret=0; 1720 unsigned long n,nc,l; 1721 unsigned int llen,ctype_num,i; 1722 X509_NAME *xn=NULL; 1723 const unsigned char *p,*q; 1724 unsigned char *d; 1725 STACK_OF(X509_NAME) *ca_sk=NULL; 1726 1727 n=s->method->ssl_get_message(s, 1728 SSL3_ST_CR_CERT_REQ_A, 1729 SSL3_ST_CR_CERT_REQ_B, 1730 -1, 1731 s->max_cert_list, 1732 &ok); 1733 1734 if (!ok) return((int)n); 1735 1736 s->s3->tmp.cert_req=0; 1737 1738 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1739 { 1740 s->s3->tmp.reuse_message=1; 1741 return(1); 1742 } 1743 1744 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1745 { 1746 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1747 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 1748 goto err; 1749 } 1750 1751 /* TLS does not like anon-DH with client cert */ 1752 if (s->version > SSL3_VERSION) 1753 { 1754 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1755 { 1756 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1757 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1758 goto err; 1759 } 1760 } 1761 1762 p=d=(unsigned char *)s->init_msg; 1763 1764 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1765 { 1766 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1767 goto err; 1768 } 1769 1770 /* get the certificate types */ 1771 ctype_num= *(p++); 1772 if (ctype_num > SSL3_CT_NUMBER) 1773 ctype_num=SSL3_CT_NUMBER; 1774 for (i=0; i<ctype_num; i++) 1775 s->s3->tmp.ctype[i]= p[i]; 1776 p+=ctype_num; 1777 1778 /* get the CA RDNs */ 1779 n2s(p,llen); 1780 #if 0 1781 { 1782 FILE *out; 1783 out=fopen("/tmp/vsign.der","w"); 1784 fwrite(p,1,llen,out); 1785 fclose(out); 1786 } 1787 #endif 1788 1789 if ((llen+ctype_num+2+1) != n) 1790 { 1791 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1792 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1793 goto err; 1794 } 1795 1796 for (nc=0; nc<llen; ) 1797 { 1798 n2s(p,l); 1799 if ((l+nc+2) > llen) 1800 { 1801 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1802 goto cont; /* netscape bugs */ 1803 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1804 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1805 goto err; 1806 } 1807 1808 q=p; 1809 1810 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1811 { 1812 /* If netscape tolerance is on, ignore errors */ 1813 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1814 goto cont; 1815 else 1816 { 1817 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1818 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 1819 goto err; 1820 } 1821 } 1822 1823 if (q != (p+l)) 1824 { 1825 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1826 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 1827 goto err; 1828 } 1829 if (!sk_X509_NAME_push(ca_sk,xn)) 1830 { 1831 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1832 goto err; 1833 } 1834 1835 p+=l; 1836 nc+=l+2; 1837 } 1838 1839 if (0) 1840 { 1841 cont: 1842 ERR_clear_error(); 1843 } 1844 1845 /* we should setup a certificate to return.... */ 1846 s->s3->tmp.cert_req=1; 1847 s->s3->tmp.ctype_num=ctype_num; 1848 if (s->s3->tmp.ca_names != NULL) 1849 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1850 s->s3->tmp.ca_names=ca_sk; 1851 ca_sk=NULL; 1852 1853 ret=1; 1854 err: 1855 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1856 return(ret); 1857 } 1858 1859 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 1860 { 1861 return(X509_NAME_cmp(*a,*b)); 1862 } 1863 #ifndef OPENSSL_NO_TLSEXT 1864 int ssl3_get_new_session_ticket(SSL *s) 1865 { 1866 int ok,al,ret=0, ticklen; 1867 long n; 1868 const unsigned char *p; 1869 unsigned char *d; 1870 1871 n=s->method->ssl_get_message(s, 1872 SSL3_ST_CR_SESSION_TICKET_A, 1873 SSL3_ST_CR_SESSION_TICKET_B, 1874 -1, 1875 16384, 1876 &ok); 1877 1878 if (!ok) 1879 return((int)n); 1880 1881 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1882 { 1883 s->s3->tmp.reuse_message=1; 1884 return(1); 1885 } 1886 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1887 { 1888 al=SSL_AD_UNEXPECTED_MESSAGE; 1889 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 1890 goto f_err; 1891 } 1892 if (n < 6) 1893 { 1894 /* need at least ticket_lifetime_hint + ticket length */ 1895 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1896 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1897 goto f_err; 1898 } 1899 1900 p=d=(unsigned char *)s->init_msg; 1901 n2l(p, s->session->tlsext_tick_lifetime_hint); 1902 n2s(p, ticklen); 1903 /* ticket_lifetime_hint + ticket_length + ticket */ 1904 if (ticklen + 6 != n) 1905 { 1906 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1907 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1908 goto f_err; 1909 } 1910 if (s->session->tlsext_tick) 1911 { 1912 OPENSSL_free(s->session->tlsext_tick); 1913 s->session->tlsext_ticklen = 0; 1914 } 1915 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1916 if (!s->session->tlsext_tick) 1917 { 1918 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 1919 goto err; 1920 } 1921 memcpy(s->session->tlsext_tick, p, ticklen); 1922 s->session->tlsext_ticklen = ticklen; 1923 /* There are two ways to detect a resumed ticket sesion. 1924 * One is to set an appropriate session ID and then the server 1925 * must return a match in ServerHello. This allows the normal 1926 * client session ID matching to work and we know much 1927 * earlier that the ticket has been accepted. 1928 * 1929 * The other way is to set zero length session ID when the 1930 * ticket is presented and rely on the handshake to determine 1931 * session resumption. 1932 * 1933 * We choose the former approach because this fits in with 1934 * assumptions elsewhere in OpenSSL. The session ID is set 1935 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 1936 * ticket. 1937 */ 1938 EVP_Digest(p, ticklen, 1939 s->session->session_id, &s->session->session_id_length, 1940 #ifndef OPENSSL_NO_SHA256 1941 EVP_sha256(), NULL); 1942 #else 1943 EVP_sha1(), NULL); 1944 #endif 1945 ret=1; 1946 return(ret); 1947 f_err: 1948 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1949 err: 1950 return(-1); 1951 } 1952 1953 int ssl3_get_cert_status(SSL *s) 1954 { 1955 int ok, al; 1956 unsigned long resplen,n; 1957 const unsigned char *p; 1958 1959 n=s->method->ssl_get_message(s, 1960 SSL3_ST_CR_CERT_STATUS_A, 1961 SSL3_ST_CR_CERT_STATUS_B, 1962 SSL3_MT_CERTIFICATE_STATUS, 1963 16384, 1964 &ok); 1965 1966 if (!ok) return((int)n); 1967 if (n < 4) 1968 { 1969 /* need at least status type + length */ 1970 al = SSL_AD_DECODE_ERROR; 1971 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1972 goto f_err; 1973 } 1974 p = (unsigned char *)s->init_msg; 1975 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1976 { 1977 al = SSL_AD_DECODE_ERROR; 1978 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1979 goto f_err; 1980 } 1981 n2l3(p, resplen); 1982 if (resplen + 4 != n) 1983 { 1984 al = SSL_AD_DECODE_ERROR; 1985 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1986 goto f_err; 1987 } 1988 if (s->tlsext_ocsp_resp) 1989 OPENSSL_free(s->tlsext_ocsp_resp); 1990 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 1991 if (!s->tlsext_ocsp_resp) 1992 { 1993 al = SSL_AD_INTERNAL_ERROR; 1994 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 1995 goto f_err; 1996 } 1997 s->tlsext_ocsp_resplen = resplen; 1998 if (s->ctx->tlsext_status_cb) 1999 { 2000 int ret; 2001 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2002 if (ret == 0) 2003 { 2004 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2005 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2006 goto f_err; 2007 } 2008 if (ret < 0) 2009 { 2010 al = SSL_AD_INTERNAL_ERROR; 2011 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2012 goto f_err; 2013 } 2014 } 2015 return 1; 2016 f_err: 2017 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2018 return(-1); 2019 } 2020 #endif 2021 2022 int ssl3_get_server_done(SSL *s) 2023 { 2024 int ok,ret=0; 2025 long n; 2026 2027 n=s->method->ssl_get_message(s, 2028 SSL3_ST_CR_SRVR_DONE_A, 2029 SSL3_ST_CR_SRVR_DONE_B, 2030 SSL3_MT_SERVER_DONE, 2031 30, /* should be very small, like 0 :-) */ 2032 &ok); 2033 2034 if (!ok) return((int)n); 2035 if (n > 0) 2036 { 2037 /* should contain no data */ 2038 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2039 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2040 return -1; 2041 } 2042 ret=1; 2043 return(ret); 2044 } 2045 2046 2047 int ssl3_send_client_key_exchange(SSL *s) 2048 { 2049 unsigned char *p,*d; 2050 int n; 2051 unsigned long alg_k; 2052 #ifndef OPENSSL_NO_RSA 2053 unsigned char *q; 2054 EVP_PKEY *pkey=NULL; 2055 #endif 2056 #ifndef OPENSSL_NO_KRB5 2057 KSSL_ERR kssl_err; 2058 #endif /* OPENSSL_NO_KRB5 */ 2059 #ifndef OPENSSL_NO_ECDH 2060 EC_KEY *clnt_ecdh = NULL; 2061 const EC_POINT *srvr_ecpoint = NULL; 2062 EVP_PKEY *srvr_pub_pkey = NULL; 2063 unsigned char *encodedPoint = NULL; 2064 int encoded_pt_len = 0; 2065 BN_CTX * bn_ctx = NULL; 2066 #endif 2067 2068 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2069 { 2070 d=(unsigned char *)s->init_buf->data; 2071 p= &(d[4]); 2072 2073 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2074 2075 /* Fool emacs indentation */ 2076 if (0) {} 2077 #ifndef OPENSSL_NO_RSA 2078 else if (alg_k & SSL_kRSA) 2079 { 2080 RSA *rsa; 2081 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2082 2083 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2084 rsa=s->session->sess_cert->peer_rsa_tmp; 2085 else 2086 { 2087 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 2088 if ((pkey == NULL) || 2089 (pkey->type != EVP_PKEY_RSA) || 2090 (pkey->pkey.rsa == NULL)) 2091 { 2092 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2093 goto err; 2094 } 2095 rsa=pkey->pkey.rsa; 2096 EVP_PKEY_free(pkey); 2097 } 2098 2099 tmp_buf[0]=s->client_version>>8; 2100 tmp_buf[1]=s->client_version&0xff; 2101 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2102 goto err; 2103 2104 s->session->master_key_length=sizeof tmp_buf; 2105 2106 q=p; 2107 /* Fix buf for TLS and beyond */ 2108 if (s->version > SSL3_VERSION) 2109 p+=2; 2110 n=RSA_public_encrypt(sizeof tmp_buf, 2111 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2112 #ifdef PKCS1_CHECK 2113 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2114 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2115 #endif 2116 if (n <= 0) 2117 { 2118 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 2119 goto err; 2120 } 2121 2122 /* Fix buf for TLS and beyond */ 2123 if (s->version > SSL3_VERSION) 2124 { 2125 s2n(n,q); 2126 n+=2; 2127 } 2128 2129 s->session->master_key_length= 2130 s->method->ssl3_enc->generate_master_secret(s, 2131 s->session->master_key, 2132 tmp_buf,sizeof tmp_buf); 2133 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 2134 } 2135 #endif 2136 #ifndef OPENSSL_NO_KRB5 2137 else if (alg_k & SSL_kKRB5) 2138 { 2139 krb5_error_code krb5rc; 2140 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2141 /* krb5_data krb5_ap_req; */ 2142 krb5_data *enc_ticket; 2143 krb5_data authenticator, *authp = NULL; 2144 EVP_CIPHER_CTX ciph_ctx; 2145 const EVP_CIPHER *enc = NULL; 2146 unsigned char iv[EVP_MAX_IV_LENGTH]; 2147 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2148 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2149 + EVP_MAX_IV_LENGTH]; 2150 int padl, outl = sizeof(epms); 2151 2152 EVP_CIPHER_CTX_init(&ciph_ctx); 2153 2154 #ifdef KSSL_DEBUG 2155 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2156 alg_k, SSL_kKRB5); 2157 #endif /* KSSL_DEBUG */ 2158 2159 authp = NULL; 2160 #ifdef KRB5SENDAUTH 2161 if (KRB5SENDAUTH) authp = &authenticator; 2162 #endif /* KRB5SENDAUTH */ 2163 2164 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2165 &kssl_err); 2166 enc = kssl_map_enc(kssl_ctx->enctype); 2167 if (enc == NULL) 2168 goto err; 2169 #ifdef KSSL_DEBUG 2170 { 2171 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2172 if (krb5rc && kssl_err.text) 2173 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2174 } 2175 #endif /* KSSL_DEBUG */ 2176 2177 if (krb5rc) 2178 { 2179 ssl3_send_alert(s,SSL3_AL_FATAL, 2180 SSL_AD_HANDSHAKE_FAILURE); 2181 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2182 kssl_err.reason); 2183 goto err; 2184 } 2185 2186 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2187 ** in place of RFC 2712 KerberosWrapper, as in: 2188 ** 2189 ** Send ticket (copy to *p, set n = length) 2190 ** n = krb5_ap_req.length; 2191 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2192 ** if (krb5_ap_req.data) 2193 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2194 ** 2195 ** Now using real RFC 2712 KerberosWrapper 2196 ** (Thanks to Simon Wilkinson <sxw (at) sxw.org.uk>) 2197 ** Note: 2712 "opaque" types are here replaced 2198 ** with a 2-byte length followed by the value. 2199 ** Example: 2200 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2201 ** Where "xx xx" = length bytes. Shown here with 2202 ** optional authenticator omitted. 2203 */ 2204 2205 /* KerberosWrapper.Ticket */ 2206 s2n(enc_ticket->length,p); 2207 memcpy(p, enc_ticket->data, enc_ticket->length); 2208 p+= enc_ticket->length; 2209 n = enc_ticket->length + 2; 2210 2211 /* KerberosWrapper.Authenticator */ 2212 if (authp && authp->length) 2213 { 2214 s2n(authp->length,p); 2215 memcpy(p, authp->data, authp->length); 2216 p+= authp->length; 2217 n+= authp->length + 2; 2218 2219 free(authp->data); 2220 authp->data = NULL; 2221 authp->length = 0; 2222 } 2223 else 2224 { 2225 s2n(0,p);/* null authenticator length */ 2226 n+=2; 2227 } 2228 2229 tmp_buf[0]=s->client_version>>8; 2230 tmp_buf[1]=s->client_version&0xff; 2231 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2232 goto err; 2233 2234 /* 20010420 VRS. Tried it this way; failed. 2235 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2236 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2237 ** kssl_ctx->length); 2238 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2239 */ 2240 2241 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2242 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2243 kssl_ctx->key,iv); 2244 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2245 sizeof tmp_buf); 2246 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2247 outl += padl; 2248 if (outl > (int)sizeof epms) 2249 { 2250 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2251 goto err; 2252 } 2253 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2254 2255 /* KerberosWrapper.EncryptedPreMasterSecret */ 2256 s2n(outl,p); 2257 memcpy(p, epms, outl); 2258 p+=outl; 2259 n+=outl + 2; 2260 2261 s->session->master_key_length= 2262 s->method->ssl3_enc->generate_master_secret(s, 2263 s->session->master_key, 2264 tmp_buf, sizeof tmp_buf); 2265 2266 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2267 OPENSSL_cleanse(epms, outl); 2268 } 2269 #endif 2270 #ifndef OPENSSL_NO_DH 2271 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2272 { 2273 DH *dh_srvr,*dh_clnt; 2274 2275 if (s->session->sess_cert == NULL) 2276 { 2277 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2278 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2279 goto err; 2280 } 2281 2282 if (s->session->sess_cert->peer_dh_tmp != NULL) 2283 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2284 else 2285 { 2286 /* we get them from the cert */ 2287 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2288 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2289 goto err; 2290 } 2291 2292 /* generate a new random key */ 2293 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2294 { 2295 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2296 goto err; 2297 } 2298 if (!DH_generate_key(dh_clnt)) 2299 { 2300 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2301 goto err; 2302 } 2303 2304 /* use the 'p' output buffer for the DH key, but 2305 * make sure to clear it out afterwards */ 2306 2307 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2308 2309 if (n <= 0) 2310 { 2311 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2312 goto err; 2313 } 2314 2315 /* generate master key from the result */ 2316 s->session->master_key_length= 2317 s->method->ssl3_enc->generate_master_secret(s, 2318 s->session->master_key,p,n); 2319 /* clean up */ 2320 memset(p,0,n); 2321 2322 /* send off the data */ 2323 n=BN_num_bytes(dh_clnt->pub_key); 2324 s2n(n,p); 2325 BN_bn2bin(dh_clnt->pub_key,p); 2326 n+=2; 2327 2328 DH_free(dh_clnt); 2329 2330 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2331 } 2332 #endif 2333 2334 #ifndef OPENSSL_NO_ECDH 2335 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2336 { 2337 const EC_GROUP *srvr_group = NULL; 2338 EC_KEY *tkey; 2339 int ecdh_clnt_cert = 0; 2340 int field_size = 0; 2341 2342 /* Did we send out the client's 2343 * ECDH share for use in premaster 2344 * computation as part of client certificate? 2345 * If so, set ecdh_clnt_cert to 1. 2346 */ 2347 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2348 { 2349 /* XXX: For now, we do not support client 2350 * authentication using ECDH certificates. 2351 * To add such support, one needs to add 2352 * code that checks for appropriate 2353 * conditions and sets ecdh_clnt_cert to 1. 2354 * For example, the cert have an ECC 2355 * key on the same curve as the server's 2356 * and the key should be authorized for 2357 * key agreement. 2358 * 2359 * One also needs to add code in ssl3_connect 2360 * to skip sending the certificate verify 2361 * message. 2362 * 2363 * if ((s->cert->key->privatekey != NULL) && 2364 * (s->cert->key->privatekey->type == 2365 * EVP_PKEY_EC) && ...) 2366 * ecdh_clnt_cert = 1; 2367 */ 2368 } 2369 2370 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2371 { 2372 tkey = s->session->sess_cert->peer_ecdh_tmp; 2373 } 2374 else 2375 { 2376 /* Get the Server Public Key from Cert */ 2377 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2378 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2379 if ((srvr_pub_pkey == NULL) || 2380 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2381 (srvr_pub_pkey->pkey.ec == NULL)) 2382 { 2383 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2384 ERR_R_INTERNAL_ERROR); 2385 goto err; 2386 } 2387 2388 tkey = srvr_pub_pkey->pkey.ec; 2389 } 2390 2391 srvr_group = EC_KEY_get0_group(tkey); 2392 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2393 2394 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2395 { 2396 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2397 ERR_R_INTERNAL_ERROR); 2398 goto err; 2399 } 2400 2401 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2402 { 2403 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2404 goto err; 2405 } 2406 2407 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2408 { 2409 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2410 goto err; 2411 } 2412 if (ecdh_clnt_cert) 2413 { 2414 /* Reuse key info from our certificate 2415 * We only need our private key to perform 2416 * the ECDH computation. 2417 */ 2418 const BIGNUM *priv_key; 2419 tkey = s->cert->key->privatekey->pkey.ec; 2420 priv_key = EC_KEY_get0_private_key(tkey); 2421 if (priv_key == NULL) 2422 { 2423 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2424 goto err; 2425 } 2426 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2427 { 2428 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2429 goto err; 2430 } 2431 } 2432 else 2433 { 2434 /* Generate a new ECDH key pair */ 2435 if (!(EC_KEY_generate_key(clnt_ecdh))) 2436 { 2437 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2438 goto err; 2439 } 2440 } 2441 2442 /* use the 'p' output buffer for the ECDH key, but 2443 * make sure to clear it out afterwards 2444 */ 2445 2446 field_size = EC_GROUP_get_degree(srvr_group); 2447 if (field_size <= 0) 2448 { 2449 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2450 ERR_R_ECDH_LIB); 2451 goto err; 2452 } 2453 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2454 if (n <= 0) 2455 { 2456 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2457 ERR_R_ECDH_LIB); 2458 goto err; 2459 } 2460 2461 /* generate master key from the result */ 2462 s->session->master_key_length = s->method->ssl3_enc \ 2463 -> generate_master_secret(s, 2464 s->session->master_key, 2465 p, n); 2466 2467 memset(p, 0, n); /* clean up */ 2468 2469 if (ecdh_clnt_cert) 2470 { 2471 /* Send empty client key exch message */ 2472 n = 0; 2473 } 2474 else 2475 { 2476 /* First check the size of encoding and 2477 * allocate memory accordingly. 2478 */ 2479 encoded_pt_len = 2480 EC_POINT_point2oct(srvr_group, 2481 EC_KEY_get0_public_key(clnt_ecdh), 2482 POINT_CONVERSION_UNCOMPRESSED, 2483 NULL, 0, NULL); 2484 2485 encodedPoint = (unsigned char *) 2486 OPENSSL_malloc(encoded_pt_len * 2487 sizeof(unsigned char)); 2488 bn_ctx = BN_CTX_new(); 2489 if ((encodedPoint == NULL) || 2490 (bn_ctx == NULL)) 2491 { 2492 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2493 goto err; 2494 } 2495 2496 /* Encode the public key */ 2497 n = EC_POINT_point2oct(srvr_group, 2498 EC_KEY_get0_public_key(clnt_ecdh), 2499 POINT_CONVERSION_UNCOMPRESSED, 2500 encodedPoint, encoded_pt_len, bn_ctx); 2501 2502 *p = n; /* length of encoded point */ 2503 /* Encoded point will be copied here */ 2504 p += 1; 2505 /* copy the point */ 2506 memcpy((unsigned char *)p, encodedPoint, n); 2507 /* increment n to account for length field */ 2508 n += 1; 2509 } 2510 2511 /* Free allocated memory */ 2512 BN_CTX_free(bn_ctx); 2513 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2514 if (clnt_ecdh != NULL) 2515 EC_KEY_free(clnt_ecdh); 2516 EVP_PKEY_free(srvr_pub_pkey); 2517 } 2518 #endif /* !OPENSSL_NO_ECDH */ 2519 else if (alg_k & SSL_kGOST) 2520 { 2521 /* GOST key exchange message creation */ 2522 EVP_PKEY_CTX *pkey_ctx; 2523 X509 *peer_cert; 2524 size_t msglen; 2525 unsigned int md_len; 2526 int keytype; 2527 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2528 EVP_MD_CTX *ukm_hash; 2529 EVP_PKEY *pub_key; 2530 2531 /* Get server sertificate PKEY and create ctx from it */ 2532 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2533 if (!peer_cert) 2534 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2535 if (!peer_cert) { 2536 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2537 goto err; 2538 } 2539 2540 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2541 /* If we have send a certificate, and certificate key 2542 2543 * parameters match those of server certificate, use 2544 * certificate key for key exchange 2545 */ 2546 2547 /* Otherwise, generate ephemeral key pair */ 2548 2549 EVP_PKEY_encrypt_init(pkey_ctx); 2550 /* Generate session key */ 2551 RAND_bytes(premaster_secret,32); 2552 /* If we have client certificate, use its secret as peer key */ 2553 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2554 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2555 /* If there was an error - just ignore it. Ephemeral key 2556 * would be used 2557 */ 2558 ERR_clear_error(); 2559 } 2560 } 2561 /* Compute shared IV and store it in algorithm-specific 2562 * context data */ 2563 ukm_hash = EVP_MD_CTX_create(); 2564 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2565 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2566 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2567 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2568 EVP_MD_CTX_destroy(ukm_hash); 2569 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2570 8,shared_ukm)<0) { 2571 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2572 SSL_R_LIBRARY_BUG); 2573 goto err; 2574 } 2575 /* Make GOST keytransport blob message */ 2576 /*Encapsulate it into sequence */ 2577 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2578 msglen=255; 2579 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2580 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2581 SSL_R_LIBRARY_BUG); 2582 goto err; 2583 } 2584 if (msglen >= 0x80) 2585 { 2586 *(p++)=0x81; 2587 *(p++)= msglen & 0xff; 2588 n=msglen+3; 2589 } 2590 else 2591 { 2592 *(p++)= msglen & 0xff; 2593 n=msglen+2; 2594 } 2595 memcpy(p, tmp, msglen); 2596 /* Check if pubkey from client certificate was used */ 2597 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2598 { 2599 /* Set flag "skip certificate verify" */ 2600 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2601 } 2602 EVP_PKEY_CTX_free(pkey_ctx); 2603 s->session->master_key_length= 2604 s->method->ssl3_enc->generate_master_secret(s, 2605 s->session->master_key,premaster_secret,32); 2606 EVP_PKEY_free(pub_key); 2607 2608 } 2609 #ifndef OPENSSL_NO_PSK 2610 else if (alg_k & SSL_kPSK) 2611 { 2612 char identity[PSK_MAX_IDENTITY_LEN]; 2613 unsigned char *t = NULL; 2614 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2615 unsigned int pre_ms_len = 0, psk_len = 0; 2616 int psk_err = 1; 2617 2618 n = 0; 2619 if (s->psk_client_callback == NULL) 2620 { 2621 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2622 SSL_R_PSK_NO_CLIENT_CB); 2623 goto err; 2624 } 2625 2626 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2627 identity, PSK_MAX_IDENTITY_LEN, 2628 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2629 if (psk_len > PSK_MAX_PSK_LEN) 2630 { 2631 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2632 ERR_R_INTERNAL_ERROR); 2633 goto psk_err; 2634 } 2635 else if (psk_len == 0) 2636 { 2637 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2638 SSL_R_PSK_IDENTITY_NOT_FOUND); 2639 goto psk_err; 2640 } 2641 2642 /* create PSK pre_master_secret */ 2643 pre_ms_len = 2+psk_len+2+psk_len; 2644 t = psk_or_pre_ms; 2645 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2646 s2n(psk_len, t); 2647 memset(t, 0, psk_len); 2648 t+=psk_len; 2649 s2n(psk_len, t); 2650 2651 if (s->session->psk_identity_hint != NULL) 2652 OPENSSL_free(s->session->psk_identity_hint); 2653 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2654 if (s->ctx->psk_identity_hint != NULL && 2655 s->session->psk_identity_hint == NULL) 2656 { 2657 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2658 ERR_R_MALLOC_FAILURE); 2659 goto psk_err; 2660 } 2661 2662 if (s->session->psk_identity != NULL) 2663 OPENSSL_free(s->session->psk_identity); 2664 s->session->psk_identity = BUF_strdup(identity); 2665 if (s->session->psk_identity == NULL) 2666 { 2667 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 ERR_R_MALLOC_FAILURE); 2669 goto psk_err; 2670 } 2671 2672 s->session->master_key_length = 2673 s->method->ssl3_enc->generate_master_secret(s, 2674 s->session->master_key, 2675 psk_or_pre_ms, pre_ms_len); 2676 n = strlen(identity); 2677 s2n(n, p); 2678 memcpy(p, identity, n); 2679 n+=2; 2680 psk_err = 0; 2681 psk_err: 2682 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2683 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2684 if (psk_err != 0) 2685 { 2686 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2687 goto err; 2688 } 2689 } 2690 #endif 2691 else 2692 { 2693 ssl3_send_alert(s, SSL3_AL_FATAL, 2694 SSL_AD_HANDSHAKE_FAILURE); 2695 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2696 ERR_R_INTERNAL_ERROR); 2697 goto err; 2698 } 2699 2700 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 2701 l2n3(n,d); 2702 2703 s->state=SSL3_ST_CW_KEY_EXCH_B; 2704 /* number of bytes to write */ 2705 s->init_num=n+4; 2706 s->init_off=0; 2707 } 2708 2709 /* SSL3_ST_CW_KEY_EXCH_B */ 2710 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2711 err: 2712 #ifndef OPENSSL_NO_ECDH 2713 BN_CTX_free(bn_ctx); 2714 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2715 if (clnt_ecdh != NULL) 2716 EC_KEY_free(clnt_ecdh); 2717 EVP_PKEY_free(srvr_pub_pkey); 2718 #endif 2719 return(-1); 2720 } 2721 2722 int ssl3_send_client_verify(SSL *s) 2723 { 2724 unsigned char *p,*d; 2725 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2726 EVP_PKEY *pkey; 2727 EVP_PKEY_CTX *pctx=NULL; 2728 #ifndef OPENSSL_NO_RSA 2729 unsigned u=0; 2730 #endif 2731 unsigned long n; 2732 int j; 2733 2734 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2735 { 2736 d=(unsigned char *)s->init_buf->data; 2737 p= &(d[4]); 2738 pkey=s->cert->key->privatekey; 2739 /* Create context from key and test if sha1 is allowed as digest */ 2740 pctx = EVP_PKEY_CTX_new(pkey,NULL); 2741 EVP_PKEY_sign_init(pctx); 2742 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2743 { 2744 s->method->ssl3_enc->cert_verify_mac(s, 2745 NID_sha1, 2746 &(data[MD5_DIGEST_LENGTH])); 2747 } 2748 else 2749 { 2750 ERR_clear_error(); 2751 } 2752 #ifndef OPENSSL_NO_RSA 2753 if (pkey->type == EVP_PKEY_RSA) 2754 { 2755 s->method->ssl3_enc->cert_verify_mac(s, 2756 NID_md5, 2757 &(data[0])); 2758 if (RSA_sign(NID_md5_sha1, data, 2759 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2760 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2761 { 2762 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 2763 goto err; 2764 } 2765 s2n(u,p); 2766 n=u+2; 2767 } 2768 else 2769 #endif 2770 #ifndef OPENSSL_NO_DSA 2771 if (pkey->type == EVP_PKEY_DSA) 2772 { 2773 if (!DSA_sign(pkey->save_type, 2774 &(data[MD5_DIGEST_LENGTH]), 2775 SHA_DIGEST_LENGTH,&(p[2]), 2776 (unsigned int *)&j,pkey->pkey.dsa)) 2777 { 2778 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 2779 goto err; 2780 } 2781 s2n(j,p); 2782 n=j+2; 2783 } 2784 else 2785 #endif 2786 #ifndef OPENSSL_NO_ECDSA 2787 if (pkey->type == EVP_PKEY_EC) 2788 { 2789 if (!ECDSA_sign(pkey->save_type, 2790 &(data[MD5_DIGEST_LENGTH]), 2791 SHA_DIGEST_LENGTH,&(p[2]), 2792 (unsigned int *)&j,pkey->pkey.ec)) 2793 { 2794 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2795 ERR_R_ECDSA_LIB); 2796 goto err; 2797 } 2798 s2n(j,p); 2799 n=j+2; 2800 } 2801 else 2802 #endif 2803 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2804 { 2805 unsigned char signbuf[64]; 2806 int i; 2807 size_t sigsize=64; 2808 s->method->ssl3_enc->cert_verify_mac(s, 2809 NID_id_GostR3411_94, 2810 data); 2811 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2812 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2813 ERR_R_INTERNAL_ERROR); 2814 goto err; 2815 } 2816 for (i=63,j=0; i>=0; j++, i--) { 2817 p[2+j]=signbuf[i]; 2818 } 2819 s2n(j,p); 2820 n=j+2; 2821 } 2822 else 2823 { 2824 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 2825 goto err; 2826 } 2827 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2828 l2n3(n,d); 2829 2830 s->state=SSL3_ST_CW_CERT_VRFY_B; 2831 s->init_num=(int)n+4; 2832 s->init_off=0; 2833 } 2834 EVP_PKEY_CTX_free(pctx); 2835 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2836 err: 2837 EVP_PKEY_CTX_free(pctx); 2838 return(-1); 2839 } 2840 2841 int ssl3_send_client_certificate(SSL *s) 2842 { 2843 X509 *x509=NULL; 2844 EVP_PKEY *pkey=NULL; 2845 int i; 2846 unsigned long l; 2847 2848 if (s->state == SSL3_ST_CW_CERT_A) 2849 { 2850 if ((s->cert == NULL) || 2851 (s->cert->key->x509 == NULL) || 2852 (s->cert->key->privatekey == NULL)) 2853 s->state=SSL3_ST_CW_CERT_B; 2854 else 2855 s->state=SSL3_ST_CW_CERT_C; 2856 } 2857 2858 /* We need to get a client cert */ 2859 if (s->state == SSL3_ST_CW_CERT_B) 2860 { 2861 /* If we get an error, we need to 2862 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2863 * We then get retied later */ 2864 i=0; 2865 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2866 if (i < 0) 2867 { 2868 s->rwstate=SSL_X509_LOOKUP; 2869 return(-1); 2870 } 2871 s->rwstate=SSL_NOTHING; 2872 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2873 { 2874 s->state=SSL3_ST_CW_CERT_B; 2875 if ( !SSL_use_certificate(s,x509) || 2876 !SSL_use_PrivateKey(s,pkey)) 2877 i=0; 2878 } 2879 else if (i == 1) 2880 { 2881 i=0; 2882 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2883 } 2884 2885 if (x509 != NULL) X509_free(x509); 2886 if (pkey != NULL) EVP_PKEY_free(pkey); 2887 if (i == 0) 2888 { 2889 if (s->version == SSL3_VERSION) 2890 { 2891 s->s3->tmp.cert_req=0; 2892 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 2893 return(1); 2894 } 2895 else 2896 { 2897 s->s3->tmp.cert_req=2; 2898 } 2899 } 2900 2901 /* Ok, we have a cert */ 2902 s->state=SSL3_ST_CW_CERT_C; 2903 } 2904 2905 if (s->state == SSL3_ST_CW_CERT_C) 2906 { 2907 s->state=SSL3_ST_CW_CERT_D; 2908 l=ssl3_output_cert_chain(s, 2909 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2910 s->init_num=(int)l; 2911 s->init_off=0; 2912 } 2913 /* SSL3_ST_CW_CERT_D */ 2914 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2915 } 2916 2917 #define has_bits(i,m) (((i)&(m)) == (m)) 2918 2919 int ssl3_check_cert_and_algorithm(SSL *s) 2920 { 2921 int i,idx; 2922 long alg_k,alg_a; 2923 EVP_PKEY *pkey=NULL; 2924 SESS_CERT *sc; 2925 #ifndef OPENSSL_NO_RSA 2926 RSA *rsa; 2927 #endif 2928 #ifndef OPENSSL_NO_DH 2929 DH *dh; 2930 #endif 2931 2932 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2933 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2934 2935 /* we don't have a certificate */ 2936 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2937 return(1); 2938 2939 sc=s->session->sess_cert; 2940 if (sc == NULL) 2941 { 2942 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 2943 goto err; 2944 } 2945 2946 #ifndef OPENSSL_NO_RSA 2947 rsa=s->session->sess_cert->peer_rsa_tmp; 2948 #endif 2949 #ifndef OPENSSL_NO_DH 2950 dh=s->session->sess_cert->peer_dh_tmp; 2951 #endif 2952 2953 /* This is the passed certificate */ 2954 2955 idx=sc->peer_cert_type; 2956 #ifndef OPENSSL_NO_ECDH 2957 if (idx == SSL_PKEY_ECC) 2958 { 2959 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2960 s->s3->tmp.new_cipher) == 0) 2961 { /* check failed */ 2962 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2963 goto f_err; 2964 } 2965 else 2966 { 2967 return 1; 2968 } 2969 } 2970 #endif 2971 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2972 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2973 EVP_PKEY_free(pkey); 2974 2975 2976 /* Check that we have a certificate if we require one */ 2977 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2978 { 2979 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 2980 goto f_err; 2981 } 2982 #ifndef OPENSSL_NO_DSA 2983 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2984 { 2985 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 2986 goto f_err; 2987 } 2988 #endif 2989 #ifndef OPENSSL_NO_RSA 2990 if ((alg_k & SSL_kRSA) && 2991 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2992 { 2993 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2994 goto f_err; 2995 } 2996 #endif 2997 #ifndef OPENSSL_NO_DH 2998 if ((alg_k & SSL_kEDH) && 2999 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3000 { 3001 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 3002 goto f_err; 3003 } 3004 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3005 { 3006 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 3007 goto f_err; 3008 } 3009 #ifndef OPENSSL_NO_DSA 3010 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3011 { 3012 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 3013 goto f_err; 3014 } 3015 #endif 3016 #endif 3017 3018 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3019 { 3020 #ifndef OPENSSL_NO_RSA 3021 if (alg_k & SSL_kRSA) 3022 { 3023 if (rsa == NULL 3024 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3025 { 3026 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 3027 goto f_err; 3028 } 3029 } 3030 else 3031 #endif 3032 #ifndef OPENSSL_NO_DH 3033 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3034 { 3035 if (dh == NULL 3036 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3037 { 3038 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 3039 goto f_err; 3040 } 3041 } 3042 else 3043 #endif 3044 { 3045 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3046 goto f_err; 3047 } 3048 } 3049 return(1); 3050 f_err: 3051 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3052 err: 3053 return(0); 3054 } 3055 3056 /* Check to see if handshake is full or resumed. Usually this is just a 3057 * case of checking to see if a cache hit has occurred. In the case of 3058 * session tickets we have to check the next message to be sure. 3059 */ 3060 3061 #ifndef OPENSSL_NO_TLSEXT 3062 int ssl3_check_finished(SSL *s) 3063 { 3064 int ok; 3065 long n; 3066 /* If we have no ticket it cannot be a resumed session. */ 3067 if (!s->session->tlsext_tick) 3068 return 1; 3069 /* this function is called when we really expect a Certificate 3070 * message, so permit appropriate message length */ 3071 n=s->method->ssl_get_message(s, 3072 SSL3_ST_CR_CERT_A, 3073 SSL3_ST_CR_CERT_B, 3074 -1, 3075 s->max_cert_list, 3076 &ok); 3077 if (!ok) return((int)n); 3078 s->s3->tmp.reuse_message = 1; 3079 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3080 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3081 return 2; 3082 3083 return 1; 3084 } 3085 #endif 3086 3087 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3088 { 3089 int i = 0; 3090 #ifndef OPENSSL_NO_ENGINE 3091 if (s->ctx->client_cert_engine) 3092 { 3093 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3094 SSL_get_client_CA_list(s), 3095 px509, ppkey, NULL, NULL, NULL); 3096 if (i != 0) 3097 return i; 3098 } 3099 #endif 3100 if (s->ctx->client_cert_cb) 3101 i = s->ctx->client_cert_cb(s,px509,ppkey); 3102 return i; 3103 } 3104